What Is Gateway endpoint in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
A gateway endpoint is like a door between two different networks. It lets devices in one network talk to devices or services in another network, even if they use different languages or addresses. This is common in cloud computing, where a private network connects to a public cloud service. The gateway endpoint handles all the translation and routing so the connection is secure and works smoothly.
Common Commands & Configuration
aws ec2 create-vpc-endpoint --vpc-id vpc-0abc123def456 --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-0def789ghi012 --policy-document file://s3-endpoint-policy.jsonCreates a Gateway Endpoint for S3 in the specified VPC, associating it with a specific route table and attaching a custom policy from a JSON file.
This command tests your knowledge of the --route-table-ids parameter (required for Gateway Endpoints) and the --policy-document option (optional but recommended). On the exam, you may need to recall that Gateway Endpoints use route tables, not subnets directly.
aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=com.amazonaws.us-east-1.s3 --query 'VpcEndpoints[*].{Id:VpcEndpointId,State:State,RouteTableIds:RouteTableIds}'Describes all Gateway Endpoints for S3 in the us-east-1 region, showing their IDs, states, and associated route tables.
This is a common troubleshooting command. The exam may test your ability to filter and query the correct fields. Also note that Gateway Endpoints do not have NetworkInterfaceIds or SubnetIds fields like Interface Endpoints.
aws ec2 create-vpc-endpoint --vpc-id vpc-0abc123def456 --service-name com.amazonaws.us-east-1.dynamodb --route-table-ids rtb-0def789ghi012 --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"dynamodb:GetItem\",\"Resource\":\"*\"}]}"Creates a Gateway Endpoint for DynamoDB with a policy that only allows GetItem actions.
DynamoDB Gateway Endpoints are less common but directly tested. Remember that DynamoDB uses the same com.amazonaws prefix, and you can inline a JSON policy with escaped quotes. The exam may ask which service supports Gateway Endpoints for DynamoDB.
aws ec2 describe-route-tables --filters Name=route-table-id,Values=rtb-0def789ghi012 --query 'RouteTables[].Routes[?DestinationCidrBlock==`pl-12345678`]'Lists routes in a route table that have a destination matching a prefix list (e.g., pl-12345678 for S3). This confirms the Gateway Endpoint route is present.
Prefix list IDs (pl-) are used for Gateway Endpoint routes. You must know that the route destination is not a CIDR but a prefix list. On the exam, you may need to identify whether a route is for a Gateway Endpoint or an Internet Gateway.
aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-0abc123def456 --add-route-table-ids rtb-0xyz789lmn012 --remove-route-table-ids rtb-0def789ghi012Modifies an existing Gateway Endpoint by adding a new route table association and removing an old one, enabling traffic from additional subnets.
You can modify Gateway Endpoints to change route table associations or update policies. The exam may ask how to extend private S3 access to a new subnet without recreating the endpoint.
aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.us-east-1.s3Lists details about the S3 VPC endpoint service, including its type (Gateway) and supported regions.
This command checks the service type. The exam expects you to know that com.amazonaws.*.s3 and com.amazonaws.*.dynamodb are the only Gateway-type services. Interface types have different service names (e.g., com.amazonaws.*.execute-api).
aws s3api get-bucket-policy --bucket my-bucket --query Policy --output text | jq '.["aws:SourceVpc"]'Retrieves the S3 bucket policy and checks for the aws:SourceVpc condition that may be used to restrict access to a specific VPC Gateway Endpoint.
This is an advanced security troubleshooting step. The exam may test how to enforce that S3 access only comes from a Gateway Endpoint using the aws:SourceVpc or aws:SourceVpce condition keys.
aws ec2 create-vpc-endpoint --vpc-id vpc-0abc123def456 --service-name com.amazonaws.us-east-1.s3 --vpc-endpoint-type Gateway --route-table-ids rtb-0def789ghi012 --no-private-dns-enabledCreates a Gateway Endpoint explicitly specifying the type (Gateway) and disabling private DNS (though Gateway Endpoints don't use private DNS, this flag is required for interface endpoints).
The --vpc-endpoint-type parameter is optional for Gateway (default) but you must know that Interface requires the flag. The --no-private-dns-enabled flag is irrelevant for Gateway Endpoints but still accepted. This is a trick the exam might use.
Gateway endpoint appears directly in 31exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Gateway endpoints appear in several certification exams, though with different emphasis and depth. Understanding how each exam tests this concept can help you focus your studies.
For the AWS Certified Solutions Architect – Associate (AWS-SAA), gateway endpoints are a primary topic. The exam directly tests your knowledge of VPC Gateway Endpoints, their use cases (private access to S3 and DynamoDB), how to configure them via route tables, and their differences from Interface Endpoints and Gateway Load Balancers. You will see scenario questions that ask you to choose the best way to connect a private subnet to an AWS service without traversing the internet. You must understand that Gateway Endpoints are free, scale automatically, and use the AWS backbone. Questions often compare Gateway Endpoints to NAT Gateways, Internet Gateways, and VPC Peering.
In Microsoft Azure exams, specifically AZ-104 (Azure Administrator), the concept of Service Endpoints and Private Endpoints is highly relevant. While Azure does not use the term "Gateway Endpoint" directly, Service Endpoints serve a similar role. The exam tests when to use Service Endpoints versus Private Endpoints, how to configure them on subnets and storage accounts, and the security implications. You might be asked to allow a VM in a VNet to access an Azure Storage account only from that subnet, which is achieved by enabling a Service Endpoint and then restricting the storage account firewall to that VNet.
For CompTIA Network+ (N10-008), gateway endpoints are covered under the broader topic of network infrastructure and routing. The term "default gateway" is a core concept, and questions often ask about the role of a gateway in sending traffic to external networks. You need to understand that a default gateway is a type of gateway endpoint that allows a host to communicate outside its local subnet. Network+ may also cover cloud concepts like VPC and service gateways, though at a higher level.
CompTIA Security+ (SY0-601) touches on gateway endpoints from a security perspective. You will see questions about secure architecture, where a gateway endpoint acts as a security boundary. You may be asked how to protect data in transit using a VPN gateway or a cloud service endpoint. Understanding that gateway endpoints can enforce encryption, provide access control, and log traffic is useful for these questions.
Cisco CCNA (200-301) covers gateway endpoints under the topic of "gateways" and "default gateways." You must know how to configure a default gateway on a switch or a router. The exam also covers virtual gateways in the context of SD-WAN and cloud. While CCNA does not focus on cloud-specific endpoints like AWS VPC Gateway Endpoints, the foundational concept of a gateway as a router that connects different networks is essential.
Google Associate Cloud Engineer (Google-ACE) exam includes similar concepts. Google Cloud uses "VPC Peering" and "Private Google Access" but also has "Private Services Access" which is similar to gateway endpoints. Understanding how to connect a VPC to Google-managed services like Cloud Storage or BigQuery over the internal network is tested.
In all these exams, gateway endpoints are often part of scenario-based questions where you must choose the right architecture. Common question patterns include: "A company wants to reduce data transfer costs while accessing a cloud storage service from their VPC. Which solution would you recommend?" Or "How do you securely allow an on-premises network to access an Azure database without exposing it to the public internet?" The correct answer usually involves some form of gateway endpoint.
Therefore, for exam success, it is vital to understand not just the definition, but also the trade-offs between different gateway endpoint types, their cost implications, security features, and configuration steps. Focusing on comparative analysis and troubleshooting will give you a strong edge.
Simple Meaning
Imagine you live in a house with a very strict security system. Inside your house, everyone speaks English and uses a specific set of rules. Outside, the world speaks many different languages and uses different rules. To get something from outside into your house, you need a person at your front door who can understand the outside world, translate what is coming in, check that it is safe, and then pass it along inside. That person is the gateway endpoint.
In computing, a gateway endpoint serves the same purpose. It sits at the edge of a network, acting as the single entry and exit point for data traveling to and from another network. This other network might be the internet, a different corporate network, or a cloud service like Amazon S3 or Azure Storage. The gateway endpoint has a specific address, like an IP address, that other networks can send data to. When data arrives, the gateway checks the security rules, translates the data format if needed, and forwards it to the correct destination inside the local network.
A key idea is that the gateway endpoint is not just a simple pipe. It is a smart device that can do several jobs at once. It can act as a translator, converting between different networking protocols. For example, your home network might use IPv4 addresses, but the cloud service might require IPv6. The gateway endpoint handles that conversion. It also acts as a security guard, allowing only authorized traffic in and out. It can log every connection, filter out harmful data, and even block certain types of traffic. This is why gateway endpoints are often combined with firewalls and other security tools.
Another important point is that a gateway endpoint is a specific type of endpoint. An endpoint, in general, is any device that communicates on a network, like a laptop, a server, or a printer. A gateway endpoint is a special kind of endpoint that serves as a bridge between networks. You can think of it as a border crossing between two countries. The border checkpoint is the gateway endpoint, and the officials there check passports, ask questions, and let people through only if they meet the rules.
In the world of cloud certifications, the term "gateway endpoint" often appears in the context of Amazon Web Services (AWS) and Microsoft Azure. AWS offers VPC Gateway Endpoints that let you privately connect your Virtual Private Cloud (VPC) to services like S3 and DynamoDB without going over the internet. Similarly, Azure has Service Endpoints and Private Endpoints that serve a similar role. Understanding gateway endpoints is crucial for building secure and efficient hybrid or cloud-only networks.
So, the simple meaning is that a gateway endpoint is a smart, secure door between your network and another network. It handles translation, security, and routing so that data can flow safely and correctly. It is a foundational concept for anyone studying networking or cloud computing certifications.
Full Technical Definition
A gateway endpoint is a network entity that acts as an intermediary between two networks that may operate on different protocols, addressing schemes, or security domains. In the OSI model, a gateway typically operates at Layer 4 (Transport) and above, often up to Layer 7 (Application). Unlike a simple router, which forwards packets based on IP addresses, a gateway endpoint can perform protocol translation, data reformatting, and higher-level security inspection.
At its core, a gateway endpoint is a hardware or software device with at least two network interfaces: one interface connects to the source network (the internal or client network), and the other connects to the destination network (the external or cloud network). Each interface is assigned an IP address, and the gateway maintains routing tables that direct traffic between these interfaces. When a packet arrives at the source interface, the gateway inspects the packet, determines its destination, applies any configured security policies, performs necessary protocol translation, and then forwards the packet out through the destination interface.
One common implementation is in Virtual Private Cloud (VPC) environments, such as AWS VPC Gateway Endpoints. AWS VPC Gateway Endpoints are specifically designed for accessing services like Amazon S3 and DynamoDB from within a VPC without using public internet. They leverage AWS’s internal network, using the AWS PrivateLink technology. When a VPC Gateway Endpoint is created, AWS adds a route in the VPC route table that directs traffic destined for the service’s public IP addresses to the endpoint. The endpoint then processes this traffic and forwards it to the service over AWS’s internal backbone. This avoids the need for an Internet Gateway, NAT device, or VPN tunnel. The endpoint is horizontally scaled, redundant, and does not require a separate instance or appliance to manage.
In Azure, the equivalent is an Azure Service Endpoint or a Private Endpoint. A Service Endpoint enables a direct, private connection from an Azure VNet to supported Azure services (e.g., Azure Storage, SQL Database). The service endpoint uses a virtual IP address that is part of the service’s public address range but only accessible from within the VNet. Traffic from the VNet to the service stays on the Microsoft Azure backbone network. A Private Endpoint, on the other hand, assigns a private IP address from the VNet to the service, making it appear as a native part of the VNet. Both are types of gateway endpoints in a broader sense.
From a protocol perspective, gateway endpoints often handle Network Address Translation (NAT), Port Address Translation (PAT), and even Application-level gateway (ALG) functions. For example, a gateway endpoint can inspect an FTP session and dynamically open ports for data transfer, or it can convert between SIP (Session Initiation Protocol) for VoIP and other signaling protocols. In security contexts, gateway endpoints integrate with firewalls to perform stateful inspection, intrusion detection/prevention (IDS/IPS), and deep packet inspection (DPI). They can also enforce policies based on user identity, application type, or content.
In traditional on-premises networking, a gateway endpoint is typically the default gateway, which is the router that connects a local network to the internet. In enterprise settings, gateway endpoints are often implemented as a cluster of firewalls or routers that provide high availability and load balancing. They can be physical appliances (Cisco ASA, Palo Alto Networks) or virtual appliances (VMware NSX Edge, AWS Gateway Load Balancer).
Key components of a gateway endpoint include: - Interface(s): Physical or virtual network cards with IP addresses. - Routing table: Determines the next hop based on destination. - Security policies: Access control lists (ACLs), firewall rules, NAT rules. - Protocol translators: Functions that convert between protocol versions (e.g., IPv4 to IPv6) or application protocols. - Logging and monitoring: Collects metadata about every connection for auditing and troubleshooting.
Gateway endpoints can also be used for hybrid cloud connectivity. For example, an AWS Transit Gateway can act as a hub gateway endpoint connecting multiple VPCs and on-premises networks via VPN or Direct Connect. This allows a single gateway endpoint to serve as the central point for all inter-network traffic, simplifying routing and security management.
the technical definition of a gateway endpoint is that it is a network function that provides connectivity, translation, and security between two or more distinct networks. It is a critical component in cloud architecture, enterprise networking, and security design. For IT certification exams, understanding the different types of gateway endpoints and how they operate is essential for designing and troubleshooting network infrastructure.
Real-Life Example
Think about a large airport. The airport itself is like a network of terminals, gates, runways, and operations centers. Inside the airport, everyone follows the same rules: pilots speak to control towers, baggage handlers use the same conveyor systems, and passengers move through security checkpoints. But the airport connects to the outside world, which includes other airports, airlines, and international travel regulations. The airport is like your private network.
Now, imagine an international flight arriving from a foreign country. That plane speaks a different language, maybe its crew files flight plans in a different format, and the passengers have different passports and visas. To enter the airport and connect to the local system, there is a special checkpoint called Customs and Border Protection. This is the gateway endpoint. It is the single point where all incoming traffic from the outside world must pass through before entering the airport's internal network.
The Customs officers at the gateway endpoint do several things. First, they check the flight manifest and compare it to the passenger list. This is like a security policy that checks if the source address and data are allowed. Then, they examine each passenger's passport and visa, which is like inspecting a packet header to verify it is authorized. If a passenger does not have the correct documents, they are turned away. This is like a firewall rule that drops unauthorized packets. If a passenger has special items like agricultural products or large amounts of cash, the officers might need additional processing. This is like protocol translation, where the data needs to be reformatted or inspected more deeply.
Once the passengers are cleared, they are allowed to proceed to the baggage claim and exit into the main airport terminal. This is like the traffic being routed into the internal network. But the airport also has outbound traffic: departing passengers and cargo going to other countries. They also go through the same gateway endpoint, but in reverse. The Customs officers check their documents, ensure they are not carrying prohibited items out, and then let them board the plane. This is like outbound traffic being inspected by the gateway endpoint before leaving the network.
Now, add cloud computing to the picture. Your company's network is like the airport's internal systems. Cloud services like Amazon S3 are like another airport across the ocean. Instead of flying your data through the public internet (which is like flying through open skies with potential turbulence and security risks), you set up a gateway endpoint that connects directly to the cloud service's private network. This is like a dedicated VIP lounge and private tunnel between the two airports. The gateway endpoint at your airport handles all the translation, security checks, and routing so that data can flow securely and efficiently without going through the public internet.
This analogy maps directly to the IT concept: the gateway endpoint is the single, secured point of entry and exit for traffic between two networks. It handles security (customs), translation (language of protocols), and routing (direction to the correct terminal). It protects the internal network by controlling exactly what comes in and goes out, and it simplifies connectivity by providing a known, stable address for external networks to reach you.
Why This Term Matters
Gateway endpoints are fundamental to modern network architecture, especially in cloud computing, because they define how different networks interact. For IT professionals, understanding gateway endpoints is critical for several practical reasons.
First, security. In any network, the gateway endpoint is a natural chokepoint where security policies can be enforced. By funneling all traffic between two networks through a single gateway endpoint, you can implement consistent security rules, monitor traffic, and detect anomalies. This is far more secure than having multiple paths or direct connections that bypass security controls. For example, with AWS VPC Gateway Endpoints, traffic to S3 stays inside the AWS network, avoiding the public internet and reducing the attack surface.
Second, cost and performance. Gateway endpoints often provide better performance and lower latency compared to connecting via public internet. Since traffic does not traverse the public internet, it is not subject to the same congestion, packet loss, or latency variations. Using gateway endpoints can reduce or eliminate data transfer costs. For instance, AWS charges no additional fee for data transfer through VPC Gateway Endpoints in many regions, whereas using an Internet Gateway or NAT Gateway incurs charges.
Third, simplicity and manageability. Instead of configuring complex VPN connections, NAT rules, and routing tables for each remote service, a gateway endpoint provides a single integration point. Once configured, the endpoint automatically routes traffic to the correct destination. This reduces administrative overhead and the chance of misconfiguration.
Fourth, compliance and auditing. Many regulations require that data traverses only approved paths and that all connections are logged. Gateway endpoints can provide detailed audit logs showing who connected, from which IP, to which service, and what data was transferred. This helps meet compliance requirements like HIPAA, PCI-DSS, and SOC 2.
Finally, gateway endpoints are a key topic in major IT certifications. Exams like AWS Certified Solutions Architect – Associate, Azure Administrator (AZ-104), CompTIA Network+, Security+, and Cisco CCNA all include questions about gateway endpoints, their configuration, and their role in network architecture. A solid grasp of this concept helps you answer scenario-based questions correctly and design better networks in the real world.
Without proper understanding of gateway endpoints, professionals risk building networks that are insecure, expensive, or difficult to manage. Ignoring this concept can lead to exposure of critical resources to the public internet, unexpected data transfer costs, and failed compliance audits. Therefore, gateway endpoints matter because they are a core building block of secure, efficient, and manageable network systems.
How It Appears in Exam Questions
Exam questions about gateway endpoints typically fall into three patterns: scenario-based selection, configuration steps, and troubleshooting.
Scenario-based selection: These questions present a business requirement and ask you to choose the correct service or configuration. For example, "A company runs a web application on EC2 instances in a private subnet. They need to upload large amounts of data to S3 without traversing the public internet. What should they use?" The correct answer is a VPC Gateway Endpoint. Another example: "An Azure VM needs to connect to an Azure SQL Database using the lowest latency while keeping traffic off the internet. Which option meets the requirement?" Answer: Enable a Service Endpoint on the VM's subnet for SQL. These questions test your knowledge of use cases and the ability to match features to requirements.
Configuration steps: Less common but still present, especially in AWS and Azure exams. You may be asked to drag and drop steps in the correct order to create a VPC Gateway Endpoint. For instance: Step 1: Create the endpoint in the VPC console. Step 2: Choose the service (e.g., S3). Step 3: Select the VPC and subnets. Step 4: Update the route table to point S3 traffic to the endpoint. In Azure, configuration steps might include: Step 1: Navigate to the subnet in the VNet. Step 2: Enable Service Endpoint for Microsoft.Storage. Step 3: Add the subnet to the storage account firewall. These questions demand precise knowledge of the console or CLI steps.
Troubleshooting: Questions describe a scenario where something is not working and ask you to identify the cause. For example, "An administrator created a VPC Gateway Endpoint for S3 but EC2 instances in the private subnet cannot access S3, even though the route table has a route to the endpoint. What is the most likely issue?" The answer might be that the S3 bucket policy does not allow access from the VPC endpoint, or that the security group of the EC2 instance does not allow outbound traffic to S3. Another common trap is forgetting to add the route table entry explicitly. In Azure, a typical troubleshooting question: "After enabling a Service Endpoint for Storage on the subnet, the VM still cannot access the storage account. What is missing?" Answer: The storage account firewall must be configured to accept traffic from that subnet.
You will also see comparisons. For example, "What is the difference between a VPC Gateway Endpoint and an Interface Endpoint in AWS?" Answer: Gateway endpoints only work with S3 and DynamoDB, are free, and use route table entries. Interface Endpoints cost money, use private IPs, and work with many services. In Azure, the comparison is between Service Endpoints (uses public IP ranges, free) and Private Endpoints (uses private IPs, costs money).
Another pattern is security-focused. You might be asked: "How can you restrict access to an S3 bucket so that only traffic from VPC Gateway Endpoints can read the data?" This tests understanding of bucket policies with the "aws:SourceVpce" condition key.
Finally, some questions incorporate cost considerations. For example, "Which solution reduces data transfer costs when accessing S3 from a VPC: Internet Gateway, NAT Gateway, or VPC Gateway Endpoint?" The correct answer is Gateway Endpoint because it is free and uses the internal network.
Understanding these question patterns helps you focus your study. For each exam, practice scenario-based questions that require you to choose between similar services. Make sure you can explain the trade-offs, not just memorize a single fact.
Practise Gateway endpoint Questions
Test your understanding with exam-style practice questions.
Example Scenario
Scenario: A small business has a web server running on an Amazon EC2 instance inside a Private Subnet in a VPC. The web server hosts a photo-sharing site, and users upload images that need to be stored in Amazon S3. The business wants to ensure that all data transfers between the EC2 instance and S3 remain within the AWS network to improve security and reduce data transfer costs.
Current setup: The VPC has a Public Subnet with a NAT Gateway, and the Private Subnet routes outbound internet traffic through the NAT Gateway. The EC2 instance in the Private Subnet can reach S3 via the NAT Gateway over the internet. However, this path goes through the public internet, which introduces latency and potential security risks. Also, data transfer through the NAT Gateway incurs per-GB costs.
Solution: You decide to create a VPC Gateway Endpoint for S3 in the same region as your VPC. You select the VPC and then add a route to the route table associated with the Private Subnet. The new route has a destination of the S3 service (using its prefix list) and a target of the Gateway Endpoint (endpoint ID). Once the endpoint is created and the route is added, the EC2 instance can access S3 directly over the AWS internal network. The data does not go through the NAT Gateway or the public internet. This reduces latency, improves security because traffic stays within AWS, and eliminates the data transfer costs through the NAT Gateway.
Testing: To verify the change, you can test connectivity from the EC2 instance to S3 using the AWS CLI. For example, you run 'aws s3 ls' and it successfully lists buckets. You can also check the route table to confirm the endpoint route is active. No changes are needed on the EC2 instance itself because the endpoint automatically handles the routing and authentication.
Result: The photo-sharing site now uploads images to S3 quickly and securely, and the monthly AWS bill decreases because data transfer through the NAT Gateway is eliminated. This scenario shows exactly why gateway endpoints are important for secure, cost-effective, and high-performance cloud architectures.
Common Mistakes
Thinking gateway endpoints only work for internet traffic
Gateway endpoints can also connect private networks, such as a VPC to a cloud service over the provider's backbone without ever touching the public internet.
Understand that gateway endpoints can route traffic internally within a cloud provider's network, not just to and from the public internet.
Confusing a gateway endpoint with a NAT Gateway
A NAT Gateway allows outbound internet traffic from private subnets but does not provide private connectivity to specific services. A Gateway Endpoint specifically connects to designated services (e.g., S3, DynamoDB) without going to the internet.
Remember: NAT Gateway = outbound internet access; Gateway Endpoint = private access to specific cloud services.
Assuming gateway endpoints automatically apply to all subnets in the VPC
You must explicitly add a route in each subnet's route table pointing to the endpoint for it to work. Subnets without that route will not use the endpoint.
Always check that the route table for the desired subnet includes a route to the gateway endpoint.
Thinking gateway endpoints are only available for AWS
Similar concepts exist in Azure (Service Endpoints, Private Endpoints) and Google Cloud (Private Services Access, Private Google Access). The term 'gateway endpoint' is often used generally.
Learn the equivalent concepts in other clouds. Understand the general principle of a private connection to a service.
Believing that gateway endpoints are always free
While AWS VPC Gateway Endpoints for S3 and DynamoDB are free, Azure Private Endpoints incur charges for data processing and Private Link. AWS Interface Endpoints also cost money.
Check the pricing model for each specific endpoint type. Free is not universal.
Failing to update security groups or bucket policies after creating a gateway endpoint
Even with a gateway endpoint, the destination service (like S3) may have its own policies that restrict access by IP or source. You need to allow the VPC or endpoint in the service's policy.
Always configure the resource-based policy of the service to accept traffic from the gateway endpoint or the VPC.
Exam Trap — Don't Get Fooled
{"trap":"When asked how to connect a private EC2 instance to S3 without internet, many learners choose a NAT Gateway instead of a VPC Gateway Endpoint, thinking the NAT Gateway is more general.","why_learners_choose_it":"NAT Gateways are familiar for providing outbound internet access to private instances. Learners often assume that accessing S3 requires internet, so they go with the NAT Gateway route."
,"how_to_avoid_it":"Remember that cloud services like S3 are available via internal endpoints. Look for keywords 'private connectivity', 'stay within the network', 'reduce data transfer costs' – those point to a Gateway Endpoint, not a NAT Gateway."
Commonly Confused With
A NAT Gateway allows instances in a private subnet to initiate outbound traffic to the internet but does not allow inbound traffic from the internet. A Gateway Endpoint specifically connects a VPC to a cloud service privately, without going to the internet.
To let a private EC2 instance download a file from an external website, use a NAT Gateway. To let it upload files to S3 privately, use a VPC Gateway Endpoint.
An Internet Gateway allows a VPC to communicate with the full internet (both inbound and outbound). A Gateway Endpoint only connects to a specific service and only works within the cloud provider's network.
To host a public website that receives visitors from the internet, attach an Internet Gateway to the VPC. To let a private instance access S3 without internet, use a Gateway Endpoint.
VPC Peering connects two VPCs directly using private IP addresses. A Gateway Endpoint connects a VPC to a specific service (like S3) but not to another VPC.
To connect VPC A to VPC B so instances can communicate directly, use VPC Peering. To connect VPC A to S3, use a Gateway Endpoint.
A VPN Gateway connects an on-premises network to a VPC over an encrypted tunnel over the internet. A Gateway Endpoint connects a VPC to a cloud service, not to an on-premises network.
To allow your office network to access resources in AWS, set up a VPN Gateway. To let your AWS VPC access S3 privately, use a Gateway Endpoint.
Interface Endpoints also provide private connectivity to AWS services, but they use Elastic Network Interfaces (ENIs) with private IPs and are charged per hour and per GB. Gateway Endpoints are free and use route table entries instead of ENIs.
To connect privately to SQS or SNS, you need an Interface Endpoint. To connect privately to S3, you can use a Gateway Endpoint (free) or an Interface Endpoint (paid).
Step-by-Step Breakdown
Identify the need
Determine which network needs to connect to which service or external network. For example, a VPC needs private access to an S3 bucket.
Choose the endpoint type
Select the appropriate gateway endpoint service. In AWS, for S3 or DynamoDB, use a VPC Gateway Endpoint. In Azure, choose Service Endpoint or Private Endpoint based on cost and isolation needs.
Create the endpoint via console or API
Navigate to the endpoint creation wizard. Specify the VPC and the service you want to connect to. Optionally select subnets, though for Gateway Endpoints, you assign them via route tables later.
Configure route tables
Add a route in the route table of each subnet that needs access. The destination is the service’s prefix list (e.g., com.amazonaws.region.s3), and the target is the endpoint ID. This ensures traffic to the service is directed to the endpoint.
Update security groups and network ACLs
Ensure that security groups on the source instances allow outbound traffic to the service, and that network ACLs permit the traffic. For cloud services, security groups usually need an outbound rule for HTTPS (443) to the destination.
Configure the service’s access policy
On the service side (e.g., S3 bucket policy), add a condition that restricts access to only the VPC endpoint or VPC. This enhances security. For example, use the aws:SourceVpce condition in S3 bucket policies.
Test connectivity
From a resource in the subnet, try to access the service (e.g., run aws s3 ls). If it fails, check route table entries, security groups, and service policies. Also verify that the endpoint is in 'available' state.
Monitor and audit
Use VPC Flow Logs or Azure Monitor to see if traffic is flowing through the endpoint. Confirm that the data path is private (no public internet involved). Adjust policies as needed based on usage patterns.
Practical Mini-Lesson
Let us dive deeper into how gateway endpoints work in practice, what professionals need to know, and common pitfalls.
A gateway endpoint is not a device you install, but a logical object that the cloud provider manages. In AWS, when you create a VPC Gateway Endpoint for S3, AWS sets up a distributed infrastructure that includes multiple highly available endpoints. You do not need to assign an IP address to it; instead, the endpoint is identified by its ID (e.g., vpce-xxxx). The key operational detail is the route table entry. Without a route in the subnet’s route table that points to the endpoint, the endpoint simply does nothing. This is a common point of failure: admins create the endpoint but forget to add the route, then wonder why connectivity does not work.
Another practical point is endpoint policies. You can attach an AWS IAM policy directly to the endpoint to restrict which resources or actions are allowed. For example, you can create an endpoint policy that only allows GetObject on a specific S3 bucket. This provides an additional layer of security. Professionals often combine endpoint policies with bucket policies to enforce least privilege.
In Azure, a Service Endpoint is enabled at the subnet level. This changes the routing behavior so that traffic to the Azure service is directed over the Microsoft backbone. However, the service still sees traffic coming from the public IP range of the service, not from a private IP inside the VNet. This means you cannot use private IP-based firewall rules on the service side. To get true private IPs, you need a Private Endpoint, which uses a network interface in the VNet. The cost difference is significant: Service Endpoints are free, Private Endpoints incur charges.
What can go wrong? Common issues include: incorrect route table configuration, missing endpoint policies, security group rules that block outbound traffic, and service firewall settings that reject traffic from the endpoint. For example, in Azure, if you enable Service Endpoint on a subnet but forget to add the subnet to the storage account’s firewall rules, the storage account will still block the traffic because it does not recognize the subnet as a valid source. In AWS, a similar issue occurs if the S3 bucket policy does not have an explicit allow for the VPC endpoint.
Another real-world consideration is that gateway endpoints do not support multicast or broadcast traffic. They are unicast only. Also, you cannot use a gateway endpoint to connect to services in a different region; they are region-specific. For cross-region access, you need an Interface Endpoint or other solutions.
Professionals also need to understand that gateway endpoints are not suitable for all services. In AWS, only S3 and DynamoDB support Gateway Endpoints. For other services like Kinesis, SQS, or Lambda, you must use Interface Endpoints or public connections. In Azure, Service Endpoints work with many services, but not all; for example, Azure App Service requires a Private Endpoint.
Finally, monitoring is critical. Use VPC Flow Logs to verify that traffic is flowing through the endpoint and not via the internet. You can also use AWS CloudTrail to log API calls made through the endpoint. In Azure, use NSG flow logs and Azure Monitor for similar insights. Understanding these operational aspects will help you not only pass exams but also manage real cloud networks effectively.
Understanding Gateway Endpoint and Its Core Use Case
A Gateway Endpoint is a type of VPC Endpoint in Amazon Web Services that provides private connectivity from within a Virtual Private Cloud to specific AWS services over the AWS network, without traversing the public internet. Unlike Interface Endpoints, which use Elastic Network Interfaces and private IP addresses for services like API Gateway or CloudWatch, Gateway Endpoints are specifically designed for Amazon S3 and DynamoDB. They are conceptually simpler: they attach to a route table in your VPC and add a target for the service's prefix list. When traffic destined for the service matches that route, it is routed directly to the service via the AWS global backbone, bypassing internet gateways, NAT gateways, or VPN connections.
The primary use case for Gateway Endpoints is secure, low-latency access to S3 buckets and DynamoDB tables from within a VPC, especially when compliance requirements mandate that data never leave the AWS network. This is critical for workloads such as analytics pipelines that store intermediate results in S3, or serverless applications that read and write to DynamoDB. By using a Gateway Endpoint, you eliminate the need for public IP addresses on your instances and avoid data transfer costs over the internet. In the context of the AWS Certified Solutions Architect Associate exam, Gateway Endpoints are a high-value topic because they are a cost-effective and secure method for private connectivity. You should understand that they work at the route table level and do not use DNS resolution changes by default, unlike Interface Endpoints, which use Route 53 private hosted zones. Gateway Endpoints are free to create, though standard data transfer charges apply when traffic flows through them within the same region.
Exams also test the distinction between Gateway Endpoints and Interface Endpoints. Gateway Endpoints support only S3 and DynamoDB, while Interface Endpoints support over 100 services (though historically fewer at launch). Another key exam point is that Gateway Endpoints are not supported for cross-region access; they only work within the same region as the VPC. Gateway Endpoints do not support AWS PrivateLink-based services, those require Interface Endpoints. When you create a Gateway Endpoint, AWS automatically adds a prefix list (S3 prefix or DynamoDB prefix) to your route table, and you can control access via VPC Endpoint Policies, which are JSON documents that restrict what actions principals in the VPC can take on the service. This enables fine-grained security, such as allowing only read access to S3 from specific instances.
In the CCNA and Network+ exams, the concept of route-based connectivity is similar to policy-based routing, but Gateway Endpoints are specific to cloud. The AZ-104 exam for Azure covers Azure Private Link, which is analogous but differs in implementation. The Google ACE exam covers Private Google Access, which is a similar concept for on-premises or VM-to-Google-service connectivity. Understanding Gateway Endpoints helps you compare cloud networking models across platforms. Overall, Gateway Endpoints are a fundamental building block for secure, direct, and cost-optimized cloud architecture.
Gateway Endpoint vs Interface Endpoint: Key Differences for Exams
One of the most frequently tested distinctions in cloud networking exams is the difference between Gateway Endpoints and Interface Endpoints. Gateway Endpoints, as noted, are exclusively used with Amazon S3 and DynamoDB. They are not IP-based at the endpoint level; instead, they rely on route table entries that point to the service’s prefix list. Interface Endpoints, in contrast, are powered by AWS PrivateLink and create an Elastic Network Interface inside your VPC with a private IP address. This allows you to access supported services (like Amazon SNS, SQS, Kinesis, and many SaaS partner services) using private IPs, and you can enable Private DNS for seamless name resolution.
From a cost perspective, Gateway Endpoints are free, you pay only for standard data transfer charges when accessing S3 or DynamoDB through them. Interface Endpoints incur hourly charges plus data processing fees, making Gateway Endpoints more economical for high-volume S3 and DynamoDB traffic. This cost difference is a common exam scenario: when asked to choose the cheapest way to connect a VPC to S3 privately, the answer is always a Gateway Endpoint.
Security-wise, Gateway Endpoints support VPC Endpoint Policies (resource-based policies) that allow you to restrict actions, principals, and conditions. Interface Endpoints also support endpoint policies, but they additionally rely on Security Groups attached to the ENI, giving another layer of control. Gateway Endpoints cannot have Security Groups attached directly; their security is handled at the route table (controlling which subnets can use the endpoint) and via the policy. In the A+ and Security+ exams, you may be asked about the security implications of different endpoint types. Gateway Endpoints are considered more secure for S3 because traffic never leaves the AWS network and you can enforce a policy that only allows access to specific buckets.
Another critical difference is how they handle DNS resolution. Interface Endpoints, when configured with Private DNS, automatically resolve the default service DNS names (e.g., s3.us-east-1.amazonaws.com) to the private IP of the ENI. Gateway Endpoints do not change DNS resolution; they rely on the route table to intercept traffic destined for the service’s public IP range. This means if you need to access S3 from a VPC using the standard S3 endpoint URLs, you must ensure the traffic is routed correctly via the Gateway Endpoint. On exams, this often appears as a scenario where a Gateway Endpoint is configured but the S3 requests still go over the internet, the cause is usually missing or incorrect route table entries, or the traffic originates from a subnet not associated with the route table.
For cross-region access, Gateway Endpoints are region-scoped. You cannot create a Gateway Endpoint in one region and use it to access S3 buckets in another region. You would need a Gateway Endpoint in each region, or use an Interface Endpoint if supported (but S3 does not support cross-region Interface Endpoints either). Interface Endpoints are also region-specific but can be used with VPC Peering or Transit Gateway for inter-region traffic, though with added complexity.
In the AZ-104 exam, Azure’s Private Endpoint (for Private Link) is similar to Interface Endpoint, while Service Endpoints (which are deprecated) were more like Gateway Endpoints. Understanding these parallels helps in multi-cloud exam preparation. The Google ACE exam has Private Google Access for on-premises and VPC Private Services for Google APIs. Knowing when to use Gateway Endpoint versus Interface Endpoint is a cornerstone of VPC networking questions. Always remember: S3 and DynamoDB are the two services that support Gateway Endpoints; all other services use Interface Endpoints. This simple rule will help you answer multiple-choice questions quickly.
Gateway Endpoint Policies: Fine-Grained Security Control
Gateway Endpoint Policies are JSON-based resource policies that you attach to a Gateway Endpoint to control what actions can be performed on the associated AWS service (S3 or DynamoDB) from within your VPC. These policies are a critical security feature in the AWS Shared Responsibility Model, enabling you to enforce least-privilege access even at the network layer. The policy can specify which IAM principals (users, roles, or accounts) can access the service, which actions are allowed or denied, and conditions such as IP address ranges, VPC IDs, or tags. This granularity is a favorite topic in the Security+ exam and the AWS SAA exam, where you must design secure VPC architectures.
A standard Gateway Endpoint policy for S3 might restrict access to only a specific bucket, deny all delete operations, or require that requests originate from a particular VPC. For example, you can create a policy that allows only GetObject and PutObject actions from your VPC, blocking ListBucket or DeleteObject to prevent data exfiltration. This is especially important in regulated industries like healthcare or finance. In an exam scenario, you might be asked to pick the policy that allows an EC2 instance in a private subnet to upload logs to S3 but not read other buckets. The correct answer will use the "Action": "s3:PutObject" and a condition that the bucket name matches a specific prefix.
For DynamoDB Gateway Endpoints, policies can restrict access to specific tables, deny certain operations like DeleteTable, or require HTTPS (which is already enforced by DynamoDB APIs). However, note that DynamoDB Gateway Endpoints are less commonly used because DynamoDB Accelerator (DAX) and Global Tables often require different architectural patterns. Nonetheless, the exam tests their existence and basic policy syntax.
One key point for exams: Gateway Endpoint Policies work in conjunction with IAM policies. If a principal in your VPC is allowed by an IAM policy but denied by the endpoint policy, the overall result is deny (explicit deny overrides allow). This is a classic security evaluation chain you must understand. Also, Gateway Endpoints do not support Security Groups or NACLs directly; the route table association is the only network-level control for which subnets can use the endpoint. To restrict traffic to specific instances, you use the endpoint policy with conditions on source IP or VPC endpoint ID.
In the CCNA and Network+ exams, you learn about ACLs and firewall rules; Gateway Endpoint policies are the cloud equivalent for service-level access control. The AZ-104 exam covers Azure Service Endpoint policies (now deprecated in favor of Private Link), but the concept of restricting service access at the network level is identical. For Google ACE, VPC Private Services with custom DNS requires similar policy thinking.
A common exam trap is the assumption that a Gateway Endpoint alone provides security, it does not. You must combine it with endpoint policies, correct route tables, and proper IAM permissions. If you create a Gateway Endpoint without a restrictive policy, any resource in the associated subnets can access any S3 bucket (if the IAM permissions allow). This is why always recommend attaching a least-privilege policy. The exam question might present a scenario where a company creates a Gateway Endpoint but still experiences a data breach because the endpoint policy allowed all actions. The solution is to add a condition to restrict access to only production buckets.
Gateway Endpoint Policies are powerful tools for implementing network-level security for S3 and DynamoDB. They are easy to audit, JSON-based, and can be attached at creation or modified later. Memorize the common patterns: allow specific resources, deny destructive actions, and condition on VPC ID. These will appear in your AWS SAA, Security+, and AZ-104 exams as part of firewall and access control scenarios.
Gateway Endpoint Troubleshooting and Cost Optimization Strategies
Troubleshooting Gateway Endpoints often involves connectivity issues where traffic between a VPC and S3 (or DynamoDB) still goes over the internet despite an endpoint being present. The most common cause is that the route table associated with the endpoint is not attached to the subnet where the instance resides. When you create a Gateway Endpoint, AWS automatically adds a route to the service’s prefix list with a target of the endpoint ID. However, this route is only visible in the route table you selected during endpoint creation. If your instance is in a subnet that uses a different route table, the traffic will fall back to the default route (e.g., an Internet Gateway or NAT Gateway). This is a classic exam scenario: the developer sees high data transfer costs and discovers that S3 traffic is going through the NAT Gateway. The solution is to associate the correct route table with the endpoint or move the instance to a subnet that uses that route table.
Another common issue is that the Gateway Endpoint policy is too restrictive, causing Access Denied errors even though IAM permissions are fine. For example, if the endpoint policy only allows requests from a specific VPC, but the request comes from a peered VPC or an on-premises network via AWS Direct Connect, it will be denied. You can add conditions to allow specific external VPCs or use a broader policy. The exam may ask you to diagnose why an on-premises application cannot reach S3 through a Direct Connect VIF and a Gateway Endpoint, the answer is that Gateway Endpoints only work for traffic originating from within the VPC (and associated subnets), not from on-premises. For on-premises access, you need an Interface Endpoint or a VPN with proper routing.
Performance and cost optimization are also tested. Gateway Endpoints are free, but data transfer charges apply. To optimize costs, ensure you do not have multiple Gateway Endpoints for the same service in the same VPC, you only need one per service, and it can be shared across subnets via route tables. Also, avoid using Gateway Endpoints when you can use VPC Peering or AWS Transit Gateway to reduce data transfer costs? Actually, Gateway Endpoints are the cheapest option for S3/DynamoDB within the same region. For cross-region, you must use S3 Transfer Acceleration or cross-region replication, but Gateway Endpoints won't help.
A troubleshooting clue for the AWS SAA exam: if an EC2 instance using a Gateway Endpoint can retrieve S3 objects but cannot list buckets, the endpoint policy likely allows GetObject but not ListBucket. This is intentional for security. Another clue: if you have multiple route tables, ensure that the Gateway Endpoint route does not conflict with a more specific route (e.g., a route to a NAT Gateway) that points to the same destination. The most specific route wins, so if you have a route to 0.0.0.0/0 with a NAT Gateway, and a route to the S3 prefix with the Gateway Endpoint, traffic to S3 will use the Gateway Endpoint (because prefix is more specific). But if you accidentally add a route for the same prefix to the NAT Gateway, it will create a conflict and AWS will remove the duplicate.
In the Network+ and CCNA exams, you learn about route prioritization and default gateways. This concept is directly applied here. The AZ-104 exam tests similar troubleshooting for Azure Private Link: connectivity issues often stem from incorrect DNS resolution or network security groups. For Google ACE, VPC Private DNS is a common pain point.
Another cost optimization tip: use Gateway Endpoints to avoid NAT Gateway data processing costs for S3 and DynamoDB traffic. Many enterprises migrate their data pipelines to use Gateway Endpoints specifically to reduce monthly bills. In an exam, you might be asked to design a cost-effective solution for a data lake that ingests data into S3 from EC2 instances in private subnets. The answer should include a Gateway Endpoint over a NAT Gateway because the NAT Gateway incurs hourly charges and per-GB processing fees, whereas the Gateway Endpoint has no hourly cost.
Finally, remember that Gateway Endpoints cannot be used with AWS PrivateLink or cross-account access directly. If you need to allow a different AWS account to access your S3 bucket through your VPC, you must use bucket policies or IAM roles, not the Gateway Endpoint alone. The endpoint policy only controls traffic within your own VPC. For multi-account scenarios, consider using an Interface Endpoint for S3 (now supported) or AWS Resource Access Manager.
troubleshooting Gateway Endpoints revolves around route tables, policies, and traffic origination. Cost optimization is clear: use them for S3 and DynamoDB to avoid costly NAT gateways. Master these points, and you'll ace the networking sections of cloud exams.
Troubleshooting Clues
Gateway Endpoint not routing S3 traffic as expected
Symptom: EC2 instance in private subnet still uses the NAT Gateway or Internet Gateway to reach S3, causing high costs and slower speeds.
The route table associated with the Gateway Endpoint must be attached to the subnet where the instance resides. If the instance is in a subnet using a different route table, the Gateway Endpoint route is not present, and traffic falls back to the default route (e.g., 0.0.0.0/0 to IGW or NAT). Also, ensure the Gateway Endpoint is in the same region and the service name matches the region exactly.
Exam clue: Exam questions often give a scenario with a Gateway Endpoint created but still seeing NAT Gateway traffic. The correct answer is to check the route table association for the subnet.
Access denied when accessing S3 through Gateway Endpoint
Symptom: EC2 instance receives AccessDenied errors despite having proper IAM permissions and bucket policy allowing access.
The Gateway Endpoint policy may be too restrictive. For example, it might require the aws:SourceVpc condition to match a specific VPC ID, but the request is coming from a different VPC or from an on-premises network. Also, the endpoint policy might deny certain actions (like ListBucket) that are needed by the application. Check the endpoint policy JSON for any explicit denies or missing allowed actions.
Exam clue: In exams, the answer often involves modifying the endpoint policy to include the required actions or correct conditions. Look for keywords like 'endpoint policy' in the answer choices.
Gateway Endpoint shows 'pending' or 'failed' status
Symptom: After creating the Gateway Endpoint, it stays in a 'pending' state for more than a minute or transitions to 'failed'.
This usually indicates a network resource limit (e.g., too many endpoints in the VPC, or route table limit exceeded) or an invalid service name. Also, if the route table specified belongs to a different VPC, the endpoint creation fails. Check service quotas and verify the service name (e.g., com.amazonaws.us-east-1.s3). The route table must be in the same VPC as the endpoint.
Exam clue: Exam questions might ask why an endpoint failed to create. Look for answer choices related to cross-VPC route tables or service name typos.
Gateway Endpoint not working with VPC Peering or Transit Gateway
Symptom: An instance in a peered VPC cannot access S3 through a Gateway Endpoint that is in the central VPC.
Gateway Endpoints are scoped to a single VPC and its route tables. They do not propagate through VPC peering connections or Transit Gateway. For cross-VPC access to S3, you need either a Gateway Endpoint in each VPC (with separate route tables) or use an Interface Endpoint for S3 (which supports cross-VPC access via PrivateLink and Transit Gateway).
Exam clue: This is a classic trick: Gateway Endpoints only work within the same VPC, not across peering. The exam may offer a solution creating a Gateway Endpoint in each VPC or switching to Interface Endpoint.
Bucket policy condition 'aws:SourceVpce' not matching Gateway Endpoint
Symptom: S3 bucket policy uses aws:SourceVpce condition with the Gateway Endpoint ID, but requests from within the VPC are denied.
Gateway Endpoints do not support the aws:SourceVpce condition key correctly for all operations; they use aws:SourceVpc instead. The aws:SourceVpce condition key is intended for Interface Endpoints (PrivateLink). You should use aws:SourceVpc with the VPC ID for Gateway Endpoints.
Exam clue: This is a gotcha: 'aws:SourceVpce' works with Interface Endpoints, but for Gateway Endpoints, use 'aws:SourceVpc'. The exam may present both and ask you to choose the correct condition key.
High latency when using Gateway Endpoint for S3
Symptom: S3 access through Gateway Endpoint has higher latency than expected, sometimes similar to internet access.
Gateway Endpoints route traffic over the AWS backbone, but they rely on prefix list routes. If the VPC has multiple routes that match the S3 prefix (e.g., a more specific route via a VPN or Direct Connect), the traffic may take a suboptimal path. Also, if the endpoint is in a different Availability Zone than the workload, latency can increase. Ensure that the prefix list route is the most specific and that there are no conflicting routes.
Exam clue: Exam questions about performance issues with Gateway Endpoints might point to misconfigured routing or AZ mismatch. Consider route analysis and prefix list ordering.
DynamoDB requests slow or timing out through Gateway Endpoint
Symptom: DynamoDB queries from EC2 instances are slow or fail intermittently when using a Gateway Endpoint.
DynamoDB Gateway Endpoints have some limitations: they do not support all DynamoDB features like Global Tables or DAX. Also, the endpoint policy might be blocking certain operations (e.g., Scan requests if restricted). Network congestion in the VPC or throttling at the DynamoDB level could also be the cause. Check CloudWatch metrics for write and read capacity units.
Exam clue: On the exam, DynamoDB Gateway Endpoint troubleshooting often relates to policy restrictions or unsupported features. The solution may involve switching to an Interface Endpoint if DynamoDB Accelerator (DAX) is needed.
Memory Tip
Think 'G for Gateway, G for Go private' – Gateway Endpoints let you go directly to services without touching the internet, and they are often free (Good for your budget).
Learn This Topic Fully
This glossary page explains what Gateway endpoint means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →200-301Cisco CCNA →N10-009CompTIA Network+ →AZ-104AZ-104 →ACEGoogle ACE →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →SC-900SC-900 →SOA-C02SOA-C02 →PCAGoogle PCA →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Quick Knowledge Check
1.Which two AWS services can be accessed via a Gateway Endpoint?
2.A developer created a Gateway Endpoint for S3 in a VPC but notices that data transfer costs remain unchanged, with traffic still going through the NAT Gateway. What is the most likely cause?
3.Which of the following statements is true about Gateway Endpoint policies?
4.An architect wants to reduce S3 data transfer costs from EC2 instances in private subnets. Which solution is most cost-effective?
5.An application hosted in a peered VPC cannot access an S3 bucket through a Gateway Endpoint in the central VPC. What should the architect do to resolve this?
6.When troubleshooting an Access Denied error on S3 through a Gateway Endpoint, which two places should you check first? (Choose two)