VPC Endpoints Overview
- A VPC endpoint enables a private connection between your VPC and another AWS service using private IP addresses
- A VPC endpoint does not require a public IP address, Internet access, a NAT device, a VPN connection or AWS Direct Connect
- Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.
- Traffic between the VPC and the AWS service does not leave the Amazon network.
- Endpoints currently do not support cross-region requests; ensure that the endpoint is created in the same region as your bucket
- AWS currently supports endpoints for the S3 service only
- Creating an endpoint requires specifying the VPC and the service to be accessed via the endpoint
- An endpoint needs to be associated with a route table; the route table cannot be edited to remove the endpoint route entry. The entry can only be deleted by removing the endpoint's association with the route table
- A route is automatically added to the route table with a destination that specifies the prefix list of the service and a target of the endpoint ID, e.g. a rule with destination pl-68a54001 (com.amazonaws.us-west-2.s3) and a target of this endpoint's ID (e.g. vpce-12345678) will be added to the route tables
- Access to the resources in other services can be controlled by endpoint policies
- Security groups need to be modified to allow outbound traffic from the VPC to the service that is specified in the endpoint. Use the service's prefix list ID (the prefix list for e.g. com.amazonaws.us-east-1.s3) as the destination in the outbound rule
- Multiple endpoint routes to different services can be specified in a route table, and multiple endpoint routes to the same service can be specified in different route tables, but you cannot have multiple endpoints to the same service in a single route table
- Endpoint cannot be created between a VPC and an AWS service in a different region.
- Endpoint cannot be tagged
- Endpoint cannot be transferred from one VPC to another, or from one service to another
- Endpoint connections cannot be extended out of a VPC, i.e. resources on the other side of a VPN connection, VPC peering connection or AWS Direct Connect connection cannot use the endpoint
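The route entry and security group rule described above are the two things that determine whether S3 traffic actually stays on the endpoint, so here is an added offline audit check (example code written for these notes, not an AWS tool) that walks data in the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` and reports route tables with no endpoint route for the service prefix list and security groups whose egress rules do not reach it. The route table, security group, endpoint and prefix list IDs in the sample data are constructed for the example.

```python
# Constructed sample data in the shape of `aws ec2 describe-route-tables` and
# `aws ec2 describe-security-groups`; all IDs are made up for this example.
S3_PREFIX_LIST = "pl-68a54001"  # com.amazonaws.us-west-2.s3, as in the note above

ROUTE_TABLES = [
    {"RouteTableId": "rtb-0001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": "pl-68a54001", "GatewayId": "vpce-12345678"}]},
    {"RouteTableId": "rtb-0002", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0001", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "PrefixListIds": [{"PrefixListId": "pl-68a54001"}]}]},
    {"GroupId": "sg-0002", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "PrefixListIds": []}]},
]

def endpoint_for_service(route_table, prefix_list_id):
    """Endpoint ID (vpce-...) that the table routes the service prefix list to, or None."""
    # Without this route, traffic to the service follows the default route
    # (internet gateway or NAT) instead of staying on the Amazon network.
    for route in route_table.get("Routes", []):
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("GatewayId", "").startswith("vpce-")):
            return route["GatewayId"]
    return None

def sg_allows_service_egress(security_group, prefix_list_id):
    """True if an outbound rule reaches the prefix list (or is open to 0.0.0.0/0)."""
    for perm in security_group.get("IpPermissionsEgress", []):
        if any(p["PrefixListId"] == prefix_list_id for p in perm.get("PrefixListIds", [])):
            return True
        if any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            return True
    return False

def audit(route_tables, security_groups, prefix_list_id):
    """Findings: tables whose S3 traffic bypasses the endpoint, SGs whose egress blocks it."""
    findings = []
    for rt in route_tables:
        if endpoint_for_service(rt, prefix_list_id) is None:
            findings.append(f"{rt['RouteTableId']}: no endpoint route for {prefix_list_id}")
    for sg in security_groups:
        if not sg_allows_service_egress(sg, prefix_list_id):
            findings.append(f"{sg['GroupId']}: no outbound rule to {prefix_list_id}")
    return findings
```

With real data, pass the `RouteTables` and `SecurityGroups` arrays from the two CLI commands to `audit()` in place of the constructed samples.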