
AWS Service Endpoints: Architecting Private Integrations

Specifying service endpoints for service integrations

This guide covers the critical skills required for the AWS Solutions Architect - Professional (SAP-C02) exam regarding Task 2.3: Specifying service endpoints for service integrations. You will learn how to design secure, reliable, and cost-effective communication paths between VPC resources and AWS services without traversing the public internet.

Learning Objectives

By the end of this module, you will be able to:

  • Differentiate between Interface, Gateway, and Gateway Load Balancer (GWLB) endpoints.
  • Configure routing and security controls (Endpoint Policies and Security Groups) for service integrations.
  • Evaluate the cost and architectural implications of different endpoint types.
  • Design hybrid connectivity scenarios allowing on-premises resources to access AWS services privately.

Key Terms & Glossary

  • AWS PrivateLink: A high-availability technology that provides private connectivity between VPCs, AWS services, and on-premises applications using the Amazon network.
  • VPC Endpoint: A virtual device that allows you to privately connect your VPC to supported AWS services and VPC endpoint services.
  • Elastic Network Interface (ENI): A logical networking component in a VPC that represents a virtual network card.
  • Endpoint Policy: An IAM resource-based policy attached to a VPC endpoint to control which AWS principals can use the endpoint to access the service.

The "Big Idea"

In high-security or regulated environments, traffic must never touch the public internet. Service Endpoints are the "secret tunnels" of AWS networking. Instead of sending traffic out through an Internet Gateway (IGW) to reach an AWS service's public URL, endpoints keep traffic entirely within the AWS global backbone, reducing latency and removing the traffic's exposure to the public internet.

Formula / Concept Box

| Feature | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Mechanism | Route Table target | Elastic Network Interface (ENI) |
| Primary Services | S3, DynamoDB | 100+ (Kinesis, SNS, EC2 APIs, etc.) |
| Cost | Free | Hourly charge + Per GB processed |
| Security | Endpoint Policies | Security Groups + Endpoint Policies |
| Access Method | VPC Prefix List in Route Table | Private DNS / Private IP |

Hierarchical Outline

  1. VPC Endpoint Types
    • Interface Endpoints (PrivateLink)
      • Uses an ENI with a private IP from the subnet.
      • Supports Security Groups to restrict source traffic.
      • Accessible via Direct Connect (DX) or Site-to-Site VPN.
    • Gateway Endpoints
      • Used exclusively for Amazon S3 and DynamoDB.
      • Requires an entry in the VPC Route Table (Prefix List).
      • Does not use ENIs or Private IPs directly.
    • Gateway Load Balancer (GWLB) Endpoints
      • Used for inline traffic inspection.
      • Connects to a fleet of virtual security appliances.
  2. Security and Governance
    • Endpoint Policies: JSON policies to restrict actions (e.g., allow s3:GetObject only for a specific bucket).
    • Least Privilege: Using IAM roles combined with endpoint policies.

Visual Anchors

Traffic Flow Logic


Network Architecture

```latex
% Requires \usetikzlibrary{positioning} in the preamble for the right=of / below=of syntax.
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, align=center, fill=blue!5}]
  \node (vpc) [minimum width=8cm, minimum height=4cm, label=above:VPC] {};
  \node (subnet) [minimum width=3cm, minimum height=2cm, right=of vpc.west, xshift=1cm, fill=green!5] {Private Subnet\\(EC2 Instance)};
  \node (eni) [right=of subnet, fill=orange!10] {Interface\\Endpoint (ENI)};
  \node (s3) [right=of eni, xshift=1cm, fill=yellow!10] {AWS Service\\(e.g., Kinesis)};

  \draw[->, thick] (subnet) -- (eni) node[midway, above] {\small Private IP};
  \draw[->, thick] (eni) -- (s3) node[midway, above] {\small PrivateLink};
  \node (policy) [below=of eni, yshift=1cm, fill=red!5] {Endpoint Policy};
  \draw[dashed] (policy) -- (eni);
\end{tikzpicture}
```

Definition-Example Pairs

  • Interface Endpoint: An entry point for traffic targeting an AWS service via an ENI.
    • Example: Creating an interface endpoint for Amazon SNS so that EC2 instances in a private subnet can publish messages without needing a NAT Gateway.
  • Gateway Endpoint: A target for a specific route in your route table.
    • Example: Adding a route for pl-63a5400a (Amazon S3) to a private route table, allowing high-speed, no-cost data transfer to S3 buckets.
  • Endpoint Policy: A resource-based policy to control access.
    • Example: Attaching a policy to an S3 Gateway Endpoint that denies all requests except those originating from a specific AWS Organization ID.

Worked Examples

Scenario: Restricting S3 Access to a Specific Bucket

Goal: An architecture requires EC2 instances to upload logs to a specific bucket my-app-logs, but prohibits them from accessing any other S3 buckets (to prevent data exfiltration).

  1. Create Gateway Endpoint: Provision a Gateway Endpoint for S3 in the VPC.
  2. Modify Route Table: Associate the endpoint with the subnet's route table.
  3. Apply Policy: Attach the following policy to the endpoint:
```json
{
  "Statement": [
    {
      "Sid": "AllowAccessToSpecificBucket",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-app-logs",
        "arn:aws:s3:::my-app-logs/*"
      ]
    }
  ]
}
```
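
As an added example (not part of the guide), the following Python builds the worked example's bucket-scoped policy and the Organization-ID policy from the Definition-Example pairs, then evaluates sample S3 requests against them using a deliberately simplified model of endpoint-policy evaluation (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny; only the aws:PrincipalOrgID condition key is modelled). The Organization ID o-exampleorgid, the bucket names other than my-app-logs and the object keys are constructed values; the "Version" field is added here and is not in the guide's policy.

```python
import fnmatch
# Added example, not from the guide. Simplified endpoint-policy evaluation:
# explicit Deny wins, then any matching Allow grants, otherwise implicit deny.

def bucket_only_policy(bucket: str) -> dict:
    """The worked example's policy: Put/Get on one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAccessToSpecificBucket",
            "Principal": "*",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Effect": "Allow",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def org_only_policy(org_id: str) -> dict:
    """Allow everything, then deny any principal outside the given Organization (org_id is constructed)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
             "Action": "*", "Resource": "*"},
            {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
             "Action": "*", "Resource": "*",
             "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": org_id}}},
        ],
    }

def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match (* and ?) against one pattern or a list of patterns."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def endpoint_allows(policy: dict, action: str, resource: str, principal_org: str = "") -> bool:
    """True if the endpoint policy lets this request through to the service."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        expected_org = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:PrincipalOrgID")
        if expected_org is not None and principal_org == expected_org:
            continue  # StringNotEquals is false here, so the statement does not apply
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed
```

The endpoint policy is evaluated in addition to the caller's IAM permissions, so a role that may read every bucket still cannot reach other-bucket through this endpoint.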

Checkpoint Questions

  1. Which endpoint type should you choose for Amazon DynamoDB if your primary concern is minimizing cost? (Answer: Gateway Endpoint).
  2. True or False: Interface endpoints require an Internet Gateway to function. (Answer: False).
  3. How can you ensure that only specific IAM roles are allowed to use a VPC endpoint? (Answer: Use an Endpoint Policy).
  4. Which component is required to allow on-premises users to access an Interface Endpoint over a VPN? (Answer: The Interface Endpoint's Private IP and DNS resolution).

Muddy Points & Cross-Refs

[!IMPORTANT] Interface vs. Gateway for S3: S3 is unique because it supports both types.

  • Use Gateway for internal VPC traffic (it is free and simpler).
  • Use Interface (PrivateLink) if you need to access S3 from on-premises via DX/VPN or from a different Region via VPC Peering.

Cross-References:

  • Refer to Route 53 Resolver (Inbound/Outbound Endpoints) for complex hybrid DNS scenarios.
  • See Security Groups documentation for controlling traffic at the ENI level of an Interface Endpoint.

Comparison Tables

Comparison: Service Accessibility

| Requirement | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Access from On-Premises | No (Unless via Proxy) | Yes (Directly via VPN/DX) |
| Access across Peered VPCs | No | Yes |
| DNS Support | Public S3/DynamoDB DNS | Private DNS names supported |
| Network Layer | Layer 3 (Routing) | Layer 2/3 (ENI) |
