By using AWS re:Post, you agree to the Terms of Use

Ingress rules for a private subnet NACL with VPC endpoints: Are AWS service CIDR ranges required?


I have an API running on ECS Fargate behind an ALB. It's accessing data in DynamoDB. ECS is in a private subnet, ALB in a public subnet. I have VPC endpoints set up for all related services.

Until today, whenever I would try to apply a NACL to the private subnet, I would lose access to the API. I tried all manner of ingress/egress rules to no avail; I could only get it to work by disabling the NACL (or just opening it up to all addresses/ports).

The docs are kind of cryptic about NACLs and endpoints. I finally found a line somewhere that prompted me to look for service IP ranges which led me to this document re: public IP ranges. I added the Dynamo ranges for my region to the private subnet NACL and voila, it works.

But why does this work? These IPs I added to the NACL are public, but this is a subnet with no route to the public internet. The way I understood it, endpoints are assigned ENIs/private IPs from your subnet, so I'm having trouble understanding why ingress using the local CIDR wouldn't be enough.

2 Answers
Accepted Answer

There are two types of VPC Endpoints. One is Interface Type VPC endpoint and the other one is Gateway Type VPC Endpoint. Currently, DynamoDB does NOT support Interface type VPC endpoint but support Gateway Type VPC endpoint only. This is the reason why you need to add IP Range of Dynamo DB to NACL. If you use S3 VPC endpoint with Gateway Type, you must add S3 IP range as well.

Gateway Type VPC Endpoint does NOT have network interface and it's not final destination of client. The client will reach out the service(DynamoDB or S3) using Public IP through the endpoint. This is the reason why you must modify route table of each subnet you want to use Gateway Type VPC Endpoint to have route table with IP prefix of DynamoDB/S3.

Please refer to below.


answered 7 months ago
profile picture
reviewed 7 months ago
  • Thank you so much for explaining that. I completely forgot about the differences between interface and gateway!

  • Note that S3 now offers an interface endpoint option as well. DDB is the only VPC Endpoint with only a Gateway endpoint option


When you create the VPC Endpoint for DynamoDB, you must select a VPC and a Route Table. After creating the endpoint if you look at the route table you will see an entry with Destination pl-12345 and Target vpce-123456789abcdef. So any traffic destined for you DDB VPC Endpoint (VPCE) will be sent to Prefix List pl-12345. A Prefix List is a list of IP addresses. These used to be opaque, but in June 2020 AWS released functionality so you can manage and view prefix lists. So you can click on the PL in your Route table and see what IP addresses it contains.

AFAI can tell, you unfortunately cannot use the Prefix List directly in the NACL (at least not yet). But you could use the IP addresses in the list to configure your NACL.

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions