2.3. VPC Endpoints (Gateway)

18 Terms

1
What is the purpose of a Gateway Endpoint in AWS?

To enable private access to certain public AWS services (S3 and DynamoDB) without needing public IPs, NAT, or internet gateways.

2
Which AWS services are supported by Gateway Endpoints?

Amazon S3 and Amazon DynamoDB.

3
Are Gateway Endpoints used for IPv4, IPv6, or both?

They are primarily used for IPv4 private instances to access public services like S3 without exposing them to the internet.

4
What key benefit do Gateway Endpoints provide over NAT gateways?

They avoid using the internet altogether for accessing S3/DynamoDB and do not require public IPs or NAT gateways, improving security and performance.

5
Can Gateway Endpoints be used to access services in a different AWS region?

No, Gateway Endpoints can only access services within the same region.

6
Are Gateway Endpoints deployed into a subnet like interface endpoints?

No, they are not deployed into subnets; instead, a prefix list route is added to route tables for selected subnets.

7
What is a prefix list in the context of Gateway Endpoints?

A managed list of IP ranges used by AWS services (like S3), which is used as a destination in VPC route tables.

8
Are Gateway Endpoints highly available?

Yes, they are highly available by default across all AZs in a region.

9
Can you apply access control to Gateway Endpoints?

Yes, via endpoint policies, which control what resources (e.g., S3 buckets) the endpoint can access.

10
Can you use Gateway Endpoints in a VPC with no Internet Gateway or NAT?

Yes, that's one of the primary use cases — private VPCs with no public access but needing access to S3 or DynamoDB.

11
Can you restrict access to an S3 bucket to only allow access from a Gateway Endpoint?

Yes, using a bucket policy that restricts access to only requests coming through a specific Gateway Endpoint.

12
What kind of traffic is routed through the Gateway Endpoint?

Traffic destined for S3 or DynamoDB from instances in the associated subnets — as determined by the route table and prefix list.

13
Can you use Gateway Endpoints from another VPC via peering or Transit Gateway?

No, Gateway Endpoints are only usable from within the VPC where they are created.

14
What happens in the route table when a Gateway Endpoint is created?

A route is added with the prefix list for S3 or DynamoDB as the destination, and the Gateway Endpoint as the target.

15
How are Gateway Endpoints different from Interface Endpoints?

Gateway Endpoints use route table entries and prefix lists, whereas Interface Endpoints are ENIs deployed into subnets and use private IPs.

16
Do you need to manage the IP ranges for AWS services manually when using Gateway Endpoints?

No, AWS manages the prefix list behind the scenes.

17
If you want to allow EC2 instances in a private subnet to download software updates from S3, what can you use?

A Gateway Endpoint for S3 — to allow private EC2 instances to access S3 without internet access.

18
Do Gateway Endpoints support IPv6?

They are primarily designed for IPv4 private resources; IPv6 support is not typical with gateway endpoints.