AWS VPC Gateway Endpoints

AWS VPC Gateway Endpoints

AWS VPC Gateway Endpoints

  • A VPC Gateway Endpoint is a gateway that is a target for a specified route in the route table, used for traffic destined for a supported AWS service.
  • VPC Gateway Endpoints currently supports S3 and DynamoDB services
  • VPC Gateway Endpoints do not require an Internet gateway or a NAT device for the VPC.
  • Gateway endpoints do not enable AWS PrivateLink.
  • VPC Endpoint policy and Resource-based policies can be used for fine-grained access control.
  • There is no additional charge for using gateway endpoints.
  • Gateway endpoints are recommended for workloads contained within a single AWS account and Region. For access from on-premises networks, peered VPCs in other Regions, or through a transit gateway, use Interface Endpoints instead.
  • Both S3 and DynamoDB support both Gateway endpoints and Interface endpoints. Gateway endpoints are free while Interface endpoints incur hourly and data processing charges.
AWS VPC Gateway Endpoints

 

VPC Endpoint Types Comparison

  • AWS now supports three types of VPC endpoints:
    • Gateway Endpoints – Target for a route in a route table, supporting S3 and DynamoDB only. Free of charge. Do not use AWS PrivateLink.
    • Interface Endpoints – Elastic network interfaces with a private IP address powered by AWS PrivateLink. Support 130+ AWS services. Charged hourly and per GB processed.
    • Resource Endpoints (GA December 2024) – Provide private access to a specific resource (e.g., an RDS instance, IP address, or domain) in another VPC or on-premises without requiring a Network Load Balancer. Powered by AWS PrivateLink.
  • For S3 and DynamoDB, Gateway Endpoints are recommended for simple same-Region, same-account access due to zero cost. Interface Endpoints should be used when cross-region, on-premises, or transit gateway access is needed.

Gateway Endpoint Configuration

  • Endpoint requires the VPC and the service to be accessed via the endpoint.
  • The endpoint needs to be associated with the Route table and the route table cannot be modified to remove the route entry. It can only be deleted by removing the Endpoint association with the Route table
  • A route is automatically added to the Route table with a destination that specifies the prefix list of service and the target with the endpoint id for e.g. A rule with destination pl-68a54001 (com.amazonaws.us-west-2.s3) and a target with this endpoints’ ID (e.g. vpce-12345678) will be added to the route tables
  • Access to the resources in other services can be controlled by endpoint policies
  • Security groups need to be modified to allow outbound traffic from the VPC to the service that is specified in the endpoint. Use the service prefix list ID for e.g. com.amazonaws.us-east-1.s3 as the destination in the outbound rule
  • Multiple endpoints can be created in a single VPC, for e.g., to multiple services.
  • Multiple endpoints can be created for the same service but in different route tables.
  • Multiple endpoints to the same service CAN NOT be specified in a single route table
  • A route table can have both an endpoint route to Amazon S3 and an endpoint route to DynamoDB.
  • The most specific route (longest prefix match) takes precedence – an endpoint route takes priority over a 0.0.0.0/0 route to an internet gateway for traffic destined to S3 or DynamoDB in the same Region.

Gateway Endpoint IPv6 Support

  • Update (November 2025): Gateway endpoints for Amazon S3 now support IPv6, available in all AWS Commercial Regions and GovCloud (US) Regions at no additional cost.
  • Update (October 2025): Amazon DynamoDB now supports IPv6 for gateway and interface VPC endpoints.
  • The IP address type of a gateway endpoint must be compatible with the subnets:
    • IPv4 – Adds the service’s IPv4 prefix list to the route table.
    • IPv6 – Adds the service’s IPv6 prefix list to the route table. Supported only if all selected subnets are IPv6-only subnets.
    • Dualstack – Adds both IPv4 and IPv6 prefix lists to the route table. Supported only if all selected subnets have both IPv4 and IPv6 address ranges.
  • DNS record IP type can be configured as IPv4, IPv6, Dualstack, or service-defined (default).
  • Note: DynamoDB gateway endpoints currently only support the DNS record IP type of service-defined.
  • To use DNS record IP types other than service-defined, you must enable enableDnsSupport and enableDnsHostnames attributes in VPC settings.

Gateway Endpoint Limitations

  • are regional and supported within the same Region only.
  • cannot be created between a VPC and an AWS service in a different region.
  • support IPv4 traffic only. (Updated 2025) – Now support IPv4, IPv6, and Dualstack depending on subnet configuration. S3 supports all three modes; DynamoDB supports IPv6 with service-defined DNS record IP type.
  • cannot be transferred from one VPC to another, or from one service to another service.
  • connections cannot be extended out of a VPC i.e. resources across the VPN, VPC peering, Direct Connect connection cannot use the endpoint. Use Interface Endpoints for these scenarios.
  • do not allow access through a Transit Gateway. Use Interface Endpoints if Transit Gateway access is required.
  • have a default quota of 20 gateway endpoints per Region (adjustable) and a limit of 255 gateway endpoints per VPC.
  • do not support AWS PrivateLink and cannot use PrivateLink features such as cross-region connectivity.

VPC Endpoint policy

  • VPC Endpoint policy is an IAM resource policy attached to an endpoint for controlling access from the endpoint to the specified service.
  • Endpoint policy, by default, allows full access to any user or service within the VPC, using credentials from any AWS account to any S3 resource; including S3 resources for an AWS account other than the account with which the VPC is associated
  • Endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies).
  • Endpoint policy can be used to restrict which specific resources can be accessed using the VPC Endpoint.
  • (New 2025) New IAM condition keys for VPC endpoint policies enable scalable organization-wide network perimeter controls:
    • aws:VpceAccount – Restricts access to VPC endpoints owned by a specific account.
    • aws:VpceOrgID – Restricts access to VPC endpoints within a specific AWS Organization.
    • aws:VpceOrgPaths – Restricts access to VPC endpoints within specific organizational unit paths.
    These keys enable you to write SCPs and IAM policies that ensure requests are made through your organization’s VPC endpoints without hard-coding individual VPC endpoint IDs.

S3 Bucket Policies

  • IAM policy or bucket policy can’t be used to allow access from a VPC IPv4 CIDR range as the VPC CIDR blocks can be overlapping or identical, which might lead to unexpected results.
  • aws:SourceIp condition can’t be used in the IAM policies for requests to S3 through a VPC endpoint.
  • S3 Bucket Policies can be used to restrict access through the VPC endpoint only.

Gateway Endpoints vs Interface Endpoints for S3 and DynamoDB

  • Both S3 and DynamoDB now support Gateway and Interface endpoints. Key differences:
Feature Gateway Endpoint Interface Endpoint
Cost Free Hourly + data processing charges
Access from on-premises Not supported Supported (via VPN/Direct Connect)
Cross-Region access Not supported Supported (via Cross-Region PrivateLink, Nov 2025)
Transit Gateway access Not supported Supported
VPC Peering access Not supported Supported
AWS PrivateLink Not used Powered by PrivateLink
Routing Route table entry (prefix list) DNS-based (private DNS names)
IPv6 Supported (2025) Supported

VPC Gateway Endpoint Troubleshooting

  • Verify the services are within the same region.
  • DNS resolution must be enabled in the VPC (both enableDnsSupport and enableDnsHostnames must be set to true).
  • Route table should have a route to S3 using the gateway VPC endpoint.
  • Security groups should have outbound traffic allowed to the service prefix list.
  • NACLs should allow inbound and outbound traffic to/from the service CIDR blocks.
  • Gateway Endpoint Policy should define access to the resource.
  • Resource-based policies like the S3 bucket policy should allow access from the VPC endpoint or the VPC.
  • If using IPv6, ensure the endpoint IP address type matches the subnet configuration and verify the DNS record IP type is compatible.
  • Source IPv4 addresses from instances in affected subnets change from public to private IPv4 addresses when an endpoint is created – existing TCP connections may be dropped.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You have an application running on an Amazon EC2 instance that uploads 10 GB video objects to amazon S3. Video uploads are taking longer than expected inspite of using multipart upload cause of internet bandwidth, resulting in poor application performance. Which action can help improve the upload performance?
    1. Apply an Amazon S3 bucket policy
    2. Use Amazon EBS provisioned IOPS
    3. Use VPC endpoints for S3
    4. Request a service limit increase
  2. What are the services supported by VPC endpoints, using Gateway endpoint type? Choose 2 answers
    1. Amazon S3
    2. Amazon EFS
    3. Amazon DynamoDB
    4. Amazon Glacier
    5. Amazon SQS
  3. An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?
    1. Access the data through an Internet Gateway.
    2. Access the data through a VPN connection.
    3. Access the data through a NAT Gateway.
    4. Access the data through a VPC endpoint for Amazon S3.
  4. A company has a private subnet with EC2 instances that need to access DynamoDB. The instances also require access to S3 from on-premises via Direct Connect. Which combination of endpoints should be used?
    1. Gateway endpoint for both S3 and DynamoDB
    2. Interface endpoint for both S3 and DynamoDB
    3. Gateway endpoint for DynamoDB and Interface endpoint for S3 (for on-premises access)
    4. NAT Gateway for both services
  5. Which of the following is TRUE about VPC Gateway Endpoints? (Choose 2)
    1. They are powered by AWS PrivateLink
    2. They are free of charge
    3. They support access from on-premises networks
    4. They add a route to the route table with the prefix list as destination
    5. They create an elastic network interface in the subnet
  6. A company wants to restrict S3 access to only requests coming through their VPC endpoint at an organizational level without hard-coding endpoint IDs. Which IAM condition key should they use?
    1. aws:sourceVpce
    2. aws:SourceVpc
    3. aws:VpceOrgID
    4. aws:PrincipalOrgID
  7. A solutions architect needs to provide private IPv6-only access from EC2 instances in IPv6-only subnets to Amazon S3. Which endpoint configuration supports this?
    1. Gateway endpoint with IPv4 IP address type
    2. Interface endpoint only – gateway endpoints don’t support IPv6
    3. Gateway endpoint with IPv6 IP address type
    4. Gateway endpoint with Dualstack IP address type

References

AWS VPC Endpoints – Gateway & Interface Endpoints

VPC Endpoints

AWS VPC Endpoints

  • VPC Endpoints enable the creation of a private connection between VPC to supported AWS services and VPC endpoint services powered by PrivateLink using its private IP address
  • Endpoints do not require a public IP address, access over the Internet, NAT device, a VPN connection, or AWS Direct Connect.
  • Traffic between VPC and AWS service does not leave the Amazon network
  • Endpoints are virtual devices, that are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in the VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.
  • AWS currently supports the following types of Endpoints
    • VPC Gateway Endpoints – target for a route in a route table (S3 and DynamoDB only, free)
    • VPC Interface Endpoints (PrivateLink) – ENI-based, supports 100+ AWS services
    • VPC Resource Endpoints (GA Dec 2024) – direct access to VPC resources (e.g., RDS, EC2 instances, IP/domain targets) across accounts without a load balancer
    • Gateway Load Balancer Endpoints – route traffic to network virtual appliances (firewalls, IDS/IPS) deployed behind a Gateway Load Balancer

VPC Endpoints

VPC Gateway Endpoints

  • A VPC Gateway Endpoint is a gateway that is a target for a specified route in the route table, used for traffic destined for a supported AWS service.
  • Gateway Endpoints currently supports S3 and DynamoDB services only.
  • Gateway Endpoints do not require an Internet gateway or a NAT device for the VPC.
  • Gateway endpoints do not enable AWS PrivateLink.
  • Gateway Endpoints are available at no additional charge.
  • Gateway Endpoints do not support cross-region requests – they must be created in the same Region as the S3 bucket or DynamoDB table.
  • Gateway Endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a Transit Gateway. Use Interface Endpoints for those scenarios.
  • VPC Endpoint policy and Resource-based policies can be used for fine-grained access control.
  • S3 Gateway Endpoints now support IPv6 (announced November 2025) – both dual-stack and IPv6-only configurations are supported.
"AWS

VPC Interface Endpoints – PrivateLink

AWS Private Links

  • VPC Interface endpoints enable connectivity to services powered by AWS PrivateLink.
  • Services include AWS services like CloudTrail, CloudWatch, etc., services hosted by other AWS customers and partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace partner services.
  • Interface Endpoints only allow traffic from VPC resources to the endpoints and not vice versa.
  • PrivateLink endpoints can be accessed across both intra- and inter-region VPC peering connections, Direct Connect, and VPN connections.
  • VPC Interface Endpoints, by default, have an address like vpce-svc-01234567890abcdef.us-east-1.vpce.amazonaws.com which needs application changes to point to the service.
  • Private DNS name feature allows consumers to use AWS service public default DNS names which would point to the private VPC endpoint service.
  • Interface Endpoints can be used to create custom applications in VPC and configure them as an AWS PrivateLink-powered service (referred to as an endpoint service) exposed through a Network Load Balancer.
  • Custom applications can be hosted within AWS or on-premises (via Direct Connect or VPN)
  • Interface Endpoints are billed per hour per AZ provisioned, plus per-GB data processing charges. See AWS PrivateLink Pricing.

Cross-Region PrivateLink (GA November 2024)

  • AWS PrivateLink now supports native cross-region connectivity, breaking the previous limitation that VPC endpoints were regional-only.
  • As a service consumer, you can privately connect to VPC endpoint services hosted in other AWS Regions within the same partition, without cross-region peering or exposing data to the public internet.
  • As a service provider, you can offer your endpoint service to customers in all Regions from a single Region without deploying infrastructure in each Region.
  • Cross-region connectivity for custom endpoint services (customer-hosted) launched Nov 2024.
  • Cross-region connectivity for AWS services (e.g., S3, ECR, Route 53) launched Nov 2025.
  • Traffic remains on the AWS backbone and does not traverse the public internet.
  • Available within the same AWS partition (commercial, GovCloud, China) across all supported Regions.

VPC Resource Endpoints (GA December 2024)

  • Resource Endpoints are a new type of VPC endpoint introduced at re:Invent 2024 that provide private access to specific VPC resources across accounts.
  • Resource Endpoints allow you to privately access a resource (e.g., an RDS database, EC2 instance, IP address, or domain name) in another VPC without requiring a Network Load Balancer.
  • A VPC resource is represented by a resource configuration, which is associated with a resource gateway.
  • Resources can be shared across accounts using AWS Resource Access Manager (RAM).
  • Supports TCP traffic only (UDP is not supported).
  • Network connections must be initiated from the VPC containing the resource endpoint (unidirectional).
  • Currently supported ARN-based resources include Amazon RDS instances.
  • Also supports connectivity to any resource by IP address or domain name target.
  • DNS names are automatically provisioned with format: endpoint_id.rcfgId.randomHash.vpc-lattice-rsc.region.on.aws
  • Private DNS is supported for ARN-based resources (e.g., RDS), allowing continued use of the resource’s original DNS name.
  • Supports IPv4, IPv6, and dual-stack addressing.
  • Integrates with Amazon VPC Lattice for advanced service networking scenarios.
  • Billed per hour per endpoint provisioned, plus per-GB data processing. Resource gateways billed per-GB data processed.

Gateway Load Balancer Endpoints

  • Gateway Load Balancer (GWLB) Endpoints provide private connectivity between your VPC and network virtual appliances (firewalls, IDS/IPS, deep packet inspection) deployed in a service provider VPC behind a Gateway Load Balancer.
  • GWLB Endpoints serve as an entry/exit point in your VPC for traffic inspection.
  • Used as a target in route tables to transparently route traffic through security appliances.
  • Each GWLB endpoint can support up to 10 Gbps per AZ and auto-scales up to 100 Gbps.
  • Supports ingress routing from Internet Gateway and Virtual Private Gateway for inline traffic inspection.
  • Commonly used in centralized security inspection architectures with AWS Transit Gateway.

S3 VPC Endpoints Strategy

S3 is now accessible with both Gateway Endpoints and Interface Endpoints.

  • Gateway Endpoint – Free, route-table based, same-Region only, no on-premises or cross-region access. Recommended for most in-Region workloads.
  • Interface Endpoint – Hourly + per-GB charges, ENI-based, accessible from on-premises (via Direct Connect/VPN), across VPC peering, Transit Gateway, and now cross-region (via Cross-Region PrivateLink, Nov 2025).
  • Both Gateway and Interface VPC Endpoints for S3 now support IPv6 (November 2025).

S3 Strategy - VPC Gateway Endpoints vs VPC Interface Endpoints

VPC Endpoint Policies & Security

  • VPC Endpoint policies control which AWS principals can use the endpoint to access the service.
  • Endpoint policies can be attached to Gateway, Interface, and Resource endpoints.
  • Security groups can be attached to Interface and Resource endpoints to control inbound/outbound traffic.
  • New IAM Condition Keys (August 2025) for organization-wide network perimeter controls:
    • aws:VpceAccount – Restrict requests based on the account that owns the VPC endpoint.
    • aws:VpceOrgID – Restrict based on the AWS Organization ID of the endpoint owner.
    • aws:VpceOrgPaths – Restrict based on organizational unit paths of the endpoint owner.
  • These new keys complement the existing aws:sourceVpce and aws:sourceVpc condition keys and enable scalable network perimeter controls across entire AWS Organizations without hard-coding VPC endpoint IDs.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You have an application running on an Amazon EC2 instance that uploads 10 GB video objects to amazon S3. Video uploads are taking longer than expected inspite of using multipart upload cause of internet bandwidth, resulting in poor application performance. Which action can help improve the upload performance?
    1. Apply an Amazon S3 bucket policy
    2. Use Amazon EBS provisioned IOPS
    3. Use VPC endpoints for S3
    4. Request a service limit increase
  2. What are the services supported by VPC endpoints, using Gateway endpoint type? Choose 2 answers
    1. Amazon S3
    2. Amazon EFS
    3. Amazon DynamoDB
    4. Amazon Glacier
    5. Amazon SQS
  3. What are the different types of endpoint types supported by VPC endpoints? Choose 2 Answers [Note: As of 2024, AWS now supports additional endpoint types including Resource Endpoints and Gateway Load Balancer Endpoints. This question reflects the original SAA exam scope.]
    1. Gateway
    2. Classic
    3. Interface
    4. Virtual
    5. Network
  4. An application running on EC2 instances processes sensitive information stored on Amazon S3. The information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 is a security risk. Which solution will resolve the security concern?
    1. Access the data through an Internet Gateway.
    2. Access the data through a VPN connection.
    3. Access the data through a NAT Gateway.
    4. Access the data through a VPC endpoint for Amazon S3.
  5. You need to design a VPC for a three-tier architecture, a web application consisting of an Elastic Load Balancer (ELB), a fleet of web/application servers, and a backend consisting of an RDS database. The entire Infrastructure must be distributed over 2 availability zones. Which VPC configuration works while assuring the least components are exposed to Internet?
    1. Two public subnets for ELB, two private subnets for the web-servers, two private subnets for RDS and DynamoDB
    2. Two public subnets for ELB and web-servers, two private subnets for RDS and DynamoDB
    3. Two public subnets for ELB, two private subnets for the web-servers, two private subnets for RDS and VPC Endpoints for DynamoDB
    4. Two public subnets for ELB and web-servers, two private subnets for RDS and VPC Endpoints for DynamoDB
  6. A company needs to access Amazon S3 buckets in a different AWS Region privately without exposing traffic to the public internet. Which solution should they use?
    1. Use Gateway VPC Endpoints for cross-region S3 access
    2. Use Interface VPC Endpoints with Cross-Region PrivateLink for S3
    3. Set up VPC peering between regions and use Gateway Endpoints
    4. Use AWS Direct Connect with public VIF
  7. A SaaS provider needs to give customers in multiple AWS accounts private access to an Amazon RDS database without deploying a Network Load Balancer. Which solution meets this requirement?
    1. Create a VPC peering connection to each customer account
    2. Use an Interface VPC Endpoint with an NLB in front of the RDS instance
    3. Create a resource configuration for the RDS instance and share it via AWS RAM, allowing customers to create Resource Endpoints
    4. Use AWS Transit Gateway to connect all customer VPCs
  8. A security team wants to ensure that all API requests from their AWS Organization pass through their organization’s VPC endpoints, without hard-coding individual endpoint IDs in policies. Which approach should they use?
    1. Use aws:sourceVpce condition key with wildcard values
    2. Use aws:sourceVpc condition key listing all VPC IDs
    3. Use aws:VpceOrgID condition key to validate requests originate from endpoints owned by their organization
    4. Create a custom IAM policy for each VPC endpoint

References

AWS PrivateLink – VPC Endpoints

Access VPC Resources through AWS PrivateLink

AWS Announces Access to VPC Resources over PrivateLink (Dec 2024)

AWS PrivateLink Cross-Region Connectivity (Nov 2024)

Cross-Region PrivateLink for AWS Services (Nov 2025)

IPv6 for Amazon S3 VPC Endpoints (Nov 2025)

New VPC Endpoint IAM Condition Keys (Aug 2025)

Gateway Load Balancer Endpoints