This architecture might give you a better understanding of interface endpoints and their use - https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html
In short, interface endpoints allow you to establish secure communication between AWS services deployed in different VPCs (same account, different account in the same org, a third-party marketplace account, etc.) by routing all traffic through the AWS private backbone network (and not the public internet).
If you create an interface endpoint for EC2, this would allow your other services to interact with EC2 using the private network of AWS.
If all your EC2 instances are in the same VPC or in peered VPCs, you do not need the PrivateLink/interface endpoint for them.
You would not directly use the ENI; rather, it is used under the hood. The private IP of these ENIs will act as an entry point for you to interact with the service (in a different VPC or account) for which you created the interface endpoint.
You could watch these to get a better understanding - https://www.youtube.com/watch?v=caJ7zh9qzmw
https://www.youtube.com/watch?v=LNf8jjBt72Y (1:45 to 7:55 - in particular)
https://www.youtube.com/watch?v=LNf8jjBt72Y (20:00 to 38:00 - in particular) --> worth watching the entire video.
Interface endpoints for AWS services are all about contacting that service's API. Just to be clear, for an EC2 interface endpoint in your VPC, it's nothing to do with traffic that your EC2 instance is processing; it's about calls that are made from within your VPC to the EC2 service, i.e. API calls as described at https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Welcome.html.
Calls to the EC2 API normally go to its public endpoint as defined by its DNS name. When you create an interface endpoint, by default an AWS-managed Private Hosted Zone (PHZ) is created for your VPC which overrides resolution of that specific DNS name so it points to the private IP of the ENI for the interface endpoint.
If you have multiple VPCs it's best to share your interface endpoints among them, otherwise at 1c/hr each it can get very expensive once you have interface endpoints for many services across many VPCs. See this article for details.
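A practical way to confirm the private DNS override described above is actually in effect is to check where a service's regional API name resolves from inside the VPC. The script below is an added example, not code from either answer: it resolves a hostname and reports whether every A record falls inside the VPC CIDR(s), which is what you expect from interface-endpoint ENIs. The hostnames, CIDR and the sample resolver table are constructed values so the check can be exercised offline; the default resolver uses the host's real DNS.

```python
"""Check whether a service API hostname resolves to interface-endpoint ENIs
inside the VPC (private DNS override) or to public addresses.

Added example; hostnames, CIDR and SAMPLE_DNS are constructed values."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List


def resolve_ipv4(hostname: str) -> List[str]:
    """Default resolver: ask the host's configured DNS (the VPC resolver
    when run from an instance) for the hostname's A records."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_resolution(hostname: str, vpc_cidrs: Iterable[str],
                        resolver: Callable[[str], List[str]] = resolve_ipv4,
                        ) -> Dict[str, object]:
    """Split resolved addresses into those inside the VPC (endpoint ENIs) and
    those outside it. With private DNS enabled on an interface endpoint, the
    API name should resolve only to addresses inside the VPC; any address
    outside means calls take the public path (or a mix of both)."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    addresses = resolver(hostname)
    inside = [a for a in addresses
              if any(ipaddress.ip_address(a) in net for net in networks)]
    outside = [a for a in addresses if a not in inside]
    return {
        "hostname": hostname,
        "endpoint_addresses": inside,
        "public_addresses": outside,
        "uses_interface_endpoint": bool(inside) and not outside,
    }


# Constructed sample data: a VPC CIDR and what its resolver might return.
SAMPLE_VPC_CIDRS = ["10.20.0.0/16"]
SAMPLE_DNS = {
    # PHZ override in place: name resolves to endpoint ENIs in two subnets
    "ec2.us-east-1.amazonaws.com": ["10.20.1.37", "10.20.2.91"],
    # No endpoint for this service: placeholder public address (TEST-NET-3)
    "sts.us-east-1.amazonaws.com": ["203.0.113.10"],
}


def sample_resolver(hostname: str) -> List[str]:
    """Offline stand-in for resolve_ipv4 using the constructed table."""
    return SAMPLE_DNS[hostname]


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(classify_resolution(name, SAMPLE_VPC_CIDRS, sample_resolver))
```

Run it from an instance in the VPC with the real resolver (drop the `sample_resolver` argument) and your actual VPC CIDRs; a service whose name still resolves to public addresses is one whose calls are not going through an interface endpoint.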