A deep dive into VPC Endpoints.
Scope:
- The concept: VPC Endpoint
- Types of VPC Endpoints
- Architecture Overview
- How VPC Endpoints Work
- Security Layers
- Traffic Flow Sample – Interface Endpoint
- Pricing
- VPC Endpoints vs Alternatives
- Common Use Cases
The concept: VPC Endpoint
- A VPC Endpoint allows the twtech VPC to connect privately to AWS services, without traversing the public internet.
- VPC Endpoint traffic stays entirely within the AWS private network.
- Think of a VPC Endpoint as a private on-ramp from the twtech VPC to AWS services such as S3, DynamoDB, or custom services powered by PrivateLink.
Types of VPC Endpoints
There are three types of VPC endpoints:

| Type | Description | Uses AWS PrivateLink? | Typical Use Case |
|---|---|---|---|
| Gateway Endpoint | Targeted to a route table; used for S3 and DynamoDB | ❌ No | Access S3/DynamoDB privately |
| Interface Endpoint | ENI (Elastic Network Interface) with a private IP | ✅ Yes | Connect to most AWS or third-party services privately |
| Gateway Load Balancer Endpoint (GWLBe) | Used for traffic inspection / third-party appliances | ✅ Yes | Network security appliances, firewalls, etc. |
Architecture Overview
1. Gateway Endpoint (S3/DynamoDB)
- Added as a target in your route table.
- Routes specific service traffic (e.g. s3.amazonaws.com) to the endpoint.
- No additional ENIs created.
- Free to use (no hourly cost).
2. Interface Endpoint (PrivateLink)
- Creates an Elastic Network Interface (ENI) in your subnet.
- Has a private IP address that connects to the AWS service.
- Each service is mapped to a DNS entry that resolves to the private IP.
- Billing: per-hour + per-GB data processing charge.
3. Gateway Load Balancer Endpoint
- Used for service chaining, like sending all outbound traffic through a firewall appliance.
- Combines features of PrivateLink with load balancing and network inspection.
How VPC Endpoints Work
- DNS Redirection
  - AWS automatically updates DNS records for services like s3.amazonaws.com to resolve to the private IP inside the twtech VPC.
  - twtech must enable:
    - enableDnsHostnames
    - enableDnsSupport
- Private Connectivity
  - No NAT Gateway or Internet Gateway required.
  - Traffic never leaves the AWS network.
- Security
  - Endpoint policies define which resources can be accessed through the endpoint.
  - Can combine with IAM and bucket policies for fine-grained control.
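A quick way to confirm that Private DNS is actually doing the redirection described above is to resolve the service name from inside the VPC and check whether the answers are private addresses. The script below is an added example, not code from the original post: it classifies a hostname's resolution as private (the interface endpoint's ENI IPs), public (no endpoint, or Private DNS disabled) or mixed. The hostnames and the addresses in SAMPLE_ANSWERS are constructed stand-ins for what the VPC resolver would return. One caveat it encodes: the check applies to interface endpoints only; with a gateway endpoint the S3 and DynamoDB names keep resolving to public AWS addresses, and it is the route table, not DNS, that steers the traffic to the endpoint.

```python
"""Check whether AWS service hostnames resolve to private (in-VPC) addresses.

Added example, not from the original post. With Private DNS enabled on an
interface endpoint, a name such as ssm.us-east-2.amazonaws.com resolves to
the endpoint ENI's private IP; without an endpoint (or with Private DNS off)
it resolves to public AWS addresses. Gateway endpoints (S3/DynamoDB) do not
change DNS at all, so this check must not be applied to them.
"""
import ipaddress
import socket


def classify_resolution(hostname, addresses):
    """Classify a hostname by the addresses it resolved to."""
    private, public = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (private if ip.is_private else public).append(addr)
    if not private and not public:
        status = "unresolved"
    elif private and not public:
        status = "private-endpoint"   # all answers are in-VPC ENI addresses
    elif public and not private:
        status = "public"             # traffic would need NAT/IGW to get out
    else:
        status = "mixed"              # inconsistent answers: worth investigating
    return {"hostname": hostname, "status": status, "private": private, "public": public}


def resolve(hostname):
    """Resolve with the system resolver (meaningful only from inside the VPC)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return []
    return addrs


def audit(expectations, resolver=resolve):
    """expectations maps hostname -> True when a private answer is required.

    Returns a list of (hostname, status, ok) tuples.
    """
    results = []
    for host, must_be_private in expectations.items():
        res = classify_resolution(host, resolver(host) or [])
        ok = res["status"] == "private-endpoint" if must_be_private else True
        results.append((host, res["status"], ok))
    return results


# Constructed sample answers, standing in for the VPC resolver's replies.
SAMPLE_ANSWERS = {
    "ssm.us-east-2.amazonaws.com": ["10.0.1.25", "10.0.2.40"],    # interface endpoint ENIs
    "secretsmanager.us-east-2.amazonaws.com": ["52.95.19.4"],     # no endpoint: public IP
}

if __name__ == "__main__":
    # Replace resolver=SAMPLE_ANSWERS.get with the default to query real DNS.
    for host, status, ok in audit({h: True for h in SAMPLE_ANSWERS},
                                  resolver=SAMPLE_ANSWERS.get):
        print(f"{host}: {status} {'OK' if ok else 'NOT via an interface endpoint'}")
```

Run it from the private instance with the default resolver; a "public" result for a service you expected to reach privately usually means Private DNS was left disabled on the endpoint or enableDnsSupport/enableDnsHostnames is off on the VPC.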
Security Layers

| Layer | Purpose |
|---|---|
| Endpoint Policy | JSON-based IAM policy restricting access via the endpoint |
| Security Groups | For Interface Endpoints (controls inbound/outbound) |
| NACLs | Network-level filtering |
| IAM Policy / Resource Policy | Controls what actions are allowed on the target service |
Example Endpoint Policy (restrict S3 to one bucket; the bucket ARN is listed alongside the object ARN so that s3:ListBucket works as well as object reads and writes):
# json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::twtech-secure-bucket",
        "arn:aws:s3:::twtech-secure-bucket/*"
      ]
    }
  ]
}
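The endpoint policy above is the layer most often left at the console's "Full Access" default. As an added example (not code from the original post), the script below generates a one-bucket S3 endpoint policy with only the actions that are needed, and audits any existing endpoint policy for the patterns that defeat least privilege: Resource "*" (any bucket, including buckets in other accounts), wildcard actions, a missing Version, and an object pattern with no matching bucket ARN (which silently breaks listing). The bucket name and the two sample policies are constructed; the audit rules are this script's own heuristics, not an AWS API.

```python
"""Build a least-privilege S3 endpoint policy and audit an existing one.

Added example, not from the original post. The bucket name is a placeholder
and the audit rules are this script's own heuristics.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_s3_endpoint_policy(bucket, actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """Policy limiting the endpoint to one bucket.

    Both ARNs are needed: the bucket ARN for s3:ListBucket and the object
    pattern for object-level calls. With only "bucket/*", `aws s3 ls
    s3://bucket` is denied at the endpoint.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOnlyThisBucket",
                "Effect": "Allow",
                "Principal": "*",  # the caller's IAM identity is still checked by S3
                "Action": list(actions),
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def audit_endpoint_policy(policy):
    """Return a list of findings; an empty list means no concerns were found."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("no Version 2012-10-17 (the older default does not support policy variables)")
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wide_action = any(a in ("*", "s3:*") for a in actions)
        wide_resource = "*" in resources
        if wide_action and wide_resource:
            findings.append(f"statement {i}: all actions on all resources (the console's Full Access default)")
            continue
        if wide_resource:
            findings.append(f"statement {i}: Resource '*' reaches any bucket, including ones outside this account")
        if wide_action:
            findings.append(f"statement {i}: {', '.join(actions)} includes delete and bucket-policy calls; list the needed actions")
        # An object pattern without its bucket ARN means s3:ListBucket is denied.
        for pattern in (r for r in resources if r.endswith("/*")):
            if pattern[:-2] not in resources:
                findings.append(f"statement {i}: {pattern} has no matching bucket ARN, so ListBucket on it is denied")
    return findings


# Constructed samples: the console default, and a one-bucket policy that only
# names the object pattern.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}
OBJECTS_ONLY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                               "Resource": ["arn:aws:s3:::twtech-secure-bucket/*"]}]}

if __name__ == "__main__":
    print(json.dumps(build_s3_endpoint_policy("twtech-secure-bucket"), indent=2))
    for name, pol in (("full access", FULL_ACCESS), ("objects only", OBJECTS_ONLY)):
        print(name, "->", audit_endpoint_policy(pol) or ["no findings"])
```

Pointing the audit at the JSON returned by `aws ec2 describe-vpc-endpoints` (the PolicyDocument field) turns it into a quick inventory check for endpoints that were created with the default policy.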
Traffic Flow Sample – Interface Endpoint
NB: All traffic stays within AWS’s private backbone network.
Pricing

| Type | Cost Structure |
|---|---|
| Gateway Endpoint | Free (no hourly or data charge) |
| Interface Endpoint | Per-hour + per-GB processed |
| GWLBe | Per-hour + per-GB processed |
Best Practices
✅ Use Gateway Endpoints for S3/DynamoDB to reduce NAT data transfer cost
✅ Use Interface Endpoints for private access to critical services (e.g. SSM, Secrets Manager)
✅ Enable Private DNS for seamless service access
✅ Restrict Endpoint Policies to least privilege
✅ Monitor via CloudWatch + VPC Flow Logs
✅ Avoid open Security Groups on Interface Endpoints
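"Monitor via VPC Flow Logs" is concrete enough to automate. The script below is an added example, not code from the original post: it parses default-format flow log records for a private subnet's ENI and flags ACCEPTed flows that left for the internet rather than going to an endpoint, which is exactly the condition that should be impossible once the NAT Gateway route is removed. It distinguishes three destinations: an interface endpoint ENI (private IP), a gateway endpoint (public S3/DynamoDB addresses, because gateway endpoints work at the route table and the flow log still shows the public address), and everything else. The sample records, the endpoint IPs and the S3 prefix are all constructed; in practice the prefix list comes from the endpoint's managed prefix list.

```python
"""Flag private-subnet flows that reached the internet instead of an endpoint.

Added example, not from the original post. Parses default-format VPC Flow Log
records (the 14 space-separated fields) and classifies each accepted flow.
All sample data below is constructed.
"""
import ipaddress

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(line):
    """Return a dict for one record, or None for malformed/NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None  # only OK rows carry addresses


def classify(rec, endpoint_ips, gateway_prefixes):
    """Name where an outbound flow from a private address went."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    if not src.is_private:
        return "inbound"                       # reply/ingress traffic, not our concern here
    if dst.is_private:
        return "interface-endpoint" if rec["dstaddr"] in endpoint_ips else "internal"
    if any(dst in net for net in gateway_prefixes):
        return "gateway-endpoint"              # public S3 address, but routed via the endpoint
    return "internet"                          # only possible with a NAT/IGW route still present


def find_internet_egress(lines, endpoint_ips, gateway_prefixes):
    """Return (eni, src, dst, dstport) for accepted flows that escaped to the internet."""
    hits = []
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if classify(rec, endpoint_ips, gateway_prefixes) == "internet":
            hits.append((rec["interface_id"], rec["srcaddr"], rec["dstaddr"], int(rec["dstport"])))
    return hits


def summarize(lines, endpoint_ips, gateway_prefixes):
    """Count OK records per destination class (ACCEPT and REJECT alike)."""
    counts = {}
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None:
            continue
        kind = classify(rec, endpoint_ips, gateway_prefixes)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed: interface endpoint ENI addresses and the S3 gateway prefix list.
ENDPOINT_IPS = {"10.0.1.25", "10.0.2.40"}
GATEWAY_PREFIXES = [ipaddress.ip_network("52.219.80.0/20")]

# Constructed flow log records for the private instance's ENI.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.15 10.0.1.25 49152 443 6 12 1800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.15 52.219.80.10 49153 443 6 30 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.15 142.250.72.14 49154 80 6 5 300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.15 142.250.72.14 49155 80 6 5 300 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES, ENDPOINT_IPS, GATEWAY_PREFIXES))
    for eni, src, dst, port in find_internet_egress(SAMPLE_LINES, ENDPOINT_IPS, GATEWAY_PREFIXES):
        print(f"ALERT {eni}: {src} reached {dst}:{port} outside any endpoint")
```

The third record (port 80 to a public address, ACCEPT) is what the `curl google.com` test in the hands-on section would produce while the NAT route still exists; after the route is removed the same attempt shows up as a REJECT or not at all, and the alert list should be empty.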
VPC Endpoints vs Alternatives

| Feature | VPC Endpoint | NAT Gateway | Transit Gateway |
|---|---|---|---|
| Public Internet Required | ❌ | ✅ | Optional |
| Private AWS Access | ✅ | ❌ | ✅ |
| Cost Efficiency (for AWS traffic) | ✅ | ❌ | ⚙️ Depends |
| Supports Third-Party Services | Interface/GWLB only | ❌ | ✅ |
Common Use Cases
- Access S3 privately from a private subnet
- Use AWS Systems Manager (SSM) Session Manager without internet access
- Connect to Secrets Manager or the ECR API from private instances
- Route all outbound traffic through a security appliance via a GWLB Endpoint
Project: Hands-On
How twtech uses VPC Endpoints to privately connect to AWS services
Search for the AWS service: VPC
SSH (connect) to the Bastion Host instance from any terminal. Already configured: twtech is using EC2 Instance Connect for this project.
From the Bastion Host instance, connect into the Private EC2 instance in the VPC (twtechVPC).
How twtech accesses the S3 bucket from the Private instance: twtechs3
Step-1:
· Create a role for the Private instance in the VPC.
· Select the instance and navigate to the Security tab.
Modify the IAM Role for the Private Instance:
Create a Role:
- Select trusted entity: Trusted entity type
- Role is for: EC2 instances
- Add permissions
- Name, review, and create
Step 2: Add permissions, then create the role.
Return to the IAM console, refresh, and update the permission.
Return to the Private instance terminal and make API calls to S3 with the command:
aws s3 ls
Other commands to test connectivity:
ping think-with-tech.blogspot.com
curl google.com
How twtech connects the Private instance to AWS services with VPC endpoints rather than the Internet Gateway: with a VPC Interface Endpoint
Step-1:
· Edit the Route Table of the Private Subnet to remove the Internet Gateway.
From: Local Connection & NAT Gateway present
To: Local Connection only (remove the NAT Gateway)
Save changes: twtech has just effectively prevented the Private instance from accessing the internet.
· Verify whether the Private instance still has internet access:
Step-2:
How twtech eventually connects to the S3 service via the VPC endpoint:
- From the VPC console: Create a VPC endpoint
- Create endpoint: Interface Endpoint
- Create the type of VPC endpoint that supports the service, service network or resource to which twtech wants to connect.
- Services
- Network settings: select the VPC in which to create the endpoint.
- Private DNS Name: Enable
- twtech needs to choose the AZs where the Endpoint will be deployed, then associate their subnets.
- Select the Security Group to attach to the Endpoint.
- Create endpoint.
Instead of an Interface Endpoint, twtech may decide to create a VPC Gateway Endpoint.
Step-by-step:
- Network settings
- Route tables: select the route table to update so that requests are sent through the endpoint: Private Route Table (twtechPrivateRT)
- Policy: Full Access
- Create endpoint.
What exactly is happening behind the scenes:
· An endpoint is created and associated with the Private Route table.
More detail can be seen via the associated route table: twtechPrivateRT
twtech Explanation:
· Some of the traffic will be directed via the Private route table to the VPC endpoint.
Step-3:
Finally:
- twtech needs to verify whether the VPC Gateway endpoint just created provides service access to the Private instance, with the command below.
- Again, there is no internet service in the private instance: the NAT Gateway has been removed.
aws s3 ls
How twtech would target a specific region: filter the command with flags:
aws s3 ls --region us-east-2