Ref: https://learn.cantrill.io/courses/1820301/lectures/41301381 and https://learn.cantrill.io/courses/1820301/lectures/41301382

• Summary:
• Contents:

VPC Endpoints (VPCEs)

• 🔧 Allow private access to AWS services in the public zone
  • No need to provide additional infrastructure usually required to access public zone
• Two types:
  1. Gateway Endpoints (GWEs)
     • For S3 and DDB
  2. Interface Endpoints (IEs)
     • For other services (nowadays S3 also supported)
  • 💡 Both are very different in architecture!

VPC Gateway Endpoints (GWEs)

• 🔧 VPC gateway object that provides private access to S3 and DynamoDB (DDB)
  • 💡 S3 & DDB are public services… but GWEs allow you to access them privately
    • For now, those are the only 2 supported services for GWEs
  • A private resource can access S3/DDB without any other public-access infrastructure
• Created inside a VPC, per-service & per-region
  • ❗ GWEs are regional → NO access to cross-region services (e.g. DDB in a different region)
  • Associated with 1+ subnets in the VPC
  • 💡 Like IGWs (and unlike NATGWs), no need to worry about AZ placement
• Prefix List added to Route Table of associated subnets
  • GWE is the target of the prefix list → logical entity that represents S3/DDB
  • 💡 Conceptually, prefix list = list of IP addresses of S3/DDB, kept up to date by AWS
  • Any traffic destined for S3/DDB goes via GWE instead of IGW
  • ❗ No app reconfigurations/modifications required! App believes it's communicating directly with S3/DDB
• ‼️ GWEs do NOT go into particular subnets or AZs!
  • They're HA across all AZs in a region by default
• Endpoint policy → can be configured to control what will be accessed through that GWE
  • e.g. grant access only to a subset of S3 buckets instead of whole S3
• Two main use cases
  1. Allow resources access to S3/DDB while keeping private VPC security
  2. Support private S3 buckets = prevent leaky buckets
     • Make S3 bucket private-only by allowing access only from GWE (in bucket policy)
• ‼️ GWEs only accessible from inside the specific VPC they're created in!

Comparison: access to public services with and without GWE

Access S3 without GWE

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1800-ADVANCED_VPC_NETWORKING/00_LEARNINGAIDS/GatewayEndpoints-1.png