2.1.3. VPC Endpoints (Interface & Gateway)
VPC Endpoints provide private and secure connectivity to AWS services from within your VPC, bypassing the public internet and NAT Gateways, enhancing security and potentially reducing costs.
Scenario: You need to access Amazon S3 and Amazon CloudWatch from EC2 instances in a private subnet. Today that traffic leaves the VPC through a NAT Gateway, which adds per-GB processing cost and means the instances' requests traverse the public AWS service endpoints.
Without endpoints, instances in a private subnet reach AWS services (such as Amazon S3) through a NAT Gateway or an Internet Gateway. VPC Endpoints remove that dependency: S3 is reached through a Gateway Endpoint and CloudWatch through an Interface Endpoint, both of which keep the traffic on the AWS network and are usually cheaper than NAT processing charges.
Key Types of VPC Endpoints:
- Gateway Endpoints:
  - What they are: A gateway that you specify as the target of a route in your route table. Traffic to the service's prefix list is routed to the endpoint instead of to the NAT or Internet Gateway.
  - Supported Services: Only Amazon S3 and Amazon DynamoDB.
  - Benefits: Free of charge (no hourly or data processing fees); no NAT Gateway or Internet Gateway is needed for these services.
  - Endpoint Policy: An IAM-style resource policy attached to the endpoint that limits which principals, actions and resources (for example, specific buckets) can be reached through it. If you do not supply one, the default policy allows all access.
- Interface Endpoints (powered by AWS PrivateLink):
  - What they are: An Elastic Network Interface (ENI) with a private IP address, placed in a subnet you choose, that serves as the entry point for traffic to the service. You attach security groups to the ENI, and with private DNS enabled the service's normal DNS name resolves to the endpoint's private IP.
  - Supported Services: A wide range of AWS services (e.g., CloudWatch, Kinesis, Systems Manager, SageMaker), as well as SaaS applications and endpoint services published by other AWS accounts.
  - Benefits: Private connectivity; an extra control point (security groups plus endpoint policy); typically lower cost than NAT Gateway data processing for large volumes.
  - Endpoint Policy: Same mechanism as for Gateway Endpoints; controls which actions and resources of the service are reachable through the endpoint.
Practical Implementation: Creating an S3 Gateway Endpoint
```bash
# Assuming VPC_ID and PRIVATE_ROUTE_TABLE_ID are already defined.
# The service name must use the region the VPC lives in (us-east-1 here).
# 1. Create the S3 Gateway Endpoint and associate it with the private route table.
#    Without --policy-document the default (full access) endpoint policy is attached.
ENDPOINT_ID=$(aws ec2 create-vpc-endpoint \
  --vpc-id "$VPC_ID" \
  --service-name com.amazonaws.us-east-1.s3 \
  --route-table-ids "$PRIVATE_ROUTE_TABLE_ID" \
  --query VpcEndpoint.VpcEndpointId --output text)
echo "S3 Gateway Endpoint ID: $ENDPOINT_ID"

# Note: A route whose destination is the S3 prefix list (pl-...) and whose
# target is the endpoint is added automatically to the specified route table.
# 2. Verify the route:
aws ec2 describe-route-tables --route-table-ids "$PRIVATE_ROUTE_TABLE_ID"
```
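The CLI above attaches the default endpoint policy, which lets any principal reach any bucket through the endpoint. The following Python is an added example, not part of the original page or of any AWS tooling: it audits the `PolicyDocument` of each endpoint in a `describe-vpc-endpoints` result, builds a scoped endpoint policy that only permits the buckets you name, and builds the matching bucket policy that refuses access unless the request arrived through that endpoint (`aws:SourceVpce`). The endpoint IDs, VPC ID, bucket names and the sample describe output are constructed for the example.

```python
import json

# Constructed sample of `aws ec2 describe-vpc-endpoints` output (assumed IDs and
# names, not values from a real account). The first endpoint carries the default
# policy AWS attaches when --policy-document is omitted.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60001",
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "PolicyDocument": json.dumps({
                "Version": "2008-10-17",
                "Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "*", "Resource": "*"}],
            }),
        },
        {
            "VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
            "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.us-east-1.logs",
            "PolicyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                               "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/app/*"}],
            }),
        },
    ]
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_full_access(policy_doc):
    """True if an unconditional Allow grants every action on every resource to anyone."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        wide_principal = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        wide_action = "*" in _as_list(stmt.get("Action", []))
        wide_resource = "*" in _as_list(stmt.get("Resource", []))
        if wide_principal and wide_action and wide_resource:
            return True
    return False


def audit_endpoints(describe_output):
    """Map each endpoint ID to 'full-access' (default policy) or 'scoped'."""
    return {
        ep["VpcEndpointId"]: "full-access" if is_full_access(ep["PolicyDocument"]) else "scoped"
        for ep in describe_output["VpcEndpoints"]
    }


def s3_gateway_endpoint_policy(bucket_names, actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """Endpoint policy: traffic through the endpoint may only touch the listed buckets."""
    resources = []
    for bucket in bucket_names:
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowOnlyListedBuckets", "Effect": "Allow",
                       "Principal": "*", "Action": list(actions), "Resource": resources}],
    }


def bucket_policy_require_vpce(bucket_name, vpce_id):
    """Bucket policy: deny any request that did not arrive through the given endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "DenyUnlessViaVpce", "Effect": "Deny", "Principal": "*",
                       "Action": "s3:*",
                       "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
                       "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}],
    }


if __name__ == "__main__":
    print(json.dumps(audit_endpoints(SAMPLE_DESCRIBE_OUTPUT), indent=2))
    # Pass this as --policy-document when creating (or modifying) the S3 endpoint.
    print(json.dumps(s3_gateway_endpoint_policy(["app-data"]), indent=2))
    print(json.dumps(bucket_policy_require_vpce("app-data", "vpce-0a1b2c3d4e5f60001"), indent=2))
```

The two policies are complementary: the endpoint policy stops a compromised instance from exfiltrating to an attacker-controlled bucket through your endpoint, while the bucket policy stops the bucket being reached from anywhere except your VPC. Be careful with the bucket-side Deny: it also blocks the console and any tooling that runs outside the VPC, so keep a break-glass path (for example, an additional condition exempting a specific admin role) before applying it to a bucket you cannot afford to lock yourself out of.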
⚠️ Common Pitfall: Using a NAT Gateway for S3 or DynamoDB access from private subnets. This is an unnecessary cost and exposure when a free Gateway Endpoint is available. A second pitfall is leaving the default endpoint policy in place: it allows any principal to reach any bucket or table through the endpoint, so a compromised instance can still write to an attacker's bucket over your private path.
Key Trade-Offs:
- Cost (Gateway) vs. Service Coverage (Interface): Gateway Endpoints are free but only support S3 and DynamoDB. Interface Endpoints support a much wider range of services but incur hourly charges per ENI (one per Availability Zone you deploy in) plus data processing fees, and they add security groups and DNS settings that you have to manage.
Reflection Question: How do VPC Endpoints (differentiating between Gateway Endpoints for S3 and Interface Endpoints for CloudWatch) fundamentally provide private and secure connectivity to AWS services from within your VPC, bypassing the public internet and NAT Gateways for enhanced security and cost optimization?