PrivateLink access to DynamoDB

0

I know on-prem can access DynamoDB via an interface endpoint instead of via the internet. Can I install an interface endpoint in a transitive VPC for another VPC to access DynamoDB without going via the public network?


Is it possible to do this?

asked 11 days ago · 76 views
8 Answers
0
Accepted Answer

Hello.

As described in the following document, if you connect VPCs using a Transit Gateway or similar, you should be able to access DynamoDB using an interface-type VPC endpoint located in a different VPC.
So I think the configuration you're considering is feasible.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/privately-access-a-central-aws-service-endpoint-from-multiple-vpcs.html

EXPERT
answered 11 days ago
0

Yes, you can do that, but why?

DynamoDB also offers Gateway Endpoints which are free of charge (you still pay for requests, just not for the endpoint itself) but are only accessible from within the VPC in which they are created. Why not put a Gateway Endpoint in each VPC?

With the solution you're suggesting you're going to pay for traffic across the Transit Gateway to the Interface Endpoint in the other VPC.

AWS
EXPERT
answered 11 days ago
EXPERT
reviewed 10 days ago
  • A Gateway Endpoint is only for consumers in the same VPC where the gateway endpoint is located. My consumer is located in another VPC. So I have to use an interface endpoint. Am I right?

  • You just create a gateway endpoint in the consumer VPC. The gateway isn't tied to the DynamoDB instance.

0

I got the interface endpoint working in VPC1:

    [ec2-user@ip-10-10-1-220 ~]$ aws s3 ls --endpoint-url https://bucket.vpce-0e4661e7505bfbcd3-6hx2vpfh.s3.us-west-2.vpce.amazonaws.com
    2025-05-08 03:02:32 gyu-demo-bucket9906

How can I direct the traffic to S3 from VPC2? Where can I find some documentation for this purpose?

Thanks!!

answered 11 days ago
  • Your question was about DynamoDB, not S3?

  • From VPC2, can you use the following to test?

        aws s3 ls s3://gyu-demo-bucket99069906.demo-s3.gyu-demo.aws

    demo-s3.gyu-demo.aws is already configured in an R53 private hosted zone which is attached to VPC1 and VPC2; the resolution works:

        [ec2-user@ip-10-20-1-106 ~]$ ping demo-s3.gyu-demo.aws
        PING demo-s3.gyu-demo.aws (10.10.1.168) 56(84) bytes of data.

0

To route from VPC2 to the VPC endpoint in VPC1, you need to configure the route table so that traffic can be routed from VPC2 to VPC1.
Also, if you configure the Route 53 private hosted zone so that name resolution of the DynamoDB service endpoint returns the IP address of the VPC endpoint, you can use the interface VPC endpoint of VPC1 from VPC2.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-vpc-interface-endpoint.html

However, as Brettski-AWS explains, DynamoDB and S3 have gateway VPC endpoints, so it may be better to set these up in each VPC, as this will reduce costs.

EXPERT
answered 11 days ago
  • Thanks so much!!

  • I tested using S3, but my customer needs DynamoDB, which I am not good at. So I use S3 to test. Thanks a lot!!
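The answer above names two conditions for using VPC1's interface endpoint from VPC2: a route from VPC2 to VPC1 and a private hosted zone that resolves the DynamoDB service name to the endpoint's address. The following offline checker is an added example (not code from the thread or from AWS) that verifies both against a resolved address; the CIDRs, route entries and gateway IDs are constructed placeholders.

```python
"""Offline check: is the DynamoDB interface endpoint in VPC1 reached privately from VPC2?

Constructed example. The CIDRs, route entries and gateway IDs below are assumptions, not
values from the thread. In practice the DNS answer comes from resolving
dynamodb.us-west-2.amazonaws.com on an instance inside VPC2 (e.g. with dig), and the routes
from the route table of that instance's subnet (aws ec2 describe-route-tables).
"""
import ipaddress
from typing import List, Optional, Tuple

ENDPOINT_VPC_CIDR = "10.10.0.0/16"  # VPC1, where the interface endpoint ENI lives (assumed)
CONSUMER_ROUTES: List[dict] = [      # constructed route table of the VPC2 subnet
    {"destination": "10.20.0.0/16", "target": "local"},
    {"destination": "10.10.0.0/16", "target": "tgw-PLACEHOLDER"},   # VPC1 via Transit Gateway
    {"destination": "0.0.0.0/0", "target": "igw-PLACEHOLDER"},      # default route to the internet
]

def is_private_endpoint_answer(ip: str, endpoint_vpc_cidr: str = ENDPOINT_VPC_CIDR) -> bool:
    """True only if the resolved address is an RFC 1918 address inside the endpoint VPC.
    A public answer means the private hosted zone override is not in effect in this VPC,
    so requests would leave through the internet gateway instead of the endpoint."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private and addr in ipaddress.ip_network(endpoint_vpc_cidr)

def route_target_for(ip: str, routes: List[dict]) -> Optional[str]:
    """Longest-prefix match over the route table, as the VPC router evaluates it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route["target"])
    return best[1] if best else None

def check_private_path(ip: str, routes: List[dict] = CONSUMER_ROUTES) -> Tuple[bool, str]:
    """Both conditions must hold: a private DNS answer in VPC1 and a non-IGW route to it."""
    if not is_private_endpoint_answer(ip):
        return False, f"{ip} is outside {ENDPOINT_VPC_CIDR}: DNS still returns the public service endpoint"
    target = route_target_for(ip, routes)
    if target is None or target.startswith("igw-"):
        return False, f"no private route from VPC2 to {ip} (matched target: {target})"
    return True, f"{ip} reached via {target}"

if __name__ == "__main__":
    # Constructed DNS answers: the first is what the private hosted zone should return,
    # the second is a public address, i.e. what you get when the override is missing.
    for answer in ("10.10.1.168", "52.94.5.1"):
        print(answer, "->", check_private_path(answer))
```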

0

Does anyone have any comments on the following, mentioned above?

For the scenario in your diagram:

VPC A should have its own interface endpoint for DynamoDB if it needs private access.
VPC B should also have its own interface endpoint for DynamoDB if it needs private access.

You cannot install an interface endpoint in VPC B and have VPC A use it to access DynamoDB. Each VPC needs its own endpoint.

answered 11 days ago
0

How can I test S3 from VPC2 via the interface endpoint in VPC1? From VPC1, I have the following:

    [ec2-user@ip-10-10-1-18 ~]$ aws s3 ls --endpoint-url https://bucket.vpce-0e8c75beb622a813c-ktriob19-us-west-2a.s3.us-west-2.vpce.amazonaws.com s3://gyu-demo-bucket99069906/
    2025-05-08 15:43:54         75 index.html

From VPC2, I tested the R53 private hosted zone:

    [ec2-user@ip-10-20-1-106 ~]$ ping demo-s3.gyu-demo.aws
    PING demo-s3.gyu-demo.aws (10.10.1.168) 56(84) bytes of data.

Should I test S3 access as follows?

    [ec2-user@ip-10-20-1-106 ~]$ aws s3 ls s3://gyu-demo-bucket99069906.demo-s3.gyu-demo.aws

Thanks a lot!!

answered 10 days ago
0

I found a couple of videos on YouTube. They show how to do it.

Thanks a lot for all your insights!!

answered 10 days ago
-1

While it's possible to use AWS PrivateLink for DynamoDB to enable private access from on-premises environments, the scenario you've described with a transitive VPC is not a typical or recommended setup for DynamoDB access.

Interface endpoints for DynamoDB are designed to be used within the VPC where your resources need to access DynamoDB. They don't work as transit gateways or proxies for other VPCs. Each VPC that needs to access DynamoDB privately should have its own interface endpoint.

For the scenario in your diagram:

  1. VPC A should have its own interface endpoint for DynamoDB if it needs private access.
  2. VPC B should also have its own interface endpoint for DynamoDB if it needs private access.

You cannot install an interface endpoint in VPC B and have VPC A use it to access DynamoDB. Each VPC needs its own endpoint.

It's worth noting that for resources within AWS (like EC2 instances in your VPCs), it's often more cost-effective and simpler to use a gateway endpoint for DynamoDB instead of an interface endpoint. Gateway endpoints are free and provide private access to DynamoDB from within a VPC without using the public internet.

If you need to connect multiple VPCs for DynamoDB access, you might want to consider using AWS Transit Gateway or VPC peering to connect the VPCs, and then set up the appropriate endpoints in each VPC as needed.

Remember, the primary use case for interface endpoints with DynamoDB is to provide private access from on-premises environments or from other AWS Regions, not for routing between VPCs within AWS.
Sources
  • Simplify private connectivity to Amazon DynamoDB with AWS PrivateLink | AWS Database Blog
  • AWS PrivateLink for DynamoDB - Amazon DynamoDB
  • Amazon DynamoDB now supports AWS PrivateLink

answered 11 days ago
EXPERT
reviewed 10 days ago
