VPC Endpoints Overview
- A VPC endpoint enables a private connection between your VPC and a supported AWS service; traffic to the service is routed through the endpoint instead of over the Internet
- A VPC endpoint does not require a public IP address, access over the Internet, a NAT device, a VPN connection, or AWS Direct Connect
- Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic
- Traffic between the VPC and the AWS service does not leave the Amazon network
- Endpoints currently do not support cross-region requests; ensure that the endpoint is created in the same region as your bucket
- AWS currently supports gateway endpoints for S3 only (Update: with a later enhancement, DynamoDB is also supported)

Configuration
- An endpoint requires the VPC and the service that is to be accessed through the endpoint
- The endpoint needs to be associated with a route table, and the route table cannot be edited to remove the endpoint route. The route is removed only by removing the endpoint's association with the route table
- A route is automatically added to the route table with the service prefix list as the destination and the endpoint ID as the target, e.g. a route with destination pl-68a54001 (com.amazonaws.us-west-2.s3) and target vpce-12345678
- Access to resources in the service can be controlled by an endpoint policy attached to the endpoint. The default policy allows full access to the service through the endpoint, so scope it down to the buckets or tables that should be reachable; on the S3 side, a bucket policy can additionally require that requests arrive through a specific endpoint (condition key aws:sourceVpce)
- If a security group restricts outbound traffic, add an outbound rule allowing traffic from the instances to the service, using the service prefix list ID (pl-xxxxxxxx, the one named e.g. com.amazonaws.us-east-1.s3) as the destination
- A route table can contain endpoint routes to different services, and different route tables can contain endpoint routes to the same service, but a single route table cannot have multiple endpoints to the same service
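The configuration steps above can be checked offline against the data AWS returns. The following is an added example (not code from the original post or from AWS): it takes a route table shaped like one entry of `aws ec2 describe-route-tables` output, picks out the gateway endpoint route (prefix-list destination, vpce-* target), flags the default full-access endpoint policy, builds an endpoint policy scoped to named buckets, and builds the matching S3 bucket policy that denies requests not arriving through the endpoint. The route table, bucket name and account-independent IDs are constructed for illustration; pl-68a54001 and vpce-12345678 are taken from the post.

```python
"""Offline checks for an S3 gateway endpoint configuration (added example).

All identifiers except the prefix list and endpoint ID from the post are
illustrative; the route table below is constructed, not captured.
"""
import json

# Constructed sample shaped like one RouteTable entry from
# `aws ec2 describe-route-tables` after an endpoint was associated with it.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0a1b2c3d",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-11111111", "State": "active"},
        {"DestinationPrefixListId": "pl-68a54001", "GatewayId": "vpce-12345678", "State": "active"},
    ],
}

# The policy AWS attaches to a gateway endpoint by default: full access.
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}]
}


def endpoint_routes(route_table):
    """Return {prefix_list_id: vpce_id} for every gateway endpoint route.

    Endpoint routes are the ones with a prefix-list destination and a
    vpce-* target, which is exactly what the endpoint association adds.
    """
    found = {}
    for route in route_table["Routes"]:
        prefix_list = route.get("DestinationPrefixListId")
        target = route.get("GatewayId", "")
        if prefix_list and target.startswith("vpce-"):
            found[prefix_list] = target
    return found


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal."""
    if isinstance(value, dict):          # e.g. {"AWS": "*"}
        value = list(value.values())
    return value if isinstance(value, list) else [value]


def is_full_access_policy(policy):
    """True when an unconditional Allow grants every action on every
    resource to every principal, i.e. the endpoint restricts nothing."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        wide_principal = "*" in _as_list(stmt.get("Principal", []))
        wide_action = any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))
        wide_resource = "*" in _as_list(stmt.get("Resource", []))
        if wide_principal and wide_action and wide_resource:
            return True
    return False


def scoped_s3_endpoint_policy(bucket_names,
                              actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """Endpoint policy allowing only the listed actions on the listed buckets.

    Principal stays "*": the endpoint policy limits *what* is reachable
    through the endpoint; *who* may call is still decided by IAM and the
    bucket policy.
    """
    resources = []
    for bucket in bucket_names:
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowListedBucketsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": resources,
        }],
    }


def s3_bucket_policy_requiring_vpce(bucket, vpce_id):
    """Bucket-side counterpart: deny any request that did not arrive via
    the given endpoint, using the aws:sourceVpce condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


if __name__ == "__main__":
    print("endpoint routes:", endpoint_routes(SAMPLE_ROUTE_TABLE))
    print("default policy is full access:", is_full_access_policy(DEFAULT_ENDPOINT_POLICY))
    scoped = scoped_s3_endpoint_policy(["example-app-data"])
    print("scoped policy is full access:", is_full_access_policy(scoped))
    print(json.dumps(s3_bucket_policy_requiring_vpce("example-app-data", "vpce-12345678"), indent=2))
```

Note that the deny-unless-via-endpoint bucket policy also blocks your own console and CLI access from outside the VPC, so test it with a non-critical bucket first and keep an administrative exception if you need one.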
Limitations
- Endpoint cannot be created between a VPC and an AWS service in a different region.
- Endpoint cannot be tagged
- An endpoint cannot be transferred from one VPC to another, or from one service to another
- Endpoint connections cannot be extended out of a VPC, i.e. resources on the other side of a VPN connection, VPC peering connection, or AWS Direct Connect connection cannot use the endpoint
References
AWS VPC User Guide - Endpoints: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
AWS currently supports endpoints for both S3 and DynamoDB. Please correct it.
Thanks Pradeep, seems a latest enhancement; will check and add the same.
Wow, quick response. Thank you.
> AWS currently supports endpoints for S3 service only
New update: DynamoDB
Thanks doanda86, yup, there has been an update from AWS some time back. Updated the same.
Jayendra, It appears the link to the document at the end is broken/outdated. It looks like this link takes you to the intended location: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
Thanks for the good info.
Thanks Dave, it seems like the Amazon Affiliate script is breaking the docs link. Let me check further.