9_Connecting Your AWS Environment

VPC Endpoints

Introduction

VPC endpoints facilitate connections between your Amazon Virtual Private Cloud (VPC) and managed AWS services without traversing the internet.

  • Consider a scenario where an EC2 instance resides in a private subnet within a VPC and requires access to an Amazon S3 bucket in the same AWS account and region.
  • Since Amazon S3 is a managed AWS service, it operates outside the VPC.
  • Without a VPC endpoint, direct connectivity between the EC2 instance and the S3 bucket necessitates routing traffic over the internet.
    • This incurs data transfer costs and exposes data to potential security risks.

Solution: VPC Endpoints

  • A VPC endpoint offers a direct and secure connection to AWS services from within your VPC.

Types of VPC Endpoints

1. Interface VPC Endpoints

  • Powered by AWS PrivateLink, enabling VPC connectivity to a wide range of AWS services.
  • In the given EC2-to-S3 example, the EC2 instance employs an interface VPC endpoint to connect to the S3 bucket.
  • For each interface VPC endpoint, AWS provisions an elastic network interface with a private IP address drawn from the subnet's address range.
  • An endpoint policy (an IAM resource policy) can be attached to the endpoint to control which actions and resources are reachable through it.
  • Considerations:
    • Hourly and monthly costs are associated with interface VPC endpoints.

2. Gateway VPC Endpoints

  • Provide direct connectivity to Amazon S3 or Amazon DynamoDB via route tables, eliminating the need for PrivateLink.
  • To route traffic to these services, the private VPC's route table must include a route to the gateway VPC endpoint, utilizing the service's prefix list.
    • A prefix list is a defined collection of CIDR blocks.
  • Example: An EC2 instance uses two gateway VPC endpoints, one for connecting to an S3 bucket and another for connecting to a DynamoDB table.
  • Considerations:
    • No additional charges are incurred for using gateway VPC endpoints.
    • No throughput or packet limits are imposed.
  • Note: Amazon S3 supports both interface and gateway VPC endpoints.
    • The choice between them depends on the specific use case.
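
  • Added example (not part of these notes): a small offline audit of the two controls described above, the route-table entry that sends the service prefix list to a gateway endpoint, and an endpoint policy scoped to one bucket instead of the default allow-all policy. The route tables and IDs are constructed to match the shape of `aws ec2 describe-route-tables` output; no real account values are used.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output;
# the IDs are placeholders, not from a real account.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example"},
    ]},
    {"RouteTableId": "rtb-public-example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
    ]},
]


def tables_missing_endpoint_route(route_tables, endpoint_id, prefix_list_id):
    """IDs of route tables with no route sending the service's prefix list to
    the gateway endpoint; subnets using them do not benefit from the endpoint."""
    missing = []
    for rt in route_tables:
        routed = any(r.get("DestinationPrefixListId") == prefix_list_id
                     and r.get("GatewayId") == endpoint_id for r in rt["Routes"])
        if not routed:
            missing.append(rt["RouteTableId"])
    return missing


def s3_endpoint_policy(bucket, actions=("s3:GetObject", "s3:PutObject")):
    """Endpoint policy allowing only the listed actions on one bucket, in place
    of the default policy that allows every action on every resource."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": list(actions),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


def policy_allows_everything(policy):
    """True if an Allow statement uses '*' for both Action and Resource,
    which is the shape of the default endpoint policy."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        acts, res = st.get("Action", []), st.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if "*" in acts and "*" in res:
            return True
    return False
```

  • In the sample, only the private route table carries the prefix-list route, so the check reports the public table as missing it; the same functions can be fed real `describe-route-tables` and `describe-vpc-endpoints` output.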

3. Gateway Load Balancer Endpoints

  • A specialized type of VPC endpoint, also using PrivateLink.
  • Facilitates private connectivity between a customer VPC and virtual appliances located in another VPC (e.g., a security service VPC).
  • The endpoint resides in the customer VPC, while the gateway load balancer is deployed in the security service VPC.
  • Traffic originating from the internet and destined for the customer VPC is routed to the gateway load balancer endpoint.
  • The gateway load balancer distributes the traffic to EC2 security appliances for inspection.
  • The security appliance processes the traffic and returns it to the gateway load balancer, which then forwards it back to the endpoint.
  • The gateway load balancer endpoint then directs the traffic to the EC2 application.
  • Outbound traffic from the EC2 instance follows the reverse path.

Key Takeaway

VPC endpoints enable VPC connectivity to managed AWS services without relying on the internet.

  • Interface VPC endpoints:
    • Use PrivateLink.
    • Have associated costs and throughput limitations.
  • Gateway VPC endpoints:
    • Integrate directly with Amazon S3 and Amazon DynamoDB through route tables.
    • Incur no additional costs and have no throughput limitations.
  • Gateway Load Balancer endpoints:
    • Also use PrivateLink.
    • Specialize in working with Gateway Load Balancers for traffic routing to virtual appliances.