DEV Community

Ujjwal B Soni

AWS Interface Endpoint vs Gateway Endpoint

The connections between your apps and AWS services may need to stay within the AWS network for security or regulatory reasons, so that the traffic never crosses the public internet where a third party could intercept or tamper with your data. In this situation a VPC Endpoint can be used. However, there are two kinds of VPC Endpoint to choose from. How do you make the best decision? Does that require you to read through the extensive Amazon documentation for those services?

Fortunately, the decision is easy to make:

1) If the AWS service is DynamoDB or S3, use a Gateway Endpoint.

2) For every other service, use an Interface Endpoint.

Since most AWS services can be reached privately through this type of endpoint, let's start with the Interface VPC Endpoint.

In the diagram below, I use a private network path to link the EC2 instance to SQS. To set up the interface endpoint, I create an endpoint network interface in the same subnet as the EC2 instance and attach a security group with the appropriate access rules to that endpoint network interface. Once created, an interface endpoint must be approved by the service provider; for AWS services this happens automatically, and endpoint requests are accepted immediately.

[Diagram: EC2 instance reaching SQS through an interface endpoint network interface in the instance's subnet, protected by a security group]

A gateway endpoint is a little different. In the figure below, the gateway endpoint is created at the VPC level. I need to attach an endpoint policy to the gateway endpoint that allows access to the S3 service, and also add a route in the route table of subnet 10.18.0.0 so the EC2 instance has a path to the S3 bucket.

[Diagram: gateway endpoint at the VPC level, with an endpoint policy allowing S3 and a route in the 10.18.0.0 subnet's route table pointing at the endpoint]
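As an added example (not part of the original post), here are both endpoints from the two diagrams written as Terraform. The VPC, subnet and route-table IDs, the region, the VPC CIDR and the bucket name are placeholders to replace with your own, and the scoped S3 policy stands in for the default full-access policy a gateway endpoint gets when none is specified.

```hcl
# Added example, not the post's own code: the IDs, region, CIDR and bucket name below are assumptions.
variable "vpc_id"         { default = "vpc-EXAMPLE" }
variable "subnet_id"      { default = "subnet-EXAMPLE" }   # subnet holding the EC2 instance
variable "route_table_id" { default = "rtb-EXAMPLE" }      # route table of the 10.18.0.0 subnet
variable "vpc_cidr"       { default = "10.18.0.0/16" }     # assumed VPC CIDR
variable "region"         { default = "us-east-1" }
variable "bucket_name"    { default = "example-bucket" }

# Interface endpoint for SQS: an ENI in the instance's subnet, guarded by a security group.
resource "aws_security_group" "sqs_endpoint" {
  name   = "sqs-endpoint-sg"
  vpc_id = var.vpc_id

  # Only HTTPS from inside the VPC may reach the endpoint ENI.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [var.subnet_id]
  security_group_ids  = [aws_security_group.sqs_endpoint.id]
  private_dns_enabled = true   # SQS hostnames inside the VPC resolve to the endpoint ENI
}

# Gateway endpoint for S3: created at the VPC level, reached through a route-table
# entry and restricted by an endpoint policy rather than a security group.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.route_table_id]   # AWS adds the S3 prefix-list route here

  # The default endpoint policy is full access to all of S3; scope it to the one bucket needed.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource  = ["arn:aws:s3:::${var.bucket_name}", "arn:aws:s3:::${var.bucket_name}/*"]
    }]
  })
}
```

The endpoint policy only limits what can be reached through the endpoint; the instance's IAM role and the bucket policy still apply on top of it.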

In both scenarios, the traffic between the service consumer and the service provider never leaves the AWS network, so your data stays protected.
