AWS Service Endpoints: Architecting Secure Private Integrations
Using service endpoints for service integrations
This guide covers the critical networking strategies for connecting VPC resources to AWS services and external SaaS providers using VPC Endpoints, a core requirement for the AWS SAP-C02 exam.
Learning Objectives
After studying this guide, you should be able to:
- Distinguish between the three types of VPC endpoints: Interface, Gateway, and GWLB.
- Design secure connectivity patterns that avoid the public internet.
- Implement endpoint policies to enforce the principle of least privilege.
- Architect hybrid connectivity solutions using PrivateLink for on-premises access.
Key Terms & Glossary
- AWS PrivateLink: A technology that provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
- ENI (Elastic Network Interface): A logical networking component in a VPC that represents a virtual network card.
- Service Provider: The owner of the service being accessed (e.g., AWS or a 3rd party SaaS).
- Service Consumer: The VPC or on-premises environment initiating the request.
The "Big Idea"
In a traditional architecture, resources in a private subnet require a NAT Gateway and Internet Gateway to reach AWS public services (like S3 or DynamoDB). VPC Endpoints flip this paradigm by bringing the service into your VPC. This enhances security by keeping traffic within the AWS global network backbone, reduces data transfer costs, and simplifies compliance by ensuring data never touches the public internet.
Formula / Concept Box
| Endpoint Type | Powered By | Placement | Routing Mechanism |
|---|---|---|---|
| Interface | PrivateLink | ENI in Subnet | DNS (Private IP) |
| Gateway | VPC Feature | VPC-wide | Route Table Entry (Prefix List) |
| GWLB | PrivateLink | ENI in Subnet | Route Table (Next Hop) |
Hierarchical Outline
- VPC Endpoints Overview
- Virtual devices that scale horizontally.
- No Public IP, IGW, or VPG required.
- Interface Endpoints
- Uses Elastic Network Interfaces (ENI) with private IPs.
- Supports Security Groups for network-level access control.
- Supports Endpoint Policies (IAM resource-based).
- Gateway Endpoints
- Specifically for Amazon S3 and DynamoDB.
- No cost for the endpoint itself.
- Uses Prefix Lists in Route Tables.
- Gateway Load Balancer (GWLB) Endpoints
- Used for inline traffic inspection (security appliances).
- Directs traffic through a fleet of firewalls or IDS/IPS.
Visual Anchors
- Traffic Flow Comparison (figure not included in this text)
- Interface Endpoint Architecture (figure not included in this text)
Definition-Example Pairs
- Interface Endpoint: An entry point for traffic targeting a supported AWS service.
- Example: Creating an interface endpoint for Kinesis so your EC2 instances can ingest data without an Internet Gateway.
- Gateway Endpoint: A target in a route table for traffic destined for S3 or DynamoDB.
- Example: Adding a route for `pl-63a5400a` (S3 Prefix List) pointing to `vpce-1a2b3c4d` to allow private S3 access.
- Endpoint Policy: An IAM policy attached to a VPC endpoint to control which principals can use it.
- Example: A policy on an S3 Interface Endpoint that only allows `s3:GetObject` actions on a specific bucket.
Worked Examples
Scenario: Secure Hybrid Access to S3
Goal: An on-premises application needs to upload files to an S3 bucket privately over Direct Connect.
- The Problem: Gateway Endpoints for S3 cannot be reached from on-premises via Direct Connect/VPN.
- The Solution: Use an Interface Endpoint for S3.
- Step-by-Step:
- Step 1: Create an S3 Interface Endpoint in the VPC.
- Step 2: Configure the on-premises DNS to resolve S3 DNS names to the private IP of the Interface Endpoint ENIs.
- Step 3: Update the S3 Bucket Policy to only allow traffic coming from that specific `aws:SourceVpce`.
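As an added example (not from this guide), here are the two policies described in the Definition-Example Pairs and in Step 3 above, with a simplified evaluator showing how they layer: the endpoint policy permits only `s3:GetObject` on one bucket, and the bucket policy denies any request that does not carry that endpoint's `aws:SourceVpce`. The endpoint ID and bucket name are constructed placeholders, and the evaluator ignores identity policies; the on-premises upload in the scenario would additionally need `s3:PutObject` in the endpoint policy's Action list.

```python
import fnmatch

VPCE_ID = "vpce-1a2b3c4d"          # constructed placeholder endpoint id
BUCKET = "example-private-bucket"  # constructed placeholder bucket name

# Endpoint policy (attached to the VPCE): only s3:GetObject on one bucket.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Bucket policy (attached to the bucket): deny anything not arriving through
# the endpoint. StringNotEquals also fires when the key is absent entirely.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, ctx):
    """True when Action, Resource and Condition (StringNotEquals only) match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
    # The condition holds unless the request context carries exactly that value.
    return all(ctx.get(key) != expected for key, expected in not_equals.items())

def is_allowed(action, resource, ctx):
    """Simplified model: an explicit Deny in the bucket policy wins; otherwise
    the endpoint policy must hold a matching Allow."""
    for stmt in BUCKET_POLICY["Statement"]:
        if stmt["Effect"] == "Deny" and _matches(stmt, action, resource, ctx):
            return False
    return any(stmt["Effect"] == "Allow" and _matches(stmt, action, resource, ctx)
               for stmt in ENDPOINT_POLICY["Statement"])
```

`ctx` stands in for the request context that S3 sees; a request that never traversed the endpoint has no `aws:SourceVpce` key at all, and the Deny still applies.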
Checkpoint Questions
- Which endpoint type requires a route table modification to function?
- True or False: Interface endpoints support Security Groups to control inbound traffic to the ENI.
- How many Gateway Endpoints can you have for DynamoDB in a single VPC?
- Can you access a Gateway Endpoint via a VPC Peering connection?
[!TIP] Answers: 1. Gateway and GWLB Endpoints. 2. True. 3. One per service per VPC (though you can have multiple endpoints for different route tables). 4. No, Gateway Endpoints do not support transitive routing; use Interface Endpoints if transit is required.
Muddy Points & Cross-Refs
- DNS Resolution: One of the biggest points of confusion is "Enable Private DNS." If enabled, AWS associates the public service DNS name (e.g., `ec2.us-east-1.amazonaws.com`) with the private IP of your Interface Endpoint. This makes the transition transparent to your code.
- Cross-Region Access: Gateway endpoints are restricted to the same region. Interface endpoints can be reached cross-region via VPC Peering or Transit Gateway.
Comparison Tables
| Feature | Interface Endpoint | Gateway Endpoint |
|---|---|---|
| Cost | Hourly rate + Data processed | Free |
| Services Supported | 200+ (SQS, SNS, STS, etc.) | S3, DynamoDB ONLY |
| Access from On-Prem | Yes (Direct Connect/VPN) | No |
| Security Mechanism | Security Groups & Endpoint Policies | Endpoint Policies only |
| Implementation | ENI in specific subnets | Route Table entry |