A VPC endpoint enables a private connection between your VPC and another AWS service; instances in the VPC reach the service using their private IP addresses
A VPC endpoint does not require a public IP address, Internet access, a NAT device, a VPN connection or AWS Direct Connect
Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.
Traffic between the VPC and the AWS service does not leave the Amazon network
Endpoints currently do not support cross-region requests; ensure that the endpoint is created in the same region as your S3 bucket
AWS currently supports endpoints for the S3 service only (Update: with the latest enhancement, DynamoDB is also supported)
Creating an endpoint requires specifying the VPC and the service that will be accessed through the endpoint
An endpoint must be associated with one or more route tables. The route it adds cannot be removed by editing the route table; it goes away only when the route table is disassociated from the endpoint (or the endpoint is deleted)
A route is automatically added to each associated route table with a destination of the service's prefix list and a target of the endpoint ID. For example, a route with destination pl-68a54001 (com.amazonaws.us-west-2.s3) and target vpce-12345678 is added to the route tables
Access to resources in the service can be controlled by an endpoint policy attached to the endpoint. The default policy allows full access to the service; a custom policy can restrict which resources and actions are reachable through the endpoint. The endpoint policy does not override IAM identity policies or bucket policies; a request must be allowed by all of them
Security groups must allow outbound traffic from the VPC to the service specified in the endpoint (this matters when outbound rules have been restricted, since the default security group allows all outbound traffic). Use the service's prefix list ID (the pl-xxxxxxxx ID corresponding to e.g. com.amazonaws.us-east-1.s3) as the destination of the outbound rule, rather than an IP range, because the service's IP ranges change
Multiple endpoint routes to different services can exist in a single route table, and multiple endpoint routes to the same service can exist in different route tables, but a single route table cannot have routes to more than one endpoint for the same service
An endpoint cannot be created between a VPC and an AWS service in a different region
Endpoint cannot be tagged
An endpoint cannot be transferred from one VPC to another, or from one service to another
Endpoint connections cannot be extended out of a VPC, i.e. resources on the far side of a VPN connection, a VPC peering connection or an AWS Direct Connect connection cannot use the endpoint
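The endpoint-policy point above is easiest to see by tracing requests through the two policies that usually go together: an endpoint policy that limits what is reachable through the endpoint, and a bucket policy that rejects requests arriving any other way. The following is an added example, not code from the original page or from AWS: the bucket name and the use of the aws:sourceVpce condition key on the bucket side are assumptions beyond what the page states, the endpoint ID vpce-12345678 is the page's own illustrative value, and the evaluator models only the operators the two policies use (explicit Deny wins, then Allow, otherwise implicit deny).

```python
import fnmatch

# Added example (not from the original page). Identifiers are constructed: the endpoint
# id is the page's illustrative value, the bucket name is made up.
VPCE_ID = "vpce-12345678"
BUCKET = "example-private-bucket"

# Endpoint policy: attached to the gateway endpoint, it limits what can be reached
# THROUGH the endpoint. Anything not allowed here is implicitly denied at the endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OnlyThisBucketViaEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        }
    ],
}

# Bucket policy: the endpoint policy says nothing about requests that never touch the
# endpoint, so the bucket side denies anything whose aws:sourceVpce is not our endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnlessFromEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource matching: '*' and '?' wildcards; ARNs are case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the two operators used above are modelled. Note the IAM rule that a negated
    # operator (StringNotEquals) evaluates to true when the key is absent from the request
    # context; that is what makes the bucket policy catch traffic that bypasses the endpoint.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context):
    """Minimal resource-policy evaluation: explicit Deny wins, else Allow, else implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def s3_request_outcome(action, resource, via_endpoint):
    """Trace one S3 request through both policies. Assumes the caller's IAM identity
    policy already allows the action, so only the two resource policies can block it."""
    context = {"aws:sourceVpce": VPCE_ID} if via_endpoint else {}
    if via_endpoint and evaluate(ENDPOINT_POLICY, action, resource, context) != "Allow":
        return "denied by endpoint policy"
    if evaluate(BUCKET_POLICY, action, resource, context) == "Deny":
        return "denied by bucket policy"
    return "allowed"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
    other = "arn:aws:s3:::some-other-bucket/exfil.txt"
    print(s3_request_outcome("s3:GetObject", obj, via_endpoint=True))     # allowed
    print(s3_request_outcome("s3:GetObject", other, via_endpoint=True))   # denied by endpoint policy
    print(s3_request_outcome("s3:GetObject", obj, via_endpoint=False))    # denied by bucket policy
    print(s3_request_outcome("s3:DeleteObject", obj, via_endpoint=True))  # denied by endpoint policy
```

The two policies cover different failure modes: the endpoint policy stops an instance in the VPC from using the endpoint to reach a bucket you do not control (a common exfiltration path), while the bucket policy stops the bucket being reached from anywhere that is not the endpoint. A Deny on Principal "*" with StringNotEquals aws:sourceVpce also locks out console and administrative access that does not come through the endpoint, so in practice that statement usually carries an exception for a break-glass role.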