Difference between VPC Endpoints

0

What is the difference between gateway and interface endpoints? I know former is based on routing while later is based on ENI but I feel what's going behind the scenes is still the same for both cases. For gateway endpoints, I believe that particular ip's (in the way of prefix list) are routed to S3/dynamodb service. But before that shouldn't a dns resolution happen? So if I say "aws s3 ls", dns should provide a private IP (which would be one of the prefix list) and then can routing can happen. Isn't the concept still the same for interface endpoints? That is, a dns resolution to a private IP?

nishan
已提問 1 年前檢視次數 338 次
1 個回答
1

Yes, DNS resolution happens with both endpoints. You're correct in how you describe things.

For Gateway Endpoints you'll find that the DNS entry resolves to the public IP address for the S3 and DynamoDB services. The VPC then routes those IP addresses to the endpoint and you're connected with the services.

For Interface Endpoints (which are powered by PrivateLink) the DNS entry resolves to a private IP address that PrivateLink creates for the network interface in your VPC. Note that as per the documentation you need to have DNS hostnames and DNS resolution enabled in your VPC for this to work. Also, there is a specific name for the endpoint that can also be used - but in most cases it is far easier to use the "normal" (public) endpoint name because it requires no application changes.

profile pictureAWS
專家
已回答 1 年前
profile picture
專家
已審閱 1 年前
profile picture
專家
已審閱 1 年前
  • I have a couple of more questions:

    1. Both dnshostnames and dns resolution must be turned on for both interface and gateway endpoints to work. Right?
    2. Who is doing the dns resolution. I believe it would be amazon dns server, i.e. 169.254.169.253 along with vpc+2. If so, how can I leverage vpc endpoints if I want to use custom dns server
    1. Yes.
    2. The custom DNS server would need to forward requests for Amazon-owned DNS names to an Amazon-owned resolver (Route 53 in this case) which is the IP address you've listed. You can also set up a Route 53 Resolver.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南