
What are AWS VPC Endpoints


Definition

An AWS VPC endpoint is a way to privately connect your VPC to supported AWS services (and, via AWS PrivateLink, to services hosted in other AWS accounts) without the traffic ever leaving the AWS network. No Internet Gateway, NAT device, VPN connection or Direct Connect link is needed for that traffic.

VPC endpoints are used because they improve security, reliability and performance by keeping traffic on the AWS private network instead of routing it over the Internet. Because the traffic passes through a resource you control, an endpoint can also carry an endpoint policy that restricts which principals, actions and resources are reachable through it; the default policy allows everything, so it is worth tightening.

Types of VPC endpoints

1. Gateway Endpoints

Gateway Endpoints provide connectivity to Amazon S3 and Amazon DynamoDB

They are implemented by adding routes to your VPC route tables

Key characteristics are:

  • no hourly cost

  • scalable

  • limited to S3 and DynamoDB, and usable only from resources inside the VPC itself (not over VPC peering, VPN or Direct Connect)

2. Interface Endpoints

Interface Endpoints (built on AWS PrivateLink) enable private access to most other AWS services as well as to your own or third-party services that are published through PrivateLink

They work by creating an Elastic Network Interface (ENI) with a private IP address in your (private) subnet; traffic to the service is sent to that private IP, and a security group attached to the ENI controls who can reach it

Key characteristics are:

  • flexibility; supports most other AWS services such as Secrets Manager, CloudWatch, STS, etc. With private DNS enabled, the service's normal hostname resolves to the endpoint's private IP, so clients need no configuration changes

  • has hourly and data processing costs

Trade-offs

When to use them?

  • No Internet Gateway or NAT Gateway in the VPC (isolated subnets that still need to reach AWS APIs)

  • Need for private access to AWS services

  • Strong security or compliance requirements

When not to use them?

  • Service does not support VPC endpoints

  • Need to access public endpoints outside AWS, which an endpoint cannot reach

  • Cost, since Interface endpoints incur hourly and per-GB charges (one endpoint per service per Availability Zone adds up)
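As an added example (not code from the original article), here is a small audit script covering the two endpoint types above and the "strong security or compliance requirements" case. It takes records shaped like the output of boto3's ec2.describe_vpc_endpoints() (the records below are constructed; the IDs and account number are made up) and flags two things a practitioner checks first: an endpoint that still carries the wide-open default policy (on an S3 gateway endpoint that permits exfiltration to buckets in any account) and an Interface endpoint with private DNS disabled (clients using the normal service hostname resolve public IPs and never use the endpoint).

```python
"""Audit VPC endpoint records for two common weaknesses.

Added example; not code from the original article.  Input is shaped like
boto3 ec2.describe_vpc_endpoints()['VpcEndpoints'], but the sample records
here are constructed for illustration.
"""
import json

# Constructed sample records (IDs and account number are made up).
SAMPLE_ENDPOINTS = [
    {
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60001",
        "VpcEndpointType": "Gateway",
        "ServiceName": "com.amazonaws.eu-west-1.s3",
        "RouteTableIds": ["rtb-0123456789abcdef0"],
        # The default endpoint policy: any principal, any action, any resource.
        "PolicyDocument": json.dumps({
            "Version": "2008-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "*", "Resource": "*"}],
        }),
    },
    {
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.eu-west-1.secretsmanager",
        "SubnetIds": ["subnet-0123456789abcdef0"],
        "PrivateDnsEnabled": False,
        # A tightened policy: callers and targets must both be in this account.
        "PolicyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow", "Principal": "*",
                "Action": "secretsmanager:GetSecretValue", "Resource": "*",
                "Condition": {"StringEquals": {
                    "aws:PrincipalAccount": "111111111111",
                    "aws:ResourceAccount": "111111111111"}},
            }],
        }),
    },
]


def _as_list(value):
    """IAM allows a string, a list, or (for Principal) a dict; normalise to a list."""
    if isinstance(value, dict):  # e.g. {"AWS": "*"} or {"AWS": [...]}
        value = [v for vals in value.values() for v in _as_list(vals)]
    return value if isinstance(value, list) else [value]


def statement_is_wide_open(stmt):
    """True for an Allow statement whose Principal, Action and Resource are all
    the literal "*" and which has no Condition to scope it (the default policy)."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    return all("*" in _as_list(stmt.get(field, []))
               for field in ("Principal", "Action", "Resource"))


def audit_endpoint(ep):
    """Return a list of finding strings for one endpoint record."""
    findings = []
    policy = json.loads(ep.get("PolicyDocument") or "{}")
    if any(statement_is_wide_open(s) for s in _as_list(policy.get("Statement", []))):
        findings.append("wide-open endpoint policy (default); scope it with "
                        "aws:PrincipalAccount / aws:ResourceAccount or aws:PrincipalOrgID")
    if ep.get("VpcEndpointType") == "Interface" and not ep.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled; clients using the default service hostname "
                        "resolve public IPs and do not use the endpoint")
    return findings


def audit(endpoints):
    """Map VpcEndpointId -> findings, listing only endpoints that have findings."""
    report = {}
    for ep in endpoints:
        findings = audit_endpoint(ep)
        if findings:
            report[ep["VpcEndpointId"]] = findings
    return report


if __name__ == "__main__":
    for vpce_id, findings in audit(SAMPLE_ENDPOINTS).items():
        for finding in findings:
            print(f"{vpce_id}: {finding}")
```

Against real data you would replace SAMPLE_ENDPOINTS with the VpcEndpoints list returned by describe_vpc_endpoints(); the first sample endpoint is reported for its default policy, the second for missing private DNS but not for its policy, because the Condition scopes it to a single account.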