Amazon Virtual Private Cloud
User Guide

Gateway VPC Endpoints

To create and set up a gateway endpoint, follow these general steps:

  1. Specify the VPC in which to create the endpoint, and the service to which you're connecting. A service is identified by a prefix list—the name and ID of a service for a region. A prefix list ID uses the form pl-xxxxxxx and a prefix list name uses the form com.amazonaws.<region>.<service>. Use the prefix list name (service name) to create an endpoint.

  2. Attach an endpoint policy to your endpoint that allows access to some or all of the service to which you're connecting. For more information, see Using VPC Endpoint Policies.

  3. Specify one or more route tables to control the routing of traffic between your VPC and the other service. Subnets that use these route tables have access to the endpoint, and traffic from instances in these subnets to the service is then routed through the endpoint.

In the following diagram, instances in subnet 2 can access Amazon S3 through the gateway endpoint.


				Using a gateway endpoint to access Amazon S3

You can create multiple endpoints in a single VPC, for example, to multiple services. You can also create multiple endpoints for a single service, and use different route tables to enforce different access policies from different subnets to the same service.

After you've created an endpoint, you can modify the endpoint policy that's attached to your endpoint, and add or remove the route tables that are used by the endpoint.

There is no additional charge for using gateway endpoints. Standard charges for data transfer and resource usage apply. For more information about pricing, see Amazon EC2 Pricing.

Routing for Gateway Endpoints

When you create or modify an endpoint, you specify the VPC route tables that are used to access the service via the endpoint. A route is automatically added to each of the route tables with a destination that specifies the prefix list ID of the service (pl-xxxxxxxx), and a target with the endpoint ID (vpce-xxxxxxxx); for example:

Destination        Target
10.0.0.0/16        Local
pl-1a2b3c4d        vpce-11bb22cc

The prefix list ID logically represents the range of public IP addresses used by the service. All instances in subnets associated with the specified route tables automatically use the endpoint to access the service; subnets that are not associated with the specified route tables do not use the endpoint. This enables you to keep resources in other subnets separate from your endpoint.

To view the current public IP address range for a service, you can use the describe-prefix-lists command.

Note

The range of public IP addresses for a service may change from time to time. Consider the implications before you make routing or other decisions based on the current IP address range for a service.

The following rules apply:

  • You can have multiple endpoint routes to different services in a route table, and you can have multiple endpoint routes to the same service in different route tables, but you cannot have multiple endpoints to the same service in a single route table. For example, if you have two endpoints to Amazon S3 in your VPC, you cannot use the same route table for both endpoints.

  • You cannot explicitly add, modify, or delete an endpoint route in your route table by using the route table APIs, or by using the Route Tables page in the Amazon VPC console. You can only add an endpoint route by associating a route table with an endpoint. To change the route tables that are associated with your endpoint, you can modify the endpoint.

  • An endpoint route is automatically deleted when you remove the route table association from the endpoint (by modifying the endpoint), or when you delete your endpoint.

We use the most specific route that matches the traffic to determine how to route the traffic (longest prefix match). If you have an existing route in your route table for all internet traffic (0.0.0.0/0) that points to an internet gateway, the endpoint route takes precedence for all traffic destined for the service, because the IP address range for the service is more specific than 0.0.0.0/0. All other internet traffic goes to your internet gateway, including traffic that's destined for the service in other regions.

However, if you have existing, more specific routes to IP address ranges that point to an internet gateway or a NAT device, those routes take precedence. If you have existing routes destined for an IP address range that is identical to the IP address range used by the service, then your routes take precedence.

Example: An Endpoint Route in a Route Table

In this scenario, you have an existing route in your route table for all internet traffic (0.0.0.0/0) that points to an internet gateway. Any traffic from the subnet that's destined for another AWS service uses the internet gateway.

Destination        Target
10.0.0.0/16        Local
0.0.0.0/0          igw-1a2b3c4d

You create an endpoint to a supported AWS service, and associate your route table with the endpoint. An endpoint route is automatically added to the route table, with a destination of pl-1a2b3c4d (assume this represents the service to which you've created the endpoint). Now, any traffic from the subnet that's destined for that AWS service in the same region goes to the endpoint, and does not go to the internet gateway. All other internet traffic goes to your internet gateway, including traffic destined for other services and traffic destined for the same AWS service in other regions.

Destination        Target
10.0.0.0/16        Local
0.0.0.0/0          igw-1a2b3c4d
pl-1a2b3c4d        vpce-11bb22cc

Example: Adjusting Your Route Tables for Endpoints

In this scenario, you have configured your route table to enable instances in your subnet to communicate with Amazon S3 buckets through an internet gateway. You've added a route with 54.123.165.0/24 as a destination (assume this is an IP address range currently within Amazon S3), and the internet gateway as the target. You then create an endpoint, and associate this route table with the endpoint. An endpoint route is automatically added to the route table. You then use the describe-prefix-lists command to view the IP address range for Amazon S3. The range is 54.123.160.0/19, which is less specific than the range that's pointing to your internet gateway. This means that any traffic destined for the 54.123.165.0/24 IP address range continues to use the internet gateway, and does not use the endpoint (for as long as this remains the public IP address range for Amazon S3).

Destination        Target
10.0.0.0/16        Local
54.123.165.0/24    igw-1a2b3c4d
pl-1a2b3c4d        vpce-11bb22cc

To ensure that all traffic destined for Amazon S3 in the same region is routed via the endpoint, you must adjust the routes in your route table. To do this, you can delete the route to the internet gateway. Now, all traffic to Amazon S3 in the same region uses the endpoint, and the subnet that's associated with your route table is a private subnet.

Destination        Target
10.0.0.0/16        Local
pl-1a2b3c4d        vpce-11bb22cc
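The longest-prefix-match rule and the two route-table scenarios above can be checked mechanically. The following is an added example, not code from the AWS user guide or from AWS: it models a route table whose endpoint route is expanded from a prefix list, resolves a destination address the way the page describes (most specific route wins; an identical range you added yourself beats the endpoint route), and flags routes that shadow the endpoint, as the 54.123.165.0/24 internet gateway route does in the second example. The prefix list contents are constructed; 54.123.160.0/19 is the page's illustrative Amazon S3 range, not a live one.

```python
"""Longest-prefix-match resolution for a VPC route table that mixes an internet
gateway route with a gateway endpoint route.

Added example, not from the AWS user guide. Route tables mirror the page's
scenarios; the prefix list contents are constructed (54.123.160.0/19 is the
page's illustrative Amazon S3 range, not a live one)."""
import ipaddress
from dataclasses import dataclass

# Constructed: what describe-prefix-lists might report for the service behind
# the endpoint. A gateway endpoint route's destination is this prefix list ID.
PREFIX_LISTS = {"pl-1a2b3c4d": ["54.123.160.0/19"]}


@dataclass(frozen=True)
class Route:
    destination: str  # a CIDR block or a prefix list ID (pl-...)
    target: str       # Local, igw-..., nat-..., or vpce-...


def expand_routes(routes):
    """Turn each route into (network, route) pairs, expanding prefix list IDs
    into the concrete CIDRs they currently represent."""
    pairs = []
    for route in routes:
        if route.destination.startswith("pl-"):
            cidrs = PREFIX_LISTS[route.destination]
        else:
            cidrs = [route.destination]
        pairs.extend((ipaddress.ip_network(c), route) for c in cidrs)
    return pairs


def resolve(routes, dst_ip):
    """Return the target the route table selects for dst_ip, or None when no
    route matches (no default route and no specific route)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, r) for net, r in expand_routes(routes) if ip in net]
    if not matches:
        return None
    # Longest prefix wins. On an identical prefix length the page's rule is
    # that your own route, not the endpoint route, takes precedence.
    _, route = max(matches, key=lambda m: (m[0].prefixlen,
                                           not m[1].target.startswith("vpce-")))
    return route.target


def routes_shadowing_endpoint(routes):
    """Destinations of routes that are as specific as, or more specific than,
    a CIDR inside an endpoint's prefix list. Traffic to those ranges bypasses
    the endpoint, which is what the page's second example walks through."""
    endpoint_nets = [net for net, r in expand_routes(routes)
                     if r.target.startswith("vpce-")]
    shadowing = []
    for net, route in expand_routes(routes):
        if route.target.startswith("vpce-"):
            continue
        if any(net.subnet_of(ep) for ep in endpoint_nets):
            shadowing.append(route.destination)
    return shadowing


# Route tables from the page's two examples.
WITH_DEFAULT_ROUTE = [
    Route("10.0.0.0/16", "Local"),
    Route("0.0.0.0/0", "igw-1a2b3c4d"),
    Route("pl-1a2b3c4d", "vpce-11bb22cc"),
]
WITH_SPECIFIC_IGW_ROUTE = [
    Route("10.0.0.0/16", "Local"),
    Route("54.123.165.0/24", "igw-1a2b3c4d"),
    Route("pl-1a2b3c4d", "vpce-11bb22cc"),
]
ENDPOINT_ONLY = [
    Route("10.0.0.0/16", "Local"),
    Route("pl-1a2b3c4d", "vpce-11bb22cc"),
]

if __name__ == "__main__":
    for name, table in [("default route", WITH_DEFAULT_ROUTE),
                        ("specific igw route", WITH_SPECIFIC_IGW_ROUTE),
                        ("endpoint only", ENDPOINT_ONLY)]:
        print(name, "->", resolve(table, "54.123.165.10"),
              "| shadowed by:", routes_shadowing_endpoint(table))
```

Running the script shows the three outcomes the page describes for a destination inside the service range: the endpoint wins over a 0.0.0.0/0 route, loses to the more specific 54.123.165.0/24 route, and is the only path once that route is deleted, at which point traffic to any other public address has no route at all.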

Gateway Endpoint Limitations

To use gateway endpoints, you need to be aware of the current limitations:

  • You cannot use a prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for the service instead. You can, however, use a prefix list ID in an outbound security group rule. For more information, see Security Groups.

  • Endpoints are supported within the same region only. You cannot create an endpoint between a VPC and a service in a different region.

  • You cannot tag an endpoint.

  • Endpoints support IPv4 traffic only.

  • You cannot transfer an endpoint from one VPC to another, or from one service to another.

  • You have a limit on the number of endpoints you can create per VPC. For more information, see VPC Endpoints.

  • Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

  • You must enable DNS resolution in your VPC, or if you're using your own DNS server, ensure that DNS requests to the required service (such as Amazon S3) are resolved correctly to the IP addresses maintained by AWS. For more information, see Using DNS with Your VPC.
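Because a network ACL cannot reference a prefix list ID, an ACL that restricts egress has to carry the service's CIDR blocks explicitly, and the note above warns that those blocks change over time. The following is an added example, not code from the AWS user guide or from AWS: it reads describe-prefix-lists output, turns the service's CIDRs into per-range egress allow entries shaped like the parameters of create-network-acl-entry, and compares two snapshots so that a change in the published range can be detected before the ACL silently goes stale. The two snapshots are constructed in the shape of the command's JSON; their CIDRs are illustrative, not AWS's real Amazon S3 ranges.

```python
"""Deriving network ACL egress CIDRs from a service prefix list and detecting
when the published range has changed.

Added example, not from the AWS user guide. The describe-prefix-lists output
below is constructed in the shape of that command's JSON; the CIDRs are
illustrative, not AWS's real Amazon S3 ranges."""
import json

SERVICE = "com.amazonaws.us-east-1.s3"

# Constructed snapshots, as if captured on two different days.
SNAPSHOT_DAY_1 = json.dumps({"PrefixLists": [{
    "PrefixListId": "pl-1a2b3c4d",
    "PrefixListName": SERVICE,
    "Cidrs": ["54.123.160.0/19", "52.216.0.0/15"],
}]})
SNAPSHOT_DAY_2 = json.dumps({"PrefixLists": [{
    "PrefixListId": "pl-1a2b3c4d",
    "PrefixListName": SERVICE,
    "Cidrs": ["54.123.160.0/19", "3.5.0.0/19"],
}]})


def service_cidrs(snapshot_json, service_name):
    """Return the sorted CIDR blocks for one service from describe-prefix-lists output."""
    data = json.loads(snapshot_json)
    for entry in data["PrefixLists"]:
        if entry["PrefixListName"] == service_name:
            return sorted(entry["Cidrs"])
    raise KeyError(f"prefix list for {service_name} not found")


def nacl_egress_rules(cidrs, first_rule_number=100, step=10, port=443):
    """Build one allow rule per CIDR, shaped like the parameters of
    create-network-acl-entry. Network ACLs accept CIDR blocks only, so each
    CIDR in the prefix list needs its own numbered rule."""
    rules = []
    for i, cidr in enumerate(cidrs):
        rules.append({
            "RuleNumber": first_rule_number + i * step,
            "Protocol": "6",            # TCP, as the ACL API numbers it
            "RuleAction": "allow",
            "Egress": True,
            "CidrBlock": cidr,
            "PortRange": {"From": port, "To": port},
        })
    return rules


def prefix_list_drift(old_json, new_json, service_name):
    """Compare two snapshots. Removed ranges leave dead ACL rules behind;
    added ranges are unreachable until a rule for them exists."""
    old = set(service_cidrs(old_json, service_name))
    new = set(service_cidrs(new_json, service_name))
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    for rule in nacl_egress_rules(service_cidrs(SNAPSHOT_DAY_1, SERVICE)):
        print(rule)
    print("drift:", prefix_list_drift(SNAPSHOT_DAY_1, SNAPSHOT_DAY_2, SERVICE))
```

In practice the snapshot would come from `aws ec2 describe-prefix-lists` on a schedule, and a non-empty drift result is the signal to regenerate the ACL entries. Network ACLs are stateless, so the return traffic on ephemeral ports needs its own inbound rule; this block only covers the outbound side that the limitation above concerns.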

For more information about rules and limitations that are specific to Amazon S3, see Endpoints for Amazon S3.

For more information about rules and limitations that are specific to DynamoDB, see Endpoints for Amazon DynamoDB.

Creating a Gateway Endpoint

To create an endpoint, you must specify the VPC in which you want to create the endpoint, and the service to which you want to establish the connection.

To create a gateway endpoint using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints, Create Endpoint.

  3. For Service Name, choose the service to which to connect. To create a gateway endpoint to DynamoDB or Amazon S3, ensure that the Type column indicates Gateway.

  4. Complete the following information, and choose Create endpoint.

    • For VPC, select a VPC in which to create the endpoint.

    • For Configure route tables, select the route tables to be used by the endpoint. We automatically add a route that points traffic destined for the service to the endpoint to the selected route tables.

    • For Policy, choose the type of policy. You can leave the default option, Full Access, to allow full access to the service. Alternatively, you can select Custom, and then use the AWS Policy Generator to create a custom policy, or type your own policy in the policy window.

After you've created an endpoint, you can view information about it.

To view information about a gateway endpoint using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints and select your endpoint.

  3. To view information about the endpoint, choose Summary. You can get the prefix list name for the service in the Service box.

  4. To view information about the route tables that are used by the endpoint, choose Route Tables.

  5. To view the IAM policy that's attached to your endpoint, choose Policy.

    Note

    The Policy tab only displays the endpoint policy. It does not display any information about IAM policies for IAM users that have permission to work with endpoints. It also does not display service-specific policies; for example, S3 bucket policies.

To create and view an endpoint using the AWS CLI

  1. Use the describe-vpc-endpoint-services command to get a list of available services. In the output that's returned, take note of the name of the service to which you want to connect. The serviceType field indicates whether you connect to the service via an interface endpoint or a gateway endpoint.

    aws ec2 describe-vpc-endpoint-services
    { "serviceDetailSet": [ { "serviceType": [ { "serviceType": "Gateway" } ...
  2. To create a gateway endpoint (for example, to Amazon S3), use the create-vpc-endpoint command and specify the VPC ID, service name, and route tables that will use the endpoint. You can optionally use the --policy-document parameter to specify a custom policy to control access to the service. If the parameter is not used, we attach a default policy that allows full access to the service.

    aws ec2 create-vpc-endpoint --vpc-id vpc-1a2b3c4d --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-11aa22bb
  3. Describe your endpoint using the describe-vpc-endpoints command.

    aws ec2 describe-vpc-endpoints


Modifying Your Security Group

If the VPC security group associated with your instance restricts outbound traffic, you must add a rule to allow traffic destined for the AWS service to leave your instance.

To add an outbound rule for a gateway endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select your VPC security group, choose the Outbound Rules tab, and then choose Edit.

  4. Select the type of traffic from the Type list, and enter the port range, if required. For example, if you use your instance to retrieve objects from Amazon S3, choose HTTPS from the Type list.

  5. The Destination list displays the prefix list IDs and names for the available AWS services. Choose the prefix list ID for the AWS service, or type it in.

  6. Choose Save.

For more information about security groups, see Security Groups for Your VPC.


Modifying a Gateway Endpoint

You can modify a gateway endpoint by changing or removing its policy, and adding or removing the route tables that are used by the endpoint.

To change the policy associated with a gateway endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints and select your endpoint.

  3. Choose Actions, Edit policy.

  4. You can choose Full Access to allow full access. Alternatively, choose Custom, and then use the AWS Policy Generator to create a custom policy, or type your own policy in the policy window. When you're done, choose Save.

    Note

    It can take a few minutes for policy changes to take effect.

To add or remove route tables used by a gateway endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints and select your endpoint.

  3. Choose Actions, Manage route tables.

  4. Select or deselect the required route tables, and choose Save.

To modify a gateway endpoint using the AWS CLI

  1. Use the describe-vpc-endpoints command to get the ID of your gateway endpoint.

    aws ec2 describe-vpc-endpoints
  2. The following example uses the modify-vpc-endpoint command to associate route table rtb-aaa222bb with the gateway endpoint, and reset the policy document.

    aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-1a2b3c4d --add-route-table-ids rtb-aaa222bb --reset-policy
