AWS VPC Endpoint

Suppose you deploy an application in an AWS VPC that has no internet connection by default, and the application needs to read and write files in Amazon S3. To let the application reach S3, you would normally need a route to the public internet through a NAT Gateway, an Internet Gateway, or AWS Direct Connect. What if you don't want any request made by this application to go over the internet? This is where VPC Endpoints come in.

Table of Content

  • What are AWS VPC Endpoints?
  • AWS VPC Endpoints Architecture
  • Types of VPC Endpoints
  • What are shared Subnets?
  • How to Create AWS VPC Endpoints? A Step-By-Step Guide
  • What Are Service Providers?
  • What Are Service Consumers?
  • What are AWS PrivateLink Connections?
  • What are Private Hosted Zones?
  • AWS VPC Services List
  • AWS VPC Endpoint Pricing
  • AWS VPC Endpoint vs Endpoint Service
  • Examples of AWS VPC Endpoint
  • AWS VPC EndPoint – FAQs

What are AWS VPC Endpoints?

An AWS VPC endpoint is a feature of Amazon VPC that lets customers privately connect to supported AWS services and to VPC endpoint services powered by AWS PrivateLink. With VPC Endpoints, instances in an Amazon VPC do not need public IP addresses to communicate with the resources of the service, and the network traffic between the VPC and the AWS service never leaves the Amazon network, which is exactly our requirement.

VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available Amazon VPC components that allow communication between instances in an Amazon VPC and services without imposing availability risks or bandwidth constraints on network traffic.

AWS VPC Endpoints Architecture

AWS VPC endpoints provide secure and private communication between resources within the Amazon VPC and AWS services without requiring internet access. The architecture consists of interface endpoints, through which AWS services are reached over AWS PrivateLink, and gateway endpoints for Amazon S3 and DynamoDB. Interface endpoints use Elastic Network Interfaces (ENIs) for connectivity. Because traffic stays within the AWS network, this architecture improves security, and it improves performance by reducing the latency and bandwidth constraints associated with internet-based communication.


Types of VPC Endpoints

There are two types of VPC endpoints:

  1. Gateway Endpoints 
  2. Interface Endpoints

1. Gateway Endpoints

A VPC Gateway Endpoint is a way to connect your VPC to an AWS service like S3 or DynamoDB without going through the public internet or needing to set up a VPN connection. This helps improve security and can also improve network performance since the traffic stays within the AWS network.

So if we want to use S3 or DynamoDB from inside a VPC, a Gateway Endpoint is recommended over an Internet Gateway, NAT, or any other service, because it improves both security and latency for the application traffic.

2. Interface Endpoints

Interface endpoints enable connectivity to services over AWS PrivateLink. These services include some AWS managed services, services hosted by other AWS customers and partners in their own Amazon VPCs (referred to as endpoint services), and supported AWS Marketplace partner services. The owner of a service is a service provider. The principal creating the interface endpoint and using that service is a service consumer.

What are shared Subnets?

Shared subnets are network segments in a subnetted network that are accessible to multiple users. They are commonly found in a virtual private cloud (VPC), where they allow resources to be shared among different users or accounts. Shared subnets promote efficient resource utilization and collaboration, but they require strong network access control measures to maintain data privacy, security, and compliance.

How to Create AWS VPC Endpoints? A Step-By-Step Guide

The following is a step-by-step guide for creating AWS VPC Endpoints:

Step 1: Log in to the AWS Management Console

Step 2: Navigate to AWS VPC Dashboard

  • Search for “AWS VPC” in the search panel.
  • Click on AWS VPC to open the AWS VPC Dashboard page.

Step 3: Select Endpoints from the Navigation Pane

  • In the VPC Dashboard, locate the “Endpoints” option in the navigation pane.
  • Choose Endpoints in the left panel, then click Create Endpoint.

Step 4: Create Endpoint

  • Clicking the Create Endpoint button starts the endpoint creation process.

Step 5: Choose Service

Select the AWS service for which you want to create a VPC Endpoint; it can be any supported AWS service such as Amazon S3 or Amazon DynamoDB. Here we are choosing Amazon S3, specifically the service name “com.amazonaws.ap-south-1.s3”.


Step 6: Configure Endpoint

  • Configure the endpoint settings, including the VPC and subnet where the endpoint should reside and any security groups to attach to the endpoint.
  • Update the policy if you want to restrict access through this endpoint; otherwise leave Full Access. Click on Create.
  • After attaching the endpoint to the route tables, the subnets that use those route tables will have access to S3 through the endpoint route, so the traffic no longer traverses the internet.

Step 7: Review and Create

Step 8: Verify Endpoint Creation

  • Once the endpoint has been created, verify its status in the Endpoints dashboard. It should show as “Available” if the creation was successful.

Step 9: Test Endpoint

  • Finally, test the endpoint by accessing the associated AWS service from resources within your VPC. If you configured it correctly, the endpoint allows secure and private communication with the AWS service without requiring internet access.
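To make the policy choice in Step 6 concrete, here is an added example (not code from the original article or from AWS) of a least-privilege S3 gateway endpoint policy paired with a bucket policy that only accepts requests arriving through that endpoint, plus a simplified evaluator showing how the two layers combine. The endpoint id and bucket names are constructed placeholders, and the evaluator supports only the operators these two policies use.

```python
import fnmatch
# Constructed values for this example (not from the article).
ENDPOINT_ID = "vpce-0123456789abcdef0"   # hypothetical gateway endpoint id
APPROVED_BUCKETS = ["app-config-bucket", "app-data-bucket"]

def endpoint_policy(buckets):
    """Endpoint policy to use instead of 'Full Access' in Step 6: only the
    listed buckets are reachable through the endpoint, and only for these actions."""
    res = [a for b in buckets for a in (f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*")]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ApprovedBucketsOnly", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": res}]}

def bucket_policy(bucket, endpoint_id):
    """Bucket-side control: deny every request that did not arrive via the endpoint."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessViaEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": endpoint_id}}}]}

def _match(pattern, value):
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_ok(cond, ctx):
    """Handles only the two string operators used above."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """Simplified IAM evaluation across all applicable policies: an explicit
    Deny wins, otherwise any matching Allow, otherwise implicit deny."""
    decision = "Deny"
    for st in (s for p in policies for s in p["Statement"]):
        if not (_match(st["Action"], action) and _match(st["Resource"], resource)):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx or {}):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

A request for an approved bucket that carries the endpoint id in aws:SourceVpce is allowed, while the same request without it, or any request for a bucket outside the approved list, is denied.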

What Are Service Providers?

Service providers are the entities that offer services or resources to other entities within a system. In cloud computing or distributed systems, service providers are generally cloud providers (such as AWS, Azure, or Google Cloud) offering services such as compute, storage, networking, and more. These providers deploy and manage the infrastructure necessary to deliver their services, ensuring availability, scalability, and reliability.

What Are Service Consumers?

Service consumers are the entities or users that use the services provided by service providers to meet their business or operational needs. They can be individual users, applications, or organizations that leverage the capabilities offered by service providers to accomplish tasks, run applications, store data, or access resources. Consumers interact with service providers through well-defined interfaces such as APIs or protocols, consuming the services according to their requirements.

What are AWS PrivateLink Connections?

AWS PrivateLink connections provide secure and private communication between Virtual Private Clouds or on-premises networks. They also provide secure private communication between AWS services across different regions or accounts. PrivateLink uses Elastic Network Interfaces (ENIs) to establish private connections, allowing resources within a VPC to access AWS services such as Amazon S3, DynamoDB, or AWS Lambda as if they were hosted within the same VPC.

What are Private Hosted Zones?

Private hosted zones are DNS zones managed within Amazon Route 53. They resolve domain names to private IP addresses within the VPC, for resources in the same VPC or in connected networks, providing a seamless and secure way to reach services privately. This enhances security and reduces the risk of exposure to the public internet.

AWS VPC Services List

The following is the list of key AWS VPC services:

  1. Amazon VPC: Lets us create and manage virtual networks in the cloud, including configuring subnets, route tables, and network access control lists (ACLs).
  2. VPC Peering: Lets us connect VPCs within the same AWS region, allowing resources in different VPCs to communicate with each other securely.
  3. VPC Endpoints: Provide private connectivity to AWS services without requiring internet access. They improve security and reduce data transfer costs.
  4. VPN Connections: Allow us to establish a private, secure connection between an on-premises network and a VPC using VPN technology.
  5. Direct Connect: Offers a dedicated network connection between an on-premises data center and AWS, providing higher bandwidth and lower latency compared to VPN connections.

AWS VPC Endpoint Pricing

The following is a simplified pricing table for AWS VPC Endpoints:

Endpoint Type                     | Pricing Model
Interface Endpoint                | $0.01 per VPC endpoint-hour, plus data processing charges
Gateway Endpoint (S3)             | Usage is free; charges apply only for data transferred out of Amazon S3
Gateway Endpoint (DynamoDB)       | $0.01 per VPC endpoint-hour, plus data processing charges
Gateway Endpoint (Other Services) | $0.01 per VPC endpoint-hour, plus data processing charges

AWS VPC Endpoint vs Endpoint Service

The following are the differences between an AWS VPC Endpoint and an AWS Endpoint Service:

Aspect        | VPC Endpoint                                                                                        | Endpoint Service
Purpose       | Provides private connectivity to AWS services from within a VPC without the need for internet access. | Lets AWS customers offer their own services to other AWS accounts via private connections.
Scope         | Typically used to access AWS managed services such as Amazon S3, DynamoDB, or AWS Lambda from within a VPC. | Lets customers expose their services to other AWS accounts.
Configuration | Configured within the VPC and attached to specific subnets or route tables.                         | Set up by AWS customers using AWS PrivateLink, configuring the service endpoints and permissions.
Billing       | Charges based on the type of endpoint and the data processed.                                       | May include charges based on data transfer and the requests processed by the service.
Example       | VPC endpoint for Amazon S3, enabling private access to S3 buckets from within a VPC.                | Allowing customers to access a database securely via private connections.

Examples of AWS VPC Endpoint

The following are examples of AWS VPC Endpoints:

1. Amazon S3 Endpoint: Allows VPC resources to securely access Amazon S3 buckets without internet exposure, enhancing security for data storage and retrieval.

2. DynamoDB Endpoint: Provides communication between VPC resources and Amazon DynamoDB tables, ensuring secure and private access to the NoSQL database service.

3. SNS Endpoint: Facilitates private communication between VPC resources and Amazon Simple Notification Service (SNS).

4. SQS Endpoint: Provides private access to Amazon Simple Queue Service (SQS) from within a VPC, allowing resources to send and receive messages securely without internet connectivity.

AWS VPC EndPoint – FAQs

What Is The Difference Between AWS Transit Gateway And VPC Endpoint?

AWS Transit Gateway establishes connections between internal AWS VPCs and on-premises networks, whereas a VPC endpoint helps reach AWS services without the help of an internet gateway.

What Is The Difference Between VPC Endpoint And Gateway Load Balancer?

A VPC endpoint helps reach AWS services without the help of an internet gateway. A load balancer is deployed in an AWS VPC and distributes traffic to multiple AWS EC2 instances.

How many VPC Endpoints can a VPC have?

A VPC can have multiple endpoints, including interface endpoints and gateway endpoints, allowing secure communication with various AWS services.

What is the difference between AWS PrivateLink and VPC Endpoint?

PrivateLink is a technology that lets providers offer their services to other AWS accounts via private connections, while VPC endpoints provide private connectivity to AWS services from within a VPC.

What is the difference between VPC endpoint and VPC gateway?

VPC endpoints provide private connectivity to specific AWS services from within a VPC, whereas VPC gateways such as internet gateways and VPN gateways enable communication between a VPC and external networks.

What is AWS VPC Endpoint for Amazon S3?

An AWS VPC Endpoint for Amazon S3 enables resources within a VPC to securely access Amazon S3 buckets without internet exposure. It enhances security for data storage and retrieval.