
Wakeup Flower


VPC endpoint explained

A VPC endpoint lets you privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink — without using the public internet or NAT Gateway.

There are two types of VPC endpoints:

  1. Interface Endpoints (powered by PrivateLink) → create ENIs (Elastic Network Interfaces) with private IPs in your subnets.
  2. Gateway Endpoints → add a route to your route tables (S3 and DynamoDB only).

1. Gateway VPC Endpoints (limited)

These are implemented as route-table entries and currently support only:

Service           Description
----------------  -------------------------------------------------
Amazon S3         Private access to S3 buckets without internet.
Amazon DynamoDB   Private access to DynamoDB APIs without internet.

Example: You have an EC2 instance in a private subnet that uploads to S3 without requiring an internet gateway or NAT.
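As an added example (not code from the original post), this script shows the S3 case above end to end with the AWS CLI: it creates the gateway endpoint, attaches it to the private subnet's route table, scopes the endpoint with a least-privilege endpoint policy, and then applies a bucket policy that rejects any request that did not arrive through that endpoint. The VPC, route-table and bucket identifiers are placeholders; the CLI flags and the aws:sourceVpce condition key are real.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates an S3 gateway
# endpoint, attaches it to a private route table, scopes it with an endpoint
# policy, and locks the bucket to that endpoint. All ids and the bucket name
# are placeholders; the CLI flags and the aws:sourceVpce key are real.
set -eu

AWS="${AWS:-aws}"          # set AWS=echo to print the calls instead of running them
REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                  # placeholder
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-0123456789abcdef0}"  # placeholder: the private subnet's table
BUCKET="${BUCKET:-example-private-bucket}"                 # placeholder

# Endpoint policy (least privilege): instances behind this endpoint can reach
# this one bucket only, so the endpoint cannot be used to move data to a
# bucket outside your account.
endpoint_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::${BUCKET}", "arn:aws:s3:::${BUCKET}/*"]
  }]
}
EOF
}

# Gateway endpoints have no ENI and no security group: AWS adds a prefix-list
# route for S3 to every route table listed here. Prints the new endpoint id.
create_s3_gateway_endpoint() {
  "$AWS" ec2 create-vpc-endpoint \
    --region "$REGION" \
    --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Gateway \
    --service-name "com.amazonaws.${REGION}.s3" \
    --route-table-ids "$ROUTE_TABLE_ID" \
    --policy-document "$(endpoint_policy)" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Bucket policy: deny every request that did not come through the endpoint.
# A credential that leaks out of the VPC is then useless against this bucket.
bucket_policy() {
  vpce_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyUnlessViaVpcEndpoint",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::${BUCKET}", "arn:aws:s3:::${BUCKET}/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "${vpce_id}"}}
  }]
}
EOF
}

apply_bucket_policy() {
  "$AWS" s3api put-bucket-policy --bucket "$BUCKET" --policy "$(bucket_policy "$1")"
}

main() {
  vpce_id=$(create_s3_gateway_endpoint)
  apply_bucket_policy "$vpce_id"
  echo "gateway endpoint $vpce_id attached to $ROUTE_TABLE_ID; bucket $BUCKET restricted to it"
}

case "${1:-show}" in
  show)  endpoint_policy; bucket_policy "vpce-PLACEHOLDER" ;;  # print the policies only
  apply) main ;;                                               # create the endpoint and apply policies
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no arguments to review the two policies, and with `apply` to create the endpoint. The Deny statement applies to every principal, including administrators working from the console or from outside the VPC, so apply it only after confirming the endpoint id and keep a break-glass path (for example a second statement exempting a specific role) if your team needs one.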


2. Interface VPC Endpoints

These create Elastic Network Interfaces (ENIs) with private IPs inside your VPC and can connect to many AWS services.
Supported services include (but are not limited to):

Service                           Description
--------------------------------  ------------------------------------------
Amazon EC2 API                    EC2 instance management APIs.
Amazon EKS                        Access EKS API privately.
Amazon ECR (API & Docker)         Pull/push container images privately.
AWS Systems Manager               For managing EC2, Lambda, etc.
AWS Secrets Manager               Securely retrieve secrets without internet.
AWS Key Management Service (KMS)  Access KMS APIs privately.
CloudWatch Logs                   Send logs without public access.
CloudWatch Metrics                Access metrics securely.
API Gateway                       Private APIs.
AWS CodeBuild / CodePipeline      Access build/pipeline APIs privately.
AWS Lambda API                    Manage Lambda functions privately.
Amazon SNS                        Publish/subscribe messages privately.
Amazon SQS                        Queue access without internet.
AWS Service Catalog               Access catalog APIs privately.
Amazon EventBridge                Event bus APIs inside VPC.
Amazon SageMaker                  Access ML services without internet.
AWS CloudFormation                Deploy stacks without internet.

Tip: AWS regularly expands this list; check the current list of AWS services that integrate with PrivateLink in the AWS documentation.
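As an added example (not code from the original post), here is the interface-endpoint counterpart for one service from the table, AWS Secrets Manager. Unlike a gateway endpoint it creates ENIs, so it needs a security group; the script restricts that group to HTTPS from the VPC CIDR, enables private DNS so the normal service hostname resolves to the endpoint, scopes the endpoint policy to reading secrets under one prefix, and includes a check to run from an instance that confirms the hostname now resolves to a private address. The account id, VPC id, CIDR and subnet ids are placeholders; the CLI flags are real.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates an interface
# endpoint for AWS Secrets Manager with a tight security group, a scoped
# endpoint policy and private DNS, plus a resolver check. Ids, CIDR, account
# id and subnet ids are placeholders; the CLI flags are real.
set -eu

AWS="${AWS:-aws}"                          # set AWS=echo to print the calls instead of running them
REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # placeholder
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"  # placeholder
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"        # placeholder: only this range may reach the endpoint
SUBNET_IDS="${SUBNET_IDS:-subnet-0aaaaaaaaaaaaaaaa subnet-0bbbbbbbbbbbbbbbb}"  # placeholder: one private subnet per AZ

# Endpoint policy: whatever a caller's IAM policy allows, through this endpoint
# it can only read secrets under the prod/ prefix in this account.
endpoint_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": "arn:aws:secretsmanager:${REGION}:${ACCOUNT_ID}:secret:prod/*"
  }]
}
EOF
}

# The endpoint ENIs get a security group like any other ENI. Prints the group id.
create_endpoint_sg() {
  "$AWS" ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
    --group-name secretsmanager-vpce \
    --description "HTTPS from VPC to Secrets Manager endpoint" \
    --query GroupId --output text
}

# Only inbound 443 from inside the VPC; nothing from the internet can reach it.
allow_https_from_vpc() {
  "$AWS" ec2 authorize-security-group-ingress --region "$REGION" --group-id "$1" \
    --ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=${VPC_CIDR}}]"
}

# One ENI per listed subnet. --private-dns-enabled makes
# secretsmanager.<region>.amazonaws.com resolve to those ENIs inside the VPC,
# so SDK code keeps working unchanged and stops leaving through NAT/IGW.
create_interface_endpoint() {
  # SUBNET_IDS is intentionally unquoted so it splits into separate ids
  "$AWS" ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Interface \
    --service-name "com.amazonaws.${REGION}.secretsmanager" \
    --subnet-ids $SUBNET_IDS \
    --security-group-ids "$1" \
    --private-dns-enabled \
    --policy-document "$(endpoint_policy)" \
    --query VpcEndpoint.VpcEndpointId --output text
}

# RFC 1918 test for the DNS check (assumes the VPC uses private address space).
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run from an instance in the VPC: a public answer means the endpoint is not
# in use (private DNS, enableDnsHostnames or enableDnsSupport is off) and
# traffic is still going out through NAT/IGW.
check_private_dns() {
  host="secretsmanager.${REGION}.amazonaws.com"
  ip=$(getent hosts "$host" | awk '{print $1; exit}')
  if is_private_ip "$ip"; then
    echo "OK: $host -> $ip (VPC endpoint in use)"
  else
    echo "WARN: $host -> $ip (public address; endpoint not in use)" >&2
    return 1
  fi
}

main() {
  sg_id=$(create_endpoint_sg)
  allow_https_from_vpc "$sg_id" > /dev/null
  vpce_id=$(create_interface_endpoint "$sg_id")
  echo "interface endpoint $vpce_id created with security group $sg_id"
}

case "${1:-show}" in
  show)  endpoint_policy ;;       # print the endpoint policy only
  apply) main ;;                  # create the security group and endpoint
  check) check_private_dns ;;     # verify resolution from inside the VPC
  *)     echo "usage: $0 [show|apply|check]" >&2; exit 2 ;;
esac
```

The `check` step is the one most people skip: an interface endpoint that exists but whose private DNS is off, or whose security group blocks the instance's subnet, silently leaves traffic on the NAT path, and the first sign is usually the NAT Gateway bill rather than an error.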


Example: How VPC Endpoints help

Without endpoints:

Private Subnet EC2 → NAT Gateway → Internet Gateway → AWS Service

With endpoints:

Private Subnet EC2 → VPC Endpoint → AWS Service (no internet)

Benefits:

  • No internet exposure.
  • Lower latency.
  • Reduced NAT Gateway bandwidth and cost.
  • Better security and compliance.
