VPC Endpoints (Gateway & Interface)
Key concepts
Gateway endpoints for S3 and DynamoDB
Interface endpoints use PrivateLink
Gateway endpoints are free
Interface endpoints have hourly cost
Endpoint policies for access control
Overview
VPC Endpoints enable you to privately connect your VPC to supported AWS services and VPC endpoint services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Traffic between your VPC and the service does not leave the Amazon network.
Understanding VPC endpoints is critical for the SAA-C03 exam because they are a fundamental building block for secure, private architectures. You must know when to use Gateway endpoints vs Interface endpoints, their pricing implications, and how they integrate with other AWS services.
AWS PrivateLink is the underlying technology that powers Interface endpoints, Gateway Load Balancer endpoints, and Resource endpoints. It provides private connectivity to services as if they were running in your own VPC, eliminating exposure to the public internet.
For the exam, focus on the differences between endpoint types, when to use each, and the security and cost benefits they provide.
Key Concepts
Types of VPC Endpoints

AWS offers five types of VPC endpoints:
| Type | Powered by PrivateLink | Use Case |
|---|---|---|
| Gateway Endpoint | No | S3 and DynamoDB only |
| Interface Endpoint | Yes | AWS services, SaaS, custom services |
| Gateway Load Balancer Endpoint | Yes | Traffic inspection appliances |
| Resource Endpoint | Yes | Cross-VPC resource access (databases, EC2) |
| Service Network Endpoint | Yes | Amazon VPC Lattice services |
Gateway Endpoints
Gateway endpoints provide reliable connectivity to Amazon S3 and Amazon DynamoDB without requiring an internet gateway or NAT device.
Key Characteristics:
- FREE - No hourly charges, no data processing charges
- Works by adding entries to route tables
- Uses prefix lists (managed by AWS) as route destinations
- Does NOT use AWS PrivateLink
- Cannot be accessed from on-premises or peered VPCs in other regions
Destination Target
10.0.0.0/16 local
pl-63a5400a (S3) vpce-1234567890abcdef0
0.0.0.0/0 nat-xxx (or igw-xxx)Interface Endpoints (AWS PrivateLink)
Interface endpoints create an Elastic Network Interface (ENI) in your subnet with a private IP address. This ENI serves as an entry point for traffic destined to the supported service.
Key Characteristics:
- Uses AWS PrivateLink technology
- Creates ENI in each specified subnet
- Supports security groups
- Provides private DNS (optional)
- Can be accessed from on-premises via Direct Connect/VPN
- Costs: ~$0.01/hour per AZ + $0.01/GB data processed
Without Private DNS:
vpce-1234567890abcdef0-xxx.ec2.us-east-1.vpce.amazonaws.com
With Private DNS Enabled:
ec2.us-east-1.amazonaws.com → Resolves to private ENI IPGateway vs Interface: S3 Endpoint Comparison
Amazon S3 supports both Gateway and Interface endpoints:
| Feature | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Cost | FREE | ~$7.30/month/AZ + data |
| Access Method | Route table | ENI + DNS |
| On-Premises Access | No | Yes (via DX/VPN) |
| Transit Gateway | No | Yes |
| Cross-Region Peering | No | Yes |
| Security Groups | No | Yes |
| Endpoint Policies | Yes | Yes |
| Private DNS | N/A | Yes |
Recommendation: Use Gateway endpoint for S3/DynamoDB by default (it's free). Use Interface endpoint only when you need on-premises access or Transit Gateway routing.
How It Works
Gateway Endpoint Traffic Flow

- Application in private subnet makes request to S3
- Route table matches S3 prefix list → routes to Gateway endpoint
- Traffic stays on AWS backbone network (never touches internet)
- S3 responds via same path
Interface Endpoint Traffic Flow

- Application resolves service DNS (e.g.,
ec2.us-east-1.amazonaws.com) - Private DNS returns ENI private IP (e.g.,
10.0.1.50) - Traffic routes to ENI in subnet
- PrivateLink forwards traffic to AWS service
- Response returns via same path
Cross-Region Connectivity (New in 2025)
AWS PrivateLink now supports native cross-region connectivity to select AWS services:
Supported Services for Cross-Region:
- Amazon S3
- Amazon ECR (Elastic Container Registry)
- Amazon Route 53
When creating endpoint:
1. Select "Enable cross Region endpoint"
2. Choose target service region
3. Access service in another region privatelyThis eliminates the need for cross-region VPC peering or exposing traffic to the public internet.
Use Cases
Use Case 1: Private S3 Access (No Internet)
Scenario: EC2 instances in private subnets need to access S3 without internet connectivity.

Solution:
- Create S3 Gateway endpoint in VPC
- Associate with route tables for private subnets
- No NAT Gateway required
- Cost: FREE
aws ec2 create-vpc-endpoint \
--vpc-id vpc-1234567890abcdef0 \
--service-name com.amazonaws.us-east-1.s3 \
--route-table-ids rtb-1234567890abcdef0Use Case 2: Private Access to AWS Services
Scenario: Lambda functions in VPC need to call Secrets Manager without internet access.

Solution:
- Create Interface endpoint for Secrets Manager
- Enable Private DNS
- Lambda resolves
secretsmanager.us-east-1.amazonaws.comto private IP - Cost: ~$7.30/month/AZ
Use Case 3: On-Premises Access to S3
Scenario: On-premises servers connected via Direct Connect need private S3 access.
Solution:
- Gateway endpoint won't work (not accessible from on-prem)
- Create S3 Interface endpoint
- Configure Direct Connect to route to VPC
- On-prem DNS resolves S3 to interface endpoint IP
- Traffic flows privately over Direct Connect
Use Case 4: Reduce NAT Gateway Costs
Scenario: High data transfer to S3 causing expensive NAT Gateway bills.
Cost Comparison:
| Method | Cost per GB |
|---|---|
| NAT Gateway | $0.045 |
| S3 Interface Endpoint | $0.01 |
| S3 Gateway Endpoint | FREE |
Solution: Replace NAT Gateway S3 traffic with Gateway endpoint (78-100% savings).
Endpoint Policies
Both Gateway and Interface endpoints support endpoint policies to control access:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSpecificBucket",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::my-company-bucket",
"arn:aws:s3:::my-company-bucket/*"
]
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFromSpecificVPC",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:sourceVpc": "vpc-1234567890abcdef0"
}
}
}
]
}Best Practices
Gateway Endpoint Best Practices
-
Create by default in every VPC
- S3 and DynamoDB Gateway endpoints are FREE
- AWS VPC creation wizard now offers this option
- Reduces NAT Gateway costs immediately
-
Associate with all private subnet route tables
- Ensure all private subnets can use the endpoint
- Don't forget new subnets added later
-
Use endpoint policies for security
- Restrict to specific S3 buckets
- Prevent data exfiltration to unauthorized buckets
Interface Endpoint Best Practices
-
Enable Private DNS when possible
- Applications work without code changes
- Service DNS resolves to private IP automatically
-
Deploy in multiple AZs for HA
- Each AZ has its own ENI
- Provides fault tolerance
- Consider cost implications (~$7.30/month/AZ)
-
Use security groups
- Control which resources can access the endpoint
- Restrict to specific application security groups
-
Consider consolidated endpoints
- Use VPC Lattice for service mesh scenarios
- Share endpoints across accounts with RAM
Cost Optimization
- Always use Gateway for S3/DynamoDB - It's free
- Consolidate interface endpoints - One endpoint serves entire VPC
- Evaluate necessity - Not all services need private endpoints
- Compare vs NAT Gateway - Interface endpoints are cheaper for high-volume services
Common Exam Scenarios
| Scenario | Solution | Why |
|---|---|---|
| Private S3 access from EC2 | Gateway endpoint | Free, works via route table |
| S3 access from on-premises via DX | Interface endpoint | Gateway not accessible from on-prem |
| Private Secrets Manager access | Interface endpoint | Only interface endpoints available |
| Reduce NAT Gateway S3 costs | Gateway endpoint | 100% cost savings |
| Access S3 via Transit Gateway | Interface endpoint | Gateway doesn't support TGW |
| DynamoDB access without internet | Gateway endpoint | Free, similar to S3 |
| Private ECR access for ECS | Interface endpoints (dkr, api, logs) | Requires multiple interface endpoints |
| Restrict S3 access to specific bucket | Endpoint policy | Control data access at endpoint |
Common Pitfalls
Pitfall 1: Using Interface Endpoint for S3 Unnecessarily
Mistake: Creating Interface endpoint for S3 when Gateway would work.
- Why it fails: Paying ~$7.30/month/AZ when free option exists
- Correct approach: Use Gateway endpoint unless you need on-prem access or Transit Gateway
Pitfall 2: Forgetting Route Table Association
Mistake: Creating Gateway endpoint but not associating with route tables.
- Why it fails: Traffic continues using NAT Gateway or fails
- Correct approach: Associate with all private subnet route tables
Pitfall 3: Not Enabling Private DNS
Mistake: Creating Interface endpoint without enabling Private DNS.
- Why it fails: Must use verbose endpoint-specific DNS names
- Correct approach: Enable Private DNS for seamless application integration
Pitfall 4: Single AZ Deployment
Mistake: Creating Interface endpoint in only one AZ.
- Why it fails: Single point of failure
- Correct approach: Deploy in multiple AZs (balance cost vs availability)
Pitfall 5: Missing Security Group Rules
Mistake: Interface endpoint security group blocks required traffic.
- Why it fails: Applications can't reach the endpoint
- Correct approach: Allow inbound HTTPS (443) from application security groups
Pricing Summary
Gateway Endpoints
| Component | Cost |
|---|---|
| Endpoint | FREE |
| Data transfer | FREE |
Interface Endpoints
| Component | Cost (us-east-1) |
|---|---|
| Per endpoint per AZ | |
| Data processed | $0.01/GB |
Cost Comparison Example
1 TB monthly S3 data transfer:
| Method | Monthly Cost |
|---|---|
| NAT Gateway | $45 + ~$35 (NAT) = $80+ |
| S3 Interface Endpoint | $10 + $7.30 = $17.30 |
| S3 Gateway Endpoint | $0 |
Related Services
Quick Reference
Common Service Endpoint Names
| Service | Gateway Available | Interface Endpoint Name |
|---|---|---|
| S3 | Yes | com.amazonaws.region.s3 |
| DynamoDB | Yes | com.amazonaws.region.dynamodb |
| EC2 | No | com.amazonaws.region.ec2 |
| Secrets Manager | No | com.amazonaws.region.secretsmanager |
| SSM | No | com.amazonaws.region.ssm |
| ECR (Docker) | No | com.amazonaws.region.ecr.dkr |
| ECR (API) | No | com.amazonaws.region.ecr.api |
| CloudWatch Logs | No | com.amazonaws.region.logs |
| KMS | No | com.amazonaws.region.kms |
| STS | No | com.amazonaws.region.sts |
CLI Commands
aws ec2 describe-vpc-endpoint-services \
--filters Name=service-type,Values=Interface Name=owner,Values=amazon \
--region us-east-1 \
--query 'ServiceNames'aws ec2 create-vpc-endpoint \
--vpc-id vpc-xxx \
--service-name com.amazonaws.us-east-1.secretsmanager \
--vpc-endpoint-type Interface \
--subnet-ids subnet-xxx subnet-yyy \
--security-group-ids sg-xxx \
--private-dns-enabledQuiz Questions
A company needs to access S3 from EC2 instances in private subnets without using the internet. What is the most cost-effective solution?
An on-premises data center connected via Direct Connect needs private access to S3. Which endpoint type should be used?
Which VPC endpoint types are powered by AWS PrivateLink?
What must be associated with a Gateway endpoint for it to function?