3 Answers
- Newest
- Most votes
- Most comments
1
The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.
But I'm not sure what the advantages/disadvantages of using one or the other is.
This is because some AWS services support Interface endpoint and others support Gateway endpoint. Use the one which your target service supports.
Here are the commands to check which services support Interface endpoint, and which support Gateway endpoint.
$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --query ServiceNames [ "aws.api.ap-northeast-1.kendra-ranking", "aws.sagemaker.ap-northeast-1.notebook", "aws.sagemaker.ap-northeast-1.studio", "com.amazonaws.ap-northeast-1.access-analyzer", "com.amazonaws.ap-northeast-1.acm-pca", "com.amazonaws.ap-northeast-1.airflow.api", "com.amazonaws.ap-northeast-1.airflow.env", "com.amazonaws.ap-northeast-1.airflow.ops", "com.amazonaws.ap-northeast-1.app-integrations", "com.amazonaws.ap-northeast-1.application-autoscaling", "com.amazonaws.ap-northeast-1.appmesh", "com.amazonaws.ap-northeast-1.appmesh-envoy-management", "com.amazonaws.ap-northeast-1.apprunner", "com.amazonaws.ap-northeast-1.apprunner.requests", "com.amazonaws.ap-northeast-1.appstream.api", "com.amazonaws.ap-northeast-1.appstream.streaming", "com.amazonaws.ap-northeast-1.appsync-api", "com.amazonaws.ap-northeast-1.aps", "com.amazonaws.ap-northeast-1.aps-workspaces", "com.amazonaws.ap-northeast-1.athena", "com.amazonaws.ap-northeast-1.auditmanager", "com.amazonaws.ap-northeast-1.autoscaling", "com.amazonaws.ap-northeast-1.autoscaling-plans", "com.amazonaws.ap-northeast-1.awsconnector", "com.amazonaws.ap-northeast-1.backup", "com.amazonaws.ap-northeast-1.backup-gateway", "com.amazonaws.ap-northeast-1.batch", "com.amazonaws.ap-northeast-1.cassandra", "com.amazonaws.ap-northeast-1.cleanrooms", "com.amazonaws.ap-northeast-1.cloudcontrolapi", "com.amazonaws.ap-northeast-1.cloudformation", "com.amazonaws.ap-northeast-1.cloudhsmv2", "com.amazonaws.ap-northeast-1.cloudtrail", "com.amazonaws.ap-northeast-1.codeartifact.api", "com.amazonaws.ap-northeast-1.codeartifact.repositories", "com.amazonaws.ap-northeast-1.codebuild", "com.amazonaws.ap-northeast-1.codecommit", "com.amazonaws.ap-northeast-1.codedeploy", "com.amazonaws.ap-northeast-1.codedeploy-commands-secure", "com.amazonaws.ap-northeast-1.codeguru-profiler", "com.amazonaws.ap-northeast-1.codeguru-reviewer", "com.amazonaws.ap-northeast-1.codepipeline", "com.amazonaws.ap-northeast-1.codestar-connections.api", "com.amazonaws.ap-northeast-1.comprehend", "com.amazonaws.ap-northeast-1.config", "com.amazonaws.ap-northeast-1.data-servicediscovery", "com.amazonaws.ap-northeast-1.databrew", "com.amazonaws.ap-northeast-1.dataexchange", "com.amazonaws.ap-northeast-1.datasync", "com.amazonaws.ap-northeast-1.deviceadvisor.iot", "com.amazonaws.ap-northeast-1.devops-guru", "com.amazonaws.ap-northeast-1.dms", "com.amazonaws.ap-northeast-1.drs", "com.amazonaws.ap-northeast-1.ebs", "com.amazonaws.ap-northeast-1.ec2", "com.amazonaws.ap-northeast-1.ec2messages", "com.amazonaws.ap-northeast-1.ecr.api", "com.amazonaws.ap-northeast-1.ecr.dkr", "com.amazonaws.ap-northeast-1.ecs", "com.amazonaws.ap-northeast-1.ecs-agent", "com.amazonaws.ap-northeast-1.ecs-telemetry", "com.amazonaws.ap-northeast-1.eks", "com.amazonaws.ap-northeast-1.elastic-inference.runtime", "com.amazonaws.ap-northeast-1.elasticache", "com.amazonaws.ap-northeast-1.elasticbeanstalk", "com.amazonaws.ap-northeast-1.elasticbeanstalk-health", "com.amazonaws.ap-northeast-1.elasticfilesystem", "com.amazonaws.ap-northeast-1.elasticfilesystem-fips", "com.amazonaws.ap-northeast-1.elasticloadbalancing", "com.amazonaws.ap-northeast-1.elasticmapreduce", "com.amazonaws.ap-northeast-1.email-smtp", "com.amazonaws.ap-northeast-1.emr-containers", "com.amazonaws.ap-northeast-1.emr-serverless", "com.amazonaws.ap-northeast-1.events", "com.amazonaws.ap-northeast-1.evidently", "com.amazonaws.ap-northeast-1.evidently-dataplane", "com.amazonaws.ap-northeast-1.execute-api", "com.amazonaws.ap-northeast-1.fis", "com.amazonaws.ap-northeast-1.forecast", "com.amazonaws.ap-northeast-1.forecastquery", "com.amazonaws.ap-northeast-1.fsx", "com.amazonaws.ap-northeast-1.git-codecommit", "com.amazonaws.ap-northeast-1.glue", "com.amazonaws.ap-northeast-1.grafana", "com.amazonaws.ap-northeast-1.grafana-workspace", "com.amazonaws.ap-northeast-1.greengrass", "com.amazonaws.ap-northeast-1.guardduty-data", "com.amazonaws.ap-northeast-1.identitystore", "com.amazonaws.ap-northeast-1.imagebuilder", "com.amazonaws.ap-northeast-1.inspector2", "com.amazonaws.ap-northeast-1.iot.data", "com.amazonaws.ap-northeast-1.iot.fleethub.api", "com.amazonaws.ap-northeast-1.iotsitewise.api", "com.amazonaws.ap-northeast-1.iotsitewise.data", "com.amazonaws.ap-northeast-1.iotwireless.api", "com.amazonaws.ap-northeast-1.kendra", "com.amazonaws.ap-northeast-1.kinesis-firehose", "com.amazonaws.ap-northeast-1.kinesis-streams", "com.amazonaws.ap-northeast-1.kms", "com.amazonaws.ap-northeast-1.kms-fips", "com.amazonaws.ap-northeast-1.lakeformation", "com.amazonaws.ap-northeast-1.lambda", "com.amazonaws.ap-northeast-1.license-manager", "com.amazonaws.ap-northeast-1.license-manager-user-subscriptions", "com.amazonaws.ap-northeast-1.logs", "com.amazonaws.ap-northeast-1.lookoutmetrics", "com.amazonaws.ap-northeast-1.lookoutvision", "com.amazonaws.ap-northeast-1.lorawan.cups", "com.amazonaws.ap-northeast-1.lorawan.lns", "com.amazonaws.ap-northeast-1.m2", "com.amazonaws.ap-northeast-1.macie2", "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.mainnet", "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.testnet", "com.amazonaws.ap-northeast-1.mediaconnect", "com.amazonaws.ap-northeast-1.memory-db", "com.amazonaws.ap-northeast-1.mgn", "com.amazonaws.ap-northeast-1.migrationhub-orchestrator", "com.amazonaws.ap-northeast-1.migrationhub-strategy", "com.amazonaws.ap-northeast-1.models-v2-lex", "com.amazonaws.ap-northeast-1.monitoring", "com.amazonaws.ap-northeast-1.nimble", "com.amazonaws.ap-northeast-1.pca-connector-ad", "com.amazonaws.ap-northeast-1.personalize", "com.amazonaws.ap-northeast-1.personalize-events", "com.amazonaws.ap-northeast-1.personalize-runtime", "com.amazonaws.ap-northeast-1.pinpoint", "com.amazonaws.ap-northeast-1.pinpoint-sms-voice-v2", "com.amazonaws.ap-northeast-1.polly", "com.amazonaws.ap-northeast-1.profile", "com.amazonaws.ap-northeast-1.proton", "com.amazonaws.ap-northeast-1.qldb.session", "com.amazonaws.ap-northeast-1.rds", "com.amazonaws.ap-northeast-1.rds-data", "com.amazonaws.ap-northeast-1.redshift", "com.amazonaws.ap-northeast-1.redshift-data", "com.amazonaws.ap-northeast-1.refactor-spaces", "com.amazonaws.ap-northeast-1.rekognition", "com.amazonaws.ap-northeast-1.robomaker", "com.amazonaws.ap-northeast-1.rolesanywhere", "com.amazonaws.ap-northeast-1.rum", "com.amazonaws.ap-northeast-1.rum-dataplane", "com.amazonaws.ap-northeast-1.runtime-v2-lex", "com.amazonaws.ap-northeast-1.s3", "com.amazonaws.ap-northeast-1.s3-outposts", "com.amazonaws.ap-northeast-1.sagemaker.api", "com.amazonaws.ap-northeast-1.sagemaker.featurestore-runtime", "com.amazonaws.ap-northeast-1.sagemaker.metrics", "com.amazonaws.ap-northeast-1.sagemaker.runtime", "com.amazonaws.ap-northeast-1.secretsmanager", "com.amazonaws.ap-northeast-1.securityhub", "com.amazonaws.ap-northeast-1.servicecatalog", "com.amazonaws.ap-northeast-1.servicecatalog-appregistry", "com.amazonaws.ap-northeast-1.servicediscovery", "com.amazonaws.ap-northeast-1.simspaceweaver", "com.amazonaws.ap-northeast-1.sns", "com.amazonaws.ap-northeast-1.sqs", "com.amazonaws.ap-northeast-1.ssm", "com.amazonaws.ap-northeast-1.ssm-contacts", "com.amazonaws.ap-northeast-1.ssm-incidents", "com.amazonaws.ap-northeast-1.ssmmessages", "com.amazonaws.ap-northeast-1.states", "com.amazonaws.ap-northeast-1.storagegateway", "com.amazonaws.ap-northeast-1.streaming-rekognition", "com.amazonaws.ap-northeast-1.sts", "com.amazonaws.ap-northeast-1.swf", "com.amazonaws.ap-northeast-1.sync-states", "com.amazonaws.ap-northeast-1.synthetics", "com.amazonaws.ap-northeast-1.transcribe", "com.amazonaws.ap-northeast-1.transcribestreaming", "com.amazonaws.ap-northeast-1.transfer", "com.amazonaws.ap-northeast-1.transfer.server", "com.amazonaws.ap-northeast-1.translate", "com.amazonaws.ap-northeast-1.verifiedpermissions", "com.amazonaws.ap-northeast-1.voiceid", "com.amazonaws.ap-northeast-1.vpc-lattice", "com.amazonaws.ap-northeast-1.wisdom", "com.amazonaws.ap-northeast-1.workspaces", "com.amazonaws.ap-northeast-1.xray", "com.amazonaws.s3-global.accesspoint" ] $ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Gateway Name=owner,Values=amazon --query ServiceNames [ "com.amazonaws.ap-northeast-1.dynamodb", "com.amazonaws.ap-northeast-1.s3" ]
P.S.
S3 supports both Interface endpoint and Gateway endpoint, and their comparisons are described in this page. Gateway endpoints have an advantage that they will not incur charge, but they also have disadvantages that cross-region access or access from on-premises is not supported.
answered 7 months ago
1
If in same region then use gateway. For sns ensure you create the sns endpoint. Also running ecs you’ll need dkr endpoint etc.
ECS will need access to S3 also to download the images if using ECR.
It may be cheaper just to run a NAT gateway
Hello Gary, thank you for your answer.
Everything is in the same region for me eu-west-2. I do have an NAT gateway associated with my private subnet as my monolith also needs to talk to a service that is outside the AWS cloud.
I thought the advantage of the VPC endpoint however is that it means that traffic doesn't traverse the public internet when going to an AWS service like S3. However with the NAT gateway it does traverse the public internet. Please correct me if I'm wrong.
You are correct. Though i don’t work for amazon so im unsure how far the traffic gets before it stays internal before it hits the API end points.
1
Hi,
This article compares VPC endpoint vs interface in extensive details: https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/
Have a special look at summary chart toward the end.
Best,
Didier
This is a very helpful article.
Thanks Didier!
Relevant content
- Accepted Answerasked 7 months ago
- Accepted Answerasked 2 months ago
AWS OFFICIALUpdated 6 months ago- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
Thanks for your comprehensive answer HS!
Really helpful to see the commands and the lists. I also didn't know that Gateway endpoints don't incur a charge. I will read through the page you linked.
For simplicity though I might just use interface endpoints for both.