Overview
By default, AWS services are accessed via public URLs over the internet.
VPC Endpoints, powered by AWS PrivateLink, allow you to connect to AWS services over the AWS private network, avoiding public internet exposure.
AWS PrivateLink is a fully managed service that enables private connectivity between Virtual Private Clouds (VPCs), AWS services, and supported third-party SaaS applications over the AWS network, without exposing traffic to the public internet.
- Provide private connectivity from within your VPC.
- Remove the need for:
- Internet Gateway (IGW)
- NAT Gateway (NATGW)
- Highly available and horizontally scalable.
Troubleshooting Tips
- Verify DNS resolution in your VPC.
- Ensure route tables direct traffic to the VPC Endpoint.
Types of VPC Endpoints
1. Interface Endpoints (PrivateLink)
- Creates an Elastic Network Interface (ENI) with a private IP in your subnet.
- Entry point to the AWS service.
- Must be associated with a security group.
- Supports most AWS services.
- Pricing: Per hour + per GB processed.
2. Gateway Endpoints
- Adds a gateway target in your route table.
- No security groups required.
- Supports only:
- Amazon S3
- Amazon DynamoDB
- Free of charge.
Architecture Examples
- Interface Endpoint:
Private Subnet β ENI β AWS service (e.g., SNS) via PrivateLink.
- Gateway Endpoint:
Private Subnet β Route Table entry β S3 or DynamoDB.
Gateway or Interface Endpoint for S3?
Exam Tip
- Prefer Gateway Endpoint for S3 in most cases β itβs free and simpler.
When to use Interface Endpoint
- Required for S3 access from:
- On-premises (via VPN or Direct Connect)
- Another VPC
- Another region
Lambda in a VPC Accessing DynamoDB
- Public internet access: Requires NAT Gateway + IGW (costly and more complex).
- Preferred: VPC Gateway Endpoint for DynamoDB β free, secure, and no NAT/IGW needed.
Β
Additional Notes:
AWS PrivateLink supports only TCP-based traffic. It cannot be used to route or expose UDP-based services, making it unsuitable for the on-premises UDP workload.