Amazon Virtual Private Cloud
User Guide

VPC Endpoints

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.

Gateway Endpoints

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported:

  • Amazon S3

  • DynamoDB

Controlling the Use of VPC Endpoints

By default, IAM users do not have permission to work with endpoints. You can create an IAM user policy that grants users the permissions to create, modify, describe, and delete endpoints. We currently do not support resource-level permissions for any of the ec2:*VpcEndpoint* API actions, or for the ec2:DescribePrefixLists action. You cannot create an IAM policy that grants users the permissions to use a specific endpoint or prefix list. The following is an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*VpcEndpoint*",
            "Resource": "*"
        }
    ]
}

For information about controlling access to services using VPC endpoints, see Controlling Access to Services with VPC Endpoints.
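As an added example (not part of the AWS documentation), the following Python checks which endpoint-related EC2 actions an IAM policy actually grants, using the page's example policy as sample input. The individual action names are real EC2 API actions chosen here for illustration (the page refers to them collectively as ec2:*VpcEndpoint*), and the finding strings are this example's own convention for flagging a Resource scope these actions do not support.

```python
import fnmatch
import json

# Real EC2 API action names; the selection is this example's own
# (the page refers to them collectively as ec2:*VpcEndpoint*).
ENDPOINT_ACTIONS = [
    "ec2:CreateVpcEndpoint",
    "ec2:ModifyVpcEndpoint",
    "ec2:DescribeVpcEndpoints",
    "ec2:DeleteVpcEndpoints",
    "ec2:DescribePrefixLists",
]

# The policy from the page, used as sample input.
PAGE_POLICY = ('{ "Version": "2012-10-17", "Statement":[{ "Effect":"Allow",'
               ' "Action":"ec2:*VpcEndpoint*", "Resource":"*" } ] }')


def _as_list(value):
    """IAM accepts a single string/object or a list for these fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(pattern, action):
    # IAM action patterns are case-insensitive globs with '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_endpoint_actions(policy_json):
    """Map each endpoint action the policy allows to a finding: "ok" when
    Resource is "*" (the only scoping these actions support), otherwise
    "resource-scoped: not supported". Explicit Deny wins, as in IAM."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    allowed, denied = {}, set()
    for stmt in statements:
        patterns = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in ENDPOINT_ACTIONS:
            if not any(_action_matches(p, action) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                denied.add(action)
            elif "*" in resources:
                allowed[action] = "ok"
            else:
                allowed.setdefault(action, "resource-scoped: not supported")
    return {a: f for a, f in allowed.items() if a not in denied}
```

Running it against the page's policy reports the four ec2:*VpcEndpoint* actions as granted and leaves ec2:DescribePrefixLists out, since the wildcard does not cover it.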