What is a VPC Endpoint in AWS?
A VPC Endpoint is a service that allows you to privately connect your Virtual Private Cloud (VPC) to supported AWS services without using:
- Internet Gateway
- NAT Gateway
- VPN
- AWS Direct Connect
This means your traffic never leaves the AWS network, which:
- Enhances security
- Reduces latency
- Simplifies architecture
VPC endpoints are powered by AWS PrivateLink (for interface endpoints), enabling secure and private communication between services.
How a VPC Endpoint Works
Explanation
- Your resource (e.g., Amazon EC2) sits inside a VPC
- Instead of routing traffic through the internet, it uses a VPC endpoint
- Traffic flows securely within AWS to services like Amazon S3
Real Interview Scenario
While preparing for the AWS Solutions Architect exam, I came across this question:
An application runs on EC2 in a VPC and needs to access logs stored in S3 without using the internet. What is the best solution?
Correct Answer: Create a Gateway VPC Endpoint for S3
Why is this the Correct Answer?
To understand this, we need to look at the two main types of VPC endpoints:
Types of VPC Endpoints
1. Gateway Endpoints
Gateway endpoints are used specifically for:
- Amazon S3
- Amazon DynamoDB
Key Characteristics:
- Works via route tables
- Traffic is routed internally within AWS
- Does NOT use PrivateLink
- No additional cost (only standard data transfer charges)
Why use it here?
Since the requirement is to access S3 privately, a Gateway Endpoint is the most efficient and cost-effective solution.
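As an added example (not from the original post), the Terraform below wires up the exam-scenario answer: a Gateway Endpoint for S3 attached to the private route table, an endpoint policy that limits the endpoint to the logs bucket, and a bucket policy that rejects requests not arriving through that endpoint. The VPC, route table, bucket and region variable (`aws_vpc.app`, `aws_route_table.private`, `aws_s3_bucket.logs`, `var.region`) are assumed to be defined elsewhere in the configuration.

```hcl
# Assumed to exist elsewhere: aws_vpc.app, aws_route_table.private,
# aws_s3_bucket.logs, var.region.

# Gateway endpoint: AWS adds a prefix-list route to the private route table,
# so EC2 instances reach S3 with no Internet Gateway or NAT Gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.app.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]

  # Endpoint policy: only the logs bucket is reachable through this path.
  # The default endpoint policy allows access to every bucket in S3.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyLogsBucketViaEndpoint"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:ListBucket"]
      Resource  = [aws_s3_bucket.logs.arn, "${aws_s3_bucket.logs.arn}/*"]
    }]
  })
}

# Bucket policy: deny any request that did not come through the endpoint,
# so leaked credentials cannot read the logs from the public internet.
# Caveat: this also blocks console/CLI access from outside the VPC.
resource "aws_s3_bucket_policy" "logs_vpce_only" {
  bucket = aws_s3_bucket.logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromS3Endpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.logs.arn, "${aws_s3_bucket.logs.arn}/*"]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id }
      }
    }]
  })
}
```

After `terraform apply`, the private route table shows a route to the S3 prefix list via the endpoint, and a `GetObject` from outside the VPC is denied by the bucket policy while the same call from EC2 in the VPC succeeds.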
2. Interface Endpoints
Interface endpoints are powered by AWS PrivateLink.
How it works:
- AWS creates Elastic Network Interfaces (ENIs) in your subnet
- Each ENI has a private IP address
- These act as entry points to AWS services
Key Characteristics:
- Supports many AWS services (not just S3/DynamoDB)
- Uses PrivateLink
- Incurs additional cost
- Works without internet access
Why Other Options Are Incorrect
- CloudWatch Logs approach → Changes the architecture unnecessarily
- IAM Role (Instance Profile) → Controls permissions, not network connectivity
- API Gateway + PrivateLink → Over-engineered and not required for S3 access
Why Use VPC Endpoints?
1. Enhanced Security
Traffic remains inside AWS—no exposure to the public internet.
2. Simplified Network Architecture
No need for:
- NAT Gateway
- Internet Gateway
- VPN
3. Improved Compliance
Helps meet regulatory requirements by keeping data private.
4. Reduced Cost
Avoid NAT Gateway charges and reduce data transfer costs.
| Feature | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Services | S3, DynamoDB | Many AWS services |
| Uses PrivateLink | ❌ No | ✅ Yes |
| Cost | Free | Charged |
| Mechanism | Route Table | ENI (Private IP) |
Conclusion
VPC Endpoints are a critical concept in AWS networking. They allow you to:
- Build secure architectures
- Avoid unnecessary internet exposure
- Optimize cost and performance
For S3 access specifically: always prefer Gateway Endpoints unless there is a special requirement.
