- VPC Endpoints let you reach AWS services over the AWS private network instead of across the public internet
- They scale horizontally and are redundant
- No more IGW, NAT Gateway, etc. needed just to reach AWS services from a private subnet
- VPC Endpoint Gateway (S3 & DynamoDB)
- VPC Endpoint Interface (all except DynamoDB)
- In case of issues:
- Check the DNS resolution settings of your VPC (DNS support / DNS hostnames) and that the service hostname resolves to the endpoint
- Check Route Tables
- Only works for S3 and DynamoDB; you must create one gateway endpoint per VPC
- Must update route table entries (no security groups!)
- Gateway is defined at the VPC level
- DNS resolution must be enabled in the VPC
- The same public hostname for S3 keeps working; the prefix-list route in the route table sends that traffic through the endpoint
- Gateway endpoint cannot be extended out of a VPC (VPN, DX, TGW, peering)
- Provisions an ENI (with a private IP in your subnet) that gets a private, endpoint-specific hostname
- Security is enforced with Security Groups attached to that ENI (endpoint policies can be added on top)
- Private DNS (setting when you create the endpoint)
- The public hostname of the service will resolve to the private Endpoint Interface hostname
- VPC settings "Enable DNS hostnames" and "Enable DNS support" must both be true
- Example for Athena:
- vpce-0b7d2995e9dfe5418-mwrths3x.athena.us-east-1.vpce.amazonaws.com
- vpce-0b7d2995e9dfe5418-mwrths3x-us-east-1a.athena.us-east-1.vpce.amazonaws.com
- vpce-0b7d2995e9dfe5418-mwrths3x-us-east-1b.athena.us-east-1.vpce.amazonaws.com
- athena.us-east-1.amazonaws.com (private DNS name)
- Interface endpoints can be accessed from Direct Connect and Site-to-Site VPN (unlike gateway endpoints)
- The traffic is routed through the endpoint ENI in the VPC to reach the service
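
The two troubleshooting checks above (DNS resolution and route tables) as code. This is an added example for these notes, not code from the course or from AWS: the inputs mimic what `dig +short <service hostname>` and `aws ec2 describe-route-tables` return, and every value in it (VPC CIDR, prefix-list ID, endpoint IDs, addresses) is constructed.

```python
"""Checks behind the two troubleshooting items: does the service hostname
resolve to the endpoint, and does the route table carry the gateway route.
Added example, not code from the notes or from AWS. Inputs mimic `dig +short`
and `aws ec2 describe-route-tables` output; all values are constructed."""
import ipaddress


def private_dns_effective(resolved_ips, vpc_cidr):
    """Interface endpoint: with Private DNS enabled the service's public
    hostname must resolve only to endpoint ENI addresses inside the VPC. Any
    public address means clients will try to exit via IGW/NAT instead."""
    net = ipaddress.ip_network(vpc_cidr)
    ips = [ipaddress.ip_address(ip) for ip in resolved_ips]
    return bool(ips) and all(ip in net for ip in ips)


def gateway_route_target(route_table, prefix_list_id):
    """Gateway endpoint: the subnet's route table needs an active route whose
    destination is the service prefix list (pl-...) and whose target is the
    vpce-... gateway. Returns the target, or None if the route is missing."""
    for route in route_table["Routes"]:
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("State") == "active"):
            return route.get("GatewayId")
    return None


def diagnose(vpc_attrs, vpc_cidr, resolved_ips, route_table, prefix_list_id):
    """Return a list of findings; an empty list means both paths look healthy."""
    findings = []
    if not vpc_attrs.get("EnableDnsSupport"):
        findings.append("VPC attribute enableDnsSupport is false")
    if not vpc_attrs.get("EnableDnsHostnames"):
        findings.append("VPC attribute enableDnsHostnames is false")
    if not private_dns_effective(resolved_ips, vpc_cidr):
        findings.append("service hostname resolves to public IPs: private DNS not effective")
    target = gateway_route_target(route_table, prefix_list_id)
    if target is None or not target.startswith("vpce-"):
        findings.append(f"no gateway endpoint route for {prefix_list_id}")
    return findings


# Constructed inputs for a healthy VPC: two endpoint ENIs (one per AZ) and the
# S3 prefix-list route pointing at the gateway endpoint.
HEALTHY_VPC = {"EnableDnsSupport": True, "EnableDnsHostnames": True}
HEALTHY_DNS = ["10.0.1.25", "10.0.2.37"]
HEALTHY_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationPrefixListId": "pl-0example1234", "GatewayId": "vpce-0a1b2c3d4e5f60001", "State": "active"},
]}

# Constructed inputs for a broken VPC: DNS hostnames disabled, public service
# IPs coming back, and the S3 prefix-list route never added.
BROKEN_VPC = {"EnableDnsSupport": True, "EnableDnsHostnames": False}
BROKEN_DNS = ["52.216.1.1", "52.216.1.2"]
BROKEN_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
]}

if __name__ == "__main__":
    for name, args in [("healthy", (HEALTHY_VPC, "10.0.0.0/16", HEALTHY_DNS, HEALTHY_RT, "pl-0example1234")),
                       ("broken", (BROKEN_VPC, "10.0.0.0/16", BROKEN_DNS, BROKEN_RT, "pl-0example1234"))]:
        print(name, diagnose(*args) or "ok")
```

The CIDR check assumes a single VPC CIDR; a VPC with secondary CIDR blocks would need all of them in the membership test. Run the DNS lookup from inside the VPC (an instance or a resolver endpoint), since the private hosted zone that Private DNS creates is only visible there.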
- Controls which AWS principals (AWS accounts, IAM users, IAM Roles) can use the VPC Endpoint to access AWS services
- Can be attached to both Interface Endpoint and Gateway Endpoint
- Can restrict specific API calls on specific resources
- Doesn’t override or replace Identity-based Policies or service-specific policies (e.g., S3 bucket policy)
- Note: use the aws:PrincipalOrgID condition key to restrict the endpoint to principals inside your Organization (blocks credentials from foreign accounts being used through your endpoint)
- VPC Endpoint Policy + Identity-based Policy
- VPC Endpoint Policy + Resource-based Policy + IAM Role
- Secrets Manager example: without a VPC Interface Endpoint, instances in private subnets would need a NAT Gateway and an Internet Gateway just to reach Secrets Manager, which is more complex and exposes the traffic to the public path
- Systems Manager example: connect to EC2 instances in private subnets that have no Internet access (Session Manager over interface endpoints for the ssm, ssmmessages and ec2messages services)
- Note: the S3 gateway endpoint policy must allow access to the S3 buckets SSM uses (substitute your region for region):
- arn:aws:s3:::patch-baseline-snapshot-region/*
- arn:aws:s3:::aws-ssm-region/*
- Any other S3 buckets required by SSM (e.g., your own buckets for logs or patch output)
- Note: for S3 Gateway Endpoint, update route tables
- Private REST APIs can only be accessed through a VPC Interface Endpoint for the execute-api service
- VPC Endpoint Policies can be used together with API Gateway resource policies
- Restrict access to your private APIs from VPC and VPC Endpoints using resource policies (aws:SourceVpc and aws:SourceVpce)
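
The three combinations above (endpoint policy + identity policy, endpoint policy + resource policy + role, and the API Gateway aws:SourceVpce condition) in a small evaluator, so the "doesn't override or replace" rule can be seen rather than read. This is an added example for these notes, not AWS code: it models only the IAM subset the notes use (Allow/Deny with Action, Resource and StringEquals/StringNotEquals on aws:PrincipalOrgID and aws:SourceVpce), and all ARNs, organization, account and endpoint IDs are made up.

```python
"""Simplified model of how a VPC endpoint policy combines with the caller's
identity-based policy and a resource-based policy. Added example for these
notes, not AWS code. Only the IAM subset the notes use is modelled: Allow/Deny
with Action, Resource and StringEquals/StringNotEquals on aws:PrincipalOrgID
and aws:SourceVpce. All ARNs, org, account and endpoint IDs are made up."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, ctx):
    """Every operator/key pair in a Condition block must hold."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            present = ctx.get(key) in _as_list(expected)  # a missing key is "not equal"
            if present != (operator == "StringEquals"):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """'Allow', 'Deny' or 'ImplicitDeny' for one document; explicit Deny wins.
    (Real IAM matches actions case-insensitively; this uses exact wildcards.)"""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _conditions_hold(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_allowed(action, resource, ctx, endpoint_policy, identity_policy, resource_policy=None):
    """The endpoint policy is a filter on the network path: it must Allow but
    grants nothing by itself. The caller still needs an Allow from its identity
    policy or the resource policy, and an explicit Deny anywhere wins."""
    docs = [endpoint_policy, identity_policy] + ([resource_policy] if resource_policy else [])
    results = [evaluate(d, action, resource, ctx) for d in docs]
    if "Deny" in results or results[0] != "Allow":
        return False
    return "Allow" in results[1:]


# Constructed S3 gateway-endpoint policy: GetObject only, on the SSM buckets plus
# one application bucket, and only for principals inside our organization.
S3_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::aws-ssm-us-east-1/*",
                 "arn:aws:s3:::patch-baseline-snapshot-us-east-1/*",
                 "arn:aws:s3:::app-data-example/*"],
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}}]}

# Constructed role policies: one deliberately broad, one with no S3 at all.
BROAD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
NO_S3_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

# Constructed resource policy for a private REST API: deny any invoke that did
# not arrive through our execute-api interface endpoint, allow the rest.
API_ARN = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*"
PRIVATE_API_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke", "Resource": API_ARN,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke", "Resource": API_ARN}]}
ALLOW_ALL_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}


def demo():
    """Each case pairs one request with the policies on its path."""
    org = {"aws:PrincipalOrgID": "o-exampleorg1"}
    outsider = {"aws:PrincipalOrgID": "o-attacker0001"}  # foreign creds used from inside the VPC
    app = "arn:aws:s3:::app-data-example/report.csv"
    invoke = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/prod/GET/orders"
    return {
        "ssm_agent_download": request_allowed("s3:GetObject", "arn:aws:s3:::aws-ssm-us-east-1/agent.json", org, S3_ENDPOINT_POLICY, BROAD_ROLE_POLICY),
        "unlisted_bucket": request_allowed("s3:GetObject", "arn:aws:s3:::not-ours/x", org, S3_ENDPOINT_POLICY, BROAD_ROLE_POLICY),
        "put_blocked_by_endpoint": request_allowed("s3:PutObject", app, org, S3_ENDPOINT_POLICY, BROAD_ROLE_POLICY),
        "credentials_from_other_org": request_allowed("s3:GetObject", app, outsider, S3_ENDPOINT_POLICY, BROAD_ROLE_POLICY),
        "endpoint_policy_grants_nothing": request_allowed("s3:GetObject", app, org, S3_ENDPOINT_POLICY, NO_S3_ROLE_POLICY),
        "api_via_our_vpce": request_allowed("execute-api:Invoke", invoke, {"aws:SourceVpce": "vpce-0123456789abcdef0"}, ALLOW_ALL_ENDPOINT_POLICY, NO_S3_ROLE_POLICY, PRIVATE_API_POLICY),
        "api_via_other_vpce": request_allowed("execute-api:Invoke", invoke, {"aws:SourceVpce": "vpce-0fedcba987654321f"}, ALLOW_ALL_ENDPOINT_POLICY, NO_S3_ROLE_POLICY, PRIVATE_API_POLICY),
    }
```

Only the first and the API-via-our-endpoint cases come back allowed. The endpoint policy uses Principal "*" on purpose: it is a filter on who and what may pass through the endpoint, not a grant, which is why the NO_S3_ROLE_POLICY case is still denied even though the endpoint policy would let the call through.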
| | Interface Endpoint | Gateway Endpoint |
|---|---|---|
| What | Elastic Network Interface with a private IP in your subnet | A gateway that is the target of a route in the route table |
| How | DNS entries (private DNS) redirect the service hostname to the ENI | Prefix-list routes in the route table redirect traffic |
| Which services | API Gateway, CloudFormation, CloudWatch, etc. | Amazon S3, DynamoDB |
| Security | Security Groups on the ENI, plus VPC Endpoint Policies | VPC Endpoint Policies only (no security groups) |
- Amazon API Gateway
- Amazon Athena
- AWS Key Management Service
- AWS CloudHSM
- Amazon CloudWatch
- Amazon CloudWatch Events
- Amazon CloudWatch Logs
- AWS Config
- Amazon EventBridge
- AWS Glue
- AWS Lambda
- Amazon S3
- AWS Secrets Manager
- Amazon SNS
- Amazon SQS
- AWS Step Functions
- AWS Systems Manager
- Full list here