This chapter covers VPC Gateway Endpoints for Amazon S3 and DynamoDB, comparing them with NAT Gateway/Instance for private subnet access. Understanding when to use Gateway Endpoints versus NAT is critical for cost optimization and security, and appears in approximately 10-15% of SAA-C03 exam questions. You will learn the mechanics of Gateway Endpoints, how they differ from Interface Endpoints and NAT, and how to configure and troubleshoot them. By the end, you'll be able to eliminate wrong answers that confuse endpoint types or overlook cost implications.
Jump to a section
Imagine a large office building with 100 employees (EC2 instances) in a private wing (private subnet). They need to communicate with two external services: the mail room (S3) in the same building and the archive room (DynamoDB) also in the building. The building has a strict security policy: no external entity can initiate contact with employees. For mail room and archive room access, the building installs a dedicated intercom system (Gateway Endpoint) directly connecting the private wing to these rooms. Each employee simply dials the intercom number, and the connection is made without ever leaving the building. The intercom is free to use, has no capacity limits, and does not require any external lines. Now, for accessing the external internet (e.g., software updates, external APIs), the building has a phone switchboard (NAT Gateway). When an employee needs to call out, they dial 9, then the external number. The switchboard picks up, records the employee's extension, replaces it with the single public phone number (EIP) of the building, and places the call. When the external party responds, the switchboard looks up its log and routes the call back to the correct extension. This switchboard costs money per minute and has a limited number of simultaneous calls. Critically, the intercom cannot reach external numbers, and the switchboard cannot reach the mail room—they are separate systems. The exam tests your ability to choose the right communication method based on destination and cost.
What are VPC Gateway Endpoints and Why Do They Exist?
A VPC Gateway Endpoint is a logical gateway component that allows instances within a VPC to access Amazon S3 or DynamoDB without traversing the public internet. It is a horizontally scaled, highly available service that uses AWS's internal network. The key motivation is cost and security: traffic to S3/DynamoDB via Gateway Endpoints incurs no data transfer charges (unlike NAT Gateway which charges per GB) and never leaves the AWS network, reducing exposure to internet-based threats.
How Gateway Endpoints Work Internally
Gateway Endpoints work by adding a prefix list to the VPC's route table. When you create a Gateway Endpoint for S3, AWS creates a prefix list (e.g., pl-6da54004 for S3 in us-east-1) representing the IP address ranges of S3 in that region. You then add a route in your route table pointing the prefix list to the endpoint ID (e.g., vpce-xxxx). When an instance in a private subnet sends a packet destined for S3, the VPC router matches the destination IP to the prefix list and forwards the packet to the Gateway Endpoint instead of the internet gateway. The endpoint then forwards the traffic to S3 over the AWS backbone. The response follows the reverse path. No NAT is needed, and the source IP of the instance is preserved (not translated), which is useful for S3 bucket policies that restrict access by VPC endpoint or source IP.
Key Components, Values, Defaults, and Timers
Prefix List: A managed set of CIDR blocks for a service. AWS updates it automatically when IP ranges change. You cannot modify it. The prefix list ID is region and service specific.
Route Table: You add a route with destination = prefix list ID and target = gateway endpoint ID. Only one route per endpoint per route table is needed.
Endpoint Policy: An IAM resource policy attached to the endpoint that controls which principals can access which S3 buckets or DynamoDB tables. Default allows full access. You can restrict by bucket, action, or source VPC.
No Data Transfer Charges: Traffic between VPC and S3/DynamoDB via Gateway Endpoint is free. Only standard S3/DynamoDB request charges apply.
No Availability Zone Dependencies: Gateway Endpoints are region-wide, not AZ-specific. They are highly available by default.
No Bandwidth Limits: Gateway Endpoints scale horizontally with traffic. No throttling at the endpoint level.
No DNS Changes: S3 and DynamoDB DNS names resolve to public IPs by default. To force traffic through the endpoint, you must either use a private DNS option (if using Interface Endpoint) or ensure route table has the prefix list route. For Gateway Endpoints, the public IPs are still used, but the route table entry ensures traffic goes through the endpoint.
Configuration and Verification
Creating a Gateway Endpoint (AWS CLI):
aws ec2 create-vpc-endpoint --vpc-id vpc-12345678 --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-12345678Adding a route to route table:
aws ec2 create-route --route-table-id rtb-12345678 --destination-prefix-list-id pl-6da54004 --vpc-endpoint-id vpce-12345678Verification:
- Check route table: aws ec2 describe-route-tables --route-table-ids rtb-12345678 — look for a route with destination prefix list ID and target vpce-xxx.
- From an instance, run curl -I https://s3.us-east-1.amazonaws.com — if the route is correct, the response should succeed. Use traceroute to see hops stay within AWS.
- Check endpoint state: aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-12345678 — status should be "available".
Interaction with Related Technologies
NAT Gateway: Used for internet access, not S3/DynamoDB. NAT Gateway charges per hour and per GB processed. If you accidentally route S3 traffic through NAT, you incur unnecessary costs.
Interface Endpoint (AWS PrivateLink): Another type of VPC endpoint that uses an Elastic Network Interface (ENI) in a subnet. Interface Endpoints are used for many AWS services (e.g., SNS, SQS, Kinesis) and support on-premises access via Direct Connect or VPN. They incur hourly charges and data processing fees. For S3/DynamoDB, Gateway Endpoint is cheaper and simpler.
S3 Bucket Policies: Can restrict access to only allow requests from a specific VPC endpoint. Use the aws:SourceVpce condition key. Example:
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringNotEquals": {
"aws:SourceVpce": "vpce-12345678"
}
}
}VPC Peering: Gateway Endpoints cannot be accessed across a VPC peering connection. Each VPC needs its own endpoint. If you need cross-VPC access, use Interface Endpoint or Transit Gateway with appropriate routes.
Direct Connect/VPN: Gateway Endpoints are not accessible from on-premises networks via Direct Connect or VPN. For on-premises access to S3 via private IP, use Interface Endpoint or a proxy in the VPC.
Common Misconfiguration: Route Table Order
Route tables have a most specific match rule. If you have a route to 0.0.0.0/0 via NAT Gateway and a route to the S3 prefix list via Gateway Endpoint, traffic to S3 will match the more specific prefix list route. However, if you accidentally add a more specific route (e.g., a /16 that overlaps with S3 IPs) pointing to NAT, traffic could be misrouted. Always verify route table entries.
Performance and Scaling
Gateway Endpoints scale automatically with traffic. There is no need to provision capacity. AWS uses a distributed system that handles bursts. Latency is minimal because traffic stays within the AWS network. For very high throughput workloads (e.g., big data analytics), Gateway Endpoints perform well without additional cost.
Security Implications
Because traffic never leaves AWS, Gateway Endpoints reduce attack surface. However, you must still secure access with bucket policies and endpoint policies. The source IP of the instance is preserved, so you can restrict by VPC or subnet CIDR if needed. Also, Gateway Endpoints support VPC Flow Logs, so you can monitor traffic.
Create Gateway Endpoint
In the VPC console, navigate to Endpoints, click Create Endpoint. Select 'Gateway' type. Choose 'com.amazonaws.region.s3' or 'com.amazonaws.region.dynamodb'. Select the VPC. For S3, you must select at least one route table. The endpoint will automatically add a route to the selected route tables pointing the prefix list to the endpoint. If you don't select a route table now, you can add routes later. The endpoint policy defaults to full access. After creation, the endpoint state transitions from 'pending' to 'available' within a few seconds.
Verify Route Table Update
Check the route table(s) you selected. You should see a new route with destination as the prefix list ID (e.g., pl-6da54004) and target as the endpoint ID (e.g., vpce-xxxx). This route is more specific than the default route (0.0.0.0/0). Any traffic from subnets associated with this route table to S3 IPs will be directed to the endpoint. If you need to add additional route tables later, you can edit the endpoint and add them.
Test Connectivity from Instance
Launch an EC2 instance in a private subnet associated with the route table. SSH into it (via bastion host or Systems Manager). Run `aws s3 ls` (if CLI configured) or `curl -I https://s3.us-east-1.amazonaws.com`. If successful, traffic is flowing through the endpoint. Use `traceroute` to see the path — it should show internal AWS IPs. If it fails, check route table, security groups, and NACLs. Ensure the instance has outbound HTTPS (443) allowed. Also verify the endpoint state is 'available'.
Apply Endpoint Policy (Optional)
To restrict access, edit the endpoint and attach a custom policy. For example, to allow access only to a specific S3 bucket: `{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}`. This policy overrides any IAM policies? No, it works in conjunction. The effective access is the intersection of IAM and endpoint policy. You can also use conditions like `aws:SourceVpce` in bucket policies to enforce that requests come through the endpoint.
Monitor with VPC Flow Logs
Enable VPC Flow Logs on the subnet or ENI. You will see entries for traffic to S3/DynamoDB with the source IP of the instance and destination IP from the prefix list. The log will show ACCEPT records. This helps in auditing and troubleshooting. Note that Flow Logs do not capture traffic within the endpoint itself, only the traffic between the instance and the endpoint.
Enterprise Scenario 1: Data Lake Ingestion
A financial services company runs a data lake on Amazon S3. They have hundreds of EC2 instances in private subnets that constantly upload and download terabytes of data daily. Initially, they used a NAT Gateway for internet access, which also routed S3 traffic through the NAT. Their monthly NAT data processing charges exceeded $10,000. The network team created a Gateway Endpoint for S3 and added the route to all private route tables. After the change, NAT data processing dropped to near zero (only internet traffic remained). The team also applied an endpoint policy restricting access to specific S3 buckets used by the data lake. They used bucket policies with aws:SourceVpce condition to ensure only traffic from the endpoint could access the buckets. Result: $9,000/month savings and improved security. Misconfiguration risk: If they had forgotten to remove the S3 route from the NAT route table, traffic would have still gone through NAT, incurring charges. They verified by checking Flow Logs and seeing destination IPs in the S3 range.
Enterprise Scenario 2: Hybrid Backup with DynamoDB
A healthcare company uses DynamoDB for patient records. They have on-premises backup servers that need to write to DynamoDB. They use AWS Direct Connect to connect their on-premises network to the VPC. They need to access DynamoDB privately. Gateway Endpoints are not accessible from on-premises (they are VPC-only), so they use an Interface Endpoint (AWS PrivateLink) for DynamoDB instead. However, for EC2 instances within the VPC that process backups, they use a Gateway Endpoint for DynamoDB to avoid data transfer costs. The on-premises servers use the Interface Endpoint, paying per hour and per GB. This hybrid approach optimizes cost: VPC instances pay nothing for DynamoDB traffic, while on-premises traffic incurs Interface Endpoint charges. Common mistake: Trying to use Gateway Endpoint for on-premises access, which fails because the route table only applies to VPC traffic.
Scenario 3: Multi-Account Centralized Access
An enterprise uses AWS Organizations with multiple accounts. They want to centralize S3 access through a shared services VPC. They create a Gateway Endpoint in the shared services VPC. However, other VPCs (in other accounts) cannot use this endpoint directly because Gateway Endpoints are not transitive across VPC peering or Transit Gateway. Instead, they use Transit Gateway with a centralized NAT instance or a proxy. Alternatively, each VPC deploys its own Gateway Endpoint. The exam tests this limitation: Gateway Endpoints are VPC-scoped. For cross-account or cross-VPC access, use Interface Endpoints or a proxy.
SAA-C03 Exam Focus: VPC Gateway Endpoints vs NAT
The exam tests your ability to choose the most cost-effective and secure method for private subnet access to S3 and DynamoDB. The key objective is Cost Optimization (Objective 4.4). Approximately 10-15% of questions touch on VPC endpoints, often as part of a larger scenario. The exam expects you to know:
Gateway Endpoints are free (no hourly or per-GB charges).
NAT Gateway charges per hour and per GB processed.
NAT Instance has similar charges but also management overhead.
Gateway Endpoints are only for S3 and DynamoDB.
Interface Endpoints (PrivateLink) are for other services and incur charges.
Gateway Endpoints are not accessible from on-premises (Direct Connect/VPN) or across VPC peering.
Common Wrong Answers and Why Candidates Choose Them
"Use a NAT Gateway for private subnet access to S3." Candidates see "private subnet" and immediately think NAT. They forget that Gateway Endpoints exist. The exam will present a scenario where cost is a concern; the correct answer is Gateway Endpoint.
"Use an Interface Endpoint for S3." Candidates know about PrivateLink and think it's the only endpoint type. They don't realize Gateway Endpoints are available and cheaper. The exam tests this distinction: Interface Endpoints cost money, Gateway Endpoints are free.
"Gateway Endpoints can be used across VPC peering." Candidates assume endpoints work like any other VPC resource. The exam explicitly tests that Gateway Endpoints are not transitive. The correct answer is to create an endpoint in each VPC or use Interface Endpoint.
"NAT Gateway provides better security because it hides IPs." Candidates think NAT adds security. In reality, Gateway Endpoints preserve source IPs, which can be used for fine-grained bucket policies. Both are secure, but Gateway Endpoints are more cost-effective.
Specific Numbers and Terms on the Exam
Gateway Endpoint is free.
NAT Gateway charges: ~$0.045/hour + $0.045/GB processed (varies by region).
Interface Endpoint: ~$0.01/hour + $0.01/GB processed.
Services: Only S3 and DynamoDB support Gateway Endpoints.
Prefix list: e.g., pl-6da54004 for S3 in us-east-1.
Route table: Destination = prefix list ID, Target = vpce-xxx.
Endpoint policy: IAM resource policy.
Condition key: aws:SourceVpce.
Edge Cases and Exceptions
Dual-stack: Gateway Endpoints support IPv4 traffic only. For IPv6, you must use NAT64 or a proxy.
S3 Transfer Acceleration: Works with Gateway Endpoints? No, Transfer Acceleration uses edge locations and requires internet access. Gateway Endpoint traffic goes directly to S3 region endpoint.
Cross-Region Access: Gateway Endpoints are region-specific. To access S3 in another region, you must either use public internet (NAT) or Interface Endpoint (if supported).
Endpoint Policy Evaluation: If you attach a restrictive endpoint policy, it must allow the action. For example, if you deny s3:PutObject, then even if IAM allows it, the action fails.
How to Eliminate Wrong Answers
Identify the target service: Is it S3 or DynamoDB? If yes, Gateway Endpoint is an option.
Check cost constraints: If the scenario emphasizes cost savings, Gateway Endpoint is likely correct.
Check connectivity: If the source is on-premises or another VPC, Gateway Endpoint won't work.
Consider security: If bucket policies need to restrict by VPC, Gateway Endpoint allows aws:SourceVpce.
Look for keywords: "private subnet," "without internet," "reduce costs" → Gateway Endpoint. "On-premises," "Direct Connect" → Interface Endpoint or proxy.
Gateway Endpoints are free and only for S3 and DynamoDB.
NAT Gateway costs per hour and per GB; avoid using it for S3/DynamoDB traffic.
Gateway Endpoints use prefix list routes; NAT uses 0.0.0.0/0 route.
Gateway Endpoints preserve source IP; NAT hides it.
Gateway Endpoints are not transitive across VPC peering or on-premises.
Interface Endpoints (PrivateLink) are for other AWS services and incur charges.
Always check the destination service: if it's S3 or DynamoDB, prefer Gateway Endpoint for cost optimization.
Use bucket policies with aws:SourceVpce condition to enforce endpoint usage.
These come up on the exam all the time. Here's how to tell them apart.
Gateway Endpoint
Free of charge (no hourly or per-GB fees)
Only supports Amazon S3 and DynamoDB
Traffic stays within AWS network
Preserves source IP of instances
Uses prefix list route in route table
NAT Gateway
Charges per hour and per GB processed
Supports any internet destination
Traffic goes through internet gateway to public internet
Performs source NAT (masks private IPs)
Uses 0.0.0.0/0 route in route table
Mistake
Gateway Endpoints are not secure because traffic goes over the internet.
Correct
Gateway Endpoints use AWS's private network backbone. Traffic never traverses the public internet. The endpoint routes traffic internally, making it more secure than NAT which goes to the internet gateway.
Mistake
You need a NAT Gateway to access S3 from a private subnet.
Correct
This is false. A Gateway Endpoint allows direct, private access to S3 and DynamoDB without NAT. NAT Gateway is only needed for internet access to non-AWS services.
Mistake
Gateway Endpoints can be used to access S3 from on-premises via Direct Connect.
Correct
Gateway Endpoints are VPC-scoped and cannot be accessed from on-premises networks. For on-premises access, use an Interface Endpoint or a proxy in the VPC.
Mistake
Gateway Endpoints and Interface Endpoints are interchangeable.
Correct
They serve different services. Gateway Endpoints only for S3 and DynamoDB, are free, and use route table entries. Interface Endpoints are for many services, incur charges, and use ENIs with private IPs.
Mistake
Gateway Endpoints require a public IP on the instance.
Correct
No. Instances in private subnets without public IPs can still access S3/DynamoDB via Gateway Endpoint. The route table directs traffic to the endpoint without needing internet gateway.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, Gateway Endpoints are region-specific. They point to the service in the same region only. To access S3 in another region, you must either use a NAT Gateway/Instance to go over the internet, or use an Interface Endpoint if the service supports cross-region (S3 does not support Interface Endpoint for cross-region). The best practice is to use a Gateway Endpoint in each region where you have workloads.
The route with the most specific destination wins. The Gateway Endpoint route uses a prefix list that is more specific than 0.0.0.0/0, so traffic to S3 will go through the Gateway Endpoint. However, if you have a more specific route (e.g., a /16 that overlaps S3 IPs) pointing to NAT, traffic could be misrouted. Always verify route tables.
No, Gateway Endpoints support IPv4 only. For IPv6 traffic to S3 or DynamoDB, you must use a NAT64 (if your VPC has IPv6) or a dual-stack NAT instance. Alternatively, you can use an Interface Endpoint, but that incurs costs.
Yes. Use a bucket policy with the `aws:SourceVpce` condition key. Example: `"Condition": { "StringEquals": { "aws:SourceVpce": "vpce-12345678" } }`. This ensures that requests not coming through that endpoint are denied.
Enable VPC Flow Logs on the subnets or ENIs. You will see flow log entries for traffic to S3/DynamoDB. Additionally, you can use CloudWatch metrics for the endpoint (e.g., packets in/out). Note that Flow Logs do not capture traffic within the endpoint itself.
Yes, if the Lambda function is configured to run in a VPC with a route table that has the DynamoDB prefix list route pointing to the Gateway Endpoint. Ensure the Lambda function's security group allows outbound HTTPS (443) to DynamoDB IPs.
Gateway Endpoint is free, uses route table prefix lists, and preserves source IPs. Interface Endpoint (PrivateLink) uses an ENI with a private IP in your subnet, incurs hourly and per-GB charges, and supports on-premises access via Direct Connect. For most VPC-only workloads, Gateway Endpoint is preferred.
You've just covered VPC Gateway Endpoints for S3/DynamoDB (Free vs NAT) — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?