Interface Endpoints & Gateway Endpoints
Amazon VPC (Virtual Private Cloud) supports two types of endpoints for connecting to AWS services privately: Interface VPC Endpoints and Gateway VPC Endpoints.
These two endpoint types serve different purposes and are used for connecting to different AWS services.
INTERFACE VPC ENDPOINTS
Interface VPC Endpoints are used to connect to AWS services that are powered by AWS PrivateLink, such as Amazon S3, EC2, CloudWatch Logs and ECR.
You can also create Interface VPC Endpoints for certain AWS Marketplace partner services that support PrivateLink.
Interface VPC Endpoints use Elastic Network Interfaces (ENIs) within your VPC to establish private connections to the AWS service's endpoint. Each ENI is assigned a private IP address within your VPC.
Interface VPC Endpoints are subject to the security groups and network ACLs of your VPC, allowing you to apply network security controls to the traffic going through these endpoints.
You can configure the routing and security for each individual Interface VPC Endpoint separately.
GATEWAY VPC ENDPOINTS
Gateway VPC Endpoints are used specifically for connecting to Amazon S3 and Amazon DynamoDB over a private connection.
Gateway VPC Endpoints are associated with the route table of your VPC. This means that any traffic destined for the specified AWS service is automatically routed through the endpoint.
Gateway VPC Endpoints do not use security groups or network ACLs. They rely solely on the VPC's route table for routing traffic to the service.
Gateway VPC Endpoints route traffic directly to the specified AWS service without the need for public internet access, making them ideal for Amazon S3 and DynamoDB.
SUMMARY
In summary, Interface VPC Endpoints are used for a broader range of AWS services and provide more granular control over routing and security.
On the other hand, Gateway VPC Endpoints are specific to Amazon S3 and DynamoDB and are simpler to set up as they directly connect your VPC to these services via the VPC's route table.
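The control planes described above differ by endpoint type: a gateway endpoint only does anything once it is associated with a route table, while an interface endpoint depends on its ENIs, security groups and private DNS. Both types carry an endpoint policy. The following audit script is an added example, not part of this article; it runs over constructed data shaped like `aws ec2 describe-vpc-endpoints` output (all IDs are placeholders) and flags the misconfigurations a reviewer would look for in each type.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output (subset
# of fields); endpoint, route table and security group IDs are placeholders.
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                         "Action": "*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "RouteTableIds": ["rtb-0111"], "PolicyDocument": SCOPED_POLICY},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "RouteTableIds": [], "PolicyDocument": OPEN_POLICY},  # no route table
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.logs", "PrivateDnsEnabled": True,
     "Groups": [{"GroupId": "sg-0999"}], "PolicyDocument": OPEN_POLICY},
    {"VpcEndpointId": "vpce-0ddd", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ecr.api", "PrivateDnsEnabled": False,
     "Groups": [{"GroupId": "sg-0999"}], "PolicyDocument": SCOPED_POLICY},
]

def allows_everything(policy_json):
    """True if some statement grants any principal any action on any resource."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        if "*" in actions and "*" in resources:
            return True
    return False

def audit_endpoint(ep):
    findings = []
    if ep["VpcEndpointType"] == "Gateway" and not ep.get("RouteTableIds"):
        # A gateway endpoint only carries traffic through route table associations.
        findings.append("gateway endpoint is not associated with any route table")
    if ep["VpcEndpointType"] == "Interface" and not ep.get("PrivateDnsEnabled"):
        # Without private DNS the default service hostname resolves to the public endpoint.
        findings.append("private DNS disabled: default hostnames bypass the endpoint")
    if allows_everything(ep.get("PolicyDocument", "{}")):
        findings.append("endpoint policy allows any principal any action")
    return findings

def audit(endpoints):
    return {ep["VpcEndpointId"]: audit_endpoint(ep) for ep in endpoints}
```

Feed it the `VpcEndpoints` list from a real `describe-vpc-endpoints` call to review an account; the DynamoDB sample shows the common case of a gateway endpoint that exists but is attached to no route table, so its traffic still leaves through NAT.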
Summary
| Feature/Type | VPC Endpoint | VPC Endpoint Service (PrivateLink) | Gateway Endpoints | Interface Endpoints |
|---|---|---|---|---|
| Supported Services | Many AWS services | Your own services | S3, DynamoDB | Many AWS services |
| Implementation | General term | Exposing services | Uses route tables | Uses ENIs |
| Configuration | Route tables or ENIs | Requires NLB | Update route tables | Create ENIs |
| Usage | Access AWS services | Allow others to access your service | Access S3/DynamoDB privately | Access AWS services privately |
| Control | Security groups, policies | Accept/reject connections, NLB policies | Route table configuration | Security groups, policies |
| Example Use Case | Connect to S3 privately | Microservices across VPCs | Access S3 without NAT Gateway | Access SNS from VPC |