Gateway vs Interface VPC Endpoints
Compare gateway endpoints and interface endpoints for AWS service access, route tables, endpoint ENIs, PrivateLink, private DNS, policies, cost, and SAA-C03 traps.
After this, you will understand
Endpoint questions stop being a memorization game once you separate route-table endpoints from PrivateLink ENI endpoints.
Gateway endpoints are route table targets for S3 and DynamoDB; interface endpoints are PrivateLink ENIs with private IPs and security groups for many supported services.
The common mistake runs both ways: choosing a gateway endpoint for a service that only supports interface endpoints, or creating an interface endpoint for S3 when the no-cost gateway endpoint is the intended answer.
Identify the service, then choose the endpoint type by support model, routing behavior, DNS behavior, security controls, and cost.
Think before reading: Which VPC endpoint type uses route table entries for S3 and DynamoDB?
Concepts Covered
- Gateway endpoints
- Interface endpoints
- AWS PrivateLink
- Endpoint network interfaces
- Route table association
- Service prefix lists
- Private DNS
- Endpoint security groups
- Endpoint policies
- S3 and DynamoDB endpoint traps
1. Plain-English Mental Model
Gateway endpoints and interface endpoints are both VPC endpoints, but they are built differently.
A gateway endpoint is a route table path. It says, "when traffic is going to this AWS service prefix list, send it to this endpoint target."
An interface endpoint is a private network interface in your subnet. It says, "connect to this private IP address in the VPC, and AWS PrivateLink carries the traffic to the service."
The short model is:
gateway endpoint = route table target for S3 and DynamoDB
interface endpoint = PrivateLink ENI for supported services
For the exam, this is one of the cleanest networking distinctions to memorize because it explains routing, security, DNS, and cost at the same time.
2. Why This Service Exists
Private workloads need to call AWS services without becoming internet clients.
S3 and DynamoDB are high-volume regional services. Gateway endpoints give VPC subnets a direct route-table based path to those services without a NAT device or internet gateway requirement.
Many other AWS services expose APIs through PrivateLink. Interface endpoints give private workloads a private IP path to those APIs, often without changing application code if private DNS is enabled.
The two endpoint types exist because not every service integrates with VPC networking in the same way.
For SAA-C03, endpoint type matters because the wrong endpoint type creates the wrong answer even if "VPC endpoint" sounds broadly correct.
3. The Naive Approach And Where It Breaks
The naive approach is to say:
private AWS service access -> create a VPC endpoint
That is too vague.
If the service is S3 or DynamoDB and the question asks for least-cost private access, the answer is usually a gateway endpoint. If the service is Secrets Manager, KMS, STS, Systems Manager, CloudWatch Logs, or ECR, the answer is usually an interface endpoint.
Another mistake is creating an endpoint and forgetting the path mechanics.
Gateway endpoints require route table association. If a private subnet's route table is not associated with the gateway endpoint, instances in that subnet do not use it.
Interface endpoints require subnet placement, security groups, DNS configuration, and sometimes endpoint policies. If private DNS is off, the standard public service hostname still resolves to the service's public IP addresses, so SDK calls bypass the endpoint unless the application is pointed at the endpoint-specific DNS name.
4. Core Primitives
A gateway endpoint has these important primitives:
- service name, usually S3 or DynamoDB
- VPC
- associated route tables
- AWS-managed prefix list route
- endpoint policy
A route table associated with the gateway endpoint receives a route like:
destination = service prefix list
target = gateway endpoint
An interface endpoint has these important primitives:
- service name
- selected subnets
- endpoint network interfaces
- private IP addresses
- security groups
- private DNS option
- endpoint policy when supported
For every selected subnet, AWS creates an endpoint network interface. Clients connect to those private IPs, usually through DNS.
5. Architecture Use Cases
Use an S3 gateway endpoint for private subnet workloads that read and write S3 objects in the same Region without NAT.
Use a DynamoDB gateway endpoint for private subnet applications that call DynamoDB APIs without NAT.
Use interface endpoints for AWS service APIs such as KMS, Secrets Manager, STS, CloudWatch Logs, ECR, Systems Manager, and many others.
Use interface endpoints for private access to endpoint services exposed by another account or provider through AWS PrivateLink.
Use endpoint policies to restrict the endpoint path. For example, an S3 endpoint policy can limit which buckets are reachable through the endpoint, while IAM and bucket policies still decide final access.
Use private DNS for interface endpoints when applications already call standard AWS service endpoints through SDKs and you want those names to resolve privately inside the VPC.
7. Security Model
Gateway endpoints are controlled through route tables, endpoint policies, IAM, resource policies, and workload security controls.
Security groups do not attach to gateway endpoints. The workload security group still needs outbound access to the service; for gateway endpoints the outbound rule can reference the service's AWS-managed prefix list instead of a CIDR range.
Interface endpoints are controlled through endpoint ENI security groups, endpoint policies where supported, IAM, resource policies, and private DNS.
The interface endpoint security group must allow traffic from the workloads that will use it. For HTTPS-based AWS service APIs, that commonly means inbound TCP 443 from workload security groups or CIDR ranges.
Endpoint policies are not magic. A permissive endpoint policy does not grant a role S3 access. A restrictive endpoint policy can block access even when IAM allows it.
For S3, a bucket policy can deny any request that does not arrive through a specific VPC endpoint by using the aws:SourceVpce condition key, which is a common exam-grade security move.
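To make the "endpoint policies are not magic" point concrete, here is an added example (not AWS code and not from the original page) that models how the three policy layers combine for an S3 call through a gateway endpoint: the caller's identity policy, the endpoint policy, and the bucket policy with an aws:SourceVpce condition. It implements only the slice of IAM semantics these policies use (Allow/Deny, wildcard Action and Resource, StringEquals and StringNotEquals). The endpoint ID vpce-0a1b2c3d, the bucket names, and the policies themselves are made up for the example.

```python
"""Combine identity, endpoint and bucket policy for an S3 call via a VPC endpoint.

Added example; a deliberately small model of IAM evaluation, not a full
implementation. All identifiers below are made up.
"""
from fnmatch import fnmatchcase

# Endpoint policy: only the app bucket may be reached through this endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
    }],
}

# Bucket policy: deny anything that does not arrive via the expected endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d"}},
    }],
}

# Identity policy on the workload role: read-only on two buckets.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": ["arn:aws:s3:::app-data/*", "arn:aws:s3:::other-bucket/*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """Only StringEquals / StringNotEquals are modelled; a missing key counts as 'not equal'."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            equal = ctx.get(key) == expected
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition"), ctx))


def evaluate_policy(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'Implicit' (no statement matched). Deny always wins."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, resource, ctx, identity=ROLE_POLICY,
               endpoint=ENDPOINT_POLICY, bucket=BUCKET_POLICY):
    """Same-account S3 call: any explicit Deny loses; identity or bucket policy must
    grant; and if the call came through the endpoint, the endpoint policy must also allow."""
    identity_decision = evaluate_policy(identity, action, resource, ctx)
    bucket_decision = evaluate_policy(bucket, action, resource, ctx)
    if "Deny" in (identity_decision, bucket_decision):
        return False
    if ctx.get("aws:SourceVpce"):
        # Endpoint policy is a filter on the path, not a grant: it must allow,
        # but allowing here adds nothing if no other layer grants the action.
        if evaluate_policy(endpoint, action, resource, ctx) != "Allow":
            return False
    return "Allow" in (identity_decision, bucket_decision)


if __name__ == "__main__":
    via_endpoint = {"aws:SourceVpce": "vpce-0a1b2c3d"}
    print(is_allowed("s3:GetObject", "arn:aws:s3:::app-data/report.csv", via_endpoint))   # True
    print(is_allowed("s3:GetObject", "arn:aws:s3:::app-data/report.csv", {}))             # False: bypassed the endpoint
    print(is_allowed("s3:GetObject", "arn:aws:s3:::other-bucket/x.txt", via_endpoint))    # False: endpoint policy blocks
    print(is_allowed("s3:PutObject", "arn:aws:s3:::app-data/new.txt", via_endpoint))      # False: IAM never granted it
```

The four calls at the bottom are the four lessons of this section in order: the happy path, the bucket policy denying a request that did not come through the endpoint, the restrictive endpoint policy blocking a bucket IAM would otherwise allow, and the permissive endpoint policy failing to grant an action IAM never allowed.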
8. Reliability And Resilience
Gateway endpoints are managed and horizontally scaled by AWS. The important reliability step is associating every required route table.
Interface endpoints should be placed in the Availability Zones where clients run. A multi-AZ application should usually have endpoint ENIs in multiple AZs.
If workloads in AZ B use an endpoint ENI only in AZ A, the design can introduce cross-AZ dependency and cross-AZ data charges.
Private DNS should be tested during rollout. DNS changes can alter traffic paths for every client in the VPC that uses the standard service hostname.
Endpoint policies and security groups can create partial failures that look like service outages. Trace DNS, route, security group, NACL, endpoint policy, IAM, and resource policy separately.
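The route-table mechanics from section 3 and the "trace each layer separately" advice above can be turned into a small offline checker. The following is an added example, not AWS tooling: the dictionaries are constructed to mimic the shape of boto3 describe_route_tables, describe_vpc_endpoints, describe_subnets and describe_security_groups responses, trimmed to the fields the checks need. The gateway endpoint's "PrefixListId" field is an assumption for convenience (in practice you look it up with describe_prefix_lists for the service name), and every ID is made up. It checks the gateway path (is the subnet's route table associated with the endpoint, and does the prefix-list route exist) and the interface path (ENI in the client's AZ, endpoint security group allowing TCP 443 from the workload, private DNS on).

```python
"""Trace gateway and interface endpoint paths from static describe_* data.

Added example with constructed data shaped like boto3 responses; IDs are made up.
"""

SUBNETS = {  # from describe_subnets, reduced to the AZ
    "subnet-app-a": {"AvailabilityZone": "us-east-1a"},
    "subnet-app-b": {"AvailabilityZone": "us-east-1b"},
    "subnet-ep-a": {"AvailabilityZone": "us-east-1a"},
}

ROUTE_TABLES = [  # from describe_route_tables
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-0abc1234", "GatewayId": "vpce-s3gw"}]},
    {"RouteTableId": "rtb-private-b",  # never associated with the S3 endpoint
     "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
]

S3_GATEWAY_ENDPOINT = {  # "PrefixListId" is an assumed field, see lead-in
    "VpcEndpointId": "vpce-s3gw", "VpcEndpointType": "Gateway",
    "ServiceName": "com.amazonaws.us-east-1.s3",
    "RouteTableIds": ["rtb-private-a"], "PrefixListId": "pl-0abc1234",
}

KMS_INTERFACE_ENDPOINT = {  # one ENI, in us-east-1a only, private DNS off
    "VpcEndpointId": "vpce-kmsif", "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.us-east-1.kms",
    "SubnetIds": ["subnet-ep-a"], "Groups": [{"GroupId": "sg-endpoint"}],
    "PrivateDnsEnabled": False,
}

SECURITY_GROUPS = {  # inbound rules of the endpoint ENI security group
    "sg-endpoint": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}], "IpRanges": []}]},
}


def route_table_for_subnet(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC main route table."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt
    return None


def gateway_endpoint_findings(subnet_id, endpoint, route_tables):
    """Reasons traffic from subnet_id would NOT use the gateway endpoint (empty list = OK)."""
    rt = route_table_for_subnet(subnet_id, route_tables)
    if rt is None:
        return [f"{subnet_id}: no route table found"]
    findings = []
    if rt["RouteTableId"] not in endpoint["RouteTableIds"]:
        findings.append(f"{subnet_id}: {rt['RouteTableId']} is not associated with {endpoint['VpcEndpointId']}")
    # Association normally creates this route automatically; checking it separately
    # catches drift between the endpoint configuration and the route table.
    if not any(r.get("DestinationPrefixListId") == endpoint["PrefixListId"]
               and r.get("GatewayId") == endpoint["VpcEndpointId"] for r in rt["Routes"]):
        findings.append(f"{subnet_id}: no prefix-list route to {endpoint['VpcEndpointId']}, "
                        "service traffic follows the default route (NAT or nothing)")
    return findings


def _allows_tcp443_from(sg_id, source_sg, security_groups):
    for perm in security_groups[sg_id]["IpPermissions"]:
        proto = perm["IpProtocol"]
        low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" rules omit ports
        if proto not in ("tcp", "-1") or not (low <= 443 <= high):
            continue
        if any(p["GroupId"] == source_sg for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def interface_endpoint_findings(workload_subnet, workload_sg, endpoint, subnets, security_groups):
    """AZ placement, security group and private DNS checks for an interface endpoint."""
    findings = []
    workload_az = subnets[workload_subnet]["AvailabilityZone"]
    endpoint_azs = {subnets[s]["AvailabilityZone"] for s in endpoint["SubnetIds"]}
    if workload_az not in endpoint_azs:
        findings.append(f"{workload_subnet}: no endpoint ENI in {workload_az}, clients would cross AZs")
    if not any(_allows_tcp443_from(g["GroupId"], workload_sg, security_groups) for g in endpoint["Groups"]):
        findings.append(f"{workload_sg}: endpoint security group does not allow TCP 443 from it")
    if not endpoint["PrivateDnsEnabled"]:
        findings.append(f"{endpoint['ServiceName']}: private DNS off, public hostname resolves to public IPs")
    return findings


if __name__ == "__main__":
    for subnet in ("subnet-app-a", "subnet-app-b"):
        print(subnet, gateway_endpoint_findings(subnet, S3_GATEWAY_ENDPOINT, ROUTE_TABLES))
        print(subnet, interface_endpoint_findings(subnet, "sg-app", KMS_INTERFACE_ENDPOINT,
                                                  SUBNETS, SECURITY_GROUPS))
```

Each finding maps to one layer from the trace list above, so an empty list for a subnet means the route and DNS layers are fine and the remaining suspects are NACLs, the endpoint policy, IAM, and the resource policy. Running it against real describe_* output only needs the dictionaries swapped for API responses.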
9. Performance And Scaling
Gateway endpoints are efficient for S3 and DynamoDB service traffic because route tables send matching service traffic directly to the endpoint target.
Interface endpoints use PrivateLink and endpoint ENIs. They are managed, but architecture still matters: subnet placement, DNS resolution, and client traffic distribution affect the path.
Endpoints can reduce NAT load and isolate AWS service traffic from general outbound internet egress.
For high-volume S3 workloads, a gateway endpoint is often the simplest private path. For services that do not support gateway endpoints, interface endpoints are the normal private access path.
Endpoint choice does not remove service-level limits, API throttling, object request costs, or downstream service performance concerns.
10. Cost Model
Gateway endpoints for S3 and DynamoDB have no additional endpoint charge.
Interface endpoints generally have hourly charges and data processing charges.
NAT gateways also have hourly and data processing charges. Replacing eligible AWS service traffic with endpoints can reduce NAT usage.
The exam often expects the lowest-cost private access answer:
S3 or DynamoDB from private subnets -> gateway endpoint
many other AWS APIs privately -> interface endpoint
Do not over-optimize on price alone. Interface endpoints can be the right answer even if they cost money because they satisfy private connectivity and security requirements.
12. SAA-C03 Exam Signals
"S3 from private subnet without NAT" points to a gateway endpoint.
"DynamoDB from private subnet without NAT" points to a gateway endpoint.
"Route table association" points to gateway endpoint.
"Endpoint network interface" points to interface endpoint.
"Security group attached to the endpoint" points to interface endpoint.
"Private DNS for AWS SDK calls" points to interface endpoint.
"AWS PrivateLink" usually points to interface endpoints, endpoint services, or related PrivateLink endpoint types.
13. Common Exam Traps
Do not choose interface endpoint just because the word "private" appears when the service is S3 and the requirement is lowest-cost same-Region VPC access.
Do not choose gateway endpoint for KMS, Secrets Manager, STS, CloudWatch Logs, or most AWS APIs.
Do not forget gateway endpoint route table association.
Do not forget interface endpoint security groups.
Do not assume private DNS is always enabled or always safe to change without testing.
Do not assume endpoint policies replace IAM, bucket policies, or KMS key policies.
Do not confuse Gateway Load Balancer endpoints with gateway endpoints for S3 and DynamoDB. They are different endpoint types used for different architecture problems.
15. Related Topics
Review VPC Endpoints And PrivateLink, NAT Gateway vs VPC Endpoints, Amazon S3, and Amazon DynamoDB.