Interface Endpoints & Gateway Endpoints


3 min read

Table of contents

Amazon VPC (Virtual Private Cloud) supports two types of endpoints for connecting to AWS services privately: Interface VPC Endpoints and Gateway VPC Endpoints.

These two endpoint types serve different purposes and are used for connecting to different AWS services


Interface VPC Endpoints are used to connect to AWS services that are powered by AWS PrivateLink, such as Amazon S3,ec2 , cloudwatch logs , ECR

You can also create Interface VPC Endpoints for certain AWS Marketplace partner services that support PrivateLink.

Interface VPC Endpoints use Elastic Network Interfaces (ENIs) within your VPC to establish private connections to the AWS service's endpoint. Each ENI is assigned a private IP address within your VPC.

Interface VPC Endpoints are subject to the security groups and network ACLs of your VPC, allowing you to apply network security controls to the traffic going through these endpoints.

You can configure the routing and security for each individual Interface VPC Endpoint separately.


Gateway VPC Endpoints are used specifically for connecting to Amazon S3 and Amazon DynamoDB over a private connection.

Gateway VPC Endpoints are associated with the route table of your VPC. This means that any traffic destined for the specified AWS service is automatically routed through the endpoint.

Gateway VPC Endpoints do not use security groups or network ACLs. They rely solely on the VPC's route table for routing traffic to the service.

Gateway VPC Endpoints route traffic directly to the specified AWS service without the need for public internet access, making them ideal for Amazon S3 and DynamoDB.


In summary, Interface VPC Endpoints are used for a broader range of AWS services and provide more granular control over routing and security.

On the other hand, Gateway VPC Endpoints are specific to Amazon S3 and DynamoDB and are simpler to set up as they directly connect your VPC to these services via the VPC's route table.


Feature/TypeVPC EndpointVPC Endpoint Service (PrivateLink)Gateway EndpointsInterface Endpoints
Supported ServicesMany AWS servicesYour own servicesS3, DynamoDBMany AWS services
ImplementationGeneral TermExposing servicesUses Route TablesUses ENIs
ConfigurationRoute Tables or ENIsRequires NLBUpdate Route TablesCreate ENIs
UsageAccess AWS ServicesAllow others to access your serviceAccess S3/DynamoDB privatelyAccess AWS services privately
ControlSecurity Groups, PoliciesAccept/Reject Connections, NLB PoliciesRoute Table ConfigurationSecurity Groups, Policies
Example Use CaseConnect to S3 privatelyMicroservices across VPCsAccess S3 without NAT GatewayAccess SNS from VPC