Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.1.3. VPC Endpoints: Interface and Gateway

💡 First Principle: By default, traffic from your EC2 instances to AWS services (S3, DynamoDB, KMS) travels over the public internet — even though both the source and destination are AWS. VPC endpoints create private paths for this traffic, keeping it on the AWS backbone, eliminating the need for a NAT gateway for these services, and reducing data transfer costs.

Two Types of VPC Endpoints:

Feature            | Gateway Endpoint                       | Interface Endpoint
Services supported | S3, DynamoDB only                      | 100+ AWS services
How it works       | Route table entry pointing to endpoint | ENI with private IP in your subnet
Cost               | Free                                   | ~$0.01/hour + data processing
DNS resolution     | Automatic via route table              | Requires private DNS (enabled by default)
Cross-region       | ❌ No                                  | ❌ No (same region only)
PrivateLink-based  | ❌ No                                  | ✅ Yes

Gateway Endpoints are the simplest — you add them to a route table and traffic to S3 or DynamoDB is automatically routed through the endpoint. No security groups, no ENIs, no cost. For S3 and DynamoDB, always use gateway endpoints in private subnets.

Interface Endpoints (powered by AWS PrivateLink) create an ENI in your subnet for any supported AWS service. The ENI gets a private IP from your subnet's CIDR range. When private DNS is enabled, the service's public DNS name (e.g., ec2.us-east-1.amazonaws.com) resolves to the private ENI IP instead of the public endpoint — your application code requires no changes.

Endpoint Policies: Both gateway and interface endpoints support resource-based policies that control which API actions and resources can be accessed through the endpoint. A complete endpoint policy document is a standard IAM policy with a Version and a Statement list:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data-bucket/*"
    }
  ]
}

This restricts S3 access through the endpoint to only GetObject on a specific bucket — even if the EC2 instance's IAM role allows broader S3 access.
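To make the layering concrete, here is an added illustration (not code from the original course) of how a request through the endpoint is evaluated: the instance's identity policy and the endpoint policy must both allow it. The two policies and the request ARNs are constructed sample values, and the evaluator is a deliberately simplified model of IAM (wildcards, explicit deny wins, implicit deny otherwise), not the AWS implementation.

```python
import fnmatch

# Constructed sample: a broad instance role next to a narrow endpoint policy.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::company-data-bucket/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold=False):
    # IAM-style wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive in IAM, resource ARNs are not.
    if fold:
        return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def policy_decision(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, fold=True)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def allowed_through_endpoint(role_policy, endpoint_policy, action, resource):
    """A call via the endpoint succeeds only if BOTH the identity policy and the
    endpoint policy allow it; the endpoint policy narrows, it never grants on its own."""
    return (policy_decision(role_policy, action, resource) == "Allow"
            and policy_decision(endpoint_policy, action, resource) == "Allow")
```

Run it against the sample policies: GetObject on company-data-bucket passes, while PutObject on the same bucket or GetObject on any other bucket is refused by the endpoint policy even though the role itself allows s3:* everywhere.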

āš ļø Exam Trap: Gateway endpoints are region-scoped — an S3 gateway endpoint in us-east-1 routes traffic to S3 in us-east-1. It does not provide private routing to S3 buckets in us-west-2. Cross-region S3 access from a private subnet still requires a NAT gateway (or S3 Transfer Acceleration via PrivateLink, which is a separate, more complex pattern). The exam may test whether you know that an endpoint doesn't automatically cover cross-region bucket access.

Reflection Question: An EC2 instance in a private subnet (no NAT gateway) needs to access an S3 bucket in the same region and call the Secrets Manager API. What two VPC endpoint types do you create, and what is the cost implication of each?

Written by Alvin Varughese