VPC Endpoints: Private Connectivity to AWS Services
VPC Endpoints enable private connectivity between your VPC and AWS services without requiring an Internet Gateway, NAT Gateway, VPN connection, or AWS Direct Connect. This provides a secure, scalable, and cost-effective way to access AWS services while keeping traffic within the AWS network. This article explores both Gateway Endpoints and Interface Endpoints, their use cases, and security configurations.
Understanding VPC Endpoints
VPC Endpoints allow you to connect to AWS services using a private network instead of the public internet. They provide several key benefits:
Key Benefits
- Private Connectivity: Traffic stays within the AWS network
- No Internet Gateway Required: Eliminates need for IGW or NAT Gateway for AWS service access
- Horizontally Scaled: Redundant and highly available
- No Bandwidth Constraints: No limitations on network traffic
- Enhanced Security: Traffic doesn't traverse the public internet
Endpoint Types
AWS provides two types of VPC Endpoints:
Gateway Endpoint:
- Provisions a target used in route tables
- Supported services: Amazon S3 and DynamoDB
- Free to use (no hourly charges)
Interface Endpoint:
- Provisions an ENI (Elastic Network Interface) with private IP
- Supported services: Most other AWS services
- Charged per hour and data processing
Gateway Endpoints
Gateway Endpoints provide private connectivity to Amazon S3 and DynamoDB.
How Gateway Endpoints Work
- Create Endpoint: Create a gateway endpoint for S3 or DynamoDB
- Modify Route Tables: Add route entry pointing to the gateway endpoint
- Prefix List: AWS creates a prefix list (pl-xxxxxxxx) containing service IP addresses
- Automatic Routing: Traffic to S3/DynamoDB routes through the endpoint
Gateway Endpoint Characteristics
Supported Services:
- Amazon S3
- Amazon DynamoDB
Configuration:
- Must be added to route tables
- Prefix list created automatically
- No ENI created (unlike Interface Endpoints)
Cost: Free (no hourly or data processing charges)
Availability: Highly available and redundant
Setting Up Gateway Endpoints
For S3:
- Navigate to VPC → Endpoints → Create Endpoint
- Select "com.amazonaws.region.s3"
- Select VPC and route tables
- Create endpoint
For DynamoDB:
- Navigate to VPC → Endpoints → Create Endpoint
- Select "com.amazonaws.region.dynamodb"
- Select VPC and route tables
- Create endpoint
Prefix Lists
When you create an S3 or DynamoDB gateway endpoint:
- AWS creates a prefix list in your VPC
- Format:
pl-xxxxxxxx - Contains collection of IP addresses the service uses
- Available in:
- Subnet routing tables
- Security groups
Security Group Configuration:
- Add prefix list to outbound rules if default "Allow All" rule is removed
- Enables traffic to S3/DynamoDB through the endpoint
Interface Endpoints
Interface Endpoints provide private connectivity to most AWS services using AWS PrivateLink.
How Interface Endpoints Work
- Create Endpoint: Create interface endpoint for desired service
- ENI Creation: AWS creates ENIs in your subnets (one per AZ)
- Private IP Assignment: Each ENI gets a private IP address
- DNS Resolution: Regional and zonal DNS entries created
- Traffic Routing: Service traffic routes through private IPs
Interface Endpoint Characteristics
Supported Services: Most AWS services (EC2, S3, SQS, Lambda, etc.)
High Availability:
- Create one endpoint per Availability Zone
- Each endpoint in different AZ for redundancy
- Automatic failover between AZs
Cost:
- Per hour charge: ~$0.01/hour per AZ
- Data processing: ~$0.01/GB
Security:
- Uses Security Groups (inbound rules)
- Traffic stays within AWS network
- Supports IPv4 traffic only
- Supports TCP protocol only
DNS Configuration
Interface endpoints create DNS entries:
Regional DNS:
- Format:
vpce-xxxxx-xxxxx.service.region.vpce.amazonaws.com - Returns IP addresses for all AZ endpoints
- Example:
vpce-0b7d2995e9dfe5418-mwrths3x.athena.us-east-1.vpce.amazonaws.com
Zonal DNS:
- Format:
vpce-xxxxx-xxxxx-az.service.region.vpce.amazonaws.com - Returns IP for specific AZ endpoint
- Example:
vpce-0b7d2995e9dfe5418-mwrths3x-us-east-1a.athena.us-east-1.vpce.amazonaws.com
Private DNS:
- With Private DNS enabled, use service's default DNS
- Example:
athena.us-east-1.amazonaws.comresolves to private endpoint IP - Requires:
enableDnsHostnamesandenableDnsSupportboth set toTrue
Interface Endpoint Access
Interface endpoints can be accessed through:
- Direct Connect
- AWS Managed VPN
- VPC Peering connections
This enables hybrid cloud scenarios where on-premises resources can access AWS services privately.
VPC Endpoint Security
VPC Endpoints provide granular access control compared to broad access through VPC peering.
Endpoint Policies
VPC Endpoint policies are IAM policies attached to endpoints that control access.
Default Policy: Allows full control to the AWS service
Custom Policy Example - Restrict S3 Access:
{
"Statement": [
{
"Sid": "Access-to-specific-bucket-only",
"Principal": "*",
"Action": ["s3:GetObject", "s3:PutObject"],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"
]
}
]
}
Custom Policy Example - Restrict DynamoDB Access:
{
"Statement": [
{
"Sid": "AccessToSpecificTable",
"Principal": "*",
"Action": [
"dynamodb:Batch*",
"dynamodb:Delete*",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Update*"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/StockTable"
}
]
}
S3 Bucket Policies
You can also restrict access at the S3 bucket level:
Restrict to Specific VPC Endpoint:
{
"Version": "2012-10-17",
"Id": "Policy1415115909152",
"Statement": [
{
"Sid": "Access-to-specific-VPCE-only",
"Principal": "*",
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::my_secure_bucket",
"arn:aws:s3:::my_secure_bucket/*"
],
"Condition": {
"StringNotEquals": {
"aws:sourceVpce": "vpce-1a2b3c4d"
}
}
}
]
}
Restrict to Specific VPC:
{
"Condition": {
"StringEquals": {
"aws:sourceVpc": "vpc-111bbb22"
}
}
}
Security Best Practices
- Use Endpoint Policies: Restrict access to specific resources
- Combine with Bucket Policies: Use both endpoint and bucket policies for defense in depth
- Security Groups: Configure security groups for interface endpoints
- Monitor Access: Use CloudTrail to monitor endpoint access
- Least Privilege: Grant minimum necessary permissions
Endpoint Policy vs Bucket Policy
Understanding when to use each:
Endpoint Policy:
- Controls what can be accessed through the endpoint
- Applied at the endpoint level
- Works for both S3 and DynamoDB
Bucket Policy:
- Controls access to the bucket itself
- Can restrict based on
aws:sourceVpceoraws:sourceVpc - More granular control at resource level
Combined Approach:
- Use endpoint policy for service-level restrictions
- Use bucket policy for resource-level restrictions
- Provides defense in depth
Use Cases
Cost Optimization
Eliminate NAT Gateway Costs:
- Use VPC endpoints for AWS services
- Avoid data transfer through NAT Gateway
- Reduce internet gateway usage
Reduce Data Transfer Costs:
- Traffic through endpoints stays in AWS network
- No internet data transfer charges
- Lower costs for high-volume AWS service access
Security Enhancement
Private Connectivity:
- Traffic never leaves AWS network
- No exposure to public internet
- Enhanced security posture
Compliance:
- Meet requirements for private connectivity
- No internet exposure for sensitive data
- Audit trail through CloudTrail
Hybrid Cloud
On-Premises Access:
- Access AWS services from on-premises via Direct Connect
- Use VPN connections for secure access
- Maintain private connectivity
Best Practices
Endpoint Design
- Multi-AZ Deployment: Create endpoints in multiple AZs for high availability
- Route Table Configuration: Associate endpoints with appropriate route tables
- Security Group Design: Configure security groups for interface endpoints
- DNS Configuration: Enable private DNS for seamless integration
Cost Optimization
- Use Gateway Endpoints: For S3 and DynamoDB (free)
- Evaluate Interface Endpoints: Consider cost vs benefits
- Monitor Usage: Track endpoint usage and costs
- Optimize Data Transfer: Minimize unnecessary data transfer
Security
- Endpoint Policies: Implement least privilege access
- Bucket Policies: Add additional security layers
- Security Groups: Restrict access to endpoints
- Monitoring: Monitor endpoint access and usage
Troubleshooting
Common Issues
DNS Resolution Not Working:
- Check
enableDnsSupportandenableDnsHostnamesare bothTrue - Verify private DNS is enabled for interface endpoints
- Check security groups allow DNS traffic
Access Denied:
- Verify endpoint policy allows required actions
- Check bucket/resource policies
- Review IAM permissions
Connectivity Issues:
- Verify route tables are configured correctly
- Check security groups for interface endpoints
- Verify endpoint is in correct subnets
Conclusion
VPC Endpoints provide a secure, scalable, and cost-effective way to access AWS services privately. Gateway Endpoints offer free connectivity to S3 and DynamoDB, while Interface Endpoints enable private access to most AWS services. Understanding when to use each type, how to configure security, and best practices helps you build secure and efficient network architectures.
By leveraging VPC Endpoints, you can reduce costs, enhance security, and simplify network architecture while maintaining private connectivity to AWS services. Whether you're optimizing costs, meeting compliance requirements, or building hybrid cloud solutions, VPC Endpoints provide the foundation for private AWS service access.
In the next article, we'll explore AWS Transit Gateway, a powerful service for connecting multiple VPCs and on-premises networks. Stay tuned!