Back to Articles
Cloud & AWS

VPC Endpoints: Private Connectivity to AWS Services

Understanding Gateway and Interface Endpoints for Secure Service Access

Alex Lux2023-11-246 min read
AWSVPC EndpointsPrivateLinkS3DynamoDB
VPC Endpoints: Private Connectivity to AWS Services
Use this link for review flash cards

VPC Endpoints: Private Connectivity to AWS Services

VPC Endpoints enable private connectivity between your VPC and AWS services without requiring an Internet Gateway, NAT Gateway, VPN connection, or AWS Direct Connect. This provides a secure, scalable, and cost-effective way to access AWS services while keeping traffic within the AWS network. This article explores both Gateway Endpoints and Interface Endpoints, their use cases, and security configurations.

Understanding VPC Endpoints

VPC Endpoints allow you to connect to AWS services using a private network instead of the public internet. They provide several key benefits:

Key Benefits

  1. Private Connectivity: Traffic stays within the AWS network
  2. No Internet Gateway Required: Eliminates need for IGW or NAT Gateway for AWS service access
  3. Horizontally Scaled: Redundant and highly available
  4. No Bandwidth Constraints: No limitations on network traffic
  5. Enhanced Security: Traffic doesn't traverse the public internet

Endpoint Types

AWS provides two types of VPC Endpoints:

Gateway Endpoint:

  • Provisions a target used in route tables
  • Supported services: Amazon S3 and DynamoDB
  • Free to use (no hourly charges)

Interface Endpoint:

  • Provisions an ENI (Elastic Network Interface) with private IP
  • Supported services: Most other AWS services
  • Charged per hour and data processing

Gateway Endpoints

Gateway Endpoints provide private connectivity to Amazon S3 and DynamoDB.

How Gateway Endpoints Work

  1. Create Endpoint: Create a gateway endpoint for S3 or DynamoDB
  2. Modify Route Tables: Add route entry pointing to the gateway endpoint
  3. Prefix List: AWS creates a prefix list (pl-xxxxxxxx) containing service IP addresses
  4. Automatic Routing: Traffic to S3/DynamoDB routes through the endpoint

Gateway Endpoint Characteristics

Supported Services:

  • Amazon S3
  • Amazon DynamoDB

Configuration:

  • Must be added to route tables
  • Prefix list created automatically
  • No ENI created (unlike Interface Endpoints)

Cost: Free (no hourly or data processing charges)

Availability: Highly available and redundant

Setting Up Gateway Endpoints

For S3:

  1. Navigate to VPC → Endpoints → Create Endpoint
  2. Select "com.amazonaws.region.s3"
  3. Select VPC and route tables
  4. Create endpoint

For DynamoDB:

  1. Navigate to VPC → Endpoints → Create Endpoint
  2. Select "com.amazonaws.region.dynamodb"
  3. Select VPC and route tables
  4. Create endpoint

Prefix Lists

When you create an S3 or DynamoDB gateway endpoint:

  • AWS creates a prefix list in your VPC
  • Format: pl-xxxxxxxx
  • Contains collection of IP addresses the service uses
  • Available in:
    • Subnet routing tables
    • Security groups

Security Group Configuration:

  • Add prefix list to outbound rules if default "Allow All" rule is removed
  • Enables traffic to S3/DynamoDB through the endpoint

Interface Endpoints

Interface Endpoints provide private connectivity to most AWS services using AWS PrivateLink.

How Interface Endpoints Work

  1. Create Endpoint: Create interface endpoint for desired service
  2. ENI Creation: AWS creates ENIs in your subnets (one per AZ)
  3. Private IP Assignment: Each ENI gets a private IP address
  4. DNS Resolution: Regional and zonal DNS entries created
  5. Traffic Routing: Service traffic routes through private IPs

Interface Endpoint Characteristics

Supported Services: Most AWS services (EC2, S3, SQS, Lambda, etc.)

High Availability:

  • Create one endpoint per Availability Zone
  • Each endpoint in different AZ for redundancy
  • Automatic failover between AZs

Cost:

  • Per hour charge: ~$0.01/hour per AZ
  • Data processing: ~$0.01/GB

Security:

  • Uses Security Groups (inbound rules)
  • Traffic stays within AWS network
  • Supports IPv4 traffic only
  • Supports TCP protocol only

DNS Configuration

Interface endpoints create DNS entries:

Regional DNS:

  • Format: vpce-xxxxx-xxxxx.service.region.vpce.amazonaws.com
  • Returns IP addresses for all AZ endpoints
  • Example: vpce-0b7d2995e9dfe5418-mwrths3x.athena.us-east-1.vpce.amazonaws.com

Zonal DNS:

  • Format: vpce-xxxxx-xxxxx-az.service.region.vpce.amazonaws.com
  • Returns IP for specific AZ endpoint
  • Example: vpce-0b7d2995e9dfe5418-mwrths3x-us-east-1a.athena.us-east-1.vpce.amazonaws.com

Private DNS:

  • With Private DNS enabled, use service's default DNS
  • Example: athena.us-east-1.amazonaws.com resolves to private endpoint IP
  • Requires: enableDnsHostnames and enableDnsSupport both set to True

Interface Endpoint Access

Interface endpoints can be accessed through:

  • Direct Connect
  • AWS Managed VPN
  • VPC Peering connections

This enables hybrid cloud scenarios where on-premises resources can access AWS services privately.

VPC Endpoint Security

VPC Endpoints provide granular access control compared to broad access through VPC peering.

Endpoint Policies

VPC Endpoint policies are IAM policies attached to endpoints that control access.

Default Policy: Allows full control to the AWS service

Custom Policy Example - Restrict S3 Access:

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ]
    }
  ]
}

Custom Policy Example - Restrict DynamoDB Access:

{
  "Statement": [
    {
      "Sid": "AccessToSpecificTable",
      "Principal": "*",
      "Action": [
        "dynamodb:Batch*",
        "dynamodb:Delete*",
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Update*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/StockTable"
    }
  ]
}

S3 Bucket Policies

You can also restrict access at the S3 bucket level:

Restrict to Specific VPC Endpoint:

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::my_secure_bucket",
        "arn:aws:s3:::my_secure_bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}

Restrict to Specific VPC:

{
  "Condition": {
    "StringEquals": {
      "aws:sourceVpc": "vpc-111bbb22"
    }
  }
}

Security Best Practices

  1. Use Endpoint Policies: Restrict access to specific resources
  2. Combine with Bucket Policies: Use both endpoint and bucket policies for defense in depth
  3. Security Groups: Configure security groups for interface endpoints
  4. Monitor Access: Use CloudTrail to monitor endpoint access
  5. Least Privilege: Grant minimum necessary permissions

Endpoint Policy vs Bucket Policy

Understanding when to use each:

Endpoint Policy:

  • Controls what can be accessed through the endpoint
  • Applied at the endpoint level
  • Works for both S3 and DynamoDB

Bucket Policy:

  • Controls access to the bucket itself
  • Can restrict based on aws:sourceVpce or aws:sourceVpc
  • More granular control at resource level

Combined Approach:

  • Use endpoint policy for service-level restrictions
  • Use bucket policy for resource-level restrictions
  • Provides defense in depth

Use Cases

Cost Optimization

Eliminate NAT Gateway Costs:

  • Use VPC endpoints for AWS services
  • Avoid data transfer through NAT Gateway
  • Reduce internet gateway usage

Reduce Data Transfer Costs:

  • Traffic through endpoints stays in AWS network
  • No internet data transfer charges
  • Lower costs for high-volume AWS service access

Security Enhancement

Private Connectivity:

  • Traffic never leaves AWS network
  • No exposure to public internet
  • Enhanced security posture

Compliance:

  • Meet requirements for private connectivity
  • No internet exposure for sensitive data
  • Audit trail through CloudTrail

Hybrid Cloud

On-Premises Access:

  • Access AWS services from on-premises via Direct Connect
  • Use VPN connections for secure access
  • Maintain private connectivity

Best Practices

Endpoint Design

  1. Multi-AZ Deployment: Create endpoints in multiple AZs for high availability
  2. Route Table Configuration: Associate endpoints with appropriate route tables
  3. Security Group Design: Configure security groups for interface endpoints
  4. DNS Configuration: Enable private DNS for seamless integration

Cost Optimization

  1. Use Gateway Endpoints: For S3 and DynamoDB (free)
  2. Evaluate Interface Endpoints: Consider cost vs benefits
  3. Monitor Usage: Track endpoint usage and costs
  4. Optimize Data Transfer: Minimize unnecessary data transfer

Security

  1. Endpoint Policies: Implement least privilege access
  2. Bucket Policies: Add additional security layers
  3. Security Groups: Restrict access to endpoints
  4. Monitoring: Monitor endpoint access and usage

Troubleshooting

Common Issues

DNS Resolution Not Working:

  • Check enableDnsSupport and enableDnsHostnames are both True
  • Verify private DNS is enabled for interface endpoints
  • Check security groups allow DNS traffic

Access Denied:

  • Verify endpoint policy allows required actions
  • Check bucket/resource policies
  • Review IAM permissions

Connectivity Issues:

  • Verify route tables are configured correctly
  • Check security groups for interface endpoints
  • Verify endpoint is in correct subnets

Conclusion

VPC Endpoints provide a secure, scalable, and cost-effective way to access AWS services privately. Gateway Endpoints offer free connectivity to S3 and DynamoDB, while Interface Endpoints enable private access to most AWS services. Understanding when to use each type, how to configure security, and best practices helps you build secure and efficient network architectures.

By leveraging VPC Endpoints, you can reduce costs, enhance security, and simplify network architecture while maintaining private connectivity to AWS services. Whether you're optimizing costs, meeting compliance requirements, or building hybrid cloud solutions, VPC Endpoints provide the foundation for private AWS service access.

In the next article, we'll explore AWS Transit Gateway, a powerful service for connecting multiple VPCs and on-premises networks. Stay tuned!

Related Reading