A VPC endpoint lets you privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink — without using the public internet or NAT Gateway.
There are two types of VPC endpoints:
- Interface Endpoints (powered by PrivateLink) → use ENIs (Elastic Network Interfaces).
- Gateway Endpoints → route traffic directly (for S3, DynamoDB).
1. Gateway VPC Endpoints (limited)
These work via route tables and currently only support:
| Service | Description |
|---|---|
| Amazon S3 | Private access to S3 buckets without internet. |
| Amazon DynamoDB | Private access to DynamoDB APIs without internet. |
Example: You have an EC2 instance in a private subnet that uploads to S3 without requiring an internet gateway or NAT.
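The two controls that make the S3 gateway endpoint above a security boundary rather than just a cheaper path are the endpoint policy (what the VPC may reach through the endpoint) and an `aws:SourceVpce` condition on the bucket side (which endpoint the bucket accepts). The following Python is an added example, not code from the original post: it builds both policy documents as plain dicts, and includes a small checker that flags the AWS default endpoint policy shape (`Allow * on *`), which is what you get if no policy is attached. The endpoint ID and bucket name are constructed placeholders.

```python
import json

# Constructed placeholder identifiers (not from the original post).
VPCE_ID = "vpce-0123456789abcdef0"   # placeholder gateway endpoint id
BUCKET = "example-private-bucket"    # placeholder bucket name


def gateway_endpoint_policy(bucket: str) -> dict:
    """Endpoint policy to attach to the S3 gateway endpoint.

    With no policy attached, the endpoint allows full access. This one limits
    what can leave the VPC through the private path to one bucket and to
    object read/write plus listing, so the endpoint cannot be used as a
    private route to arbitrary buckets.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyThisBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }


def bucket_policy_require_vpce(bucket: str, vpce_id: str) -> dict:
    """Bucket policy that denies any request not arriving via the endpoint.

    aws:SourceVpce is the condition key AWS sets for requests that came
    through a VPC endpoint; a request from the public internet has no such
    key, so StringNotEquals matches it and the Deny applies.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def _as_list(value):
    """IAM JSON allows a string or a list in Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def find_overly_broad_statements(policy: dict) -> list:
    """Return the Sids of unconditional Allow statements granting * on *."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wide_action = any(a in ("*", "s3:*") for a in actions)
        wide_resource = any(r == "*" for r in resources)
        if wide_action and wide_resource and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Shape of the AWS default endpoint policy (full access), for comparison.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}


if __name__ == "__main__":
    print(json.dumps(gateway_endpoint_policy(BUCKET), indent=2))
    print(json.dumps(bucket_policy_require_vpce(BUCKET, VPCE_ID), indent=2))
    print("default policy findings:",
          find_overly_broad_statements(DEFAULT_ENDPOINT_POLICY))
    print("scoped policy findings:",
          find_overly_broad_statements(gateway_endpoint_policy(BUCKET)))
```

The bucket-side Deny applies to every principal, including administrators working from outside the VPC, so in practice it is paired with an exception (for example an `aws:PrincipalArn` condition for a break-glass role) before it is applied.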
2. Interface VPC Endpoints
These create Elastic Network Interfaces (ENIs) with private IPs inside your VPC and can connect to many AWS services.
Supported services include (but are not limited to):
| Service | Description |
|---|---|
| Amazon EC2 API | EC2 instance management APIs. |
| Amazon EKS | Access the EKS API privately. |
| Amazon ECR (API & Docker) | Pull/push container images privately. |
| AWS Systems Manager | For managing EC2, Lambda, etc. |
| AWS Secrets Manager | Securely retrieve secrets without internet. |
| AWS Key Management Service (KMS) | Access KMS APIs privately. |
| CloudWatch Logs | Send logs without public access. |
| CloudWatch Metrics | Access metrics securely. |
| API Gateway | Private APIs. |
| AWS CodeBuild / CodePipeline | Access build/pipeline APIs privately. |
| AWS Lambda API | Manage Lambda functions privately. |
| Amazon SNS | Publish/subscribe messages privately. |
| Amazon SQS | Queue access without internet. |
| AWS Service Catalog | Access catalog APIs privately. |
| Amazon EventBridge | Event bus APIs inside the VPC. |
| Amazon SageMaker | Access ML services without internet. |
| AWS CloudFormation | Deploy stacks without internet. |
Tip: AWS regularly expands this list — check the AWS documentation for the current list of services that support VPC endpoints.
Example: How VPC Endpoints help
Without endpoints:
Private Subnet EC2 → NAT Gateway → Internet Gateway → AWS Service
With endpoints:
Private Subnet EC2 → VPC Endpoint → AWS Service (no internet)
Benefits:
- No internet exposure.
- Lower latency.
- Reduced NAT Gateway bandwidth and cost.
- Better security and compliance.
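The "without endpoints" and "with endpoints" paths above are decided by the subnet's route table: a gateway endpoint adds a route whose destination is the service's managed prefix list, and because those CIDRs are more specific than the `0.0.0.0/0` route to the NAT Gateway, longest-prefix match sends S3-bound traffic to the endpoint while everything else still goes out via NAT. The following Python is an added example, not code from the original post; it simulates that lookup with a constructed prefix list and constructed route tables (the CIDRs are stand-ins, not the real S3 prefix list), which is also a useful way to audit which destinations a private subnet can still reach through NAT.

```python
import ipaddress

# Constructed stand-in for a service prefix list (real S3 prefix lists are
# region-specific and contain different CIDRs).
PREFIX_LISTS = {
    "pl-s3-example": ["52.216.0.0/15", "3.5.0.0/19"],
}

# Constructed route tables for a private subnet (placeholder target ids).
ROUTE_TABLE_WITHOUT_ENDPOINT = [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "nat-0example"},
]

ROUTE_TABLE_WITH_ENDPOINT = ROUTE_TABLE_WITHOUT_ENDPOINT + [
    {"destination": "pl-s3-example", "target": "vpce-0example"},
]


def expand_routes(route_table):
    """Expand prefix-list routes into one (network, target) pair per CIDR."""
    expanded = []
    for route in route_table:
        dest = route["destination"]
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), route["target"]))
    return expanded


def resolve_target(route_table, dst_ip: str) -> str:
    """Longest-prefix match, the rule VPC route tables apply."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(route_table):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "blackhole"


def path_for(route_table, dst_ip: str) -> list:
    """Describe the hop sequence in the same terms as the diagram above."""
    target = resolve_target(route_table, dst_ip)
    if target.startswith("vpce-"):
        return ["Private Subnet EC2", "VPC Endpoint", "AWS Service"]
    if target.startswith("nat-"):
        return ["Private Subnet EC2", "NAT Gateway", "Internet Gateway",
                "AWS Service"]
    return ["Private Subnet EC2", target]


if __name__ == "__main__":
    s3_ip = "52.216.1.1"   # constructed address inside the stand-in prefix list
    print("without endpoint:", " -> ".join(path_for(ROUTE_TABLE_WITHOUT_ENDPOINT, s3_ip)))
    print("with endpoint:   ", " -> ".join(path_for(ROUTE_TABLE_WITH_ENDPOINT, s3_ip)))
    print("other internet:  ", " -> ".join(path_for(ROUTE_TABLE_WITH_ENDPOINT, "93.184.216.34")))
```

Two things follow from the lookup: the endpoint route only helps subnets whose route table it is associated with, and the NAT default route, if it stays, still carries every non-S3 destination. Removing or not creating that default route is what turns "S3 goes privately" into "only S3 is reachable".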