AWS VPC Endpoints Complete Guide

What are AWS VPC Endpoints?

AWS VPC Endpoints are virtual devices that enable private connectivity between your VPC and AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect. They provide a secure, scalable way to access AWS services from within your VPC while keeping traffic within the AWS network backbone.

VPC endpoints are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.

Types of VPC Endpoints

Gateway Endpoints

Route table-based endpoints for S3 and DynamoDB. Traffic is routed through your VPC route table to the service.

Interface Endpoints

ENI-based endpoints with private IP addresses for most AWS services. They are built on AWS PrivateLink.

Gateway Load Balancer Endpoints

Endpoints for third-party virtual appliances like firewalls, intrusion detection systems, and deep packet inspection systems.

Feature              | Gateway Endpoint                 | Interface Endpoint
---------------------|----------------------------------|------------------------------------------------
Supported Services   | S3, DynamoDB                     | Most AWS services (EC2, Lambda, SNS, SQS, etc.)
Implementation       | Route table entries              | Elastic Network Interface (ENI)
DNS Resolution       | Uses service's public DNS names  | Private DNS names available
Pricing              | No additional charges            | Hourly charges + data processing
Availability Zones   | Regional (all AZs)               | Specific AZs (recommended: multiple)

Key Benefits

🔒 Enhanced Security

Traffic never leaves the AWS network, reducing exposure to internet-based attacks and eliminating the need for internet gateways.

⚡ Improved Performance

Lower latency and higher throughput by keeping traffic within AWS's high-speed backbone network.

💰 Cost Optimization

Reduce NAT Gateway costs and data transfer charges by eliminating internet routing for AWS service communications.

🛡️ Compliance Ready

Meet regulatory requirements by ensuring data doesn't traverse the public internet.

Architecture Diagrams

Traditional Architecture (Without VPC Endpoints)

graph TB
    subgraph "Your VPC"
        EC2[EC2 Instance<br/>Private Subnet]
        NAT[NAT Gateway<br/>Public Subnet]
        IGW[Internet Gateway]
        EC2 --> NAT
        NAT --> IGW
    end
    IGW --> Internet[Internet]
    Internet --> S3[Amazon S3]
    Internet --> DDB[DynamoDB]
    Internet --> Lambda[AWS Lambda]
    style EC2 fill:#3498db,stroke:#2980b9,color:#fff
    style NAT fill:#e74c3c,stroke:#c0392b,color:#fff
    style IGW fill:#f39c12,stroke:#e67e22,color:#fff
    style S3 fill:#27ae60,stroke:#229954,color:#fff
    style DDB fill:#9b59b6,stroke:#8e44ad,color:#fff
    style Lambda fill:#e67e22,stroke:#d35400,color:#fff

Optimized Architecture (With VPC Endpoints)

graph TB
    subgraph "Your VPC"
        EC2[EC2 Instance<br/>Private Subnet]
        subgraph "VPC Endpoints"
            GW_EP[Gateway Endpoint<br/>S3 & DynamoDB]
            INT_EP[Interface Endpoint<br/>Lambda & Other Services]
        end
        EC2 --> GW_EP
        EC2 --> INT_EP
    end
    GW_EP -.->|Private Connection| S3[Amazon S3]
    GW_EP -.->|Private Connection| DDB[DynamoDB]
    INT_EP -.->|AWS PrivateLink| Lambda[AWS Lambda]
    INT_EP -.->|AWS PrivateLink| SNS[Amazon SNS]
    style EC2 fill:#3498db,stroke:#2980b9,color:#fff
    style GW_EP fill:#27ae60,stroke:#229954,color:#fff
    style INT_EP fill:#9b59b6,stroke:#8e44ad,color:#fff
    style S3 fill:#27ae60,stroke:#229954,color:#fff
    style DDB fill:#9b59b6,stroke:#8e44ad,color:#fff
    style Lambda fill:#e67e22,stroke:#d35400,color:#fff
    style SNS fill:#f39c12,stroke:#e67e22,color:#fff

Interface Endpoint Detailed Architecture

graph TB
    subgraph "Availability Zone A"
        EC2A[EC2 Instance]
        ENIA[ENI<br/>10.0.1.100]
        EC2A --> ENIA
    end
    subgraph "Availability Zone B"
        EC2B[EC2 Instance]
        ENIB[ENI<br/>10.0.2.100]
        EC2B --> ENIB
    end
    subgraph "VPC Endpoint"
        ENIA -.->|Private DNS| Service[AWS Service<br/>e.g., Lambda]
        ENIB -.->|Private DNS| Service
    end
    subgraph "Security & Policy"
        SG[Security Groups]
        EP[Endpoint Policy]
        Service --> SG
        Service --> EP
    end
    style EC2A fill:#3498db,stroke:#2980b9,color:#fff
    style EC2B fill:#3498db,stroke:#2980b9,color:#fff
    style ENIA fill:#9b59b6,stroke:#8e44ad,color:#fff
    style ENIB fill:#9b59b6,stroke:#8e44ad,color:#fff
    style Service fill:#e67e22,stroke:#d35400,color:#fff
    style SG fill:#e74c3c,stroke:#c0392b,color:#fff
    style EP fill:#f39c12,stroke:#e67e22,color:#fff

AWS CLI Configuration

Creating a Gateway Endpoint (S3)

aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --service-name com.amazonaws.us-east-1.s3 \
    --route-table-ids rtb-12345678 rtb-87654321 \
    --region us-east-1
Explanation: This command creates a gateway endpoint for Amazon S3. The endpoint is associated with the specified VPC and route tables. Traffic to S3 will be automatically routed through this endpoint instead of the internet gateway. The route table IDs should include all route tables for subnets that need to access S3 privately.

Creating an Interface Endpoint (Lambda)

aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.us-east-1.lambda \
    --subnet-ids subnet-12345678 subnet-87654321 \
    --security-group-ids sg-12345678 \
    --private-dns-enabled \
    --region us-east-1
Explanation: This creates an interface endpoint for AWS Lambda. The endpoint type defaults to Gateway, so --vpc-endpoint-type Interface must be given explicitly. Unlike gateway endpoints, interface endpoints are not attached to route tables; they require subnet IDs (preferably in multiple AZs for high availability) and security groups. The --private-dns-enabled flag allows you to use the service's regular DNS names, which will resolve to the endpoint's private IP addresses.

Creating a VPC Endpoint with Custom Policy

aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --service-name com.amazonaws.us-east-1.s3 \
    --route-table-ids rtb-12345678 \
    --policy-document file://s3-endpoint-policy.json \
    --region us-east-1
Explanation: This command creates a gateway endpoint with a custom IAM policy. The policy document controls which AWS principals can use the endpoint and what actions they can perform. This is crucial for implementing least-privilege access and compliance requirements.

Sample Endpoint Policy (s3-endpoint-policy.json)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-company-bucket",
        "arn:aws:s3:::my-company-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-12345678"
        }
      }
    }
  ]
}
Explanation: This policy restricts the endpoint to only allow specific S3 actions on a particular bucket, and only from resources within the specified VPC. The condition ensures that only resources in your VPC can use the endpoint, adding an extra layer of security.
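To see what the sample policy actually permits and refuses, here is an added, simplified policy evaluator written for this guide (not AWS or library code) that applies IAM's evaluation order to the same statement; it pins the VPC with the aws:SourceVpc global condition key, ignores Principal (in an endpoint policy that part is combined with the caller's own IAM permissions), and the request values are constructed.

```python
import fnmatch
import json

# Constructed copy of the guide's s3-endpoint-policy.json, with the VPC pinned
# through the aws:SourceVpc global condition key.
ENDPOINT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-company-bucket", "arn:aws:s3:::my-company-bucket/*"],
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-12345678"}}
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcard semantics for Action and Resource: '*' any run, '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the StringEquals operator is modelled; every listed key must match exactly.
    return all(context.get(key) in _as_list(expected)
               for key, expected in condition.get("StringEquals", {}).items())


def evaluate(policy, action, resource, context):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Requests for an unlisted action (s3:DeleteObject), another bucket, or another VPC all fall through to the implicit deny.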

Listing VPC Endpoints

aws ec2 describe-vpc-endpoints \
    --filters Name=vpc-id,Values=vpc-12345678 \
    --region us-east-1
Explanation: This command lists all VPC endpoints in a specific VPC. It's useful for auditing your endpoint configuration and getting endpoint IDs for further operations. You can add additional filters to narrow down results by service name, state, or other attributes.
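The describe-vpc-endpoints output is also the natural input for an automated check of the best practices later in this guide. The following added example (written for this guide, not AWS code) audits a constructed response of that shape for full-access endpoint policies, single-AZ interface endpoints, private DNS left disabled, and gateway endpoints with no route tables; the endpoint ids, subnets and policy documents are constructed. Because an interface endpoint can use at most one subnet per AZ, the subnet count is taken as the AZ count.

```python
import json

def _as_list(value): return value if isinstance(value, list) else [value]

# Constructed sample shaped like the JSON that `aws ec2 describe-vpc-endpoints`
# returns; PolicyDocument is a JSON string, as in the real response.
FULL_ACCESS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["lambda:InvokeFunction"],
     "Resource": ["arn:aws:lambda:us-east-1:123456789012:function:orders-*"]}]})
SAMPLE_RESPONSE = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-12345678"],
     "SubnetIds": [], "PrivateDnsEnabled": False, "PolicyDocument": FULL_ACCESS},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.lambda", "RouteTableIds": [],
     "SubnetIds": ["subnet-12345678"], "PrivateDnsEnabled": False, "PolicyDocument": SCOPED},
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.ec2", "RouteTableIds": [],
     "SubnetIds": ["subnet-1a111111", "subnet-1b222222"], "PrivateDnsEnabled": True,
     "PolicyDocument": SCOPED},
]}

def _is_full_access(policy_json):
    # The default endpoint policy allows every principal every action on every resource.
    for stmt in json.loads(policy_json).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False

def audit_endpoints(response):
    """Map each non-compliant endpoint id to the best practices it misses."""
    findings = {}
    for ep in response["VpcEndpoints"]:
        issues = []
        if _is_full_access(ep.get("PolicyDocument", "{}")):
            issues.append("full-access endpoint policy")
        if ep["VpcEndpointType"] == "Interface":
            if len(ep.get("SubnetIds", [])) < 2:
                issues.append("single-AZ interface endpoint")
            if not ep.get("PrivateDnsEnabled", False):
                issues.append("private DNS disabled")
        elif ep["VpcEndpointType"] == "Gateway" and not ep.get("RouteTableIds"):
            issues.append("gateway endpoint with no route tables")
        if issues:
            findings[ep["VpcEndpointId"]] = issues
    return findings
```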

Modifying VPC Endpoint Policy

aws ec2 modify-vpc-endpoint \
    --vpc-endpoint-id vpce-12345678 \
    --policy-document file://updated-s3-endpoint-policy.json \
    --region us-east-1
Explanation: This command updates the IAM policy attached to an existing VPC endpoint. This is useful when you need to modify access permissions without recreating the entire endpoint. Changes take effect immediately.

Adding Route Tables to Gateway Endpoint

aws ec2 modify-vpc-endpoint \
    --vpc-endpoint-id vpce-12345678 \
    --add-route-table-ids rtb-11111111 rtb-22222222 \
    --region us-east-1
Explanation: This command adds additional route tables to an existing gateway endpoint. This is useful when you create new subnets or want to extend endpoint access to additional parts of your VPC. The endpoint routes will be automatically added to these route tables.

Removing Route Tables from Gateway Endpoint

aws ec2 modify-vpc-endpoint \
    --vpc-endpoint-id vpce-12345678 \
    --remove-route-table-ids rtb-11111111 \
    --region us-east-1
Explanation: This removes route tables from a gateway endpoint, effectively disabling private access to the AWS service from subnets associated with those route tables. Traffic from those subnets will revert to using internet routing if available.

Deleting a VPC Endpoint

aws ec2 delete-vpc-endpoints \
    --vpc-endpoint-ids vpce-12345678 \
    --region us-east-1
Explanation: This permanently deletes a VPC endpoint. For gateway endpoints, routes to the AWS service are removed from associated route tables. For interface endpoints, the ENIs are deleted. Ensure this won't disrupt your application's connectivity before deletion.

Creating Interface Endpoint with Multiple AZs

aws ec2 create-vpc-endpoint \
    --vpc-id vpc-12345678 \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.us-east-1.ec2 \
    --subnet-ids subnet-1a111111 subnet-1b222222 subnet-1c333333 \
    --security-group-ids sg-12345678 \
    --private-dns-enabled \
    --region us-east-1
Explanation: This creates an interface endpoint for EC2 API across three availability zones for high availability. Having ENIs in multiple AZs ensures that if one AZ becomes unavailable, your applications can still access the AWS service through the endpoint in another AZ.

Monitoring and Troubleshooting

CloudWatch Metrics for VPC Endpoints

aws cloudwatch get-metric-statistics \
    --namespace AWS/PrivateLinkEndpoints \
    --metric-name PacketsDropped \
    --dimensions "Name=VPC Endpoint Id,Value=vpce-12345678" \
    --start-time 2025-07-01T00:00:00Z \
    --end-time 2025-07-01T23:59:59Z \
    --period 3600 \
    --statistics Sum \
    --region us-east-1
Explanation: This command retrieves the PacketsDropped metric that interface endpoints publish to the AWS/PrivateLinkEndpoints namespace, which can help identify connectivity issues with a specific VPC endpoint. Monitor these metrics to ensure your endpoints are functioning correctly and not dropping traffic due to security group or routing misconfigurations.

VPC Flow Logs Analysis

aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-12345678 \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name VPCFlowLogs \
    --deliver-logs-permission-arn arn:aws:iam::123456789012:role/flowlogsRole
Explanation: This enables VPC Flow Logs to capture information about IP traffic going to and from network interfaces in your VPC. This is crucial for troubleshooting VPC endpoint connectivity issues and verifying that traffic is indeed flowing through your endpoints rather than the internet.

Best Practices

🔄 High Availability

Deploy interface endpoints across multiple Availability Zones to ensure resilience against AZ failures.

🔐 Security Groups

Configure restrictive security groups for interface endpoints, allowing only necessary ports and protocols.

📋 Endpoint Policies

Use endpoint policies to implement fine-grained access control and adhere to principle of least privilege.

📊 Monitoring

Enable VPC Flow Logs and CloudWatch monitoring to track endpoint usage and troubleshoot issues.

💡 DNS Configuration

Enable private DNS for interface endpoints to use familiar service DNS names without code changes.

🏷️ Tagging Strategy

Implement consistent tagging for endpoints to enable cost tracking, automation, and resource management.

Key Security Considerations

Network ACLs: Ensure subnet Network ACLs allow traffic to/from VPC endpoint IP ranges.

Route Table Priority: VPC endpoint routes take precedence over internet gateway routes for AWS services.

Cross-Account Access: Use resource-based policies and endpoint policies together for secure cross-account scenarios.

Private DNS: Verify that your VPC has DNS resolution and DNS hostnames enabled for private DNS to work.

🚀 Ready to Implement VPC Endpoints?

Start with gateway endpoints for S3 and DynamoDB for immediate cost savings, then gradually implement interface endpoints for other services based on your security and compliance requirements.