Get started with AWS VPC Endpoints


AWS VPC Endpoints allow you to privately connect your Virtual Private Cloud (VPC) to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an Internet gateway, NAT Gateway, VPN connection, or AWS Direct Connect. Communication occurs entirely over the Amazon network, providing enhanced security and lower latency compared to internet-based connections.
VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available Amazon VPC components that allow communication between instances in an Amazon VPC and services without imposing availability risks or bandwidth constraints on network traffic.
There are two main types of VPC Endpoints:
Interface Endpoint: Uses an Elastic Network Interface (ENI) in your VPC, powered by AWS PrivateLink, to connect to AWS services (e.g., S3 or DynamoDB), AWS partner services, or services hosted in other AWS accounts. Interface endpoints currently support many AWS managed services. Check the documentation for VPC endpoints for the list of AWS services that are available over AWS PrivateLink.
Gateway Endpoint: A gateway endpoint targets specific IP routes in an Amazon VPC route table, in the form of a prefix list, for traffic destined to Amazon DynamoDB or Amazon Simple Storage Service (Amazon S3). Gateway endpoints do not use AWS PrivateLink.
Refer to the following figure, which shows connectivity to AWS services using VPC endpoints.
Image credits: AWS
Why Do We Need VPC Endpoints?
Enhanced Security:
- Avoid exposing resources to the public internet.
- All traffic between your VPC and AWS services remains within the AWS network.
Reduced Latency:
- Data travels directly within the AWS global infrastructure, reducing latency compared to public internet communication.
Cost Optimization:
- Avoid data transfer costs associated with internet gateways or NAT gateways.
- Keep in mind these rules: use Interface Endpoints if you are accessing no more than 4 different services; for S3 and DynamoDB access, use a Gateway Endpoint. Creation of Gateway Endpoints is free of charge, while Interface Endpoints incur some additional costs.
Compliance and Isolation:
- Meet strict compliance and regulatory requirements by avoiding internet-bound data transfers.
Simplified Architecture:
- Eliminate the need for complex network configurations such as NAT gateways or VPNs for AWS service access.
Use Cases for VPC Endpoints
Private S3 Access:
- Organizations want to securely access Amazon S3 buckets from their VPC without traversing the public internet.
Database Communication:
- Securely interact with AWS database services such as DynamoDB or RDS Proxy using interface endpoints.
Image credits: AWS News Blog
Access Third-Party Services:
- Use AWS PrivateLink to access SaaS applications securely from your VPC.
The following diagram shows how you use VPC endpoints to connect to SaaS products. The service provider creates an endpoint service and grants their customers access to the endpoint service. As the service consumer, you create an interface VPC endpoint, which establishes connections between one or more subnets in your VPC and the endpoint service.
On-Premises Integration:
- For hybrid cloud environments, VPC endpoints allow secure communication between on-premises systems and AWS services.
Image credits: Fabricio Mariani
Data Privacy for Lambda/Containers:
- If AWS Lambda functions or containerized applications (on ECS/EKS) need to access AWS services like SQS, SNS, or S3, VPC endpoints provide a private communication path.
How VPC Endpoints Work
Interface Endpoints:
- Create an Elastic Network Interface in your VPC, which acts as the entry point to the AWS service. Use endpoint-specific DNS names to route traffic to the service via the interface endpoint.
Gateway Endpoints:
- Add a route in your route table pointing to the endpoint for the target service.
- Traffic destined for the service is routed through the gateway.
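As an added example (not from the original post), the two mechanisms above expressed as Terraform: a gateway endpoint that installs the S3 prefix-list route into a route table, and an interface endpoint whose ENI answers for the service's regional DNS name. It assumes an existing VPC `aws_vpc.main`, private subnet `aws_subnet.private`, route table `aws_route_table.private`, and variables `var.region` and `var.bucket` (all hypothetical names).

```hcl
# Assumed to already exist: aws_vpc.main, aws_subnet.private,
# aws_route_table.private, var.region and var.bucket (hypothetical names).

# Gateway endpoint for S3: adds a route for the S3 prefix list to the private
# route table, so traffic to S3 never needs an internet gateway or NAT gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]

  # Endpoint policy: only the named bucket is reachable through this endpoint,
  # which limits where data inside the VPC can be copied to over the endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyOurBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::${var.bucket}",
        "arn:aws:s3:::${var.bucket}/*",
      ]
    }]
  })
}

# Security group for the interface endpoint ENI: accept HTTPS only from the VPC.
resource "aws_security_group" "endpoint" {
  name   = "vpce-https-from-vpc"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# Interface endpoint for SQS: creates an ENI in the private subnet. With private
# DNS enabled, sqs.<region>.amazonaws.com resolves to that ENI inside the VPC,
# so application code needs no endpoint-specific hostname.
resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.endpoint.id]
  private_dns_enabled = true
}
```

Because the endpoint policy restricts resources, anything else in the VPC that fetches from S3-backed services (for example Amazon Linux package repositories or ECR image layers) will fail until its buckets are added to the policy.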
Example Scenarios
Enterprise Applications:
- A financial organization needs to process sensitive customer data stored in S3. A VPC Gateway Endpoint ensures that traffic stays within the AWS network.
Multi-Account Access:
- A central VPC provides shared services (e.g., S3, DynamoDB) to multiple accounts using VPC endpoints, eliminating the need for internet gateways or NAT gateways.
SaaS Consumption:
- A SaaS provider offers services via AWS PrivateLink. Customers can create interface endpoints in their VPCs to privately access the SaaS application.
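For the financial-organization scenario above, an added example (not from the original post) of the bucket-side control that makes the gateway endpoint the only path to the data: an S3 bucket policy that denies any request not arriving through that endpoint. It assumes the endpoint resource `aws_vpc_endpoint.s3` and the bucket name `var.bucket` (hypothetical names).

```hcl
# Assumed: aws_vpc_endpoint.s3 is the S3 gateway endpoint and var.bucket the
# bucket name (hypothetical names).
resource "aws_s3_bucket_policy" "private_only" {
  bucket = var.bucket

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessViaGatewayEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::${var.bucket}",
        "arn:aws:s3:::${var.bucket}/*",
      ]
      # aws:SourceVpce is set only on requests that entered S3 through a VPC
      # endpoint; requests from the public internet do not carry it and are denied.
      Condition = {
        StringNotEquals = {
          "aws:SourceVpce" = aws_vpc_endpoint.s3.id
        }
      }
    }]
  })
}
```

This Deny also applies to the AWS console and to whatever principal runs Terraform from outside the VPC, so exclude an administrative role (for example with an additional `aws:PrincipalArn` condition) before applying it.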
Benefits Recap
- Private Connectivity: Traffic never leaves the AWS network.
- Simplified Security: Reduced exposure to public threats.
- Improved Performance: Lower latency and higher throughput.
- Cost Savings: Minimized data transfer costs that would otherwise be incurred through NAT gateways.
By implementing VPC Endpoints, organizations can securely and efficiently connect their VPCs to essential AWS services and third-party applications, aligning with best practices for cloud security and performance optimization.
Written by Maxat Akbanov

Hey, I'm a postgraduate in Cyber Security with practical experience in Software Engineering and DevOps Operations. The top player on the TryHackMe platform, multilingual speaker (Kazakh, Russian, English, Spanish, and Turkish), curious person, bookworm, geek, sports lover, and just a good guy to speak with!