WKLD.12 – Use VPC endpoints to access supported services
In VPCs, resources that need to access AWS or other external services require either a route to the internet (0.0.0.0/0) or to the public IP address of the target service. Use VPC endpoints to enable a private IP route from your VPC to supported AWS or other services, preventing the need to use an internet gateway, NAT device, virtual private network (VPN) connection, or AWS Direct Connect connection.
VPC endpoints support attaching policies and security groups to further control access to a service. For example, you can write a VPC endpoint policy for Amazon DynamoDB to allow only item-level actions and prevent table-level actions for all resources in the VPC, regardless of their own permission policy. You can also write an S3 bucket policy to allow only requests originating from a specific VPC endpoint, denying all other external access. A VPC endpoint can also have a security group rule that, for example, restricts access to only EC2 instances that are associated to an application-specific security group, such as the business-logic tier of a web application.
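The two policy patterns just described, as an added example that is not part of this guidance or of any AWS-published sample: a bucket policy that denies every request not arriving through one VPC endpoint, and a DynamoDB gateway endpoint policy that lists item-level actions only. The bucket name, endpoint ID and the choice of which actions count as item-level are constructed for the example; the small evaluator covers only the condition these two policies use.

```python
import fnmatch

# Constructed selection of DynamoDB data-plane (item-level) actions; table-level
# actions such as CreateTable or DeleteTable are deliberately absent.
ITEM_LEVEL_ACTIONS = [
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem",
]

def s3_bucket_policy_for_vpce(bucket: str, vpce_id: str) -> dict:
    """Bucket policy: explicit Deny for any request whose aws:SourceVpce is not vpce_id."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AccessOnlyFromVpce",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [arn, f"{arn}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
    }]}

def dynamodb_item_level_endpoint_policy() -> dict:
    """Gateway endpoint policy: only item-level actions are allowed; anything else is implicitly denied."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ITEM_LEVEL_ACTIONS, "Resource": "*",
    }]}

def evaluate(policy: dict, action: str, source_vpce: str = "") -> str:
    """Minimal evaluator for the two patterns above.

    Returns "Deny" (explicit), "Allow", or "ImplicitDeny" (no statement matched;
    for the S3 policy this means the identity policy decides). As in IAM,
    StringNotEquals matches when the key is absent, so a request with no
    aws:SourceVpce (e.g. from the internet) is denied by the bucket policy.
    """
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if cond and source_vpce == cond["aws:SourceVpce"]:
            continue  # condition not met: this statement does not apply
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        outcome = "Allow"
    return outcome
```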
There are different kinds of VPC endpoints. You access most services by using a VPC interface endpoint. DynamoDB is accessed using a gateway endpoint. Amazon S3 supports both interface and gateway endpoints. Gateway endpoints are recommended for workloads contained within a single AWS account and Region, and come at no additional charge. Interface endpoints are recommended if more extensible access is required, such as to an S3 bucket from other VPCs, from on-premises networks, or from different AWS Regions. Interface endpoints incur an hourly uptime charge and a per-GB data-processing charge, both of which are lower than the respective charges for sending the data to 0.0.0.0/0 through AWS NAT Gateway.
See the following resources for additional information about using VPC endpoints:
- For more information about selecting between gateway and interface endpoints for Amazon S3, see Choosing Your VPC Endpoint Strategy for Amazon S3 (AWS blog post).
- Create an interface endpoint (Amazon VPC documentation).
- Create a gateway endpoint (Amazon VPC documentation).
- For example S3 bucket policies that restrict access to a specific VPC or VPC endpoint, see Restricting access to a specific VPC (Amazon S3 documentation).
- For example DynamoDB endpoint policies that restrict actions, see Endpoint policies for DynamoDB (Amazon VPC documentation).