VPC Endpoints
Start course
2h 25m

This section of the Solution Architect Associate learning path introduces you to the core networking concepts and services relevant to the SAA-C03 exam. We start with an introduction to the AWS Virtual Private Network (VPC) and networking services. We then understand the options available and learn how to select and apply AWS networking services to meet specific design scenarios relevant to the Solution Architect Associate exam. 

Want more? Try a lab playground or do a Lab Challenge

Learning Objectives

  • Get a foundational understanding of VPCs, their security, and connectivity
  • Understand the basics of networking including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
  • Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront

Hello and welcome to this lecture covering VPC Endpoints.

VPC Endpoints allow you to privately access AWS services using the AWS internal network instead of connecting to such services via the internet using public DNS endpoints. This means that you can connect to the supported services without configuring an Internet Gateway, NAT Gateway, a Virtual Private Network or a Direct Connect connection.

There are 2 types of VPC Endpoints: Interface Endpoints and Gateway Endpoints.

Interface Endpoints are essentially ENIs that are placed within a subnet that act as a target for any traffic that is being sent to a supported services and operates through the use of PrivateLink. PrivateLink allows a private and secure connection between VPCs, AWS services, and on-premises applications, via the AWS internal network.

As an example of supported services, this list only shows a very small subset of what’s available via an Interface Endpoint.

One point to make is that when an interface endpoint is configured within your chosen subnet, the service that it is associated with is NOT able to initiate a connection through to your VPC, communication across this interface HAS to originate from within your VPC first before a response can be made by the service.

You might be wondering how you connect and make use of the endpoints, and the process is seamless to the end user when working with AWS services. When an interface endpoint is created for a service, a specific DNS hostname is created and is associated with a private hosted zone in your VPC. Within this hosted zone a record set for the default DNS name of the service is created resolving to the IP address of your interface endpoint. As a result, any applications using that service already does not need to be reconfigured, requests to that service using the default DNS name will now be resolved to the private IP address of the interface endpoint and will route through the internal AWS network instead of the internet.

A Gateway Endpoint is a target that is used within your route tables to allow you to reach supported services, currently the only supported services using a Gateway Endpoint are Amazon S3 and DynamoDB, but this like is likely to change over time to please ensure you check the latest supported services.

During the creation of your Gateway endpoint you will be asked which route tables within your VPC should be updated to add the new Target of the gateway endpoint. Any route table selected with then have a route automatically added to include the new Gateway Endpoint. The entry of the route will have a prefix list ID of the associated service (Amazon S3 or DynamoDB) and the target entry will be the VPC Endpoint ID, examples of these are shown on screen. You should also be aware that GateWay Endpoint only works with IPv4.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.