Wednesday, November 5, 2025

Types of AWS VPC Endpoints | Overview.

An Overview of AWS VPC Endpoint Types.

Focus:

  • VPC Endpoint types,
  • VPC Endpoint architectural behaviors,
  • VPC Endpoint use cases,
  • VPC Endpoint key differences.

Breakdown:

  • Concept Recap,
  • Gateway Endpoints,
  • Interface Endpoints (AWS PrivateLink),
  • Gateway Load Balancer Endpoints (GWLBe),
  • Summary Table,
  • Architecture Visualization,
  • Key Design Considerations.

Concept Recap

  • A VPC Endpoint allows twtech resources within a private VPC to connect to AWS services without using the public internet.
  • This improves security, latency, and compliance by keeping traffic within the AWS network backbone.
  • There are two main types of endpoints, Gateway and Interface, plus a variant for PrivateLink-based services.

 1. Gateway Endpoints

 Overview

  • A Gateway Endpoint is a target for a route in the VPC route table, directing traffic to supported AWS services without using an Internet Gateway, NAT, or VPN.

 Supported Services

  • Amazon S3
  • DynamoDB

 How Gateway Endpoint Works

  1. twtech creates a Gateway Endpoint for S3 or DynamoDB.
  2. AWS adds a route to the twtech route table whose destination is the service's prefix list (e.g., pl-xxxx) and whose target is the endpoint.
  3. Traffic from private subnets to the service goes directly through the AWS backbone.

 Characteristics

| Feature       | Description                                      |
|---------------|--------------------------------------------------|
| Type          | Gateway                                          |
| Connectivity  | Route table entry                                |
| Used for      | S3, DynamoDB                                     |
| IP Addressing | No IPs assigned                                  |
| Billing       | No hourly charge                                 |
| Scaling       | Automatically scaled by AWS                      |
| Security      | Policy-based (like bucket/VPC endpoint policies) |

 Common Use Case

  • Private EC2 instances accessing S3 buckets for application data without going over the internet.
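As an added example (not code from the original post), here is a least-privilege S3 gateway endpoint policy restricted to a single application bucket, together with a simplified evaluator that shows which requests the endpoint admits. The bucket name twtech-app-data and the function names are placeholders, and policy conditions are not modelled.

```python
import fnmatch

# Added example (not from the page): a least-privilege S3 gateway endpoint policy
# plus a simplified evaluator. "twtech-app-data" is a placeholder bucket name. The
# endpoint policy is an extra filter; IAM and bucket policies are still evaluated by S3.
APP_BUCKET = "twtech-app-data"

S3_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyAppBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{APP_BUCKET}", f"arn:aws:s3:::{APP_BUCKET}/*"],
    }],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns, case_insensitive=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if case_insensitive:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def endpoint_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, else some Allow must match both
    action and resource, otherwise implicit deny. Conditions/principals not modelled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if _matches(action, stmt["Action"], True) and _matches(resource, stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def demo():
    """Requests an EC2 instance in a private subnet might send through the endpoint."""
    obj = f"arn:aws:s3:::{APP_BUCKET}/config.json"
    return {
        "get-app-object": endpoint_allows(S3_ENDPOINT_POLICY, "s3:GetObject", obj),
        "list-app-bucket": endpoint_allows(S3_ENDPOINT_POLICY, "s3:ListBucket", f"arn:aws:s3:::{APP_BUCKET}"),
        "get-other-bucket": endpoint_allows(S3_ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        "delete-app-object": endpoint_allows(S3_ENDPOINT_POLICY, "s3:DeleteObject", obj),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'ALLOW' if ok else 'DENY'}")
```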

 2. Interface Endpoints (AWS PrivateLink)

 Overview

  • An Interface Endpoint uses Elastic Network Interfaces (ENIs) with private IPs in twtech subnets.
  • It’s powered by AWS PrivateLink, enabling private connectivity to AWS services, other AWS accounts, or AWS Marketplace partner services.

 Supported Services

  • Most AWS services (SSM, Secrets Manager, ECR API, CloudWatch, etc.)
  • Third-party services (via AWS Marketplace)
  • Custom services in twtech's own VPC (PrivateLink)

 How Interface Endpoint Works

  1. AWS creates an ENI in a twtech subnet for the endpoint.
  2. When twtech-app calls the service endpoint (e.g., ssm.us-east-2.amazonaws.com), DNS resolves to the private IP of that ENI.
  3. Traffic stays inside AWS’s internal network.

 Characteristics

| Feature       | Description                                            |
|---------------|--------------------------------------------------------|
| Type          | Interface                                              |
| Connectivity  | ENIs with private IPs                                  |
| Used for      | Most AWS services, PrivateLink                         |
| IP Addressing | Private IPs assigned in subnets                        |
| Billing       | Hourly + data processing cost                          |
| Scaling       | Managed automatically                                  |
| Security      | Controlled with endpoint policies and security groups  |

 Common Use Case

  • Allowing EC2 instances in private subnets to securely reach AWS Systems Manager, Secrets Manager, or ECR API.

 3. Gateway Load Balancer Endpoints (GWLBe)

 Overview

A Gateway Load Balancer Endpoint is a special type of endpoint that enables traffic inspection and security appliances (firewalls, IDS/IPS) to be deployed transparently across VPCs.

 Supported Services

  • Gateway Load Balancer (GWLB)

 How Gateway Load Balancer Endpoint Works

  1. The endpoint acts as an entry point for traffic that needs to be inspected.
  2. Traffic is tunneled using the GENEVE protocol between the endpoint and the GWLB.
  3. The GWLB distributes traffic across security appliance instances.

 Characteristics

| Feature       | Description                      |
|---------------|----------------------------------|
| Type          | Gateway Load Balancer Endpoint   |
| Connectivity  | GENEVE encapsulation             |
| Used for      | Security/inspection traffic      |
| IP Addressing | Not user-managed                 |
| Billing       | Hourly + data processing cost    |
| Security      | Policy and security group based  |

 Common Use Case

  • Traffic redirection to third-party firewalls (like Palo Alto, Fortinet, Check Point) in centralized inspection VPCs.

 Summary Table

| Type                           | Description                                            | Example Services                           | Connection Method | Billing                         | Security Control        |
|--------------------------------|--------------------------------------------------------|--------------------------------------------|-------------------|---------------------------------|-------------------------|
| Gateway Endpoint               | Route-table based endpoint for AWS core data services  | S3, DynamoDB                               | Route Table       | Free                            | Endpoint Policy         |
| Interface Endpoint             | Private ENIs for AWS services and PrivateLink          | SSM, Secrets Manager, CloudWatch, ECR API  | ENI + DNS         | $$ (hourly + data processing)   | Security Group + Policy |
| Gateway Load Balancer Endpoint | Used with GWLB for traffic inspection                  | GWLB                                       | GENEVE Tunnel     | $$ (hourly + data processing)   | Endpoint Policy         |

 Architecture Visualization

 Key Design Considerations

  • DNS Resolution must be enabled (enableDnsSupport, enableDnsHostnames) for Interface Endpoints.
  • Endpoint Policies control allowed operations.
  • Security Groups apply to Interface Endpoints (not Gateway).
  • Cross-account access is possible with PrivateLink (Interface Endpoints).
  • Cost optimization: prefer Gateway Endpoints for S3/DynamoDB when possible (free).
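To check these considerations, together with the policy and security-group controls described in the Gateway and Interface Endpoint sections, the following added example (not code from the original post) audits endpoint records in the shape returned by the EC2 DescribeVpcEndpoints and DescribeVpcAttribute APIs. The records, IDs and names are constructed placeholders, and the full-access-policy and default-security-group checks are this example's own heuristics.

```python
import json

# Added example (not from the page): an offline audit of VPC endpoint records shaped like
# the EC2 DescribeVpcEndpoints / DescribeVpcAttribute responses; all IDs are placeholders.
VPC_ATTRS = {"vpc-0aaa": {"enableDnsSupport": True, "enableDnsHostnames": False}}
FULL_ACCESS = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                         "Action": "*", "Resource": "*"}]})
SSM_ONLY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                      "Action": "ssm:*", "Resource": "*"}]})
ENDPOINTS = [
    {"VpcEndpointId": "vpce-0001", "VpcId": "vpc-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-2.s3", "RouteTableIds": ["rtb-0001"],
     "PolicyDocument": FULL_ACCESS},
    {"VpcEndpointId": "vpce-0002", "VpcId": "vpc-0aaa", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-2.ssm", "PrivateDnsEnabled": True,
     "Groups": [{"GroupId": "sg-0001", "GroupName": "default"}], "PolicyDocument": SSM_ONLY},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def policy_is_full_access(policy_json):
    """True if an Allow statement grants every action on every resource to any principal,
    which is what the default policy attached at creation (when none is supplied) does."""
    for s in _as_list(json.loads(policy_json).get("Statement", [])):
        p = s.get("Principal")
        any_principal = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        if (s.get("Effect") == "Allow" and any_principal
                and "*" in _as_list(s.get("Action", [])) and "*" in _as_list(s.get("Resource", []))):
            return True
    return False

def audit_endpoints(endpoints, vpc_attrs):
    """Return (endpoint id, finding) pairs for the design considerations listed above."""
    findings = []
    for ep in endpoints:
        eid, kind = ep["VpcEndpointId"], ep["VpcEndpointType"]
        if policy_is_full_access(ep.get("PolicyDocument", "{}")):
            findings.append((eid, "full-access endpoint policy: scope Action/Resource down"))
        if kind == "Gateway" and not ep.get("RouteTableIds"):
            findings.append((eid, "gateway endpoint has no route table association, so nothing uses it"))
        if kind == "Interface":
            attrs = vpc_attrs.get(ep["VpcId"], {})
            if ep.get("PrivateDnsEnabled") and not (attrs.get("enableDnsSupport") and attrs.get("enableDnsHostnames")):
                findings.append((eid, "private DNS enabled but enableDnsSupport/enableDnsHostnames not both on"))
            if any(g.get("GroupName") == "default" for g in ep.get("Groups", [])):
                findings.append((eid, "uses the VPC default security group; attach a dedicated SG allowing 443 from app subnets only"))
    return findings

if __name__ == "__main__":
    for eid, msg in audit_endpoints(ENDPOINTS, VPC_ATTRS):
        print(f"{eid}: {msg}")
```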
