{"id":48931,"date":"2025-04-01T07:50:06","date_gmt":"2025-04-01T07:50:06","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48931"},"modified":"2026-02-21T07:27:21","modified_gmt":"2026-02-21T07:27:21","slug":"aws-vpc-endpoints-a-comprehensive-guide","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/aws-vpc-endpoints-a-comprehensive-guide\/","title":{"rendered":"AWS VPC Endpoints: A Comprehensive Guide"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/image-1.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"384\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-1024x384.png\" alt=\"\" class=\"wp-image-48932\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-1024x384.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-300x112.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-768x288.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-1536x576.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/image-1-2048x768.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is an AWS VPC Endpoint?<\/h2>\n\n\n\n<p>An <strong>AWS VPC Endpoint<\/strong> enables you to <strong>privately connect<\/strong> your VPC to supported AWS services and VPC Endpoint services <strong>without using an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect<\/strong>. 
Endpoints are <strong>highly available, scalable<\/strong>, and eliminate the need for traffic to leave the AWS network.<\/p>\n\n\n\n<p>There are two types of VPC Endpoints:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Interface Endpoints<\/strong>: Powered by AWS PrivateLink, they use Elastic Network Interfaces (ENIs) with private IPs.<\/li>\n\n\n\n<li><strong>Gateway Endpoints<\/strong>: A gateway that is targeted for a specific route in your route table. Used only for S3 and DynamoDB.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Benefits of Using VPC Endpoints<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improved Security<\/strong>: No exposure to the public internet<\/li>\n\n\n\n<li><strong>Lower Latency &amp; Better Performance<\/strong>: Data doesn&#8217;t leave AWS&#8217;s internal backbone<\/li>\n\n\n\n<li><strong>Reduced Data Transfer Costs<\/strong>: Avoid NAT Gateway and Internet Gateway charges<\/li>\n\n\n\n<li><strong>Simplicity<\/strong>: No need for complex configurations<\/li>\n\n\n\n<li><strong>Compliance<\/strong>: Data flows within a private network, helping with compliance policies<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Supported AWS Services for VPC Endpoints<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Gateway Endpoints (only for):<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon S3<\/li>\n\n\n\n<li>Amazon DynamoDB<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Interface Endpoints (for many services, including):<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Amazon EC2<\/li>\n\n\n\n<li>Amazon ECS<\/li>\n\n\n\n<li>Amazon ECR<\/li>\n\n\n\n<li>Amazon SNS<\/li>\n\n\n\n<li>Amazon SQS<\/li>\n\n\n\n<li>AWS KMS<\/li>\n\n\n\n<li>AWS Secrets Manager<\/li>\n\n\n\n<li>AWS Systems Manager (SSM)<\/li>\n\n\n\n<li>Amazon CloudWatch<\/li>\n\n\n\n<li>AWS 
Lambda<\/li>\n\n\n\n<li>API Gateway<\/li>\n\n\n\n<li>Amazon EventBridge<\/li>\n\n\n\n<li>AWS CodeBuild<\/li>\n\n\n\n<li>AWS Glue<\/li>\n\n\n\n<li>AWS Transfer Family<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udd17 Full list: <a href=\"https:\/\/docs.aws.amazon.com\/vpc\/latest\/privatelink\/aws-services-that-support-privatelink.html\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.aws.amazon.com\/vpc\/latest\/privatelink\/aws-services-that-support-privatelink.html<\/a><\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Real-World Use Cases for AWS VPC Endpoints<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd1f Practical Scenarios:<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Private Access to S3 for App Logs<\/strong>: EC2 instances write logs to S3 without internet exposure.<\/li>\n\n\n\n<li><strong>Private API Gateway Integration<\/strong>: Access REST APIs over Interface Endpoints securely.<\/li>\n\n\n\n<li><strong>Secure DynamoDB Access from Lambda<\/strong>: Lambda functions in private subnets query DynamoDB.<\/li>\n\n\n\n<li><strong>Private CloudWatch Logs Upload<\/strong>: Apps stream logs to CloudWatch Logs privately.<\/li>\n\n\n\n<li><strong>Private ECR Image Pulls in CI\/CD Pipelines<\/strong>: ECS or EC2 fetch container images securely from ECR.<\/li>\n\n\n\n<li><strong>Access Secrets Manager Without NAT<\/strong>: Apps fetch secrets from Secrets Manager in a private subnet.<\/li>\n\n\n\n<li><strong>Private SSM Access for Patch Management<\/strong>: Use SSM Agent in private subnets without NAT.<\/li>\n\n\n\n<li><strong>Analytics Pipelines Writing to S3<\/strong>: Glue jobs access S3 via Gateway Endpoints.<\/li>\n\n\n\n<li><strong>Secure VPC-to-S3 Data Transfer in Data Lakes<\/strong>: Lake Formation uses Gateway Endpoints.<\/li>\n\n\n\n<li><strong>KMS Encryption from VPC 
Resources<\/strong>: Encrypt\/decrypt files using KMS via Interface Endpoint.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">High-Level Step-by-Step Guide to Create a VPC Endpoint<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 Gateway Endpoint (S3 or DynamoDB)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Go to the VPC Console<\/strong> \u2192 Endpoints \u2192 Create Endpoint<\/li>\n\n\n\n<li><strong>Select Endpoint Type<\/strong>: Gateway<\/li>\n\n\n\n<li><strong>Service Name<\/strong>: Choose &#8220;com.amazonaws.region.s3&#8221; or &#8220;com.amazonaws.region.dynamodb&#8221;<\/li>\n\n\n\n<li><strong>VPC<\/strong>: Select the VPC where the endpoint will be created<\/li>\n\n\n\n<li><strong>Configure Route Tables<\/strong>: Choose which route tables to associate<\/li>\n\n\n\n<li><strong>Policy<\/strong>: Choose Full Access or Custom Policy<\/li>\n\n\n\n<li><strong>Create Endpoint<\/strong><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 Interface Endpoint (for other services)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Go to the VPC Console<\/strong> \u2192 Endpoints \u2192 Create Endpoint<\/li>\n\n\n\n<li><strong>Select Endpoint Type<\/strong>: Interface<\/li>\n\n\n\n<li><strong>Service Name<\/strong>: Choose the AWS service to connect to (e.g., com.amazonaws.region.ssm)<\/li>\n\n\n\n<li><strong>VPC<\/strong>: Select the VPC<\/li>\n\n\n\n<li><strong>Subnets<\/strong>: Select one or more subnets in which to place the ENIs<\/li>\n\n\n\n<li><strong>Security Groups<\/strong>: Attach security groups to the ENIs<\/li>\n\n\n\n<li><strong>Policy<\/strong>: Choose an access policy<\/li>\n\n\n\n<li><strong>Enable Private DNS<\/strong> (optional): Let AWS resolve the service DNS name to the endpoint&#8217;s private IP<\/li>\n\n\n\n<li><strong>Create Endpoint<\/strong><\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Best Practices<\/h2>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Use <strong>Private DNS<\/strong> with Interface Endpoints where possible<\/li>\n\n\n\n<li>Attach <strong>least-privilege policies<\/strong> to restrict access<\/li>\n\n\n\n<li>Monitor endpoint usage with <strong>CloudTrail<\/strong> and <strong>VPC Flow Logs<\/strong><\/li>\n\n\n\n<li>Use <strong>interface endpoints<\/strong> for high-security zones<\/li>\n\n\n\n<li>Design subnets to include Interface Endpoints in required AZs<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>VPC Endpoints are an essential part of building secure, cost-effective, and highly available AWS architectures. They are particularly useful in environments that require <strong>no internet exposure<\/strong>, <strong>tight security controls<\/strong>, and <strong>high compliance standards<\/strong>.<\/p>\n\n\n\n<p>For complex architectures, combining VPC Endpoints with PrivateLink, Transit Gateway, and VPC Peering can help build a scalable and secure multi-account network.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-1 is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"745\" height=\"813\" data-id=\"48937\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-1.png\" alt=\"\" class=\"wp-image-48937\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-1.png 745w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-1-275x300.png 275w\" sizes=\"auto, (max-width: 745px) 100vw, 745px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"607\" data-id=\"48940\" 
src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-2.png\" alt=\"\" class=\"wp-image-48940\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-2.png 882w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-2-300x206.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-2-768x529.png 768w\" sizes=\"auto, (max-width: 882px) 100vw, 882px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-id=\"48939\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-3-1024x576.jpg\" alt=\"\" class=\"wp-image-48939\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-3-1024x576.jpg 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-3-300x169.jpg 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-3-768x432.jpg 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-3-355x199.jpg 355w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-3.jpg 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" data-id=\"48938\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-4-1024x576.jpg\" alt=\"\" class=\"wp-image-48938\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-4-1024x576.jpg 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-4-300x169.jpg 300w, 
https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-4-768x432.jpg 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-4-355x199.jpg 355w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-4.jpg 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"884\" height=\"780\" data-id=\"48941\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-5.png\" alt=\"\" class=\"wp-image-48941\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-5.png 884w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-5-300x265.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-5-768x678.png 768w\" sizes=\"auto, (max-width: 884px) 100vw, 884px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"576\" data-id=\"48942\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-7.png\" alt=\"\" class=\"wp-image-48942\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-7.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/04\/AWS-VPC-Endpoints-7-300x225.png 300w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n<\/figure>\n","protected":false},"excerpt":{"rendered":"<p>What is an AWS VPC Endpoint? An AWS VPC Endpoint enables you to privately connect your VPC to supported AWS services and VPC Endpoint services without using an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect. Endpoints are highly available, scalable, and eliminate the need for traffic to leave the AWS network. 
There&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48931","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48931","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48931"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48931\/revisions"}],"predecessor-version":[{"id":58938,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48931\/revisions\/58938"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}