27 thoughts on “AWS VPC Endpoints”

1. AWS currently supports end points for both S3 and DynamoDB as well. Please correct it.

   1. Thanks Pradeep seems a latest enhancement, will check and add the same.

      1. wow quick response. thank you.

2. AWS currently supports endpoints for S3 service only
   >New update: DynamoDB

   1. Thanks doanda86, yup there has been an update from AWS sometime back. Update the same.

3. Jayendra, It appears the link to the document at the end is broken/outdated. It looks like this link takes you to the intended location: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

   Thanks for the good info.

   1. thanks Dave, it seems like Amazon Affiliate script is breaking the docs link. Let me check further.

4. Jayendra , Request you to kindly help how can i prepare for AWS interview

   1. Hi Puneet, for interviews I usually recommend get your theory concepts right. Get your hands on using Free Tier, Qwiklabs, and Implement AWS projects. Also watch Re-Invent videos on architecture mainly.

5. We have our application on Singapore Region and want to use the SES Service (Closest Endpoint) in EU-Ireland.Apparently VPC Endpoint doesn’t supports Service in cross region. PrivateLink doesn’t look promising (no clarity whether it supports cross region AWS Service (SES) if though how the connectivity can be established between regions,using Direct Connect or VPN ? Any idea how this can be achieved

   1. Why not try an alternative for SES as a SaaS service instead ?

6. Hi Jayendra,

   Great blog. Always helped me in clearing the certifications.
   Noticed that we can tag the VPC endpoint now (https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html). Please update it.

   1. Thanks Surupa, will add the same.

7. For Question 5, how come (a) also is not correct. Aren’t the same number of servers exposed to internet in both (a) and (d). The only difference is that in (d) we using Endpoint

   The question is asking for least number of components exposed to internet. In both answers it is the 2 web servers.

   If you can please clarify why (d) picked over (a).

   Thanks in advance. Fantastic Blog!

   1. for Q5, B & D have web servers in public subnet and hence exposed. Between a and c, you don’t have DynamoDB in private subnet and you can limit you applications access to DynamoDB using VPC endpoint which is internal and does not go through internet

      1. Hi,
         Answer a) in question 5: “(…) two private subnets for RDS and DynamoDB”. I read it as those two private subnets are for both: RDS and DynamoDB. Therefore answers a) and c) would result in the same? Or am I missing something?

         Really nice job with this blog.

         1. DynamoDB does not need any subnets, so A and C are still different options with C being more correct.

8. Hi Jayendra

   Great Informative article. I have question about cross account capability for vpc endpoints. Use case I am looking for, is, I want to have private API connectivity to APIs hosted through APIGW in one account, and other ec2 instances in different accounts, but coming under same org.
   Can I have a vpc endpoint enabling private connectivity between vpc in Account A, to a service (APIGW) in Account B. Or what would be the typical approach here. It would be great to know your thoughts on this.

   1. You can expose the API as private Link @ https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html.

9. Hi Jayendra,
   Nice article. One thing that is not clear, consider the following scenario:

   Lets say I have a ECS service and a lambda running in a VPC. Both ECS service and lambda access SQS service and Postgres database in RDS. Everythings works. Now, I create a VPC endpoint for SQS. Do I need another VPC endpoint for my services to access RDS? I know the RDS traffic leaves the VPC but my question is will the services be able to access RDS as before?

   1. RDS does not need VPC endpoint. As Lambda is already in VPC, it can access RDS private endpoint directly.

10. Hi sir pls answer,

    A sysops administrator created an AWS Lambda function within a VPC with no access to the Internet. The Lambda function pulls messages from an Amazon SQS queue and stores them in an Amazon RDS instance in the same VPC. After executing the Lambda function, the data is not showing up on the RDS instance.Which of the following are possible causes for this? (Choose two.)
    * A. A VPC endpoint has not been created for Amazon RDS
    * B. A VPC endpoint has not been created for Amazon SQS
    * C. The RDS security group is not allowing connections from the Lambda function
    * D. The subnet associated with the Lambda function does not have an internet gateway attached
    * E. The subnet associated with the Lambda function has a NAT gateway.

    1. B & C. SQS needs VPC Interface Endpoint and RDS should allow connections from Lambda.

11. Q5 bothers me much – the correct answer has VPC Endpoint for DynamoDB, which is surely meeting the requirements of least traffic outside AWS.
    BUT… The question doesn’t ask for DynamoDB at all… Neither it does for S3 nor for any other AWS service that would need to use VPC Endpoint.
    The answer C is still the only correct answer, but it doesn’t really fit to the question.

    1. It’s just a valid option from the available options.

12. Endpoint connections cannot be extended out of a VPC i.e. resources across the VPN connection, VPC peering connection, AWS Direct Connect connection cannot use the endpoint

    Is not correct as from Oct 10, 2018
    AWS PrivateLink now supports access over Inter-Region VPC Peering

    1. Its still a valid limitation for VPC Gateway endpoints.

Comments are closed.