AWS VPC Gateway Endpoints

  • A VPC Gateway Endpoint is a gateway that is a target for a specified route in the route table, used for traffic destined for a supported AWS service.
  • VPC Gateway Endpoints support the S3 and DynamoDB services.
  • VPC Gateway Endpoints do not require an Internet gateway or a NAT device for the VPC.
  • Gateway endpoints do not enable AWS PrivateLink.
  • VPC Endpoint policy and Resource-based policies can be used for fine-grained access control.
  • There is no additional charge for using gateway endpoints.
  • Gateway endpoints are recommended for workloads contained within a single AWS account and Region. For access from on-premises networks, peered VPCs in other Regions, or through a transit gateway, use Interface Endpoints instead.
  • Both S3 and DynamoDB support both Gateway endpoints and Interface endpoints. Gateway endpoints are free while Interface endpoints incur hourly and data processing charges.

VPC Endpoint Types Comparison

  • AWS now supports three types of VPC endpoints:
    • Gateway Endpoints – Target for a route in a route table, supporting S3 and DynamoDB only. Free of charge. Do not use AWS PrivateLink.
    • Interface Endpoints – Elastic network interfaces with a private IP address powered by AWS PrivateLink. Support 130+ AWS services. Charged hourly and per GB processed.
    • Resource Endpoints (GA December 2024) – Provide private access to a specific resource (e.g., an RDS instance, IP address, or domain) in another VPC or on-premises without requiring a Network Load Balancer. Powered by AWS PrivateLink.
  • For S3 and DynamoDB, Gateway Endpoints are recommended for simple same-Region, same-account access due to zero cost. Interface Endpoints should be used when cross-region, on-premises, or transit gateway access is needed.

Gateway Endpoint Configuration

  • Creating an endpoint requires specifying the VPC and the service to be accessed through the endpoint.
  • The endpoint must be associated with a route table. The route entry it adds cannot be edited out of the route table manually; it is removed only by disassociating the endpoint from the route table.
  • A route is added automatically to the route table with the service prefix list as the destination and the endpoint ID as the target. For example, a route with destination pl-68a54001 (com.amazonaws.us-west-2.s3) and target vpce-12345678 is added to the associated route tables.
  • Access to the resources in other services can be controlled by endpoint policies
  • Security groups must allow outbound traffic from the VPC to the service specified in the endpoint. Use the service prefix list ID (e.g. the prefix list for com.amazonaws.us-east-1.s3) as the destination in the outbound rule.
  • Multiple endpoints can be created in a single VPC, for e.g., to multiple services.
  • Multiple endpoints can be created for the same service but in different route tables.
  • Multiple endpoints to the same service cannot be specified in a single route table.
  • A route table can have both an endpoint route to Amazon S3 and an endpoint route to DynamoDB.
  • The most specific route (longest prefix match) takes precedence – an endpoint route takes priority over a 0.0.0.0/0 route to an internet gateway for traffic destined to S3 or DynamoDB in the same Region.
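As an added example (not from the original page), the following Python simulates the longest-prefix-match rule described above: the prefix-list route to the gateway endpoint wins over the 0.0.0.0/0 route to the internet gateway for S3-bound traffic. The prefix-list CIDRs, the gateway IDs and the test addresses are constructed sample values, not the real contents of pl-68a54001.

```python
# Added example: route selection in a subnet route table that has a local
# route, a gateway-endpoint route (prefix list) and a default route to an IGW.
import ipaddress

# Constructed stand-in for the S3 prefix list. Real prefix lists are looked up
# with `aws ec2 describe-prefix-lists`; two CIDRs suffice to show the behaviour.
S3_PREFIX_LIST = {
    "pl-68a54001": ["52.92.0.0/17", "54.231.0.0/17"],  # constructed values
}

# Route table entries as (destination, target). A prefix-list destination
# expands to every CIDR in the list, all pointing at the endpoint.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("pl-68a54001", "vpce-12345678"),  # added automatically by the endpoint
    ("0.0.0.0/0", "igw-0abc1234"),     # constructed IGW id
]


def expand_routes(route_table, prefix_lists):
    """Flatten prefix-list routes into (network, target) pairs."""
    routes = []
    for dest, target in route_table:
        for cidr in prefix_lists.get(dest, [dest]):
            routes.append((ipaddress.ip_network(cidr), target))
    return routes


def select_route(dst_ip, route_table=ROUTE_TABLE, prefix_lists=S3_PREFIX_LIST):
    """Return the target of the most specific (longest prefix) matching route,
    or None when no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [(net, tgt) for net, tgt in expand_routes(route_table, prefix_lists)
                  if ip in net]
    if not candidates:
        return None
    net, target = max(candidates, key=lambda r: r[0].prefixlen)
    return target


if __name__ == "__main__":
    # Address inside the (constructed) S3 prefix list: routed via the endpoint.
    print(select_route("52.92.10.20"))    # vpce-12345678
    # Arbitrary internet host: falls through to the internet gateway.
    print(select_route("93.184.216.34"))  # igw-0abc1234
    # In-VPC host: the local route is most specific.
    print(select_route("10.0.5.7"))       # local
```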

Gateway Endpoint IPv6 Support

  • Update (November 2025): Gateway endpoints for Amazon S3 now support IPv6, available in all AWS Commercial Regions and GovCloud (US) Regions at no additional cost.
  • Update (October 2025): Amazon DynamoDB now supports IPv6 for gateway and interface VPC endpoints.
  • The IP address type of a gateway endpoint must be compatible with the subnets:
    • IPv4 – Adds the service’s IPv4 prefix list to the route table.
    • IPv6 – Adds the service’s IPv6 prefix list to the route table. Supported only if all selected subnets are IPv6-only subnets.
    • Dualstack – Adds both IPv4 and IPv6 prefix lists to the route table. Supported only if all selected subnets have both IPv4 and IPv6 address ranges.
  • DNS record IP type can be configured as IPv4, IPv6, Dualstack, or service-defined (default).
  • Note: DynamoDB gateway endpoints currently only support the DNS record IP type of service-defined.
  • To use DNS record IP types other than service-defined, you must enable enableDnsSupport and enableDnsHostnames attributes in VPC settings.

Gateway Endpoint Limitations

  • Gateway endpoints are regional and are supported within the same Region only.
  • Gateway endpoints cannot be created between a VPC and an AWS service in a different Region.
  • Gateway endpoints previously supported IPv4 traffic only; as of 2025 they support IPv4, IPv6 and Dualstack depending on the subnet configuration (S3 supports all three modes; DynamoDB supports IPv6 with the service-defined DNS record IP type).
  • Gateway endpoints cannot be transferred from one VPC to another, or from one service to another.
  • Gateway endpoint connections cannot be extended out of a VPC, i.e. resources across a VPN, VPC peering or Direct Connect connection cannot use the endpoint. Use Interface Endpoints for these scenarios.
  • Gateway endpoints do not allow access through a Transit Gateway. Use Interface Endpoints if Transit Gateway access is required.
  • Gateway endpoints have a default quota of 20 per Region (adjustable) and a limit of 255 per VPC.
  • Gateway endpoints do not support AWS PrivateLink and cannot use PrivateLink features such as cross-Region connectivity.

VPC Endpoint policy

  • VPC Endpoint policy is an IAM resource policy attached to an endpoint for controlling access from the endpoint to the specified service.
  • By default, the endpoint policy allows full access from any user or service within the VPC, using credentials from any AWS account, to any S3 resource, including S3 resources belonging to an AWS account other than the one that owns the VPC.
  • Endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies).
  • Endpoint policy can be used to restrict which specific resources can be accessed using the VPC Endpoint.
  • (New 2025) New IAM condition keys for VPC endpoint policies enable scalable organization-wide network perimeter controls:
    • aws:VpceAccount – Restricts access to VPC endpoints owned by a specific account.
    • aws:VpceOrgID – Restricts access to VPC endpoints within a specific AWS Organization.
    • aws:VpceOrgPaths – Restricts access to VPC endpoints within specific organizational unit paths.
    These keys enable you to write SCPs and IAM policies that ensure requests are made through your organization’s VPC endpoints without hard-coding individual VPC endpoint IDs.

S3 Bucket Policies

  • IAM policy or bucket policy can’t be used to allow access from a VPC IPv4 CIDR range as the VPC CIDR blocks can be overlapping or identical, which might lead to unexpected results.
  • aws:SourceIp condition can’t be used in the IAM policies for requests to S3 through a VPC endpoint.
  • S3 Bucket Policies can be used to restrict access through the VPC endpoint only.
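As an added example (not from the original page), the Python below builds the bucket policy that denies every request not arriving through a named gateway endpoint, and includes a simplified evaluator for the StringNotEquals condition that shows why the same request is denied from the internet but not via the endpoint. The bucket name and endpoint ID are constructed sample values; aws:sourceVpce is the real condition key.

```python
# Added example: "deny unless via VPC endpoint" S3 bucket policy, plus a
# minimal evaluator for Deny statements that use StringNotEquals.
import json


def vpce_only_bucket_policy(bucket, vpce_ids):
    """Return a bucket policy denying all S3 actions unless the request
    carries one of the given endpoint IDs in aws:sourceVpce."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            # aws:sourceVpce is absent for requests that do not traverse a VPC
            # endpoint; StringNotEquals is satisfied by a missing key, so such
            # requests hit the Deny.
            "Condition": {"StringNotEquals": {"aws:sourceVpce": list(vpce_ids)}},
        }],
    }


def is_denied(policy, request_ctx):
    """Simplified IAM evaluation: only Deny statements with StringNotEquals
    conditions are considered. request_ctx maps condition keys to the values
    present on the request."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        matched = True  # a Deny with no condition always applies
        for key, allowed in cond.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            # Condition fails to match only when the key is present and equal.
            if request_ctx.get(key) in allowed:
                matched = False
        if matched:
            return True
    return False


if __name__ == "__main__":
    policy = vpce_only_bucket_policy("example-bucket", ["vpce-12345678"])
    print(json.dumps(policy, indent=2))
    print(is_denied(policy, {"aws:sourceVpce": "vpce-12345678"}))  # False
    print(is_denied(policy, {"aws:SourceIp": "203.0.113.5"}))       # True
    print(is_denied(policy, {"aws:sourceVpce": "vpce-0other0000"})) # True
```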

Gateway Endpoints vs Interface Endpoints for S3 and DynamoDB

  • Both S3 and DynamoDB now support Gateway and Interface endpoints. Key differences:
  Feature                 | Gateway Endpoint                | Interface Endpoint
  ------------------------+---------------------------------+---------------------------------------------------
  Cost                    | Free                            | Hourly + data processing charges
  Access from on-premises | Not supported                   | Supported (via VPN/Direct Connect)
  Cross-Region access     | Not supported                   | Supported (via Cross-Region PrivateLink, Nov 2025)
  Transit Gateway access  | Not supported                   | Supported
  VPC Peering access      | Not supported                   | Supported
  AWS PrivateLink         | Not used                        | Powered by PrivateLink
  Routing                 | Route table entry (prefix list) | DNS-based (private DNS names)
  IPv6                    | Supported (2025)                | Supported

VPC Gateway Endpoint Troubleshooting

  • Verify the services are within the same region.
  • DNS resolution must be enabled in the VPC (both enableDnsSupport and enableDnsHostnames must be set to true).
  • Route table should have a route to S3 using the gateway VPC endpoint.
  • Security groups should have outbound traffic allowed to the service prefix list.
  • NACLs should allow inbound and outbound traffic to/from the service CIDR blocks.
  • Gateway Endpoint Policy should define access to the resource.
  • Resource-based policies like the S3 bucket policy should allow access from the VPC endpoint or the VPC.
  • If using IPv6, ensure the endpoint IP address type matches the subnet configuration and verify the DNS record IP type is compatible.
  • Source IPv4 addresses from instances in affected subnets change from public to private IPv4 addresses when an endpoint is created – existing TCP connections may be dropped.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. You have an application running on an Amazon EC2 instance that uploads 10 GB video objects to Amazon S3. Video uploads are taking longer than expected in spite of using multipart upload because of internet bandwidth, resulting in poor application performance. Which action can help improve the upload performance?
    1. Apply an Amazon S3 bucket policy
    2. Use Amazon EBS provisioned IOPS
    3. Use VPC endpoints for S3
    4. Request a service limit increase
  2. What are the services supported by VPC endpoints, using Gateway endpoint type? Choose 2 answers
    1. Amazon S3
    2. Amazon EFS
    3. Amazon DynamoDB
    4. Amazon Glacier
    5. Amazon SQS
  3. An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?
    1. Access the data through an Internet Gateway.
    2. Access the data through a VPN connection.
    3. Access the data through a NAT Gateway.
    4. Access the data through a VPC endpoint for Amazon S3.
  4. A company has a private subnet with EC2 instances that need to access DynamoDB. The instances also require access to S3 from on-premises via Direct Connect. Which combination of endpoints should be used?
    1. Gateway endpoint for both S3 and DynamoDB
    2. Interface endpoint for both S3 and DynamoDB
    3. Gateway endpoint for DynamoDB and Interface endpoint for S3 (for on-premises access)
    4. NAT Gateway for both services
  5. Which of the following is TRUE about VPC Gateway Endpoints? (Choose 2)
    1. They are powered by AWS PrivateLink
    2. They are free of charge
    3. They support access from on-premises networks
    4. They add a route to the route table with the prefix list as destination
    5. They create an elastic network interface in the subnet
  6. A company wants to restrict S3 access to only requests coming through their VPC endpoint at an organizational level without hard-coding endpoint IDs. Which IAM condition key should they use?
    1. aws:sourceVpce
    2. aws:SourceVpc
    3. aws:VpceOrgID
    4. aws:PrincipalOrgID
  7. A solutions architect needs to provide private IPv6-only access from EC2 instances in IPv6-only subnets to Amazon S3. Which endpoint configuration supports this?
    1. Gateway endpoint with IPv4 IP address type
    2. Interface endpoint only – gateway endpoints don’t support IPv6
    3. Gateway endpoint with IPv6 IP address type
    4. Gateway endpoint with Dualstack IP address type