VPC Endpoints

VPC Endpoints Overview
Purpose: Enable private connections between your VPC and supported AWS services without requiring an Internet gateway, NAT device, VPN connection, or AWS Direct Connect.
Types:
Interface Endpoints (Powered by AWS PrivateLink)
Gateway Endpoints

Interface Endpoints

Definition: An Elastic Network Interface (ENI) with a private IP address serving as an entry point for traffic destined to a supported service.
Usage:
Connect VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services.
Secure access to services without using public IPs, avoiding Internet traversal.
Reachable from on premises (over VPN or AWS Direct Connect) and from peered VPCs in other Regions; the traffic stays on the AWS global backbone.
AWS PrivateLink:
Allows private access to services hosted on AWS in a highly available and scalable manner.
The consuming VPC can be in a different AWS Region from the endpoint, as long as the two VPCs are connected (VPC peering or AWS Transit Gateway).
Traffic stays within AWS’s global backbone network, not traversing the public Internet.
Permissions:
By default, IAM principals have no permissions to work with endpoints.
Grant them with IAM policies that allow the relevant EC2 actions, e.g. ec2:CreateVpcEndpoint, ec2:ModifyVpcEndpoint, ec2:DescribeVpcEndpoints and ec2:DeleteVpcEndpoints (an interface endpoint with private DNS enabled additionally needs route53:AssociateVPCWithHostedZone).
Supported Services: Long list of AWS services and AWS Marketplace services.

Gateway Endpoints

Definition: A gateway that serves as a target for a specified route in your route table, used for traffic destined to supported AWS services.
Supported Services:
Amazon S3
Amazon DynamoDB
EXAM TIP: Gateway Endpoints are exclusive to Amazon S3 and DynamoDB. They are free, Region-local, and used only by subnets whose route table is associated with the endpoint; they cannot be reached from on premises or from a peered VPC.

Key Points
Interface Endpoints (PrivateLink):
Use an ENI with a private IP.
Private access to services within and across regions.
No public IPs required.
Traffic stays within AWS backbone.
Gateway Endpoints:
Act as a target in your route table.
Only for Amazon S3 and DynamoDB.

Difference

                 Interface Endpoint                                            Gateway Endpoint
What             Elastic Network Interface with a private IP                   A gateway that is the target of a specific route
How              DNS entries resolve the service name to the ENI's private IP  The service's prefix list is the destination of a route in the route table
Which services   Most AWS services, plus PrivateLink endpoint services         Amazon S3 and DynamoDB only
                 (see the AWS documentation for the full list)
Security         Security groups on the ENI and a VPC endpoint policy          VPC endpoint policy only; no security groups, so control
                                                                               which subnets use it via route table association

Note that both endpoint types ship with a default endpoint policy of Allow * on * for Principal *. On an S3 or DynamoDB gateway endpoint that also permits reaching buckets and tables in other AWS accounts, so the policy should be narrowed (specific resources, or an aws:PrincipalOrgID / aws:PrincipalAccount condition).
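The table's "Security" row is the part that gets misconfigured in practice, so here is an added audit script (not part of the original page) that reads the output of `aws ec2 describe-vpc-endpoints` and flags three things: an endpoint still carrying AWS's default full-access policy, a gateway endpoint that no route table points at, and an AWS-service interface endpoint with private DNS switched off. The sample input is constructed; every ID, service name and organisation ID in it is made up.

```python
import json

# Constructed sample shaped like the "VpcEndpoints" list that
# `aws ec2 describe-vpc-endpoints` returns; IDs and names are made up.
SAMPLE_ENDPOINTS = [
    {   # S3 gateway endpoint left with the default policy and no route tables
        "VpcEndpointId": "vpce-0aaa1111bbbb2222c",
        "VpcEndpointType": "Gateway",
        "ServiceName": "com.amazonaws.us-east-1.s3",
        "RouteTableIds": [],
        "PolicyDocument": json.dumps({
            "Version": "2008-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "*", "Resource": "*"}],
        }),
    },
    {   # SSM interface endpoint: policy limited to one org, but private DNS off
        "VpcEndpointId": "vpce-0ddd3333eeee4444f",
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.us-east-1.ssm",
        "SubnetIds": ["subnet-0123456789abcdef0"],
        "Groups": [{"GroupId": "sg-0fedcba9876543210", "GroupName": "vpce-ssm"}],
        "PrivateDnsEnabled": False,
        "PolicyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "ssm:*", "Resource": "*",
                           "Condition": {"StringEquals":
                                         {"aws:PrincipalOrgID": "o-exampleorgid"}}}],
        }),
    },
]


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_access(policy_doc: str) -> bool:
    """True if a statement allows Principal * to do * on * with no Condition.

    That is the policy AWS attaches by default. On an S3 or DynamoDB gateway
    endpoint it also lets any principal reach buckets/tables in *other*
    accounts, i.e. an exfiltration path that bypasses NAT/proxy egress rules.
    """
    policy = json.loads(policy_doc)
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if ("*" in _as_list(principal)
                and "*" in _as_list(st.get("Action"))
                and "*" in _as_list(st.get("Resource"))):
            return True
    return False


def audit_endpoints(endpoints):
    """Return one finding string per problem found (empty list == clean)."""
    findings = []
    for ep in endpoints:
        eid, etype, svc = ep["VpcEndpointId"], ep["VpcEndpointType"], ep["ServiceName"]
        if is_full_access(ep.get("PolicyDocument", "{}")):
            findings.append(f"{eid} ({svc}): default full-access endpoint policy; "
                            "restrict Resource to your own buckets/tables or add an "
                            "aws:PrincipalOrgID / aws:PrincipalAccount condition")
        if etype == "Gateway" and not ep.get("RouteTableIds"):
            findings.append(f"{eid} ({svc}): gateway endpoint has no route table "
                            "association, so no subnet sends traffic through it "
                            "(it leaves via NAT/IGW instead)")
        # AWS-service interface endpoints only capture the service's public
        # hostname when private DNS is on. S3 is excluded because its interface
        # endpoints are normally addressed by endpoint-specific DNS names.
        if (etype == "Interface" and svc.startswith("com.amazonaws.")
                and not svc.endswith(".s3") and not ep.get("PrivateDnsEnabled")):
            findings.append(f"{eid} ({svc}): private DNS disabled; clients using the "
                            "default service hostname will bypass this endpoint")
    return findings


if __name__ == "__main__":
    for line in audit_endpoints(SAMPLE_ENDPOINTS):
        print("FINDING:", line)
```

To run it against a real account, replace SAMPLE_ENDPOINTS with `json.load(...)["VpcEndpoints"]` from `aws ec2 describe-vpc-endpoints --output json`. The private-DNS check is deliberately a heuristic: it only looks at endpoints for AWS services (com.amazonaws.*), because a PrivateLink endpoint service from another account has no public hostname to intercept.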


Exam Tips:
You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints (using AWS PrivateLink).
- A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network.
- Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region using VPC peering or AWS Transit Gateway.

AWS PrivateLink for Amazon S3

With AWS PrivateLink for Amazon S3, you can provision interface VPC endpoints (interface endpoints) in your virtual private cloud (VPC). These endpoints are directly accessible from applications that are on premises over VPN and AWS Direct Connect, or in a different AWS Region over VPC peering.
Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests to Amazon S3 over interface endpoints stay on the Amazon network. You can also access interface endpoints in your VPC from on-premises applications through AWS Direct Connect or AWS Site-to-Site VPN. For more information about how to connect your VPC with your on-premises network, see the AWS Direct Connect and AWS Site-to-Site VPN user guides.

Difference between gateway and interface endpoints for S3

                 Gateway endpoints for Amazon S3                 Interface endpoints for Amazon S3
Network path     Traffic remains on the AWS network              Traffic remains on the AWS network
Addressing       Use Amazon S3 public IP addresses               Use private IP addresses from your VPC to access Amazon S3
DNS              Use the same Amazon S3 DNS names                Use endpoint-specific Amazon S3 DNS names
On premises      Not reachable from on premises                  Reachable from on premises (VPN or Direct Connect)
Other Regions    Not reachable from another AWS Region           Reachable from a VPC in another Region via VPC peering or AWS Transit Gateway
Billing          Not billed                                      Billed (hourly per ENI/AZ plus data processing)
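Whichever S3 endpoint type is used, the two policies that actually enforce "private access" are the endpoint policy (what the endpoint will carry) and the bucket policy (what the bucket will accept). The following added example, not code from the page or from AWS, generates both for an S3 gateway endpoint and includes a small offline evaluator for the bucket policy's Deny so the well-known self-lockout can be checked before deployment. It covers the "Security" row of the earlier comparison table as well as this S3 section. The organisation ID, bucket name, endpoint ID and role ARN are placeholders; the condition keys aws:PrincipalOrgID, aws:SourceVpce and aws:PrincipalArn are real IAM keys, and the evaluator models only the two negated operators the policy uses.

```python
import json

# Placeholder identifiers, constructed for the example; replace with your own.
ORG_ID = "o-exampleorgid"
BUCKET = "acme-app-data"
ENDPOINT_IDS = ["vpce-0aaa1111bbbb2222c"]
BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/S3BreakGlass"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def endpoint_policy(bucket_names, org_id):
    """Endpoint policy for the S3 gateway endpoint: only principals that belong
    to org_id, and only the named buckets, can be reached through it. ListBucket
    is evaluated against the bucket ARN and object actions against bucket/*,
    so both ARNs are listed for every bucket."""
    resources = []
    for name in bucket_names:
        resources += [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgPrincipalsToNamedBucketsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def bucket_policy(bucket_name, vpce_ids, break_glass_role_arn):
    """Bucket policy for the other direction: deny any request that did not
    arrive through one of the listed endpoints. Console and off-VPC requests
    carry no aws:SourceVpce key at all, so a negated condition matches them.
    The break-glass role is exempted; without that exemption the policy also
    locks out every administrator (a classic self-lockout)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
            "Condition": {
                "StringNotEquals": {"aws:SourceVpce": list(vpce_ids)},
                "ArnNotEquals": {"aws:PrincipalArn": break_glass_role_arn},
            },
        }],
    }


def deny_applies(statement, request_ctx):
    """Minimal evaluator for the Deny statement above, enough to test it
    offline. Every condition must match for the statement to apply, and for
    the negated operators a key that is absent from the request context
    counts as a match, which is how IAM evaluates them."""
    for operator, pairs in statement["Condition"].items():
        if operator not in ("StringNotEquals", "ArnNotEquals"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, excluded in pairs.items():
            if request_ctx.get(key) in _as_list(excluded):
                return False  # condition did not match, so the Deny does not apply
    return True


if __name__ == "__main__":
    print(json.dumps(endpoint_policy([BUCKET], ORG_ID), indent=2))
    deny = bucket_policy(BUCKET, ENDPOINT_IDS, BREAK_GLASS_ROLE)["Statement"][0]
    dev = "arn:aws:iam::111122223333:role/Dev"
    # Developer via the console (no aws:SourceVpce in the request): denied.
    print(deny_applies(deny, {"aws:PrincipalArn": dev}))
    # Same developer from an instance in the VPC, via the gateway endpoint: allowed.
    print(deny_applies(deny, {"aws:PrincipalArn": dev, "aws:SourceVpce": ENDPOINT_IDS[0]}))
    # Break-glass role from anywhere: allowed.
    print(deny_applies(deny, {"aws:PrincipalArn": BREAK_GLASS_ROLE}))
```

The two policies do different jobs: the endpoint policy limits what can be pulled or pushed through the endpoint (it does nothing about traffic that leaves via a NAT gateway instead), while the bucket policy pins the bucket to the endpoint regardless of path. Before attaching the Deny to a production bucket, also account for S3 features that call the bucket on your behalf (replication, inventory, log delivery), since their requests carry no aws:SourceVpce either.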
