VPC Endpoints

AWS VPC Endpoints – Gateway & Interface Endpoints

VPC Endpoints
~ Last updated on : ~ jayendrapatil ~ 27 Comments

AWS VPC Endpoints

  • VPC Endpoints enable the creation of a private connection between VPC to supported AWS services and VPC endpoint services powered by PrivateLink using its private IP address
  • Endpoints do not require a public IP address, access over the Internet, NAT device, a VPN connection, or AWS Direct Connect.
  • Traffic between VPC and AWS service does not leave the Amazon network
  • Endpoints are virtual devices, that are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in the VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.
  • AWS currently supports the following types of Endpoints
    • VPC Gateway Endpoints – target for a route in a route table (S3 and DynamoDB only, free)
    • VPC Interface Endpoints (PrivateLink) – ENI-based, supports 100+ AWS services
    • VPC Resource Endpoints (GA Dec 2024) – direct access to VPC resources (e.g., RDS, EC2 instances, IP/domain targets) across accounts without a load balancer
    • Gateway Load Balancer Endpoints – route traffic to network virtual appliances (firewalls, IDS/IPS) deployed behind a Gateway Load Balancer

VPC Endpoints

VPC Gateway Endpoints

  • A VPC Gateway Endpoint is a gateway that is a target for a specified route in the route table, used for traffic destined for a supported AWS service.
  • Gateway Endpoints currently supports S3 and DynamoDB services only.
  • Gateway Endpoints do not require an Internet gateway or a NAT device for the VPC.
  • Gateway endpoints do not enable AWS PrivateLink.
  • Gateway Endpoints are available at no additional charge.
  • Gateway Endpoints do not support cross-region requests – they must be created in the same Region as the S3 bucket or DynamoDB table.
  • Gateway Endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a Transit Gateway. Use Interface Endpoints for those scenarios.
  • VPC Endpoint policy and Resource-based policies can be used for fine-grained access control.
  • S3 Gateway Endpoints now support IPv6 (announced November 2025) – both dual-stack and IPv6-only configurations are supported.
"AWS

VPC Interface Endpoints – PrivateLink

AWS Private Links

  • VPC Interface endpoints enable connectivity to services powered by AWS PrivateLink.
  • Services include AWS services like CloudTrail, CloudWatch, etc., services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
  • Interface Endpoints only allow traffic from VPC resources to the endpoints and not vice versa.
  • PrivateLink endpoints can be accessed across both intra- and inter-region VPC peering connections, Direct Connect, and VPN connections.
  • VPC Interface Endpoints, by default, have an address like vpce-svc-01234567890abcdef.us-east-1.vpce.amazonaws.com which needs application changes to point to the service.
  • Private DNS name feature allows consumers to use AWS service public default DNS names which would point to the private VPC endpoint service.
  • Interface Endpoints can be used to create custom applications in VPC and configure them as an AWS PrivateLink-powered service (referred to as an endpoint service) exposed through a Network Load Balancer.
  • Custom applications can be hosted within AWS or on-premises (via Direct Connect or VPN)
  • Interface Endpoints are billed per hour per AZ provisioned, plus per-GB data processing charges. See AWS PrivateLink Pricing.

Cross-Region PrivateLink (GA November 2024)

  • AWS PrivateLink now supports native cross-region connectivity, breaking the previous limitation that VPC endpoints were regional-only.
  • As a service consumer, you can privately connect to VPC endpoint services hosted in other AWS Regions within the same partition, without cross-region peering or exposing data to the public internet.
  • As a service provider, you can offer your endpoint service to customers in all Regions from a single Region without deploying infrastructure in each Region.
  • Cross-region connectivity for custom endpoint services (customer-hosted) launched Nov 2024.
  • Cross-region connectivity for AWS services (e.g., S3, ECR, Route 53) launched Nov 2025.
  • Traffic remains on the AWS backbone and does not traverse the public internet.
  • Available within the same AWS partition (commercial, GovCloud, China) across all supported Regions.

VPC Resource Endpoints (GA December 2024)

  • Resource Endpoints are a new type of VPC endpoint introduced at re:Invent 2024 that provide private access to specific VPC resources across accounts.
  • Resource Endpoints allow you to privately access a resource (e.g., an RDS database, EC2 instance, IP address, or domain name) in another VPC without requiring a Network Load Balancer.
  • A VPC resource is represented by a resource configuration, which is associated with a resource gateway.
  • Resources can be shared across accounts using AWS Resource Access Manager (RAM).
  • Supports TCP traffic only (UDP is not supported).
  • Network connections must be initiated from the VPC containing the resource endpoint (unidirectional).
  • Currently supported ARN-based resources include Amazon RDS instances.
  • Also supports connectivity to any resource by IP address or domain name target.
  • DNS names are automatically provisioned with format: endpoint_id.rcfgId.randomHash.vpc-lattice-rsc.region.on.aws
  • Private DNS is supported for ARN-based resources (e.g., RDS), allowing continued use of the resource’s original DNS name.
  • Supports IPv4, IPv6, and dual-stack addressing.
  • Integrates with Amazon VPC Lattice for advanced service networking scenarios.
  • Billed per hour per endpoint provisioned, plus per-GB data processing. Resource gateways billed per-GB data processed.

Gateway Load Balancer Endpoints

  • Gateway Load Balancer (GWLB) Endpoints provide private connectivity between your VPC and network virtual appliances (firewalls, IDS/IPS, deep packet inspection) deployed in a service provider VPC behind a Gateway Load Balancer.
  • GWLB Endpoints serve as an entry/exit point in your VPC for traffic inspection.
  • Used as a target in route tables to transparently route traffic through security appliances.
  • Each GWLB endpoint can support up to 10 Gbps per AZ and auto-scales up to 100 Gbps.
  • Supports ingress routing from Internet Gateway and Virtual Private Gateway for inline traffic inspection.
  • Commonly used in centralized security inspection architectures with AWS Transit Gateway.

S3 VPC Endpoints Strategy

S3 is now accessible with both Gateway Endpoints and Interface Endpoints.

  • Gateway Endpoint – Free, route-table based, same-Region only, no on-premises or cross-region access. Recommended for most in-Region workloads.
  • Interface Endpoint – Hourly + per-GB charges, ENI-based, accessible from on-premises (via Direct Connect/VPN), across VPC peering, Transit Gateway, and now cross-region (via Cross-Region PrivateLink, Nov 2025).
  • Both Gateway and Interface VPC Endpoints for S3 now support IPv6 (November 2025).

S3 Strategy - VPC Gateway Endpoints vs VPC Interface Endpoints

VPC Endpoint Policies & Security

  • VPC Endpoint policies control which AWS principals can use the endpoint to access the service.
  • Endpoint policies can be attached to Gateway, Interface, and Resource endpoints.
  • Security groups can be attached to Interface and Resource endpoints to control inbound/outbound traffic.
  • New IAM Condition Keys (August 2025) for organization-wide network perimeter controls:
    • aws:VpceAccount – Restrict requests based on the account that owns the VPC endpoint.
    • aws:VpceOrgID – Restrict based on the AWS Organization ID of the endpoint owner.
    • aws:VpceOrgPaths – Restrict based on organizational unit paths of the endpoint owner.
  • These new keys complement the existing aws:sourceVpce and aws:sourceVpc condition keys and enable scalable network perimeter controls across entire AWS Organizations without hard-coding VPC endpoint IDs.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You have an application running on an Amazon EC2 instance that uploads 10 GB video objects to amazon S3. Video uploads are taking longer than expected inspite of using multipart upload cause of internet bandwidth, resulting in poor application performance. Which action can help improve the upload performance?
    1. Apply an Amazon S3 bucket policy
    2. Use Amazon EBS provisioned IOPS
    3. Use VPC endpoints for S3
    4. Request a service limit increase
  2. What are the services supported by VPC endpoints, using Gateway endpoint type? Choose 2 answers
    1. Amazon S3
    2. Amazon EFS
    3. Amazon DynamoDB
    4. Amazon Glacier
    5. Amazon SQS
  3. What are the different types of endpoint types supported by VPC endpoints? Choose 2 Answers [Note: As of 2024, AWS now supports additional endpoint types including Resource Endpoints and Gateway Load Balancer Endpoints. This question reflects the original SAA exam scope.]
    1. Gateway
    2. Classic
    3. Interface
    4. Virtual
    5. Network
  4. An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?
    1. Access the data through an Internet Gateway.
    2. Access the data through a VPN connection.
    3. Access the data through a NAT Gateway.
    4. Access the data through a VPC endpoint for Amazon S3.
  5. You need to design a VPC for a three-tier architecture, a web application consisting of an Elastic Load Balancer (ELB), a fleet of web/application servers, and a backend consisting of an RDS database. The entire Infrastructure must be distributed over 2 availability zones. Which VPC configuration works while assuring the least components are exposed to Internet?
    1. Two public subnets for ELB, two private subnets for the web-servers, two private subnets for RDS and DynamoDB
    2. Two public subnets for ELB and web-servers, two private subnets for RDS and DynamoDB
    3. Two public subnets for ELB, two private subnets for the web-servers, two private subnets for RDS and VPC Endpoints for DynamoDB
    4. Two public subnets for ELB and web-servers, two private subnets for RDS and VPC Endpoints for DynamoDB
  6. A company needs to access Amazon S3 buckets in a different AWS Region privately without exposing traffic to the public internet. Which solution should they use?
    1. Use Gateway VPC Endpoints for cross-region S3 access
    2. Use Interface VPC Endpoints with Cross-Region PrivateLink for S3
    3. Set up VPC peering between regions and use Gateway Endpoints
    4. Use AWS Direct Connect with public VIF
  7. A SaaS provider needs to give customers in multiple AWS accounts private access to an Amazon RDS database without deploying a Network Load Balancer. Which solution meets this requirement?
    1. Create a VPC peering connection to each customer account
    2. Use an Interface VPC Endpoint with an NLB in front of the RDS instance
    3. Create a resource configuration for the RDS instance and share it via AWS RAM, allowing customers to create Resource Endpoints
    4. Use AWS Transit Gateway to connect all customer VPCs
  8. A security team wants to ensure that all API requests from their AWS Organization pass through their organization’s VPC endpoints, without hard-coding individual endpoint IDs in policies. Which approach should they use?
    1. Use aws:sourceVpce condition key with wildcard values
    2. Use aws:sourceVpc condition key listing all VPC IDs
    3. Use aws:VpceOrgID condition key to validate requests originate from endpoints owned by their organization
    4. Create a custom IAM policy for each VPC endpoint

References

AWS PrivateLink – VPC Endpoints

Access VPC Resources through AWS PrivateLink

AWS Announces Access to VPC Resources over PrivateLink (Dec 2024)

AWS PrivateLink Cross-Region Connectivity (Nov 2024)

Cross-Region PrivateLink for AWS Services (Nov 2025)

IPv6 for Amazon S3 VPC Endpoints (Nov 2025)

New VPC Endpoint IAM Condition Keys (Aug 2025)

Gateway Load Balancer Endpoints

AWS Networking & Content Delivery Cheat Sheet

AWS Networking & Content Delivery Services
~ Last updated on : ~ jayendrapatil ~ 27 Comments

AWS Networking & Content Delivery Services Cheat Sheet

AWS Networking & Content Delivery Services

Virtual Private Cloud – VPC

  • helps define a logically isolated dedicated virtual network within the AWS
  • provides control of IP addressing using CIDR block from a minimum of /28 to a maximum of /16 block size
  • supports IPv4 and IPv6 addressing
  • cannot be extended once created
  • can be extended by associating secondary IPv4 CIDR blocks to VPC
  • Components
    • Internet gateway (IGW) provides access to the Internet
    • Virtual gateway (VGW) provides access to the on-premises data center through VPN and Direct Connect connections
    • VPC can have only one IGW and VGW
    • Route tables determine network traffic routing from the subnet
    • Ability to create a subnet with VPC CIDR block
    • A Network Address Translation (NAT) server provides outbound Internet access for EC2 instances in private subnets
    • Elastic IP addresses are static, persistent public IP addresses
    • Instances launched in the VPC will have a Private IP address and can have a Public or an Elastic IP address associated with it
    • Security Groups and NACLs help define security
    • Flow logs – Capture information about the IP traffic going to and from network interfaces in your VPC
  • Tenancy option for instances
    • shared, by default, allows instances to be launched on shared tenancy
    • dedicated allows instances to be launched on a dedicated hardware
  • Route Tables
    • defines rules, termed as routes, which determine where network traffic from the subnet would be routed
    • Each VPC has a Main Route table and can have multiple custom route tables created
    • Every route table contains a local route that enables communication within a VPC which cannot be modified or deleted
    • Route priority is decided by matching the most specific route in the route table that matches the traffic
  • Subnets
    • map to AZs and do not span across AZs
    • have a CIDR range that is a portion of the whole VPC.
    • CIDR ranges cannot overlap between subnets within the VPC.
    • AWS reserves 5 IP addresses in each subnet – first 4 and last one
    • Each subnet is associated with a route table which define its behavior
      • Public subnets – inbound/outbound Internet connectivity via IGW
      • Private subnets – outbound Internet connectivity via an NAT or VGW
      • Protected subnets – no outbound connectivity and used for regulated workloads
  • Elastic Network Interface (ENI)
    • a default ENI, eth0, is attached to an instance which cannot be detached with one or more secondary detachable ENIs (eth1-ethn)
    • has primary private, one or more secondary private, public, Elastic IP address, security groups, MAC address and source/destination check flag attributes associated
    • AN ENI in one subnet can be attached to an instance in the same or another subnet, in the same AZ and the same VPC
    • Security group membership of an ENI can be changed
    • with pre-allocated Mac Address can be used for applications with special licensing requirements
  • Security Groups vs NACLs – Network Access Control Lists
    • Stateful vs Stateless
    • At instance level vs At subnet level
    • Only allows Allow rule vs Allows both Allow and Deny rules
    • Evaluated as a Whole vs Evaluated in defined Order
  • Elastic IP
    • is a static IP address designed for dynamic cloud computing.
    • is associated with an AWS account, and not a particular instance
    • can be remapped from one instance to another instance
    • is charged for non-usage, if not linked for any instance or instance associated is in a stopped state
  • NAT
    • allows internet access to instances in the private subnets.
    • performs the function of both address translation and port address translation (PAT)
    • needs source/destination check flag to be disabled as it is not the actual destination of the traffic for NAT Instance.
    • NAT gateway is an AWS managed NAT service that provides better availability, higher bandwidth, and requires less administrative effort
    • are not supported for IPv6 traffic
    • NAT Gateway supports private NAT with fixed private IPs.
    • Regional NAT Gateway (announced Nov 2025) automatically expands across Availability Zones based on workload footprint, providing simplified setup, enhanced security, and automatic high availability without manual multi-AZ configuration.
  • Egress-Only Internet Gateways
    • outbound communication over IPv6 from instances in the VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances
    • supports IPv6 traffic only
  • Shared VPCs
    • allows multiple AWS accounts to create their application resources, such as EC2 instances, RDS databases, Redshift clusters, and AWS Lambda functions, into shared, centrally-managed VPCs
  • VPC Encryption Controls (announced Nov 2025)
    • allows enforcing encryption in transit for network traffic within the VPC
    • provides centralized encryption policy enforcement and monitoring capabilities
    • supports monitor and enforce modes to audit and enforce encryption compliance
    • transitioned to paid feature starting March 2026

VPC Peering

  • allows routing of traffic between the peer VPCs using private IP addresses with no IGW or VGW required.
  • No single point of failure and bandwidth bottlenecks
  • supports inter-region VPC peering
  • Limitations
    • IP space or CIDR blocks cannot overlap
    • cannot be transitive
    • supports a one-to-one relationship between two VPCs and has to be explicitly peered.
    • does not support edge-to-edge routing.
    • supports only one connection between any two VPCs
  • Private DNS values cannot be resolved
  • Security groups from peered VPC can now be referred to, however, the VPC should be in the same region.

VPC Endpoints

  • enables private connectivity from VPC to supported AWS services and VPC endpoint services powered by PrivateLink
  • does not require a public IP address, access over the Internet, NAT device, a VPN connection, or Direct Connect
  • traffic between VPC & AWS service does not leave the Amazon network
  • are virtual devices.
  • are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in the VPC and services without imposing availability risks or bandwidth constraints on the network traffic.
  • Gateway Endpoints
    • is a gateway that is a target for a specified route in the route table, used for traffic destined to a supported AWS service.
    • only S3 and DynamoDB are currently supported
  • Interface Endpoints OR Private Links
    • is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service
    • supports services include AWS services, services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
    • Private Links
      • provide fine-grained access control
      • provides a point-to-point integration.
      • supports overlapping CIDR blocks.
      • supports transitive routing
    • Access to VPC Resources over PrivateLink (announced Dec 2024) – allows sharing any VPC resource using AWS RAM and accessing them privately using VPC endpoints, without requiring the resource to sit behind a NLB.

CloudFront

  • provides low latency and high data transfer speeds for the distribution of static, dynamic web, or streaming content to web users.
  • delivers the content through a worldwide network of data centers called Edge Locations or Point of Presence (PoPs)
  • keeps persistent connections with the origin servers so that the files can be fetched from the origin servers as quickly as possible.
  • dramatically reduces the number of network hops that users’ requests must pass through
  • supports multiple origin server options, like AWS hosted service for e.g. S3, EC2, ELB, or an on-premise server, which stores the original, definitive version of the objects
  • single distribution can have multiple origins and Path pattern in a cache behavior determines which requests are routed to the origin
  • Web distribution supports static, dynamic web content, on-demand using progressive download & HLS, and live streaming video content
  • RTMP distributions were deprecated and removed on December 31, 2020. Use Web distributions with HTTP-based streaming protocols (HLS, DASH) instead.
  • supports HTTPS using either
    • dedicated IP address, which is expensive as a dedicated IP address is assigned to each CloudFront edge location
    • Server Name Indication (SNI), which is free but supported by modern browsers only with the domain name available in the request header
  • For E2E HTTPS connection,
    • Viewers -> CloudFront needs either a certificate issued by CA or ACM
    • CloudFront -> Origin needs a certificate issued by ACM for ELB and by CA for other origins
  • Security
    • Origin Access Control (OAC) is the recommended method to restrict content from S3 origin to be accessible from CloudFront only. OAC supports SSE-KMS, all HTTP methods, and all AWS Regions.
      • Origin Access Identity (OAI) is the legacy method. OAI creation was deprecated in 2024 and new distributions (as of March 2026) can only use OAC. Existing OAI configurations continue to work but migration to OAC is recommended.
    • supports Geo restriction (Geo-Blocking) to whitelist or blacklist countries that can access the content
    • Signed URLs
      • to restrict access to individual files, for e.g., an installation download for your application.
      • users using a client, for e.g. a custom HTTP client, that doesn’t support cookies
    • Signed Cookies
      • provide access to multiple restricted files, for e.g., video part files in HLS format or all of the files in the subscribers’ area of a website.
      • don’t want to change the current URLs
    • integrates with AWS WAF, a web application firewall that helps protect web applications from attacks by allowing rules configured based on IP addresses, HTTP headers, and custom URI strings
  • supports GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE to get object & object headers, add, update, and delete objects
    • only caches responses to GET and HEAD requests and, optionally, OPTIONS requests
    • does not cache responses to PUT, POST, PATCH, DELETE request methods and these requests are proxied back to the origin
  • object removal from the cache
    • would be removed upon expiry (TTL) from the cache, by default 24 hrs
    • can be invalidated explicitly, but has a cost associated, however, might continue to see the old version until it expires from those caches
    • objects can be invalidated only for Web distribution
    • use versioning or change object name, to serve a different version
    • Tag-based cache invalidation (announced May 2026) – allows tagging cached objects via origin response headers or S3 metadata and invalidating them by tag directly through the CloudFront API.
  • supports adding or modifying custom headers before the request is sent to origin which can be used to
    • validate if a user is accessing the content from CDN
    • identifying CDN from which the request was forwarded, in case of multiple CloudFront distributions
    • for viewers not supporting CORS to return the Access-Control-Allow-Origin header for every request
  • supports Partial GET requests using range header to download objects in smaller units improving the efficiency of partial downloads and recovery from partially failed transfers
  • supports compression to compress and serve compressed files when viewer requests include Accept-Encoding: gzip in the request header
  • supports different price classes to include all regions, or only the least expensive regions and other regions without the most expensive regions
  • supports access logs which contain detailed information about every user request for both web distribution
  • Edge Compute
    • CloudFront Functions – lightweight JavaScript functions for simple request/response transformations (URL rewrites, header manipulation, redirects) executed at viewer request/response events with sub-millisecond latency
    • Lambda@Edge – more powerful compute for complex processing at origin request/response and viewer request/response events
    • CloudFront KeyValueStore (launched 2023) – a globally distributed, low-latency data store that CloudFront Functions can read at runtime for dynamic routing, A/B testing, feature flags, and geo-routing without redeploying function code
  • CloudFront Flat-Rate Pricing Plans – combine CDN, AWS WAF, DDoS protection, bot management, Route 53 DNS, CloudWatch Logs ingestion, serverless edge compute, and S3 storage credits into a single monthly price

AWS VPN

  • AWS Site-to-Site VPN provides secure IPSec connections from on-premise computers or services to AWS over the Internet
  • is cheap, and quick to set up however it depends on the Internet speed
  • delivers high availability by using two tunnels across multiple Availability Zones within the AWS global network
  • VPN requires a Virtual Gateway – VGW and Customer Gateway – CGW for communication
  • VPN connection is terminated on VGW on AWS
  • Only one VGW can be attached to a VPC at a time
  • VGW supports both static and dynamic routing using Border Gateway Protocol (BGP)
  • VGW supports AWS-256 and SHA-2 for data encryption and integrity
  • AWS Client VPN is a managed client-based VPN service that enables secure access to AWS resources and resources in the on-premises network.
  • AWS VPN does not allow accessing the Internet through IGW or NAT Gateway, peered VPC resources, or VPC Gateway Endpoints from on-premises.
  • AWS VPN allows access accessing the Internet through NAT Instance and VPC Interface Endpoints from on-premises.

Direct Connect

  • is a network service that uses a private dedicated network connection to connect to AWS services.
  • helps reduce costs (long term), increases bandwidth, and provides a more consistent network experience than internet-based connections.
  • supports Dedicated and Hosted connections
    • Dedicated connection is made through a 1 Gbps, 10 Gbps, or 100 Gbps Ethernet port dedicated to a single customer.
    • Hosted connections are sourced from an AWS Direct Connect Partner that has a network link between themselves and AWS.
  • provides Virtual Interfaces
    • Private VIF to access instances within a VPC via VGW
    • Public VIF to access non VPC services
    • Transit VIF to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways, enabling connectivity to multiple VPCs through a single VIF
  • requires time to setup probably months, and should not be considered as an option if the turnaround time is less
  • does not provide redundancy, use either second direct connection or IPSec VPN connection
  • Virtual Private Gateway is on the AWS side and Customer Gateway is on the Customer side
  • route propagation is enabled on VGW and not on CGW
  • A link aggregation group (LAG) is a logical interface that uses the link aggregation control protocol (LACP) to aggregate multiple dedicated connections at a single AWS Direct Connect endpoint and treat them as a single, managed connection
  • VIF Rate Limiters (announced June 2026) on dedicated connections help prevent network congestion caused by unexpected traffic spikes on a VIF that could consume all available bandwidth impacting other VIFs on the same connection.
  • Direct Connect vs VPN IPSec
    • Expensive to Setup and Takes time vs Cheap & Immediate
    • Dedicated private connections vs Internet
    • Reduced data transfer rate vs Internet data transfer cost
    • Consistent performance vs Internet inherent variability
    • Do not provide Redundancy vs Provides Redundancy

Route 53

  • provides highly available and scalable DNS, Domain Registration Service, and health-checking web services
  • Reliable and cost-effective way to route end users to Internet applications
  • Supports multi-region and backup architectures for High availability. ELB is limited to region and does not support multi-region HA architecture.
  • supports private Intranet facing DNS service
  • internal resource record sets only work for requests originating from within the VPC and currently cannot extend to on-premise
  • Global propagation of any changes made to the DN records within ~ 1min
  • supports Alias resource record set is a Route 53 extension to DNS.
    • It’s similar to a CNAME resource record set, but supports both for root domain – zone apex e.g. example.com, and for subdomains for e.g. www.example.com.
    • supports ELB load balancers, CloudFront distributions, Elastic Beanstalk environments, API Gateways, VPC interface endpoints, and S3 buckets that are configured as websites.
  • CNAME resource record sets can be created only for subdomains and cannot be mapped to the zone apex record
  • supports Private DNS to provide an authoritative DNS within the VPCs without exposing the DNS records (including the name of the resource and its IP address(es) to the Internet.
  • Split-view (Split-horizon) DNS enables mapping the same domain publicly and privately. Requests are routed as per the origin.
  • Routing policy
    • Simple routing – simple round-robin policy
    • Weighted routing – assign weights to resource records sets to specify the proportion for e.g. 80%:20%
    • Latency based routing – helps improve global applications as requests are sent to the server from the location with minimal latency, is based on the latency and cannot guarantee users from the same geography will be served from the same location for any compliance reasons
    • Geolocation routing – Specify geographic locations by continent, country, the state limited to the US, is based on IP accuracy
    • Geoproximity routing policy – Use to route traffic based on the location of the resources and, optionally, shift traffic from resources in one location to resources in another.
    • Multivalue answer routing policy – Use to respond to DNS queries with up to eight healthy records selected at random.
    • Failover routing – failover to a backup site if the primary site fails and becomes unreachable
    • IP-based routing – route traffic based on the IP address of the client making the DNS query
  • Weighted, Latency and Geolocation can be used for Active-Active while Failover routing can be used for Active-Passive multi-region architecture
  • Traffic Flow is an easy-to-use and cost-effective global traffic management service. Traffic Flow supports versioning and helps create policies that route traffic based on the constraints they care most about, including latency, endpoint health, load, geoproximity, and geography.
  • Route 53 Resolver is a regional DNS service that helps with hybrid DNS
    • Inbound Endpoints are used to resolve DNS queries from an on-premises network to AWS
    • Outbound Endpoints are used to resolve DNS queries from AWS to an on-premises network
    • Resolver endpoints now support DNS delegation for private hosted zones (June 2025)
  • Route 53 Profiles – enables sharing DNS configurations (private hosted zone associations, Resolver rules, and Resolver DNS Firewall rule group associations) across VPCs and accounts using AWS RAM
  • Accelerated Recovery (announced Nov 2025) – provides a 60-minute recovery time objective (RTO) for regaining the ability to make DNS changes to public hosted zones during regional disruptions in US East (N. Virginia)
  • PrivateLink Support (announced Nov 2025) – allows making changes to DNS infrastructure (hosted zones, records, health checks) without using the public internet

AWS Global Accelerator

  • is a networking service that helps you improve the availability and performance of the applications to global users.
  • utilizes the Amazon global backbone network, improving the performance of the applications by lowering first-byte latency, and jitter, and increasing throughput as compared to the public internet.
  • provides two static IP addresses serviced by independent network zones that provide a fixed entry point to the applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and AZs.
  • always routes user traffic to the optimal endpoint based on performance, reacting instantly to changes in application health, the user’s location, and configured policies
  • improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.
  • is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover.
  • integrates with AWS Shield for DDoS protection
  • uses a global network of 130+ Points of Presence in 95+ cities across 53+ countries
  • supports dual-stack Network Load Balancers as endpoints
  • supports endpoints in 33 AWS Regions (as of 2025)
  • integrates with AWS Load Balancer Controller for Kubernetes (announced 2025)

Transit Gateway – TGW

  • is a highly available and scalable service to consolidate the AWS VPC routing configuration for a region with a hub-and-spoke architecture.
  • acts as a Regional virtual router and is a network transit hub that can be used to interconnect VPCs and on-premises networks.
  • traffic always stays on the global AWS backbone, data is automatically encrypted, and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.
  • is a Regional resource and can connect VPCs within the same AWS Region.
  • TGWs across the same or different regions can peer with each other.
  • provides simpler VPC-to-VPC communication management over VPC Peering with a large number of VPCs.
  • scales elastically based on the volume of network traffic.
  • supports security group referencing (announced Sept 2024) – allows creating inbound security rules that reference security groups defined in other VPCs attached to the same Transit Gateway within the same Region.
  • supports per-AZ metrics delivered to CloudWatch and Path MTU Discovery (PMTUD) for both IPv4 and IPv6 (announced Nov 2024).
  • supports Transit Gateway Flow Logs for monitoring and logging network traffic between transit gateways.
  • supports Flexible Cost Allocation (announced Nov 2025) – provides versatile cost allocation options through a central metering policy beyond the default sender-pay model.

Amazon VPC Lattice

  • is a fully managed application networking service that connects, monitors, and secures communications between services and resources across VPCs and accounts.
  • simplifies service-to-service connectivity without requiring VPC peering, Transit Gateway, or PrivateLink NLBs.
  • automatically manages network connectivity and application-layer routing between services across different VPCs and AWS accounts.
  • supports connectivity to TCP resources, such as databases, domain names, and IP addresses across VPCs and accounts.
  • integrates with AWS IAM for service-to-service authentication and authorization using Auth policies.
  • removes the NLB requirement that PrivateLink imposes on providers and supports cross-VPC/cross-account connectivity without CIDR coordination.
  • terminates TLS at the data plane so callers do not need to manage certificates.
  • provides built-in observability with access logs, connection logs, and traffic metrics.
  • Key concepts:
    • Service Network – a logical boundary for a collection of services that can communicate with each other
    • Service – represents an application unit that is independently deployable
    • Target Groups – collection of resources (instances, IPs, Lambda, ALB) for routing
    • Resource Configurations – define TCP resources (databases, IPs, domain names) accessible through VPC Lattice
  • Use cases:
    • Microservices connectivity across multiple VPCs/accounts
    • Secure service-to-service communication with zero trust
    • Alternative to VPC Peering and Transit Gateway for application-layer connectivity
    • Replacement for AWS App Mesh (which reached EOL on September 30, 2026)

Amazon VPC IP Address Manager (IPAM)

  • is a VPC feature that allows you to plan, track, and monitor IP addresses for AWS workloads.
  • organizes IP addresses by routing and security requirements while automating allocation to VPCs, replacing manual spreadsheet-based tracking.
  • tracks AWS accounts and VPCs, eliminating IP bookkeeping overhead.
  • supports management at both VPC and subnet CIDR levels.
  • integrates with AWS Organizations for cross-account IP address management.
  • supports provisioning Amazon-provided contiguous IPv4 blocks into publicly scoped regional pools for use with EIPs, NLBs, and NAT Gateways.
  • Public IP Insights – free feature that simplifies monitoring, analysis, and auditing of public IPv4 addresses.
  • IPAM Policies – define public IPv4 allocation strategies and automate prefix lists.
  • integrates with ALB for predictable IP address blocks for internet-facing ALBs (March 2025).
  • IPAM Advanced Tier – includes Infoblox integration (Nov 2025) for managing AWS IP addresses through existing Infoblox workflows.

AWS Network Firewall

  • is a managed, stateful network firewall and intrusion detection and prevention service for all Amazon VPCs.
  • scales automatically with network traffic, requiring no infrastructure management.
  • provides Layer 7 firewall capabilities with deep packet inspection.
  • supports flexible rules engine for fine-grained control of VPC network traffic.
  • provides active threat defense using AWS managed rules to block evasive C2 channels, malicious URLs, and other threat vectors.
  • supports Suricata-compatible IPS rules for known bad signatures and traffic patterns.
  • includes Network Firewall Proxy for granular security controls to inspect and filter VPC outbound connections, preventing data exfiltration and malware intrusion.
  • integrates with AWS Firewall Manager for centralized policy management across accounts.
  • can be combined with VPC Lattice for comprehensive security (VPC Lattice for HTTP/S with identity-based controls, Network Firewall for other traffic types).

AWS Cloud WAN

  • is a managed WAN service that provides a central dashboard to connect and manage branch offices, data centers, VPN connections, SD-WAN, VPCs, and Transit Gateways.
  • uses network policies to create a global network spanning multiple locations and networks, removing the need for different technologies.
  • provides a single console and set of APIs to manage networks across AWS Regions.
  • supports direct Direct Connect gateway attachments without requiring an intermediate Transit Gateway (announced Nov 2024).
  • supports Routing Policy for advanced traffic control (announced Nov 2025) – enables controlled routing environments, minimizing route reachability blast radius.
  • supports Service Insertion for inspection and security appliance integration.
  • supports PMTUD for both IPv4 and IPv6 (announced Nov 2024).
  • supports AWS PrivateLink and IPv6 for management endpoint connectivity (announced March 2025).
  • available in AWS GovCloud (US) Regions.

AWS Verified Access

  • provides secure access to corporate applications and resources without requiring a VPN.
  • implements zero trust principles by evaluating each access request based on user identity and device security posture rather than network location.
  • uses the Cedar policy language for defining fine-grained access policies.
  • supports secure access to resources over non-HTTP(S) protocols (announced Feb 2025) – enables VPN-less access to TCP-based resources like SSH, RDP, and databases.
  • continuously monitors active connections and terminates connections when security requirements aren’t met.
  • integrates with third-party identity providers and device management solutions.
  • can be used with PrivateLink-backed services to provide authorized internet-based access while maintaining security boundaries.