By default, when you access AWS services (like S3, DynamoDB, or CloudWatch) from your VPC,
the traffic goes over the public internet, even if you're inside AWS.
VPC Endpoints allow you to connect privately to AWS services using the AWS internal network,
without using the public internet.
| Benefit | Description |
|---|---|
| Enhanced Security | Traffic never leaves AWS's private backbone. No exposure to the public internet. |
| Lower Latency | Fewer network hops, faster communication. |
| Simpler Configuration | No need for Internet Gateways, NAT Gateways, or public IPs. |
| Cost Optimization | Reduces NAT Gateway data processing costs for private traffic. |
| Type | Used For | Description |
|---|---|---|
| Gateway Endpoint | S3, DynamoDB | A route added to your route table that directs traffic privately. |
| Interface Endpoint | Most other AWS services | Uses Elastic Network Interfaces (ENIs) in your subnet to connect privately to the service. |
## Gateway Endpoint

- Used only for Amazon S3 and DynamoDB.
- Adds an entry in the route table of your VPC.
- Traffic to these services stays within AWS's private network.

Example:

Private Subnet → Gateway Endpoint → S3/DynamoDB (Private)
## Interface Endpoint

- Used for all other AWS services (e.g., CloudWatch, EC2 API, KMS, SNS, etc.).
- Creates a private Elastic Network Interface (ENI) in your subnet.
- The ENI connects to the service via AWS PrivateLink.

### Example: Interface Endpoint for CloudWatch

- EC2 in a private subnet sends metrics to CloudWatch privately.
- A private ENI is created in the subnet.
- Traffic never leaves AWS's internal network.
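The two mechanisms above (a gateway endpoint is only a route table entry; an interface endpoint is an ENI that carries a security group) are the things that silently fail when misconfigured, so a quick audit of `aws ec2 describe-vpc-endpoints` output is worth having. This is an added example, not code from the original notes; the JSON is a constructed sample with placeholder IDs in the shape of that command's output, and the service names follow the `com.amazonaws.<region>.<service>` pattern (`monitoring` is CloudWatch metrics, `logs` is CloudWatch Logs).

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output (placeholder IDs).
SAMPLE = json.loads("""{
 "VpcEndpoints": [
  {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-0priv"]},
  {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Gateway", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.dynamodb", "RouteTableIds": []},
  {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Interface", "State": "available",
   "ServiceName": "com.amazonaws.us-east-1.monitoring",
   "SubnetIds": ["subnet-0priv"], "Groups": [], "PrivateDnsEnabled": false}
 ]
}""")


def short_name(service_name: str) -> str:
    """'com.amazonaws.us-east-1.s3' -> 's3'."""
    return service_name.rsplit(".", 1)[-1]


def audit_endpoints(describe_output: dict) -> list[str]:
    """One finding per endpoint whose private path is not actually wired up."""
    findings = []
    for ep in describe_output.get("VpcEndpoints", []):
        ep_id, svc = ep["VpcEndpointId"], short_name(ep["ServiceName"])
        if ep.get("State") != "available":
            findings.append(f"{ep_id} ({svc}): state is {ep.get('State')}, not available")
        if ep["VpcEndpointType"] == "Gateway" and not ep.get("RouteTableIds"):
            # A gateway endpoint only works through a route table entry; without one,
            # S3/DynamoDB traffic from that subnet still takes the NAT/internet gateway path.
            findings.append(f"{ep_id} ({svc}): gateway endpoint is not in any route table")
        if ep["VpcEndpointType"] == "Interface" and not ep.get("Groups"):
            # Interface endpoints are ENIs, so their security group is the access control.
            findings.append(f"{ep_id} ({svc}): interface endpoint ENIs have no security group")
    return findings


def missing_endpoints(describe_output: dict, required: set[str]) -> set[str]:
    """Required services with no endpoint at all: calls to them leave via the internet path."""
    present = {short_name(ep["ServiceName"]) for ep in describe_output.get("VpcEndpoints", [])}
    return required - present


if __name__ == "__main__":
    for line in audit_endpoints(SAMPLE):
        print("FINDING:", line)
    print("no endpoint for:", sorted(missing_endpoints(SAMPLE, {"s3", "dynamodb", "monitoring", "logs"})))
```

Run it against real output by replacing `SAMPLE` with `json.load(open("endpoints.json"))` after `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<vpc-id> > endpoints.json`.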
## Exam Tips

| Topic | Key Point |
|---|---|
| Gateway Endpoint Services | Only S3 and DynamoDB |
| Interface Endpoint Services | Almost every other AWS service |
| Underlying Tech | Interface endpoints use AWS PrivateLink |
| Region Support | Works within the same region (no transitive routing) |
| Internet Required? | No (stays inside the AWS network) |
| Security Groups | Required for Interface Endpoints (because they create ENIs) |
## Summary

| Concept | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Used For | S3, DynamoDB | Most other services |
| Mechanism | Route table entry | Elastic Network Interface (ENI) |
| Technology | Native VPC routing | AWS PrivateLink |
| Requires SG? | No | Yes |
| Transitive? | No | No |
| Example Service | S3, DynamoDB | CloudWatch, EC2, SNS, SSM |