AWS VPC Endpoints: Introduction

Sandeep Harikumar
Tensult Blogs
May 28, 2018 (3 min read)

A VPC endpoint enables you to connect to AWS services that sit outside your VPC over a private link. VPC endpoints use AWS PrivateLink in the backend, so you can reach AWS services without using public IPs, and the traffic never leaves the Amazon network. AWS PrivateLink is a highly available, redundant and scalable technology. To learn more about PrivateLink, please see the AWS documentation here.

There are two types of VPC endpoints:

Interface Endpoints:

Interface endpoints are Elastic Network Interfaces (ENIs) with private IP addresses. The ENI acts as the entry point for traffic destined for a particular service. Services such as Amazon CloudWatch Logs, Amazon SNS, etc. are supported. The set of supported services can vary by region; for more information see the AWS documentation here.

[Figure: Creation of an SNS Interface Endpoint]

Gateway Endpoints:

A gateway endpoint is a gateway that you specify as the target of a specific route in the route table. It can be used to route traffic to a destined AWS service. As of now, Amazon S3 and DynamoDB are the only services supported by gateway endpoints.

[Figure: Creation of a Gateway Endpoint]

When a gateway endpoint is created to access a service, a route is automatically added to the selected route tables with a destination that is the prefix list ID of the service (pl-xxxxxxxx) and a target that is the endpoint ID (vpce-xxxxxxxx).

[Figure: Configuration of Route Tables]

Example: when you already have an existing route to the internet, traffic to AWS services uses that same internet gateway. When you create an endpoint, a route is added to the route tables whose destination is the prefix list of the service for which the endpoint was created. From then on, all traffic destined for that service goes through the endpoint, whereas the rest of the internet traffic, and traffic to other AWS services, still uses the internet gateway.
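The following is an added illustration, not code from the original post or from AWS: it simulates the route selection described above (longest-prefix match, with the service prefix list expanded into its CIDRs) and includes a check a defender can use to confirm that service traffic no longer resolves to the internet gateway. The CIDRs and the igw ID are constructed placeholders; pl-xxxxxxxx and vpce-xxxxxxxx are the placeholder IDs used in the text.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: a service prefix list expands to a set of CIDRs.
# The ranges are documentation-only addresses, not real AWS S3 ranges.
PREFIX_LISTS: Dict[str, List[str]] = {
    "pl-xxxxxxxx": ["203.0.113.0/24", "198.51.100.0/24"],
}

Route = Tuple[str, str]  # (destination, target)


def expand_routes(route_table: List[Route]):
    """Turn prefix-list destinations into concrete networks."""
    expanded = []
    for dest, target in route_table:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), target))
    return expanded


def resolve_target(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Pick the target of the most specific matching route, as a VPC does."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(route_table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def service_traffic_uses_igw(route_table: List[Route], prefix_list_id: str) -> bool:
    """Defender check: does any address in the service prefix list still
    resolve to an internet gateway (i.e. leave via the public path)?"""
    for cidr in PREFIX_LISTS[prefix_list_id]:
        first_host = str(ipaddress.ip_network(cidr)[1])
        target = resolve_target(route_table, first_host)
        if target is not None and target.startswith("igw-"):
            return True
    return False


# Constructed route tables: before and after creating the gateway endpoint.
BEFORE: List[Route] = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-placeholder")]
AFTER: List[Route] = BEFORE + [("pl-xxxxxxxx", "vpce-xxxxxxxx")]
```

Running `service_traffic_uses_igw(BEFORE, "pl-xxxxxxxx")` returns True and the same call on `AFTER` returns False, while non-service traffic resolves to the internet gateway in both tables.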

IAM and VPC Endpoints

IAM (Identity and Access Management) users do not have permission to use VPC endpoints by default. You have to create an IAM policy that grants users permission to access, modify or delete endpoints. For gateway endpoints, the policy can be created along with the VPC itself through the VPC wizard.

Limitations of VPC Endpoints

Below are some of the limitations of VPC Endpoints:

  1. Interface endpoints currently do not support endpoint policies; services are allowed with full access.
  2. Interface endpoints currently support only TCP traffic.
  3. Endpoints cannot be tagged the way EC2 instances can.
  4. Endpoints are supported only within the same region. You cannot use an endpoint to connect a service in one region to a VPC in a different region.
  5. Endpoints currently support only IPv4 traffic.
  6. Once created, an endpoint cannot be transferred from one VPC to another or to a different service.

VPC endpoints are very useful, especially when you want to connect to an AWS service from within your VPC. Since these endpoints are virtual devices, they are easy to manage.

This Blog has moved from Medium to blogs.tensult.com. All the latest content will be available there. Subscribe to our newsletter to stay updated.
