Use of VPC Endpoints

0

I can define several endpoint services including interface endpoints (for Step Functions, Secrets Manager etc.) and gateway endpoints (S3). I have private subnets attached with a NAT GW and public subnets attached with an IGW. Why do I need endpoints? What's the advantage of using them?

3 Answers
1
Accepted Answer

The first reason is that you can access the endpoints for AWS services without requiring a NAT Gateway and Internet Gateway. If you already have those things then endpoints may not be useful to you; but many customers have private VPCs with no access outside of their local network.

The second reason is that endpoints give you the ability to put endpoint policies in place that can further restrict access to services based on your security requirements.

Thirdly (and quite useful in most circumstances): S3 and DynamoDB Gateway Endpoints are free of charge and have no data transfer costs associated with them. So it makes sense (especially if you are transferring a large amount of data) to use them even if you do already have NAT Gateway and Internet Gateway in your VPC.

The caveat here is that all VPC endpoints can only deliver access to services in the same region as your VPC. If you are accessing AWS services in other regions, then either use NAT Gateway and Internet Gateway; or create a VPC in the required region, peer your VPCs together (or use peered Transit Gateways), and access the endpoints via the peering connections. Note that this is only available when using Interface Endpoints, not Gateway Endpoints.

AWS
EXPERT
answered 21 days ago
  • Thanks. Does it provide lower latency?

  • I would think not. You're either going through NAT Gateway/Internet Gateway or the endpoint. There might be the tiniest of differences (and some very extensive testing might show that up), but I would not say so.

  • Thanks. If I have both endpoints and nat-gw what exactly is used for routing?

  • It depends on the endpoint type and how your application does the lookup. Routing is routing - it's just IP source address lookup; so that's going to depend on what your VPC route tables look like. Which IP is the request going to? Do a lookup (nslookup or dig) on an EC2 instance and see what IP address gets returned. Then check the routing tables. That determines whether the endpoint or the NAT Gateway is being used.
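The lookup the comment above describes can be replayed offline: resolve the service name, then apply longest-prefix match against the subnet's route table. The following is an added example (not code from the answer or from AWS); the VPC CIDR, the `pl-s3-example` prefix-list id and its CIDRs, and the resolved addresses are all constructed placeholders.

```python
"""Decide which next hop a request to an AWS service takes from a private subnet:
the gateway endpoint (route via a managed prefix list), the local route (an
interface endpoint ENI inside the VPC), or the NAT gateway (default route).
All route-table and prefix-list contents below are constructed sample data."""
import ipaddress

# Constructed: CIDRs an S3 managed prefix list might carry (placeholders, not real AWS ranges).
PREFIX_LISTS = {
    "pl-s3-example": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Constructed private-subnet route table: (destination, target).
# Destination is a CIDR or a managed prefix-list id; target is the next hop.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),          # VPC CIDR; interface endpoint ENIs live here
    ("pl-s3-example", "vpce-gw-s3"),   # S3 gateway endpoint, added via the prefix list
    ("0.0.0.0/0", "nat-gw"),           # everything else leaves through the NAT gateway
]


def expand_routes(table, prefix_lists):
    """Flatten prefix-list destinations into concrete networks."""
    routes = []
    for dest, target in table:
        cidrs = prefix_lists[dest] if dest.startswith("pl-") else [dest]
        for cidr in cidrs:
            routes.append((ipaddress.ip_network(cidr), target))
    return routes


def lookup(dst_ip, table=ROUTE_TABLE, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match, as the VPC router does; returns the target or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(table, prefix_lists):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed answers a `dig` on an EC2 instance might return for each name.
    samples = [("S3 public endpoint", "203.0.113.10"),
               ("Step Functions via interface endpoint", "10.0.1.25"),
               ("service with no endpoint", "192.0.2.7")]
    for name, ip in samples:
        print(f"{name:40s} {ip:15s} -> {lookup(ip)}")
```

If the resolved address for a service lands on `nat-gw` even though an interface endpoint exists, private DNS is not enabled for that endpoint and the instance is still resolving the public hostname.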

1

Endpoints in VPCs offer several benefits:

  1. Security: They enable private access to AWS services, bypassing the public internet and VPNs, thus eliminating the need for exposing ports or firewall rules.

  2. Performance: Using endpoints ensures better performance and lower latency compared to other methods like internet gateways or VPN tunnels since traffic remains within the AWS network.

  3. Availability: Endpoints enhance application availability by eliminating dependence on internet connectivity. Even if the internet connection fails, applications can still access AWS services via endpoints.

There are two main types of endpoints:

  1. Interface Endpoints: Provide private connectivity to AWS services and future SaaS solutions through PrivateLink. Example: interfacevpce-xxxxxxxx.

  2. Gateway Endpoints: Offer private connectivity to services like S3 and DynamoDB through route tables. Example: vpce-xxxxxxxx.

EXPERT
answered 21 days ago
  • Thanks. If I have both endpoints and nat-gw what exactly is used for routing?

  • You will keep having route tables where you specify the name of the endpoints as targets.

  • As far as I know, a route is created in the route table only for the gateway endpoint. For interface endpoints, no route is added.

1

Interface endpoints allow you to access AWS services without traversing the internet. So you have better security and a more predictable connection as you remain within the AWS network. In addition they enable you to move some workloads to fully private subnets, i.e. ones that don't have even outbound internet. In some circumstances, especially if accessing internet services over IPv6, you might not even need NAT GWs as a result.

EXPERT
answered 21 days ago
