Ingress rules for a private subnet NACL with VPC endpoints: Are AWS service CIDR ranges required?

1

I have an API running on ECS Fargate behind an ALB. It's accessing data in DynamoDB. ECS is in a private subnet, ALB in a public subnet. I have VPC endpoints set up for all related services.

Until today, whenever I would try to apply a NACL to the private subnet, I would lose access to the API. I tried all manner of ingress/egress rules to no avail; I could only get it to work by disabling the NACL (or just opening it up to all addresses/ports).

The docs are kind of cryptic about NACLs and endpoints. I finally found a line somewhere that prompted me to look for service IP ranges which led me to this document re: public IP ranges. I added the Dynamo ranges for my region to the private subnet NACL and voila, it works.

But why does this work? These IPs I added to the NACL are public, but this is a subnet with no route to the public internet. The way I understood it, endpoints are assigned ENIs/private IPs from your subnet, so I'm having trouble understanding why ingress using the local CIDR wouldn't be enough.

2 answers
5
Accepted answer

There are two types of VPC Endpoints. One is the Interface Type VPC endpoint and the other is the Gateway Type VPC Endpoint. Currently, DynamoDB does NOT support the Interface type VPC endpoint but supports the Gateway Type VPC endpoint only. This is the reason why you need to add the IP range of DynamoDB to the NACL. If you use an S3 VPC endpoint of the Gateway Type, you must add the S3 IP range as well.

A Gateway Type VPC Endpoint does NOT have a network interface, and it is not the final destination for the client. The client reaches the service (DynamoDB or S3) using its public IP through the endpoint. This is the reason why you must modify the route table of each subnet in which you want to use a Gateway Type VPC Endpoint so that it has a route for the IP prefix of DynamoDB/S3.

Please refer to the link below: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/vpc-endpoints-dynamodb-tutorial.html

Thanks

answered 2 years ago by AWS
reviewed 2 years ago by Toni_S (AWS expert)
  • Thank you so much for explaining that. I completely forgot about the differences between interface and gateway!

  • Note that S3 now offers an interface endpoint option as well. DDB is the only VPC Endpoint with only a Gateway endpoint option

0

When you create the VPC Endpoint for DynamoDB, you must select a VPC and a Route Table. After creating the endpoint, if you look at the route table you will see an entry with Destination pl-12345 and Target vpce-123456789abcdef. So any traffic destined for your DDB VPC Endpoint (VPCE) will be sent to Prefix List pl-12345. A Prefix List is a list of IP addresses. These used to be opaque, but in June 2020 AWS released functionality so you can manage and view prefix lists. So you can click on the PL in your route table and see what IP addresses it contains.

As far as I can tell, you unfortunately cannot use the Prefix List directly in the NACL (at least not yet). But you could use the IP addresses in the list to configure your NACL.

answered 2 years ago by AWS
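As an added, offline example (not code from the question or either answer), the following Python pulls one service's CIDRs for one region out of an ip-ranges.json document shaped like the one the question links to (the same ranges the endpoint's managed prefix list resolves to, as the second answer describes) and turns them into NACL rules. It goes one step beyond the answers: because a NACL is stateless, each CIDR gets both an egress allow to port 443 and an ingress allow on ephemeral ports for the reply traffic. The sample document (with some fields trimmed), the acl-EXAMPLE id and the rule numbering are assumptions.

```python
import json
from ipaddress import ip_network

# Constructed sample in the shape of AWS's published ip-ranges.json (the
# document the question links to); RFC 5737 addresses, not real ranges.
SAMPLE_IP_RANGES = json.dumps({"syncToken": "0", "createDate": "x", "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "DYNAMODB"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "DYNAMODB"},
    {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "S3"},
    {"ip_prefix": "192.0.2.128/25", "region": "us-west-2", "service": "DYNAMODB"},
]})

def service_prefixes(ip_ranges_json, service, region):
    """IPv4 CIDRs published for one service in one region, deduplicated
    and sorted. These are the addresses the endpoint's managed prefix
    list (pl-...) stands for in the subnet route table."""
    data = json.loads(ip_ranges_json)
    cidrs = {p["ip_prefix"] for p in data["prefixes"]
             if p["service"] == service and p["region"] == region}
    return sorted(cidrs, key=ip_network)

def nacl_rules(cidrs, start=100, step=10, service_port=443,
               ephemeral=(1024, 65535)):
    """NACLs are stateless, so each service CIDR needs two allow rules:
    egress to the HTTPS port, and ingress from the CIDR on ephemeral
    ports for the reply traffic. Rule numbers are per direction, so the
    pair can share a number."""
    rules = []
    for i, cidr in enumerate(cidrs):
        n = start + i * step
        rules.append({"rule_number": n, "egress": True, "cidr": cidr,
                      "from_port": service_port, "to_port": service_port})
        rules.append({"rule_number": n, "egress": False, "cidr": cidr,
                      "from_port": ephemeral[0], "to_port": ephemeral[1]})
    return rules

def as_cli(rule, acl_id="acl-EXAMPLE"):
    """Render one rule as an `aws ec2 create-network-acl-entry` call
    (protocol 6 = TCP, action allow). acl-EXAMPLE is a placeholder."""
    direction = "--egress" if rule["egress"] else "--ingress"
    return (f"aws ec2 create-network-acl-entry --network-acl-id {acl_id} "
            f"--rule-number {rule['rule_number']} --protocol 6 "
            f"--rule-action allow {direction} --cidr-block {rule['cidr']} "
            f"--port-range From={rule['from_port']},To={rule['to_port']}")
```

The real ip-ranges.json changes over time, so regenerate the rules when AWS publishes a new syncToken rather than treating the CIDRs as permanent.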
