VPC Interface Endpoint vs. Gateway Endpoint in AWS


What is a VPC Endpoint?

With a VPC endpoint, you can establish a private connection to specific AWS services and VPC endpoint services through AWS PrivateLink. It eliminates the need for public IP addresses for communication between these services and your Amazon VPC instances. Furthermore, a secure connection is maintained since no information leaves the Amazon network while traveling between your Amazon VPC and the service.

VPC endpoints are virtual devices that enable communication between instances in an Amazon VPC and supported services. They add no availability risk or bandwidth constraint to that traffic: they scale horizontally and are redundant and highly available within the Amazon VPC.

In this blog, we will discuss the two types of VPC endpoints.

  1. Interface Endpoint – a group of elastic network interfaces (ENIs) created by the VPC in the subnets you specify. Each ENI is assigned a private IP address and serves as the entry point for traffic directed to a supported service. Although these ENIs are visible in your account, they are managed by Amazon VPC, so you do not have direct control over them. Interface endpoints incur an hourly cost, along with additional charges for data processing.

  2. Gateway Endpoint – functions similarly to an Internet Gateway but is specifically designed to route traffic within an Amazon VPC to a predefined prefix list. This prefix list contains the IP ranges used by Amazon DynamoDB or Amazon S3. To enable this connectivity, you simply add a route in your VPC's route table that directs traffic for the Amazon S3 or DynamoDB prefix list to the Gateway Endpoint. Unlike an Interface Endpoint, a Gateway Endpoint does not use AWS PrivateLink, and there are no additional charges for its use.
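The two descriptions above differ mainly in what each endpoint is attached to and in what you are expected to lock down. The following example is added here and is not code from the original post or from AWS; it builds the create_vpc_endpoint parameters for one endpoint of each type with boto3, attaches a restrictive endpoint policy to the S3 gateway endpoint (the default policy allows any principal to reach any bucket through it), and gives the interface endpoint a security group that only admits HTTPS from inside the VPC. The region is an assumption, and every resource id, bucket name and account id is a constructed placeholder.

```python
"""Added example, not code from the original post. Creates the two endpoint
types with boto3 and shows what each one is associated with (route tables
for the gateway endpoint, subnets plus a security group for the interface
endpoint). Resource ids, the bucket name and the account id are constructed
placeholders; the region is an assumption."""
import json

REGION = "us-east-1"  # assumption: the VPC's region


def s3_endpoint_policy(allowed_bucket: str, principal_account: str) -> dict:
    """Endpoint policy for the S3 gateway endpoint.

    The default policy allows any principal to reach any bucket through the
    endpoint; this one limits it to a single bucket and to principals from
    one account, so the private path cannot be used to reach buckets you
    do not own."""
    bucket_arn = f"arn:aws:s3:::{allowed_bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyOwnBucketFromOwnAccount",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalAccount": principal_account}},
        }],
    }


def gateway_endpoint_request(vpc_id: str, route_table_ids, policy: dict) -> dict:
    """Parameters for ec2.create_vpc_endpoint() for a gateway endpoint.

    Gateway endpoints attach to route tables (VPC level): every subnet using
    those tables gets a route for the S3 prefix list. No subnets, ENIs or
    security groups are involved."""
    return {
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{REGION}.s3",
        "VpcEndpointType": "Gateway",
        "RouteTableIds": list(route_table_ids),
        "PolicyDocument": json.dumps(policy),
    }


def interface_endpoint_request(vpc_id: str, service: str, subnet_ids, security_group_ids) -> dict:
    """Parameters for ec2.create_vpc_endpoint() for an interface endpoint.

    Interface endpoints attach to subnets: one ENI with a private IP is
    created per subnet, guarded by the security groups given here. With
    private DNS enabled the service's usual hostname resolves to those
    private IPs, so clients need no code changes."""
    return {
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{REGION}.{service}",
        "VpcEndpointType": "Interface",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,
    }


def endpoint_sg_ingress(vpc_cidr: str) -> list:
    """IpPermissions for the endpoint security group: HTTPS from inside the
    VPC only. Allowing 0.0.0.0/0 here would also admit peered VPCs and
    on-premises networks that can reach the endpoint subnets."""
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": vpc_cidr, "Description": "HTTPS from the VPC"}],
    }]


def main():
    # boto3 is imported here so the builders above can be used and tested
    # without the SDK or AWS credentials present.
    import boto3
    ec2 = boto3.client("ec2", region_name=REGION)

    # Constructed placeholder ids; replace with your own resources.
    vpc_id, vpc_cidr = "vpc-0example0", "10.0.0.0/16"
    policy = s3_endpoint_policy("example-private-bucket", "111122223333")
    ec2.create_vpc_endpoint(**gateway_endpoint_request(vpc_id, ["rtb-0example0"], policy))

    sg = ec2.create_security_group(GroupName="vpce-sqs", Description="SQS endpoint",
                                   VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg, IpPermissions=endpoint_sg_ingress(vpc_cidr))
    ec2.create_vpc_endpoint(**interface_endpoint_request(
        vpc_id, "sqs", ["subnet-0example0a", "subnet-0example0b"], [sg]))


if __name__ == "__main__":
    main()
```

The builders are kept separate from the API calls so the request shapes can be inspected offline; note that the gateway request carries RouteTableIds and a PolicyDocument but no SubnetIds or SecurityGroupIds, while the interface request is the reverse, which is exactly the "VPC level" versus "subnet level" distinction the post draws.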

The differences between the Interface Endpoint and the Gateway Endpoint are summarized below.

Interface Endpoint
  • Supports many AWS managed services, endpoint services hosted by other AWS customers and partners, and supported AWS Marketplace partner services.
  • Acts as an entry point for traffic to reach supported services through AWS PrivateLink.
  • Uses private IP addresses.
  • Allows access from on-premises networks.
  • Allows cross-region access through VPC peering or a Transit Gateway.
  • Incurs additional charges.
  • Associated at the subnet level.
  • Traffic flows directly to the specific service through the interface endpoint.

Gateway Endpoint
  • Only supports connectivity to Amazon S3 and Amazon DynamoDB.
  • Does not require an elastic network interface.
  • Requests must originate from within the VPC.
  • Cross-region access is not allowed.
  • No cost.
  • Associated at the VPC level.
  • Traffic is routed through the gateway endpoint to the specified AWS service.
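The last two rows of each list are the ones worth verifying after deployment, because a misconfigured endpoint fails silently: traffic simply takes the public path instead. The check differs per type. An interface endpoint with private DNS is working when the service hostname resolves to the ENIs' private addresses; a gateway endpoint changes nothing in DNS, so the only evidence is a route in the subnet's route table sending the service prefix list to the vpce target. The following example is added here (not part of the original post) and implements both checks offline: a private-address test over resolved answers, and a simplified longest-prefix route lookup that expands prefix-list routes the way a VPC route table does. The route table, prefix list and DNS answers are constructed sample data shaped like describe-route-tables and describe-managed-prefix-lists output, not real AWS resources.

```python
"""Added example, not part of the original post: offline checks that each
endpoint type is actually in the traffic path.

  * Interface endpoint: with private DNS on, the service hostname must
    resolve to private IPs (the endpoint ENIs) rather than public ones.
  * Gateway endpoint: nothing changes in DNS; the route table must send the
    service's prefix list to the vpce-* target.

All ids, CIDRs and DNS answers below are constructed sample data. Route
selection is a simplified longest-prefix match."""
import ipaddress


def resolves_privately(addresses) -> bool:
    """True only if every resolved address is private (RFC 1918 and similar).
    An empty answer counts as a failed check."""
    if not addresses:
        return False
    return all(ipaddress.ip_address(a).is_private for a in addresses)


def next_hop(routes, prefix_lists, destination):
    """Return the target of the most specific route covering `destination`.
    Prefix-list routes are expanded to their CIDR entries before matching,
    so a gateway endpoint route competes on the length of each entry."""
    dst = ipaddress.ip_address(destination)
    best_len, best_target = -1, None
    for route in routes:
        if "DestinationPrefixListId" in route:
            cidrs = prefix_lists[route["DestinationPrefixListId"]]
        else:
            cidrs = [route["DestinationCidrBlock"]]
        target = (route.get("GatewayId") or route.get("NatGatewayId")
                  or route.get("TransitGatewayId"))
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if dst in net and net.prefixlen > best_len:
                best_len, best_target = net.prefixlen, target
    return best_target


def uses_gateway_endpoint(routes, prefix_lists, destination) -> bool:
    """True if traffic to `destination` leaves via a gateway endpoint route."""
    target = next_hop(routes, prefix_lists, destination)
    return target is not None and target.startswith("vpce-")


# --- constructed sample data (placeholder ids and CIDRs) ---
SAMPLE_PREFIX_LISTS = {"pl-0example0s3": ["52.216.0.0/15", "3.5.0.0/19"]}
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example0"},
    {"DestinationPrefixListId": "pl-0example0s3", "GatewayId": "vpce-0example0gw"},
]
# Constructed answers for a service hostname, with and without private DNS.
SQS_PRIVATE_DNS_ANSWER = ["10.0.1.23", "10.0.2.45"]
SQS_PUBLIC_DNS_ANSWER = ["52.94.99.10"]


if __name__ == "__main__":
    print("interface endpoint via private DNS:", resolves_privately(SQS_PRIVATE_DNS_ANSWER))
    print("public resolution (endpoint bypassed):", resolves_privately(SQS_PUBLIC_DNS_ANSWER))
    for ip in ("52.216.1.2", "8.8.8.8", "10.0.5.5"):
        print(ip, "->", next_hop(SAMPLE_ROUTES, SAMPLE_PREFIX_LISTS, ip),
              "gateway endpoint:", uses_gateway_endpoint(SAMPLE_ROUTES, SAMPLE_PREFIX_LISTS, ip))
```

In practice you would feed resolves_privately() the answers from a resolver inside the VPC and next_hop() the routes and prefix-list entries fetched with the EC2 API for the subnet in question. The lookup also shows why a stray, more specific static route toward an S3 address range would quietly win over the prefix-list route and send that traffic out through the NAT gateway instead.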

In conclusion, the difference between the VPC Interface Endpoint and the Gateway Endpoint is that Interface Endpoints enable connectivity to a much wider range of services, while Gateway Endpoints are designed specifically for routing traffic to Amazon S3 and DynamoDB. I hope this blog helps, since this is one of the important topics in the AWS Associate exam.
