Should I use a an Interface VPC endpoint or a Gateway VPC endpoint?

0

Hello,

Firstly I would like my ECS task that resides inside my private subnet in my VPC to be able to pick up a file from a private S3 bucket which resides within the AWS Cloud but outside my VPC. Should I use an Interface VPC endpoint or a Gateway endpoint?

I would also like the same task to then publish a message to an SNS topic also residing outside my VPC, my question is again which VPC endpoint type to use and why?

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other is. I get that with the Gateway endpoint you get a route added to the private subnet route table whereas with the Interface endpoint you get an ENI with a private IP for the service I want to hit.

Thanks for any help, it's my first time setting this up! :)

taxmann
asked 6 months ago1889 views
3 Answers
1
Accepted Answer

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other is.

This is because some AWS services support Interface endpoint and others support Gateway endpoint. Use the one which your target service supports.

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html#vpce-view-available-services

Here are the commands to check which services support Interface endpoint, and which support Gateway endpoint.

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --query ServiceNames 
[
    "aws.api.ap-northeast-1.kendra-ranking",
    "aws.sagemaker.ap-northeast-1.notebook",
    "aws.sagemaker.ap-northeast-1.studio",
    "com.amazonaws.ap-northeast-1.access-analyzer",
    "com.amazonaws.ap-northeast-1.acm-pca",
    "com.amazonaws.ap-northeast-1.airflow.api",
    "com.amazonaws.ap-northeast-1.airflow.env",
    "com.amazonaws.ap-northeast-1.airflow.ops",
    "com.amazonaws.ap-northeast-1.app-integrations",
    "com.amazonaws.ap-northeast-1.application-autoscaling",
    "com.amazonaws.ap-northeast-1.appmesh",
    "com.amazonaws.ap-northeast-1.appmesh-envoy-management",
    "com.amazonaws.ap-northeast-1.apprunner",
    "com.amazonaws.ap-northeast-1.apprunner.requests",
    "com.amazonaws.ap-northeast-1.appstream.api",
    "com.amazonaws.ap-northeast-1.appstream.streaming",
    "com.amazonaws.ap-northeast-1.appsync-api",
    "com.amazonaws.ap-northeast-1.aps",
    "com.amazonaws.ap-northeast-1.aps-workspaces",
    "com.amazonaws.ap-northeast-1.athena",
    "com.amazonaws.ap-northeast-1.auditmanager",
    "com.amazonaws.ap-northeast-1.autoscaling",
    "com.amazonaws.ap-northeast-1.autoscaling-plans",
    "com.amazonaws.ap-northeast-1.awsconnector",
    "com.amazonaws.ap-northeast-1.backup",
    "com.amazonaws.ap-northeast-1.backup-gateway",
    "com.amazonaws.ap-northeast-1.batch",
    "com.amazonaws.ap-northeast-1.cassandra",
    "com.amazonaws.ap-northeast-1.cleanrooms",
    "com.amazonaws.ap-northeast-1.cloudcontrolapi",
    "com.amazonaws.ap-northeast-1.cloudformation",
    "com.amazonaws.ap-northeast-1.cloudhsmv2",
    "com.amazonaws.ap-northeast-1.cloudtrail",
    "com.amazonaws.ap-northeast-1.codeartifact.api",
    "com.amazonaws.ap-northeast-1.codeartifact.repositories",
    "com.amazonaws.ap-northeast-1.codebuild",
    "com.amazonaws.ap-northeast-1.codecommit",
    "com.amazonaws.ap-northeast-1.codedeploy",
    "com.amazonaws.ap-northeast-1.codedeploy-commands-secure",
    "com.amazonaws.ap-northeast-1.codeguru-profiler",
    "com.amazonaws.ap-northeast-1.codeguru-reviewer",
    "com.amazonaws.ap-northeast-1.codepipeline",
    "com.amazonaws.ap-northeast-1.codestar-connections.api",
    "com.amazonaws.ap-northeast-1.comprehend",
    "com.amazonaws.ap-northeast-1.config",
    "com.amazonaws.ap-northeast-1.data-servicediscovery",
    "com.amazonaws.ap-northeast-1.databrew",
    "com.amazonaws.ap-northeast-1.dataexchange",
    "com.amazonaws.ap-northeast-1.datasync",
    "com.amazonaws.ap-northeast-1.deviceadvisor.iot",
    "com.amazonaws.ap-northeast-1.devops-guru",
    "com.amazonaws.ap-northeast-1.dms",
    "com.amazonaws.ap-northeast-1.drs",
    "com.amazonaws.ap-northeast-1.ebs",
    "com.amazonaws.ap-northeast-1.ec2",
    "com.amazonaws.ap-northeast-1.ec2messages",
    "com.amazonaws.ap-northeast-1.ecr.api",
    "com.amazonaws.ap-northeast-1.ecr.dkr",
    "com.amazonaws.ap-northeast-1.ecs",
    "com.amazonaws.ap-northeast-1.ecs-agent",
    "com.amazonaws.ap-northeast-1.ecs-telemetry",
    "com.amazonaws.ap-northeast-1.eks",
    "com.amazonaws.ap-northeast-1.elastic-inference.runtime",
    "com.amazonaws.ap-northeast-1.elasticache",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk-health",
    "com.amazonaws.ap-northeast-1.elasticfilesystem",
    "com.amazonaws.ap-northeast-1.elasticfilesystem-fips",
    "com.amazonaws.ap-northeast-1.elasticloadbalancing",
    "com.amazonaws.ap-northeast-1.elasticmapreduce",
    "com.amazonaws.ap-northeast-1.email-smtp",
    "com.amazonaws.ap-northeast-1.emr-containers",
    "com.amazonaws.ap-northeast-1.emr-serverless",
    "com.amazonaws.ap-northeast-1.events",
    "com.amazonaws.ap-northeast-1.evidently",
    "com.amazonaws.ap-northeast-1.evidently-dataplane",
    "com.amazonaws.ap-northeast-1.execute-api",
    "com.amazonaws.ap-northeast-1.fis",
    "com.amazonaws.ap-northeast-1.forecast",
    "com.amazonaws.ap-northeast-1.forecastquery",
    "com.amazonaws.ap-northeast-1.fsx",
    "com.amazonaws.ap-northeast-1.git-codecommit",
    "com.amazonaws.ap-northeast-1.glue",
    "com.amazonaws.ap-northeast-1.grafana",
    "com.amazonaws.ap-northeast-1.grafana-workspace",
    "com.amazonaws.ap-northeast-1.greengrass",
    "com.amazonaws.ap-northeast-1.guardduty-data",
    "com.amazonaws.ap-northeast-1.identitystore",
    "com.amazonaws.ap-northeast-1.imagebuilder",
    "com.amazonaws.ap-northeast-1.inspector2",
    "com.amazonaws.ap-northeast-1.iot.data",
    "com.amazonaws.ap-northeast-1.iot.fleethub.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.data",
    "com.amazonaws.ap-northeast-1.iotwireless.api",
    "com.amazonaws.ap-northeast-1.kendra",
    "com.amazonaws.ap-northeast-1.kinesis-firehose",
    "com.amazonaws.ap-northeast-1.kinesis-streams",
    "com.amazonaws.ap-northeast-1.kms",
    "com.amazonaws.ap-northeast-1.kms-fips",
    "com.amazonaws.ap-northeast-1.lakeformation",
    "com.amazonaws.ap-northeast-1.lambda",
    "com.amazonaws.ap-northeast-1.license-manager",
    "com.amazonaws.ap-northeast-1.license-manager-user-subscriptions",
    "com.amazonaws.ap-northeast-1.logs",
    "com.amazonaws.ap-northeast-1.lookoutmetrics",
    "com.amazonaws.ap-northeast-1.lookoutvision",
    "com.amazonaws.ap-northeast-1.lorawan.cups",
    "com.amazonaws.ap-northeast-1.lorawan.lns",
    "com.amazonaws.ap-northeast-1.m2",
    "com.amazonaws.ap-northeast-1.macie2",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.mainnet",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.testnet",
    "com.amazonaws.ap-northeast-1.mediaconnect",
    "com.amazonaws.ap-northeast-1.memory-db",
    "com.amazonaws.ap-northeast-1.mgn",
    "com.amazonaws.ap-northeast-1.migrationhub-orchestrator",
    "com.amazonaws.ap-northeast-1.migrationhub-strategy",
    "com.amazonaws.ap-northeast-1.models-v2-lex",
    "com.amazonaws.ap-northeast-1.monitoring",
    "com.amazonaws.ap-northeast-1.nimble",
    "com.amazonaws.ap-northeast-1.pca-connector-ad",
    "com.amazonaws.ap-northeast-1.personalize",
    "com.amazonaws.ap-northeast-1.personalize-events",
    "com.amazonaws.ap-northeast-1.personalize-runtime",
    "com.amazonaws.ap-northeast-1.pinpoint",
    "com.amazonaws.ap-northeast-1.pinpoint-sms-voice-v2",
    "com.amazonaws.ap-northeast-1.polly",
    "com.amazonaws.ap-northeast-1.profile",
    "com.amazonaws.ap-northeast-1.proton",
    "com.amazonaws.ap-northeast-1.qldb.session",
    "com.amazonaws.ap-northeast-1.rds",
    "com.amazonaws.ap-northeast-1.rds-data",
    "com.amazonaws.ap-northeast-1.redshift",
    "com.amazonaws.ap-northeast-1.redshift-data",
    "com.amazonaws.ap-northeast-1.refactor-spaces",
    "com.amazonaws.ap-northeast-1.rekognition",
    "com.amazonaws.ap-northeast-1.robomaker",
    "com.amazonaws.ap-northeast-1.rolesanywhere",
    "com.amazonaws.ap-northeast-1.rum",
    "com.amazonaws.ap-northeast-1.rum-dataplane",
    "com.amazonaws.ap-northeast-1.runtime-v2-lex",
    "com.amazonaws.ap-northeast-1.s3",
    "com.amazonaws.ap-northeast-1.s3-outposts",
    "com.amazonaws.ap-northeast-1.sagemaker.api",
    "com.amazonaws.ap-northeast-1.sagemaker.featurestore-runtime",
    "com.amazonaws.ap-northeast-1.sagemaker.metrics",
    "com.amazonaws.ap-northeast-1.sagemaker.runtime",
    "com.amazonaws.ap-northeast-1.secretsmanager",
    "com.amazonaws.ap-northeast-1.securityhub",
    "com.amazonaws.ap-northeast-1.servicecatalog",
    "com.amazonaws.ap-northeast-1.servicecatalog-appregistry",
    "com.amazonaws.ap-northeast-1.servicediscovery",
    "com.amazonaws.ap-northeast-1.simspaceweaver",
    "com.amazonaws.ap-northeast-1.sns",
    "com.amazonaws.ap-northeast-1.sqs",
    "com.amazonaws.ap-northeast-1.ssm",
    "com.amazonaws.ap-northeast-1.ssm-contacts",
    "com.amazonaws.ap-northeast-1.ssm-incidents",
    "com.amazonaws.ap-northeast-1.ssmmessages",
    "com.amazonaws.ap-northeast-1.states",
    "com.amazonaws.ap-northeast-1.storagegateway",
    "com.amazonaws.ap-northeast-1.streaming-rekognition",
    "com.amazonaws.ap-northeast-1.sts",
    "com.amazonaws.ap-northeast-1.swf",
    "com.amazonaws.ap-northeast-1.sync-states",
    "com.amazonaws.ap-northeast-1.synthetics",
    "com.amazonaws.ap-northeast-1.transcribe",
    "com.amazonaws.ap-northeast-1.transcribestreaming",
    "com.amazonaws.ap-northeast-1.transfer",
    "com.amazonaws.ap-northeast-1.transfer.server",
    "com.amazonaws.ap-northeast-1.translate",
    "com.amazonaws.ap-northeast-1.verifiedpermissions",
    "com.amazonaws.ap-northeast-1.voiceid",
    "com.amazonaws.ap-northeast-1.vpc-lattice",
    "com.amazonaws.ap-northeast-1.wisdom",
    "com.amazonaws.ap-northeast-1.workspaces",
    "com.amazonaws.ap-northeast-1.xray",
    "com.amazonaws.s3-global.accesspoint"
]

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Gateway Name=owner,Values=amazon --query ServiceNames 
[
    "com.amazonaws.ap-northeast-1.dynamodb",
    "com.amazonaws.ap-northeast-1.s3"
]

P.S.

S3 supports both Interface endpoint and Gateway endpoint, and their comparisons are described in this page. Gateway endpoints have an advantage that they will not incur charge, but they also have disadvantages that cross-region access or access from on-premises is not supported.

profile picture
HS
answered 6 months ago
  • Thanks for your comprehensive answer HS!

    Really helpful to see the commands and the lists. I also didn't know that Gateway endpoints don't incur a charge. I will read through the page you linked.

    For simplicity though I might just use interface endpoints for both.

1

If in same region then use gateway. For sns ensure you create the sns endpoint. Also running ecs you’ll need dkr endpoint etc.

ECS will need access to S3 also to download the images if using ECR.

It may be cheaper just to run a NAT gateway

profile picture
EXPERT
answered 6 months ago
  • Hello Gary, thank you for your answer.

    Everything is in the same region for me eu-west-2. I do have an NAT gateway associated with my private subnet as my monolith also needs to talk to a service that is outside the AWS cloud.

    I thought the advantage of the VPC endpoint however is that it means that traffic doesn't traverse the public internet when going to an AWS service like S3. However with the NAT gateway it does traverse the public internet. Please correct me if I'm wrong.

  • You are correct. Though i don’t work for amazon so im unsure how far the traffic gets before it stays internal before it hits the API end points.

1

Hi,

This article compares VPC endpoint vs interface in extensive details: https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/

Have a special look at summary chart toward the end.

Best,

Didier

profile pictureAWS
EXPERT
answered 6 months ago
  • This is a very helpful article.

    Thanks Didier!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions