Wednesday, November 5, 2025

Types of AWS VPC Endpoints | Overview.

Scope:

  • Concept Recap,
  • Gateway Endpoints Overview,
  • Supported Services for Gateway Endpoints,
  • How Gateway Endpoint Works,
  • Characteristics of Gateway Endpoint (Features & Description),
  • Common Use Case of Gateway Endpoint,
  • Interface Endpoints (AWS PrivateLink) Overview,
  • Supported Services for Interface Endpoints,
  • How Interface Endpoint Works,
  • Characteristics of Interface Endpoint (Features Description),
  • Common Use Case of Interface Endpoint,
  • Gateway Load Balancer Endpoints (GWLBe) Overview,
  • Supported Services for Gateway Load Balancer Endpoints (GWLBe),
  • How Gateway Load Balancer Endpoint (GWLBe) Works,
  • Characteristics of Gateway Load Balancer Endpoint (GWLBe) & Description,
  • Common Use Case of Gateway Load Balancer Endpoint (GWLBe),
  • Summary Table for Endpoint Types (Description, Sample Services, Connection Methods, Billing & Security Control),
  • Architecture Visualization,
  • Key Design Considerations.

Concept Recap

    • A VPC Endpoint allows twtech resources within a private VPC to connect to AWS services without using the public internet.
    • VPC Endpoint improves security, latency, and compliance by keeping traffic within the AWS network backbone.
    • There are two main types of endpoints:
      • Gateway, 
      • Interface,
      • Plus a variant for PrivateLink-based services.

 1. Gateway Endpoints Overview

    • A Gateway Endpoint is a target for a route in the VPC route table, directing traffic to supported AWS services without using an Internet Gateway, NAT, or VPN.

 Supported Services for Gateway Endpoints

    • Amazon S3
    • DynamoDB

 How Gateway Endpoint Works

    1. twtech creates a Gateway Endpoint for S3 or DynamoDB.
    2. AWS adds an entry in twtech route table for the target service prefix list (e.g., pl-xxxx).
    3. Traffic from private subnets to the service goes directly through the AWS backbone.

 Characteristics of Gateway Endpoint (Features & Description)

    • Type: Gateway
    • Connectivity: Route table entry
    • Used for: S3, DynamoDB
    • IP Addressing: No IPs assigned
    • Billing: No hourly charge
    • Scaling: Automatically scaled by AWS
    • Security: Policy-based (like bucket/VPC endpoint policies)

 Common Use Case of Gateway Endpoint

    • Private EC2 instances accessing S3 buckets for application data without going over the internet.
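As an added example (not code from the original post), a least-privilege S3 Gateway Endpoint policy written in Python, with a small evaluator that shows why implicit deny and explicit Deny matter when the policy is the only control on a Gateway Endpoint; the bucket name, statement ids and the evaluator's simplifications (no Principal or Condition handling) are assumptions.

```python
"""Least-privilege Gateway Endpoint policy for S3, with a simplified evaluator."""
import fnmatch
import json

# Constructed values: the bucket name and statement ids are illustrative only.
BUCKET_ARN = "arn:aws:s3:::twtech-app-data"

ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Only the application bucket is reachable through this endpoint.
            "Sid": "AllowOnlyAppBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        },
        {   # Explicit Deny wins over any Allow: no ACL changes via this endpoint at all.
            "Sid": "DenyAclChanges",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObjectAcl",
            "Resource": "*",
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate):
    # IAM wildcards '*' and '?' behave like fnmatch for action names and ARNs.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))

def endpoint_allows(policy, action, resource):
    """Simplified evaluation: implicit deny, explicit Deny overrides Allow.
    Principal and Condition elements are ignored here (a deliberate simplification)."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    print(json.dumps(ENDPOINT_POLICY, indent=2))   # pass as --policy-document on create-vpc-endpoint
    print(endpoint_allows(ENDPOINT_POLICY, "s3:GetObject", BUCKET_ARN + "/config.json"))   # True
    print(endpoint_allows(ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))  # False
```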

 2. Interface Endpoints (AWS PrivateLink) Overview

    • An Interface Endpoint uses Elastic Network Interfaces (ENIs) with private IPs in twtech subnets.
    • An Interface Endpoint is powered by AWS PrivateLink, enabling private connectivity to AWS services, other AWS accounts, or AWS Marketplace partner services.

 Supported Services for Interface Endpoints

    • Most AWS services (SSM, Secrets Manager, ECR API, CloudWatch, etc.)
    • Third-party services (via AWS Marketplace)
    • Custom services in twtech's own VPC (PrivateLink)

 How Interface Endpoint Works

    1. AWS creates an ENI in twtech subnet for the endpoint.
    2. When twtech-app calls the service endpoint (e.g., ssm.us-east-2.amazonaws.com), DNS resolves to the private IP of that ENI.
    3. Traffic stays inside AWS’s internal network.

 Characteristics of Interface Endpoint (Features & Description)

    • Type: Interface
    • Connectivity: ENIs with private IPs
    • Used for: Most AWS services, PrivateLink
    • IP Addressing: Private IPs assigned in subnets
    • Billing: Hourly + data processing cost
    • Scaling: Managed automatically
    • Security: Controlled with endpoint policies and security groups

 Common Use Case of Interface Endpoint

    • Allowing EC2 instances in private subnets to securely reach AWS Systems Manager, Secrets Manager, or ECR API.

 3. Gateway Load Balancer Endpoints (GWLBe) Overview

  • A Gateway Load Balancer Endpoint is a special type of endpoint that enables traffic inspection and security appliances (firewalls, IDS/IPS) to be deployed transparently across VPCs.

 Supported Services for Gateway Load Balancer Endpoints (GWLBe)

    • Gateway Load Balancer (GWLB)

 How Gateway Load Balancer Endpoint (GWLBe) Works

    1. Acts as an entry point for traffic that needs to be inspected.
    2. Traffic is tunneled using the GENEVE protocol between the endpoint and the GWLB.
    3. The GWLB distributes traffic across security appliance instances.
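As an added example (not the post's own code), a minimal Python parser for the GENEVE encapsulation (RFC 8926) that a GWLB hands to an inspection appliance, so a defender can see the VNI and option TLVs the appliance must preserve when it returns packets; the sample packet, the option class 0x1234 and the inner IPv4 header are constructed placeholders, not AWS's real option values.

```python
"""Minimal GENEVE (RFC 8926) parser for traffic arriving from a Gateway Load Balancer."""
import struct

GENEVE_UDP_PORT = 6081      # GENEVE's IANA-assigned UDP port
ETHERTYPE_IPV4 = 0x0800     # Protocol Type field value for an inner IPv4 packet

def parse_geneve(packet: bytes):
    """Decode the 8-byte base header plus TLV options; return (header dict, inner payload)."""
    if len(packet) < 8:
        raise ValueError("truncated GENEVE base header")
    first, flags, proto, vni_rsvd = struct.unpack("!BBHI", packet[:8])
    version, opt_bytes = first >> 6, (first & 0x3F) * 4   # Opt Len is counted in 4-byte words
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    hdr_end = 8 + opt_bytes
    if len(packet) < hdr_end:
        raise ValueError("options run past the end of the packet")
    options, pos = [], 8
    while pos < hdr_end:
        opt_class, opt_type, opt_len = struct.unpack("!HBB", packet[pos:pos + 4])
        end = pos + 4 + (opt_len & 0x1F) * 4
        if end > hdr_end:
            raise ValueError("option length exceeds Opt Len")
        data = packet[pos + 4:end]
        # Top bit of Type marks a critical option: a receiver that cannot parse it must drop the packet.
        options.append({"class": opt_class, "type": opt_type & 0x7F,
                        "critical": bool(opt_type & 0x80), "data": data})
        pos = end
    header = {"oam": bool(flags & 0x80), "critical_present": bool(flags & 0x40),
              "protocol": proto, "vni": vni_rsvd >> 8, "options": options}
    return header, packet[hdr_end:]

def build_geneve(vni, options, payload, protocol=ETHERTYPE_IPV4):
    """Encapsulate a payload; used here only to construct the sample packet."""
    opts = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    flags = 0x40 if any(t & 0x80 for _, t, _ in options) else 0
    return struct.pack("!BBHI", len(opts) // 4, flags, protocol, vni << 8) + opts + payload

# Constructed sample: a placeholder option class/type and an IPv4 header with a zero checksum.
INNER_IPV4 = bytes.fromhex("4500001c0001000040110000c0a80a0a0a140a14")
SAMPLE = build_geneve(vni=1, options=[(0x1234, 0x03, b"\xde\xad\xbe\xef")], payload=INNER_IPV4)

if __name__ == "__main__":
    hdr, inner = parse_geneve(SAMPLE)
    print(hdr["vni"], hex(hdr["protocol"]), hdr["options"], inner == INNER_IPV4)
```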

 Characteristics of Gateway Load Balancer Endpoint (GWLBe) & Description

    • Type: Gateway Load Balancer Endpoint
    • Connectivity: GENEVE encapsulation
    • Used for: Security/inspection traffic
    • IP Addressing: Not user-managed
    • Billing: Hourly + data processing cost
    • Security: Policy and security group based

 Common Use Case of Gateway Load Balancer Endpoint (GWLBe)

    • Traffic redirection to third-party firewalls (like Palo Alto, Fortinet, Check Point) in centralized inspection VPCs.

 Summary Table for Endpoint Types (Description, Sample Services, Connection Methods, Billing & Security Control)

Gateway Endpoint
    • Description: Route-table based endpoint for AWS core data services
    • Sample Services: S3, DynamoDB
    • Connection Method: Route Table
    • Billing: Free
    • Security Control: Endpoint Policy

Interface Endpoint
    • Description: Private ENIs for AWS services and PrivateLink
    • Sample Services: SSM, Secrets Manager, CloudWatch, ECR API
    • Connection Method: ENI + DNS
    • Billing: $$
    • Security Control: Security Group + Policy

Gateway Load Balancer Endpoint
    • Description: Used with GWLB for traffic inspection
    • Sample Services: GWLB
    • Connection Method: GENEVE Tunnel
    • Billing: $$
    • Security Control: Endpoint Policy

 Architecture Visualization

 Key Design Considerations

    • DNS Resolution must be enabled (enableDnsSupport, enableDnsHostnames) for Interface Endpoints.
    • Endpoint Policies control allowed operations.
    • Security Groups apply to Interface Endpoints (not Gateway).
    • Cross-account access possible with PrivateLink (Interface endpoints).
    • Cost optimization: prefer Gateway Endpoints for S3/DynamoDB when possible (free).
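As an added example (not the post's own code), a Python check that turns the considerations above into an audit over endpoint descriptions: the VPC DNS attributes, private DNS on each Interface Endpoint, security-group ingress limited to the VPC CIDR, and a cost note where a free Gateway Endpoint exists. The input dicts are constructed to resemble EC2 describe-* output and every id in them is a placeholder.

```python
"""Audit Interface Endpoint settings against the design considerations above."""
import ipaddress

# Constructed sample data, loosely shaped after EC2 describe-* output; every id is a placeholder.
VPC = {"VpcId": "vpc-0example", "CidrBlock": "10.20.0.0/16",
       "EnableDnsSupport": True, "EnableDnsHostnames": False}
SECURITY_GROUPS = {
    "sg-0open":  {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-0tight": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                     "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
}
ENDPOINTS = [
    {"VpcEndpointId": "vpce-0ssm", "VpcEndpointType": "Interface", "PrivateDnsEnabled": False,
     "ServiceName": "com.amazonaws.us-east-2.ssm", "Groups": [{"GroupId": "sg-0open"}]},
    {"VpcEndpointId": "vpce-0s3", "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
     "ServiceName": "com.amazonaws.us-east-2.s3", "Groups": [{"GroupId": "sg-0tight"}]},
    {"VpcEndpointId": "vpce-0ddb", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-2.dynamodb"},
]

def audit_endpoints(vpc, endpoints, security_groups):
    """Return (resource id, finding) pairs; an empty list means every check passed."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc["CidrBlock"])
    if not (vpc["EnableDnsSupport"] and vpc["EnableDnsHostnames"]):
        findings.append((vpc["VpcId"], "enable both enableDnsSupport and enableDnsHostnames, "
                                       "or private DNS names for Interface Endpoints will not resolve"))
    for ep in endpoints:
        if ep["VpcEndpointType"] != "Interface":
            continue                       # Gateway and GWLB endpoints have no ENI, DNS name or SG
        eid, service = ep["VpcEndpointId"], ep["ServiceName"].rsplit(".", 1)[-1]
        if not ep.get("PrivateDnsEnabled"):
            findings.append((eid, "private DNS disabled: clients keep resolving the public service name"))
        if service in ("s3", "dynamodb"):
            findings.append((eid, f"{service} has a free Gateway Endpoint; this Interface Endpoint bills hourly"))
        for group in ep.get("Groups", []):
            for perm in security_groups[group["GroupId"]]["IpPermissions"]:
                for rng in perm.get("IpRanges", []):
                    src = ipaddress.ip_network(rng["CidrIp"])
                    if not src.subnet_of(vpc_net):  # only callers inside the VPC should reach the ENI
                        findings.append((eid, f"{group['GroupId']} allows {src} on port "
                                              f"{perm['FromPort']}; restrict it to {vpc_net}"))
    return findings

if __name__ == "__main__":
    for rid, text in audit_endpoints(VPC, ENDPOINTS, SECURITY_GROUPS):
        print(f"{rid}: {text}")
```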
