AWS Services

VPC Endpoints And PrivateLink

Understand VPC endpoints, gateway endpoints, interface endpoints, endpoint policies, and AWS PrivateLink for private service access.

foundation · 7 min read · Updated 2026-06-02 · Cloud, Certification, Networking, Security, Cost

Tags: VPC Endpoint, Gateway Endpoint, Interface Endpoint, AWS PrivateLink, Endpoint Policy, Private DNS, Service Endpoint

After this, you will understand

Endpoints explain how private AWS workloads call AWS services without turning every private subnet into a NAT-dependent internet client.

Plain version

VPC endpoints create private paths from a VPC to supported AWS services or endpoint services.

Decision pressure

Learners think private subnets require NAT for every AWS API call, or confuse gateway endpoints with interface endpoints.

Exam-ready model

Use gateway endpoints for common S3 and DynamoDB private access, interface endpoints for PrivateLink-powered services, and policies to restrict what the path can reach.

Think before reading: What is the usual endpoint type for private subnet access to S3 at no endpoint hourly charge?

An S3 gateway VPC endpoint associated with the private subnet route tables.

Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. AWS Key Management Service (aws-services)
  2. Amazon CloudWatch (aws-services)

Concepts Covered

  • VPC endpoints
  • Gateway endpoints
  • Interface endpoints
  • AWS PrivateLink
  • Endpoint policies
  • Private DNS
  • Route table associations
  • Security groups for endpoints
  • S3 and DynamoDB endpoints
  • Exam traps around NAT

1. Plain-English Mental Model

VPC endpoints let resources in a VPC privately connect to supported AWS services or endpoint services.

Without endpoints, a private subnet instance often reaches AWS public service endpoints through a NAT gateway, or a public subnet resource reaches them through an internet gateway path. That can work, but it may not satisfy private connectivity, security, or cost requirements.

The simple model is:

private workload -> VPC endpoint -> AWS service

There are two main endpoint types for SAA-C03:

  • gateway endpoints for Amazon S3 and DynamoDB
  • interface endpoints for services powered by AWS PrivateLink

Gateway endpoints are route table targets. Interface endpoints are elastic network interfaces with private IP addresses in your subnets.

2. Why This Service Exists

Private subnets are useful because they avoid direct internet exposure. But applications in private subnets still need to call AWS services.

An EC2 instance may need S3 objects. A Lambda function in a VPC may need Secrets Manager. An ECS task may need CloudWatch Logs. A private application may need to call an internal service exposed by another VPC or account.

One answer is NAT. But NAT provides broad, internet-style outbound access and costs money. Endpoints provide a narrower private path to the specific supported services a workload needs.

For the exam, endpoint questions usually include phrases like "without traversing the public internet", "without NAT gateway", "private connectivity", "S3 from private subnet", "interface endpoint", "AWS PrivateLink", or "restrict access through endpoint policy."

3. The Naive Approach And Where It Breaks

The naive design sends every private subnet dependency through NAT:

private workload -> NAT gateway -> AWS public service endpoint

This adds cost and creates a broad outbound path. It may be necessary for external APIs, but it is not always necessary for AWS service calls.

Another naive design creates an endpoint and assumes permissions are solved. Endpoints create network paths. They do not automatically grant IAM permission to call the service or read the resource.

Another mistake is using the wrong endpoint type. S3 gateway endpoints are the common choice for VPC-to-S3 access. Interface endpoints are needed for most other AWS services and for exposing a service through PrivateLink.

The right design separates network path, service support, route table or DNS behavior, endpoint policy, resource policy, and IAM permission.

4. Core Primitives

A gateway endpoint is associated with route tables. AWS adds routes for a service prefix list, such as S3 or DynamoDB, targeting the endpoint. There is no endpoint network interface for you to manage.

An interface endpoint creates elastic network interfaces in selected subnets. These ENIs have private IP addresses and use security groups. Private DNS can make normal service names resolve to the endpoint inside the VPC.

AWS PrivateLink is the technology behind interface endpoints and endpoint services. It lets consumers privately access a service without VPC peering, internet gateways, NAT, or workarounds for overlapping CIDRs.

Endpoint policies can restrict what the endpoint can be used to access. Resource policies, such as S3 bucket policies, can restrict access to requests coming through specific endpoints.

Security groups apply to interface endpoints. Route tables apply to gateway endpoints.

5. Architecture Use Cases

Use an S3 gateway endpoint when EC2 instances in private subnets need S3 access without NAT.

Use a DynamoDB gateway endpoint when private workloads need DynamoDB access without NAT.

Use interface endpoints for services such as Secrets Manager, Systems Manager, CloudWatch Logs, ECR APIs, KMS, STS, and many other supported services.

Use PrivateLink endpoint services when one VPC, account, or organization wants to expose a service privately to consumers without opening public access or building full network connectivity.

In a locked-down private app, endpoints often replace NAT for AWS dependencies:

private ECS task
  -> interface endpoint for ECR
  -> interface endpoint for CloudWatch Logs
  -> interface endpoint for Secrets Manager
  -> gateway endpoint for S3

7. Security Model

Endpoints are network controls, not identity controls.

IAM policies still decide whether a principal can call the service action. Resource policies still decide whether a resource accepts the request. Endpoint policies can add another restriction layer.

For S3, a bucket policy can restrict access to a specific VPC endpoint. This helps prevent access from outside the expected private path.

For interface endpoints, security groups control which clients can connect to the endpoint ENI.

Private DNS can reduce application changes by letting standard service hostnames resolve to private endpoint addresses inside the VPC. Misconfigured DNS can make traffic use the wrong path.

Least privilege applies to all layers: workload role, endpoint policy, resource policy, KMS key policy if encryption is involved, and security group.
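To make the layering concrete (the endpoint policy from section 4, and the point above that IAM, resource policies and endpoint policies each still matter), here is an added example that is not part of this page and not AWS's evaluation engine. It holds three constructed policy documents for one bucket and applies a simplified same-account decision rule that does match AWS behaviour for these cases: an explicit Deny in any applicable policy wins, a request that arrives through an endpoint must be allowed by that endpoint's policy, and otherwise either the identity policy or the bucket policy must allow it. The bucket name, endpoint ID and object key are placeholders; `aws:SourceVpce` is the real condition key AWS sets on requests that traverse a VPC endpoint. Cross-account principals, session policies and permission boundaries are deliberately out of scope.

```python
"""Simplified model of how identity, endpoint and bucket policies combine.

Added example, not AWS's evaluation engine. Only the two condition operators
used below are modelled, and Principal elements are ignored (every request is
assumed to come from the workload role in the bucket's own account).
"""
import fnmatch

ENDPOINT_ID = "vpce-0123456789abcdef0"   # constructed placeholder
BUCKET = "example-private-bucket"       # constructed placeholder
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/report.csv"  # constructed object key

# Identity policy on the workload role: read and write objects, nothing else.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

# Endpoint policy: the endpoint may only be used to read this bucket.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}

# Bucket policy: refuse anything that did not arrive through the expected endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessViaExpectedEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards in Action/Resource behave like shell globs for our purposes.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)  # absent key: StringNotEquals still matches
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow', or None when no statement applies."""
    decision = None
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def layer_decisions(action, resource, source_vpce=None):
    """Evaluate each layer the request passes through; endpoint only if used."""
    context = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    layers = {"role": ROLE_POLICY, "bucket": BUCKET_POLICY}
    if source_vpce:
        layers["endpoint"] = ENDPOINT_POLICY
    return {name: evaluate_policy(p, action, resource, context) for name, p in layers.items()}


def is_allowed(action, resource, source_vpce=None):
    """Simplified same-account rule: deny wins; endpoint must allow; then role or bucket must allow."""
    decisions = layer_decisions(action, resource, source_vpce)
    if "Deny" in decisions.values():
        return False
    if source_vpce and decisions["endpoint"] != "Allow":
        return False
    return decisions["role"] == "Allow" or decisions["bucket"] == "Allow"


if __name__ == "__main__":
    for action, resource, vpce in [
        ("s3:GetObject", OBJECT_ARN, ENDPOINT_ID),   # allowed: every layer agrees
        ("s3:GetObject", OBJECT_ARN, None),          # denied by bucket policy (NAT/IGW path)
        ("s3:GetObject", OBJECT_ARN, "vpce-other"),  # denied: wrong endpoint
        ("s3:PutObject", OBJECT_ARN, ENDPOINT_ID),   # blocked by endpoint policy
        ("s3:ListBucket", BUCKET_ARN, ENDPOINT_ID),  # endpoint allows, role does not
    ]:
        print(f"{action:14} via {vpce or 'no endpoint':24} -> {is_allowed(action, resource, vpce)}")
```

The last two cases are the ones exam questions tend to probe: the endpoint policy can narrow what an otherwise permitted role can do through that path, and an endpoint policy that allows an action grants nothing on its own when the role lacks it.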

8. Reliability And Resilience

Gateway endpoints are managed and horizontally scaled. Associate them with every route table that needs the service path.

Interface endpoints should be placed in multiple Availability Zones when workloads in multiple AZs depend on them. If an app subnet in AZ B depends on an endpoint only in AZ A, you may create cross-AZ dependencies and data charges.
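The mechanics from section 4 (a gateway endpoint is a prefix-list route in a route table; an interface endpoint is an ENI in specific subnets) together with the AZ-placement point above can be turned into a coverage check over the VPC's own configuration. The following is an added example, not AWS tooling or code from this page. The subnet, route table and endpoint records are constructed inline in the shape of the `aws ec2 describe-subnets`, `describe-route-tables` and `describe-vpc-endpoints` responses, trimmed to the fields the checks use; every ID, including the S3 prefix-list ID, is a placeholder (the real prefix-list ID for a region comes from `aws ec2 describe-prefix-lists`). The "private" tier is identified by a `tier` tag, which is an assumption about how the subnets are labelled.

```python
"""Audit VPC endpoint coverage from describe-* shaped records.

Added example, not an AWS tool. Three checks drawn from the page:
  1. every private subnet's route table has a route to the S3 prefix list
     whose target is an S3 gateway endpoint;
  2. every interface endpoint has an ENI in each AZ used by private subnets,
     so no AZ silently depends on another AZ's ENI;
  3. interface endpoints have Private DNS enabled, so unchanged service
     hostnames resolve to the endpoint rather than the public address.
"""

REGION = "us-east-1"            # constructed
S3_PREFIX_LIST = "pl-0example0s3"  # constructed placeholder, not a real prefix list

# Constructed sample data, trimmed describe-* output.
SUBNETS = [
    {"SubnetId": "subnet-pub1", "AvailabilityZone": "us-east-1a", "Tags": [{"Key": "tier", "Value": "public"}]},
    {"SubnetId": "subnet-aaa1", "AvailabilityZone": "us-east-1a", "Tags": [{"Key": "tier", "Value": "private"}]},
    {"SubnetId": "subnet-bbb1", "AvailabilityZone": "us-east-1b", "Tags": [{"Key": "tier", "Value": "private"}]},
    {"SubnetId": "subnet-ccc1", "AvailabilityZone": "us-east-1c", "Tags": [{"Key": "tier", "Value": "private"}]},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-priv-a", "Associations": [{"SubnetId": "subnet-aaa1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": "vpce-s3gw"}]},
    # Route table for AZs b and c: someone forgot the endpoint route, so S3 goes via NAT.
    {"RouteTableId": "rtb-priv-bc", "Associations": [{"SubnetId": "subnet-bbb1"}, {"SubnetId": "subnet-ccc1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
ENDPOINTS = [
    {"VpcEndpointId": "vpce-s3gw", "VpcEndpointType": "Gateway",
     "ServiceName": f"com.amazonaws.{REGION}.s3", "RouteTableIds": ["rtb-priv-a"]},
    {"VpcEndpointId": "vpce-sm", "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{REGION}.secretsmanager",
     "SubnetIds": ["subnet-aaa1", "subnet-bbb1"], "PrivateDnsEnabled": True},   # no ENI in AZ c
    {"VpcEndpointId": "vpce-logs", "VpcEndpointType": "Interface",
     "ServiceName": f"com.amazonaws.{REGION}.logs",
     "SubnetIds": ["subnet-aaa1", "subnet-bbb1", "subnet-ccc1"], "PrivateDnsEnabled": False},
]


def private_subnets(subnets):
    """Map SubnetId -> AZ for subnets tagged tier=private (tagging convention assumed)."""
    return {s["SubnetId"]: s["AvailabilityZone"] for s in subnets
            if any(t["Key"] == "tier" and t["Value"] == "private" for t in s.get("Tags", []))}


def gateway_endpoint_ids(endpoints, service):
    """IDs of gateway endpoints for a service short name such as 's3' or 'dynamodb'."""
    return {e["VpcEndpointId"] for e in endpoints
            if e["VpcEndpointType"] == "Gateway" and e["ServiceName"].endswith("." + service)}


def subnets_missing_gateway_route(subnets, route_tables, endpoints, prefix_list, service="s3"):
    """Private subnets whose route table lacks a prefix-list route to a gateway endpoint."""
    gateways = gateway_endpoint_ids(endpoints, service)
    covered = set()
    for rt in route_tables:
        if any(r.get("DestinationPrefixListId") == prefix_list and r.get("GatewayId") in gateways
               for r in rt["Routes"]):
            # Main route table associations carry no SubnetId; skip those entries.
            covered.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return sorted(set(private_subnets(subnets)) - covered)


def interface_endpoint_az_gaps(subnets, endpoints):
    """ServiceName -> AZs used by private subnets where that endpoint has no ENI."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    needed = set(private_subnets(subnets).values())
    gaps = {}
    for e in endpoints:
        if e["VpcEndpointType"] != "Interface":
            continue
        present = {az_of[s] for s in e.get("SubnetIds", []) if s in az_of}
        missing = sorted(needed - present)
        if missing:
            gaps[e["ServiceName"]] = missing
    return gaps


def interface_endpoints_without_private_dns(endpoints):
    """Interface endpoints whose standard hostname will still resolve publicly."""
    return sorted(e["ServiceName"] for e in endpoints
                  if e["VpcEndpointType"] == "Interface" and not e.get("PrivateDnsEnabled", False))


if __name__ == "__main__":
    print("no S3 gateway route:", subnets_missing_gateway_route(SUBNETS, ROUTE_TABLES, ENDPOINTS, S3_PREFIX_LIST))
    print("interface endpoint AZ gaps:", interface_endpoint_az_gaps(SUBNETS, ENDPOINTS))
    print("private DNS disabled:", interface_endpoints_without_private_dns(ENDPOINTS))
```

Each finding maps to a failure mode on this page: subnets without the prefix-list route quietly keep sending S3 traffic through NAT, an interface endpoint missing from one AZ creates the cross-AZ dependency described above, and an endpoint without Private DNS leaves applications resolving the public service address unless they are pointed at the endpoint-specific DNS name.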

Endpoints do not make the target AWS service available if the service itself has a regional issue. They solve the connectivity path, not every service-availability concern.

For PrivateLink services, the provider's load balancer and target health matter. The endpoint can be reachable while the provider service is unhealthy.

Monitor endpoint usage, rejected connections, DNS, IAM errors, and service-specific metrics.

9. Performance And Scaling

Gateway endpoints are efficient for S3 and DynamoDB traffic from a VPC.

Interface endpoints use ENIs and PrivateLink. Throughput and scaling depend on the endpoint service and AWS-managed infrastructure, but you still need good AZ placement.

Endpoints can reduce NAT bottlenecks for AWS service traffic. They can also reduce exposure by limiting paths.

If applications make high-volume S3 requests, endpoint choice does not remove S3 request or data transfer considerations. It changes the network path.

PrivateLink can simplify connectivity where VPC peering or Transit Gateway would otherwise create routing complexity or CIDR overlap problems.

10. Cost Model

Gateway endpoints for S3 and DynamoDB do not have an additional endpoint charge.

Interface endpoints generally have hourly and data processing charges. They can still be cheaper or more secure than NAT depending on traffic and architecture.

NAT gateway costs can be significant for high-volume AWS service traffic. Replacing eligible traffic with endpoints can reduce cost.

PrivateLink provider and consumer costs depend on endpoint service configuration, endpoint hours, and data processing.

Cost questions often hide the answer in which endpoint type the service supports: an S3 or DynamoDB gateway endpoint for the lowest-cost private access, and an interface endpoint for most other services.

12. SAA-C03 Exam Signals

"Private subnet EC2 needs S3 without NAT" points to an S3 gateway endpoint.

"Private subnet app needs DynamoDB without NAT" points to a DynamoDB gateway endpoint.

"Private access to Secrets Manager, KMS, STS, ECR, or CloudWatch Logs" often points to interface endpoints.

"Expose a service privately to another VPC or account without peering" points to AWS PrivateLink.

"Overlapping CIDRs prevent VPC peering" can point to PrivateLink when the requirement is service access, not full network access.

"Restrict S3 bucket to access through endpoint" points to bucket policy conditions plus endpoint design.

13. Common Exam Traps

Do not assume NAT is required for every private subnet AWS service call.

Do not choose gateway endpoints for every service. Gateway endpoints are limited to supported services such as S3 and DynamoDB.

Do not forget route table association for gateway endpoints.

Do not forget security groups for interface endpoints.

Do not assume endpoints grant permission. IAM, resource policies, KMS policies, and endpoint policies still matter.

Do not use PrivateLink when the requirement is full bidirectional VPC networking. PrivateLink is service-oriented.

Review Private App Access To S3, VPC Networking Model, and Amazon S3.
