Irfan Satrio
Gateway Endpoints vs Interface Endpoints: What’s the Difference?

AWS provides several ways to keep your workloads connected without exposing them to the public internet. One of the most useful tools for this is the VPC Endpoint, which enables private access from your VPC to AWS services over the AWS internal network. There are two main types: Gateway Endpoints and Interface Endpoints. Each endpoint type serves a different purpose, so choosing the right one matters for security, performance, and cost.

What VPC Endpoints Actually Do

A VPC Endpoint creates a private path so your resources can reach specific AWS services without requiring:

  • Public IPs
  • Internet Gateways
  • NAT Gateways
  • Direct internet routing

Both endpoint types enable private connectivity, but they operate differently inside the VPC.

Gateway Endpoints (for S3 and DynamoDB)

Gateway Endpoints are the simpler option. They work by adding routes to your route tables so that traffic to S3 or DynamoDB stays within AWS.

Key characteristics

  • Attached to route tables — not subnets or resources
  • No hourly cost
  • Supports only S3 and DynamoDB
  • Scales automatically with no bandwidth limits
  • Works at the subnet level through routing

This makes Gateway Endpoints ideal for workloads that frequently interact with S3 or DynamoDB and need a predictable, low-cost way to stay private.

Example use case

A private application uploading logs to S3 can use a Gateway Endpoint to avoid NAT Gateway charges and keep all traffic on the internal AWS network.

Interface Endpoints (AWS PrivateLink)

Interface Endpoints work differently. Instead of modifying routes, they create Elastic Network Interfaces (ENIs) in your subnets. These ENIs act as private entry points for AWS services using PrivateLink.

Important traits

  • Creates ENIs with private IP addresses
  • Supports many AWS services (SSM, Secrets Manager, ECR, KMS, CloudWatch, etc.)
  • Charges per hour and per GB processed
  • Uses Security Groups for traffic filtering
  • Provides fine-grained, resource-level control

This makes Interface Endpoints ideal when you need controlled access to a wide range of AWS services.

Example use case

An EC2 instance retrieves secrets from AWS Secrets Manager through an Interface Endpoint, with Security Groups enforcing access restrictions.

How They Work Together

Both endpoint types enable private access, but through different mechanisms:

  • Gateway Endpoints use route tables to redirect S3/DynamoDB traffic.
  • Interface Endpoints expose AWS services as private IPs through ENIs.

In practice:

  • Use Gateway Endpoints for large, cost-sensitive workloads that rely heavily on S3 or DynamoDB.
  • Use Interface Endpoints when you need granular control or must access services beyond S3 and DynamoDB.

Choosing the Right Type

Use Gateway Endpoints when:

  • You only need S3 or DynamoDB
  • You want zero hourly cost
  • You need high throughput
  • You prefer subnet-wide behavior

Use Interface Endpoints when:

  • You need access to services like SSM, ECR, KMS, CloudWatch, or Secrets Manager
  • You want Security Group filtering
  • You need strict network isolation or compliance
  • You use PrivateLink for cross-VPC or third-party connectivity

Practical Examples

Private subnet accessing S3

  • Use Gateway Endpoint
  • Result: no internet exposure, no NAT cost

EC2 accessing Secrets Manager

  • Use Interface Endpoint
  • Result: controlled access through Security Groups

Microservices across VPCs

  • Use Interface Endpoint + PrivateLink
  • Result: no internet or VPC peering required

Fully isolated environment with no internet

  • Use Gateway Endpoint for S3
  • Result: workloads remain isolated but functional
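The first two practical examples above (a private subnet reaching S3 through a Gateway Endpoint, and EC2 reaching Secrets Manager through an Interface Endpoint) expressed as Terraform. This is an added example, not configuration from the original post: the VPC, subnet, route table, region, CIDR and bucket name are placeholders, and the endpoint policy on the S3 endpoint is an added least-privilege constraint that the post itself does not discuss.

```hcl
# Added example (not from the original post). All IDs below are placeholders.
variable "vpc_id"            { default = "vpc-PLACEHOLDER" }
variable "private_subnet_id" { default = "subnet-PLACEHOLDER" }
variable "private_rt_id"     { default = "rtb-PLACEHOLDER" }
variable "vpc_cidr"          { default = "10.0.0.0/16" }
variable "region"            { default = "us-east-1" }
variable "log_bucket"        { default = "example-log-bucket" }

# Gateway Endpoint: attached to the private route table, no hourly charge.
# The endpoint policy bounds what this private path may reach (it does not
# grant access by itself; IAM and bucket policies still apply).
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_rt_id]
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:PutObject"]
      Resource  = ["arn:aws:s3:::${var.log_bucket}/*"]
    }]
  })
}

# Interface Endpoint: an ENI in the private subnet, filtered by a Security
# Group that only admits HTTPS from inside the VPC.
resource "aws_security_group" "secretsmanager_endpoint" {
  name   = "secretsmanager-endpoint-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [var.private_subnet_id]
  security_group_ids  = [aws_security_group.secretsmanager_endpoint.id]
  # Private DNS makes secretsmanager.<region>.amazonaws.com resolve to the ENI
  private_dns_enabled = true
}
```

With Private DNS enabled, the AWS SDK on the instance needs no endpoint override; the regular service hostname resolves to the endpoint's private IP inside the VPC.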

Operational Notes

Gateway Endpoints

  • Very little maintenance
  • No Security Groups to configure
  • Easy to troubleshoot
  • Ideal for high-volume S3/DynamoDB traffic

Interface Endpoints

  • Requires correct Security Group configuration
  • Adds cost per AZ and per GB
  • Private DNS overrides the service's public hostname inside the VPC, which may affect applications that expect the public address
  • Creates multiple ENIs, increasing resource management

Tips for Working with VPC Endpoints

  • Use Gateway Endpoints whenever possible for S3 and DynamoDB
  • Keep SG rules simple for Interface Endpoints
  • Monitor the cost of multiple Interface Endpoints
  • Enable Private DNS for easier service access
  • Use clear naming conventions for all endpoints

Conclusion

Gateway Endpoints and Interface Endpoints both enable private access to AWS services, but they operate differently. Gateway Endpoints offer a simple, free, route-based option for S3 and DynamoDB, while Interface Endpoints provide ENI-based, security-controlled access to a wide range of AWS services.
