DynamoDB with VPC Endpoints

• By default, communications to and from DynamoDB use the HTTPS protocol, which protects network traffic by using SSL/TLS encryption.
• A VPC endpoint for DynamoDB enables EC2 instances in the VPC to use their private IP addresses to access DynamoDB with no exposure to the public internet.
• Traffic between the VPC and the AWS service does not leave the Amazon network.
• EC2 instances do not require public IP addresses, an internet gateway, a NAT device, or a virtual private gateway in the VPC.

• VPC endpoint for DynamoDB routes any requests to a DynamoDB endpoint within the Region to a private DynamoDB endpoint within the Amazon network.
• Applications running on EC2 instances in the VPC don’t need to be modified.
• Endpoint name remains the same, but the route to DynamoDB stays entirely within the Amazon network and does not access the public internet.
• VPC Endpoint Policies to control access to DynamoDB.

Types of VPC Endpoints for DynamoDB

• DynamoDB supports two types of VPC endpoints: Gateway Endpoints and Interface Endpoints (using AWS PrivateLink).
• Both types keep network traffic on the AWS network.
• Gateway endpoints and interface endpoints can be used together in the same VPC.

Gateway Endpoints

• A gateway endpoint is specified in the route table to access DynamoDB from the VPC over the AWS network.
• Use DynamoDB public IP addresses.
• Do not allow access from on-premises networks.
• Do not allow access from another AWS Region.
• Not billed – Gateway endpoints are free of charge.
• Available only in the Region where created.
• Supported for both DynamoDB tables and DynamoDB Streams.

Interface Endpoints (AWS PrivateLink)

• Announced in March 2024, DynamoDB now supports AWS PrivateLink for interface endpoints.
• Use private IP addresses from the VPC to route requests to DynamoDB.
• Represented by one or more elastic network interfaces (ENIs) with private IP addresses.
• Allow access from on-premises networks via AWS Direct Connect or Site-to-Site VPN.
• Allow cross-region access from another VPC using VPC peering or AWS Transit Gateway.
• Billed – Interface endpoints incur hourly charges and data processing charges.
• Support up to 50,000 requests per second per endpoint.
• Compatible with existing gateway endpoints in the same VPC.
• Enable simplified private network connectivity from on-premises workloads to DynamoDB.

Choosing Between Gateway and Interface Endpoints

• Use Gateway Endpoints when:
  • Access is only needed from within the VPC.
  • Cost optimization is a priority (gateway endpoints are free).
  • Simple VPC-only connectivity is sufficient.
• Use Interface Endpoints when:
  • Access is needed from on-premises networks via Direct Connect or VPN.
  • Cross-region access is required via VPC peering or Transit Gateway.
  • Private IP addressing is required for compliance or security policies.
  • Integration with AWS Management Console Private Access is needed.
• Use Both Together when:
  • In-VPC applications can use the free gateway endpoint.
  • On-premises applications use interface endpoints for private connectivity.
  • This approach optimizes costs while enabling hybrid connectivity.

DynamoDB Streams with AWS PrivateLink

• Announced in March 2025, DynamoDB Streams now supports AWS PrivateLink.
• Allows invoking DynamoDB Streams APIs from within the VPC without traversing the public internet.
• Only interface endpoints are supported for DynamoDB Streams – gateway endpoints are not supported.
• Enables private connectivity for stream processing applications running on-premises or in other regions.
• Supports FIPS endpoints in US and Canada commercial AWS Regions (announced November 2025).
• To use DynamoDB console with AWS Management Console Private Access, create VPC endpoints for both:
  • com.amazonaws.<region>.dynamodb
  • com.amazonaws.<region>.dynamodb-streams

DynamoDB Accelerator (DAX) with AWS PrivateLink

• Announced in October 2025, DAX now supports AWS PrivateLink.
• Enables secure access to DAX management APIs (CreateCluster, DescribeClusters, DeleteCluster) over private IP addresses within the VPC.
• Customers can access DAX using private DNS names.
• Provides private connectivity for DAX cluster management operations.

IPv6 Support

• Announced in October 2025, DynamoDB now supports Internet Protocol version 6 (IPv6).
• IPv6 addresses can be used in VPCs when connecting to:
  • DynamoDB tables
  • DynamoDB Streams
  • DynamoDB Accelerator (DAX)
• IPv6 support includes both AWS PrivateLink Gateway and Interface endpoints.
• DAX supports IPv6 addressing with IPv4-only, IPv6-only, or dual-stack networking modes.
• Available in all commercial AWS Regions and AWS GovCloud (US) Regions.

VPC Endpoint Policies

• Endpoint policies can be attached to VPC endpoints to control access to DynamoDB.
• Policies specify:
  • IAM principals that can perform actions
  • Actions that can be performed
  • Resources on which actions can be performed
• Can restrict access to specific DynamoDB tables from a VPC endpoint.
• Useful for implementing least-privilege access controls.

Considerations and Limitations

• AWS PrivateLink for DynamoDB does not support:
  • Transport Layer Security (TLS) 1.1
  • Private and Hybrid Domain Name System (DNS) services
• Network connectivity timeouts to AWS PrivateLink endpoints need to be handled by applications.
• Interface endpoints support up to 50,000 requests per second per endpoint.
• When using both gateway and interface endpoints together, applications must use endpoint-specific DNS names to route traffic through interface endpoints.

AWS Certification Exam Practice Questions

• Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
• AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
• AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
• Open to further feedback, discussion and correction.

1. What are the services supported by VPC endpoints, using the Gateway endpoint type?
   1. Amazon EFS
   2. Amazon DynamoDB
   3. Amazon Glacier
   4. Amazon SQS
2. A business application is hosted on Amazon EC2 and uses Amazon DynamoDB for its storage. The chief information security officer has directed that no application traffic between the two services should traverse the public internet. Which capability should the solutions architect use to meet the compliance requirements?
   1. AWS Key Management Service (AWS KMS)
   2. VPC endpoint
   3. Private subnet
   4. Virtual private gateway
3. A company runs an application in the AWS Cloud and uses Amazon DynamoDB as the database. The company deploys Amazon EC2 instances to a private network to process data from the database. The company uses two NAT instances to provide connectivity to DynamoDB.
   The company wants to retire the NAT instances. A solutions architect must implement a solution that provides connectivity to DynamoDB and that does not require ongoing management. What is the MOST cost-effective solution that meets these requirements?
   1. Create a gateway VPC endpoint to provide connectivity to DynamoDB.
   2. Configure a managed NAT gateway to provide connectivity to DynamoDB.
   3. Establish an AWS Direct Connect connection between the private network and DynamoDB.
   4. Deploy an AWS PrivateLink endpoint service between the private network and DynamoDB.
4. A company has an on-premises data center connected to AWS via AWS Direct Connect. The company needs to access DynamoDB tables from on-premises applications without traversing the public internet. What is the BEST solution?
   1. Create a gateway VPC endpoint for DynamoDB.
   2. Create an interface VPC endpoint (AWS PrivateLink) for DynamoDB.
   3. Configure a NAT gateway in the VPC.
   4. Use an internet gateway with security groups.
5. A solutions architect needs to enable private connectivity to DynamoDB Streams for a stream processing application. Which VPC endpoint type should be used?
   1. Gateway endpoint only
   2. Interface endpoint only
   3. Either gateway or interface endpoint
   4. Both gateway and interface endpoints together
6. A company wants to minimize costs for accessing DynamoDB from EC2 instances within the same VPC while maintaining private connectivity. What should they implement?
   1. Interface VPC endpoint
   2. Gateway VPC endpoint
   3. NAT gateway
   4. Internet gateway with security groups
7. Which of the following are true about DynamoDB interface endpoints? (Select TWO)
   1. They support access from on-premises networks via Direct Connect or VPN.
   2. They are free of charge.
   3. They use private IP addresses from the VPC.
   4. They cannot be used with gateway endpoints in the same VPC.
   5. They support unlimited requests per second.

References

• Using Amazon VPC endpoints to access DynamoDB
• AWS PrivateLink for DynamoDB
• Gateway endpoints for Amazon DynamoDB
• Simplify private connectivity to Amazon DynamoDB with AWS PrivateLink
• AWS PrivateLink for DynamoDB Streams
• Using AWS PrivateLink for DynamoDB Accelerator (DAX)
• Amazon DynamoDB now supports IPv6