Amazon EC2 using an interface VPC endpoint


I am reading through this article however little confused with the Benefit of EC2 interface Endpoint - is that for traffic which terminates to EC2 from other AWS services (SNS, RDS etc) or is it for traffic from other services to EC2? do we need it if my EC2 instances are not communicating with other AWS services except other EC2 machines ? when you create a EC2 endpoint it creates a ENI in the selected subnet - what will be the use case - how will I utilize that ENI ?

2 Answers

This architecture might give you a better understanding and the use of interface endpoint -

In short, interface endpoints allows you to establish secure communication between AWS services deployed in different VPCs (same account, different account in the same org, a third party marketplace account, etc) by routing all traffic through AWS private backbone network (and not public internet).

If you create an interface endpoint for EC2, this would allow your other services to interact with EC2 using the private network of AWS.

If all your EC2 instances are in the same vpc or in peered vpc's you do not need the private link/interface endpoint for them.

You would not directly use the ENI, rather it is used under the hood. The private IP of these ENIs will act as an entrypoint for you to interact with the service (in a different vpc or account) for which you created the interface endpoint.

You could watch these to get a better understanding - (1:45 to 7:55 - in particular) (20:00 to 38:00 - in particular) --> worth watching the entire video.

profile pictureAWS
answered 2 years ago

Interface endpoints for AWS services are all about contacting that service's API. Just to be clear for an EC2 interface endpoint in your VPC, it's nothing to do with traffic that your EC2 instance is processing, it's about calls that are made from within your VPC to the EC2 service, i.e. API calls as described at

Calls to the EC2 API normally go to its public endpoint as defined by its DNS name. When you create an interface endpoint, by default an AWS-managed Private Hosted Zone (PHZ) is created for your VPC which overrides resolution of that specific DNS name so it points to the private IP of the ENI for the interface endpoint.

If you have multiple VPCs it's best to share your interface endpoints among them, otherwise at 1c/hr each it can get very expensive once you have interface endpoints for many services across many VPCs. See this article for details.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions