VPC Gateway Endpoints
VPC endpoints let you connect your VPC privately to supported AWS services without requiring an internet gateway, NAT gateway, VPN gateway, or AWS Direct Connect connection.
- They are needed when an instance in a private subnet must reach public AWS service APIs (the Amazon EC2 API, Amazon Redshift, and so on) without a route to the internet. Note that the EC2 and Redshift APIs are reached through interface endpoints; gateway endpoints, described below, serve only Amazon S3 and DynamoDB.
- With a VPC endpoint, traffic between your VPC and the AWS service stays on the Amazon network and never traverses the public internet.
- A VPC endpoint gives granular control over what can be reached through it: each endpoint supports an endpoint policy, an IAM resource policy attached to the endpoint when it is created or later modified. The default policy allows full access to the service; a tighter policy limits which principals, actions, and resources (for example, a single S3 bucket) traffic through the endpoint can reach.
- An endpoint policy does not replace IAM identity policies or the service's own resource policies (such as an S3 bucket policy); a request must be allowed by all of them.
There are two types of VPC endpoint that can be used to reach services privately.
- Gateway VPC Endpoint
- Interface VPC Endpoint
Gateway VPC Endpoint
A gateway endpoint creates a private connection between your VPC and an AWS service without requiring an internet gateway, NAT gateway, VPN connection, or AWS Direct Connect.
- When you create a gateway endpoint, it appears in your route table as the target for traffic destined to the service.
- Gateway endpoints are available only for Amazon S3 and Amazon DynamoDB; every other service is reached through an interface endpoint.
Amazon S3 Endpoint:
An S3 gateway endpoint lets instances in your VPC reach Amazon S3 privately.
- When the S3 endpoint is created, an AWS-managed prefix list and a VPC endpoint are created in your VPC. The prefix list contains the public IP ranges Amazon S3 uses in that region, appears with an ID of the form pl-xxxxxxxx, and can be referenced both as a destination in subnet route tables and in security group outbound rules, so you can allow egress to S3 without allowing egress to the whole internet. Because the list covers only the endpoint's own region, access to buckets in other regions does not use the endpoint.
- The endpoint itself has an ID of the form vpce-xxxxxxxx and appears in your route tables as the target for the prefix-list destination.
- This route (prefix-list destination, endpoint target) is added to the route tables you selected when creating the S3 endpoint, so only subnets associated with those route tables use the endpoint; other subnets still reach S3 through their internet gateway or NAT gateway, if they have one.
The figure below shows a private subnet reaching S3 through an S3 gateway endpoint, with the corresponding route table entry.
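The following is an added example (not code from the original page) that ties together the endpoint policy described earlier and the S3 gateway endpoint setup above. It builds a restrictive endpoint policy for one bucket, the matching bucket policy that refuses requests not arriving through the endpoint (the `aws:SourceVpce` condition key), a minimal evaluator to check what the endpoint policy permits, and the `aws ec2 create-vpc-endpoint` argument list that attaches the policy and adds the prefix-list route to the chosen route tables. The bucket name, endpoint ID, VPC ID, route table IDs, and region are placeholders I made up; the CLI flags and condition key are the real ones.

```python
"""Endpoint policy, matching bucket policy and creation command for an
S3 gateway endpoint. Added example, not code from the original page.
All identifiers below (bucket, endpoint, VPC, route table IDs) are made up."""
import fnmatch
import json

BUCKET = "example-app-artifacts"      # assumed bucket name
VPCE_ID = "vpce-0123456789abcdef0"    # assumed endpoint ID (vpce-xxxxxxxx form)


def endpoint_policy(bucket: str) -> dict:
    """IAM resource policy attached to the endpoint itself.

    The default endpoint policy grants "*" on "*". This one lets traffic through
    the endpoint reach only one bucket, so a compromised instance in the private
    subnet cannot push data to an attacker-controlled bucket over the same route.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyOurBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket-side policy: deny any request that did not arrive via the endpoint.

    aws:SourceVpce is a global condition key set on requests that come through a
    VPC endpoint; enforcing it here locks the bucket to the private path even if
    a principal's IAM credentials leak and are used from the internet.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') against one pattern or a list."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def endpoint_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluation of an endpoint policy for a given action/resource:
    an explicit Deny wins, otherwise some Allow must match, else denied.
    Condition keys are not evaluated (the endpoint policy above uses none)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def create_endpoint_command(vpc_id: str, region: str, route_table_ids: list,
                            policy_file: str = "endpoint-policy.json") -> list:
    """argv for the AWS CLI call that creates the S3 gateway endpoint and adds
    the prefix-list route to the listed route tables. The flags are the real
    ones for `aws ec2 create-vpc-endpoint`; the IDs passed in are placeholders."""
    return ["aws", "ec2", "create-vpc-endpoint",
            "--vpc-endpoint-type", "Gateway",
            "--vpc-id", vpc_id,
            "--service-name", f"com.amazonaws.{region}.s3",
            "--route-table-ids", *route_table_ids,
            "--policy-document", f"file://{policy_file}"]


if __name__ == "__main__":
    print(json.dumps(endpoint_policy(BUCKET), indent=2))
    print(json.dumps(bucket_policy(BUCKET, VPCE_ID), indent=2))
    print(" ".join(create_endpoint_command("vpc-0a1b2c3d", "us-east-1",
                                           ["rtb-0private1", "rtb-0private2"])))
    # Same-bucket reads pass the endpoint policy; another bucket does not.
    print(endpoint_allows(endpoint_policy(BUCKET), "s3:GetObject",
                          f"arn:aws:s3:::{BUCKET}/build/app.tar"))   # True
    print(endpoint_allows(endpoint_policy(BUCKET), "s3:GetObject",
                          "arn:aws:s3:::attacker-bucket/loot"))      # False
```

Write the endpoint policy JSON to the file named in `--policy-document` before running the printed command, and apply the bucket policy with `aws s3api put-bucket-policy`. Be careful with the bucket policy: a blanket Deny with `StringNotEquals` on `aws:SourceVpce` also blocks the console, CI pipelines, and administrators who are not inside the VPC, so narrow its `Principal` or add an explicit exception for an admin role before applying it. The two policies are complementary: the endpoint policy limits what leaves the VPC through the endpoint, and the bucket policy limits which path may reach the bucket.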