{"id":48931,"date":"2025-04-01T07:50:06","date_gmt":"2025-04-01T07:50:06","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48931"},"modified":"2026-02-21T07:27:21","modified_gmt":"2026-02-21T07:27:21","slug":"aws-vpc-endpoints-a-comprehensive-guide","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/aws-vpc-endpoints-a-comprehensive-guide\/","title":{"rendered":"AWS VPC Endpoints: A Comprehensive Guide"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What is an AWS VPC Endpoint?<\/h2>\n\n\n\n<p>An <strong>AWS VPC Endpoint<\/strong> enables you to <strong>privately connect<\/strong> your VPC to supported AWS services and VPC Endpoint services <strong>without using an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect<\/strong>. 
Endpoints are <strong>highly available, scalable<\/strong>, and eliminate the need for traffic to leave the AWS network.<\/p>\n\n\n\n<p>There are two types of VPC Endpoints:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Interface Endpoints<\/strong>: Powered by AWS PrivateLink, they use Elastic Network Interfaces (ENIs) with private IPs.<\/li>\n\n\n\n<li><strong>Gateway Endpoints<\/strong>: A gateway that you specify as the target for a route in your route table. Used only for S3 and DynamoDB.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Benefits of Using VPC Endpoints<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improved Security<\/strong>: No exposure to the public internet<\/li>\n\n\n\n<li><strong>Lower Latency &amp; Better Performance<\/strong>: Data doesn&#8217;t leave AWS&#8217;s internal backbone<\/li>\n\n\n\n<li><strong>Reduced Data Transfer Costs<\/strong>: Avoid NAT Gateway and Internet Gateway charges<\/li>\n\n\n\n<li><strong>Simplicity<\/strong>: No need for complex configurations<\/li>\n\n\n\n<li><strong>Compliance<\/strong>: Data flows within a private network, helping with compliance policies<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Supported AWS Services for VPC Endpoints<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Gateway Endpoints (only for):<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon S3<\/li>\n\n\n\n<li>Amazon DynamoDB<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Interface Endpoints (for many services, including):<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon EC2<\/li>\n\n\n\n<li>Amazon ECS<\/li>\n\n\n\n<li>Amazon ECR<\/li>\n\n\n\n<li>Amazon SNS<\/li>\n\n\n\n<li>Amazon SQS<\/li>\n\n\n\n<li>AWS KMS<\/li>\n\n\n\n<li>AWS Secrets Manager<\/li>\n\n\n\n<li>AWS Systems Manager (SSM)<\/li>\n\n\n\n<li>Amazon CloudWatch<\/li>\n\n\n\n<li>AWS 
Lambda<\/li>\n\n\n\n<li>API Gateway<\/li>\n\n\n\n<li>Amazon EventBridge<\/li>\n\n\n\n<li>AWS CodeBuild<\/li>\n\n\n\n<li>AWS Glue<\/li>\n\n\n\n<li>AWS Transfer Family<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udd17 Full list: <a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/privatelink\/aws-services-that-support-privatelink.html\">https:\/\/docs.aws.amazon.com\/vpc\/latest\/privatelink\/aws-services-that-support-privatelink.html<\/a><\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Real-World Use Cases for AWS VPC Endpoints<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd1f Practical Scenarios:<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Private Access to S3 for App Logs<\/strong>: EC2 instances write logs to S3 without internet exposure.<\/li>\n\n\n\n<li><strong>Private API Gateway Integration<\/strong>: Access REST APIs over Interface Endpoints securely.<\/li>\n\n\n\n<li><strong>Secure DynamoDB Access from Lambda<\/strong>: Lambda functions in private subnets query DynamoDB.<\/li>\n\n\n\n<li><strong>Private CloudWatch Logs Upload<\/strong>: Apps stream logs to CloudWatch Logs privately.<\/li>\n\n\n\n<li><strong>Private ECR Image Pulls in CI\/CD Pipelines<\/strong>: ECS or EC2 fetch container images securely from ECR.<\/li>\n\n\n\n<li><strong>Access Secrets Manager Without NAT<\/strong>: Apps fetch secrets from Secrets Manager in a private subnet.<\/li>\n\n\n\n<li><strong>Private SSM Access for Patch Management<\/strong>: Use SSM Agent in private subnets without NAT.<\/li>\n\n\n\n<li><strong>Analytics Pipelines Writing to S3<\/strong>: Glue jobs access S3 via Gateway Endpoints.<\/li>\n\n\n\n<li><strong>Secure VPC-to-S3 Data Transfer in Data Lakes<\/strong>: Lake Formation uses Gateway Endpoints.<\/li>\n\n\n\n<li><strong>KMS Encryption from VPC Resources<\/strong>: Encrypt\/decrypt files using KMS 
via Interface Endpoint.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">High-Level Step-by-Step Guide to Create a VPC Endpoint<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 Gateway Endpoint (S3 or DynamoDB)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Go to the VPC Console<\/strong> \u2192 Endpoints \u2192 Create Endpoint<\/li>\n\n\n\n<li><strong>Select Endpoint Type<\/strong>: Gateway<\/li>\n\n\n\n<li><strong>Service Name<\/strong>: Choose &#8220;com.amazonaws..s3&#8221; or &#8220;dynamodb&#8221;<\/li>\n\n\n\n<li><strong>VPC<\/strong>: Select the VPC where the endpoint will be created<\/li>\n\n\n\n<li><strong>Configure Route Tables<\/strong>: Choose which route tables to associate<\/li>\n\n\n\n<li><strong>Policy<\/strong>: Choose Full Access or Custom Policy<\/li>\n\n\n\n<li><strong>Create Endpoint<\/strong><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 Interface Endpoint (for other services)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Go to the VPC Console<\/strong> \u2192 Endpoints \u2192 Create Endpoint<\/li>\n\n\n\n<li><strong>Select Endpoint Type<\/strong>: Interface<\/li>\n\n\n\n<li><strong>Service Name<\/strong>: Choose the AWS service to connect to (e.g., com.amazonaws.region.ssm)<\/li>\n\n\n\n<li><strong>VPC<\/strong>: Select the VPC<\/li>\n\n\n\n<li><strong>Subnets<\/strong>: Select one or more subnets in which to place the ENIs<\/li>\n\n\n\n<li><strong>Security Groups<\/strong>: Attach security groups to the ENIs<\/li>\n\n\n\n<li><strong>Policy<\/strong>: Choose an access policy<\/li>\n\n\n\n<li><strong>Enable Private DNS<\/strong> (optional): Let AWS resolve the service&#8217;s DNS name to the endpoint&#8217;s private IP<\/li>\n\n\n\n<li><strong>Create Endpoint<\/strong><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Best Practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Private DNS<\/strong> with 
Interface Endpoints where possible<\/li>\n\n\n\n<li>Attach <strong>least-privilege policies<\/strong> to restrict access<\/li>\n\n\n\n<li>Monitor endpoint usage with <strong>CloudTrail<\/strong> and <strong>VPC Flow Logs<\/strong><\/li>\n\n\n\n<li>Use <strong>interface endpoints<\/strong> for high-security zones<\/li>\n\n\n\n<li>Design subnets to include Interface Endpoints in required AZs<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>VPC Endpoints are an essential part of building secure, cost-effective, and highly available AWS architectures. They are particularly useful in environments that require <strong>no internet exposure<\/strong>, <strong>tight security controls<\/strong>, and <strong>high compliance standards<\/strong>.<\/p>\n\n\n\n<p>For complex architectures, combining VPC Endpoints with PrivateLink, Transit Gateway, and VPC Peering can help build a scalable and secure multi-account network.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is an AWS VPC Endpoint? 
An AWS VPC Endpoint enables you to privately connect your VPC to supported AWS services and VPC Endpoint services without using&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48931","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48931"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48931\/revisions"}],"predecessor-version":[{"id":58938,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48931\/revisions\/58938"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}