SAA-C03 | Chapter 56 of 189 | Objective 1.1

VPC Endpoints: Gateway vs Interface vs GWLB

This chapter provides a comprehensive deep dive into AWS VPC Endpoints, covering the three types: Gateway Endpoints, Interface Endpoints, and Gateway Load Balancer Endpoints. For the SAA-C03 exam, understanding the differences, use cases, and limitations of each endpoint type is critical, as questions on this topic appear in roughly 5-10% of exams, often in the context of designing secure and cost-effective network architectures. You will learn the internal mechanics, configuration steps, and exam traps associated with each endpoint type, enabling you to choose the right solution for any scenario.

25 min read
Intermediate
Updated May 31, 2026

VPC Endpoints: Private Doors to AWS Services

Imagine you work in a large office building (your VPC) that needs to send and receive packages from a central warehouse (an AWS service like S3 or DynamoDB). Normally, to send a package, you have to walk outside the building, cross the public street (the internet), and enter the warehouse through its public entrance. This exposes your package to potential theft or inspection. VPC endpoints are like installing a private, secure door directly from your building's internal hallway to the warehouse's loading dock. For Gateway endpoints, this door is a simple, direct chute that only accepts packages of specific shapes (S3, DynamoDB) and is added to your building's internal routing table so all packages for the warehouse automatically go through the chute. For Interface endpoints, it's like having a dedicated, secure room with a receptionist (an Elastic Network Interface) that can handle packages for many different warehouses (multiple AWS services). The receptionist has a private phone number (private IP) and can forward packages to the correct warehouse without ever leaving the building. For Gateway Load Balancer endpoints, it's like having a security checkpoint room where packages must pass through an inspection service (a third-party appliance) before reaching the warehouse, allowing you to filter or examine traffic without routing it outside. All of this keeps your packages (data) entirely within the AWS network, never traversing the public internet.

How It Actually Works

What Are VPC Endpoints and Why Do They Exist?

VPC endpoints enable private connectivity between your VPC and supported AWS services without requiring internet gateways, NAT devices, VPN connections, or AWS Direct Connect. Traffic stays within the AWS network, never traversing the public internet. This improves security and reduces latency. The SAA-C03 exam expects you to know three types: Gateway Endpoints, Interface Endpoints (powered by AWS PrivateLink), and Gateway Load Balancer Endpoints.

Gateway Endpoints

Gateway endpoints are a logical gateway object that you attach to a route table. They support only two services: Amazon S3 and DynamoDB. When you create a Gateway endpoint, you specify the service (e.g., com.amazonaws.us-east-1.s3) and the VPC route tables that should use it. A route whose destination is the service's prefix list and whose target is the gateway endpoint ID (e.g., vpce-xxxx) is automatically added to each of those route tables. Traffic destined for any address in the service's prefix list (a set of IP address ranges) is routed through the endpoint.

How it works internally: When an instance in a private subnet sends a packet to an S3 bucket, the packet's destination IP falls within the S3 prefix list. The route table entry directs the packet to the Gateway endpoint. The Gateway endpoint performs a Network Address Translation (NAT) function: it replaces the source IP with its own IP from the service's side, and on return, it translates back. Importantly, the Gateway endpoint does not use ENIs; it is a horizontally scaled, redundant service within the AWS network.

Key characteristics:

- No additional cost per hour, only per GB of data processed.
- Highly available by default (regionally redundant).
- Cannot be accessed from on-premises via VPN or Direct Connect unless you enable route propagation and the on-premises routes point to the VPC.
- Supports policies (bucket policies and endpoint policies) to restrict access.
- Does not support IPv6 traffic.

Interface Endpoints (AWS PrivateLink)

Interface endpoints are Elastic Network Interfaces (ENIs) with private IP addresses from your VPC subnet. They are powered by AWS PrivateLink and support over 100 AWS services and Marketplace partner services. Each Interface endpoint is created in a specific subnet and Availability Zone. You can attach a security group to control inbound and outbound traffic.

How it works internally: When you create an Interface endpoint for a service (e.g., Amazon SNS), AWS creates an ENI in your subnet with a private IP. DNS entries for the service are updated so that queries from within the VPC resolve to the private IP of the ENI. Traffic flows from your instance to the ENI, then through AWS PrivateLink to the service. For services that support PrivateLink, the service provider (AWS or a third party) creates a Network Load Balancer (NLB) in their account and associates it with a VPC endpoint service. Your Interface endpoint connects to that NLB.

Key characteristics:

- Charged per hour per endpoint plus per GB of data processed.
- Supports IPv4 and IPv6 traffic.
- Can be accessed from on-premises via VPN or Direct Connect if DNS resolution is configured appropriately.
- Supports security groups and endpoint policies.
- Requires a Network Load Balancer on the service provider side (for endpoint services).
- Supports TCP traffic only; for services that require UDP, you may need to use Gateway Load Balancer endpoints or other mechanisms.

Gateway Load Balancer Endpoints

Gateway Load Balancer (GWLB) endpoints are ENIs that serve as entry points for traffic that needs to be inspected by third-party appliances (firewalls, intrusion detection systems, etc.). They work with Gateway Load Balancers, which are managed by AWS and can distribute traffic to a fleet of appliance instances.

How it works internally: You create a GWLB endpoint in a subnet. The endpoint is an ENI that receives traffic from your VPC. You then create a Gateway Load Balancer that listens on a specific port (usually 6081 for GENEVE encapsulation). The GWLB endpoint forwards traffic to the GWLB, which distributes it to target groups of appliance instances. The appliances process the traffic and return it to the GWLB, which sends it back to the GWLB endpoint, which then forwards it to its original destination. The entire path uses GENEVE encapsulation to preserve the original packet headers.

Key characteristics:

- Designed for transparent inspection of all traffic (e.g., east-west, north-south).
- Supports TCP, UDP, and ICMP traffic.
- Uses GENEVE encapsulation (UDP port 6081).
- The endpoint is an ENI with a private IP.
- You must configure route tables to direct traffic to the GWLB endpoint (e.g., for inspection of traffic between subnets).
- The GWLB itself is a managed service that scales horizontally.

Configuration and Verification

Creating a Gateway Endpoint (AWS CLI):

aws ec2 create-vpc-endpoint --vpc-id vpc-xxxx --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-xxxx

To verify:

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-xxxx

Check that the route table has an entry for the prefix list:

aws ec2 describe-route-tables --route-table-ids rtb-xxxx

Creating an Interface Endpoint (AWS CLI):

aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --vpc-id vpc-xxxx --service-name com.amazonaws.us-east-1.sns --subnet-ids subnet-xxxx --security-group-ids sg-xxxx

(`--vpc-endpoint-type Interface` is required here; without it the CLI defaults to a Gateway endpoint, which is not available for SNS.)

To verify:

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-xxxx

Check the ENI (the endpoint's ENI IDs are listed in the NetworkInterfaceIds field of describe-vpc-endpoints; substitute one of them for eni-xxxx):

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-xxxx --query 'VpcEndpoints[0].NetworkInterfaceIds' --output text

aws ec2 describe-network-interfaces --network-interface-ids eni-xxxx

Creating a Gateway Load Balancer Endpoint (AWS CLI):

aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --vpc-id vpc-xxxx --service-name com.amazonaws.vpce.us-east-1.vpce-svc-xxxx --subnet-ids subnet-xxxx

Interaction with Related Technologies

NAT Gateway / Internet Gateway: Gateway endpoints are often used together with NAT gateways to allow instances in private subnets to access S3 without an IGW. The route table for the private subnet has a default route to the NAT gateway, but a specific route for the S3 prefix list points to the Gateway endpoint. This ensures S3 traffic stays within AWS.

Security Groups: Interface endpoints and GWLB endpoints can have security groups attached. For Gateway endpoints, security groups are not applicable; instead, you use bucket policies and endpoint policies.

AWS PrivateLink: Interface endpoints are the consumer side of PrivateLink. The service provider creates an NLB and a VPC endpoint service. The consumer creates an Interface endpoint to connect.

Transit Gateway: You can attach a Transit Gateway to your VPC and still use VPC endpoints. However, if you want to use Gateway endpoints across multiple VPCs, you need to create endpoints in each VPC (they are not transitive).

AWS Direct Connect / VPN: Interface endpoints can be accessed from on-premises if you configure DNS resolution to use the endpoint's private IP. Gateway endpoints cannot be accessed from on-premises directly; traffic must originate from within the VPC.

Exam-Relevant Details

Default Limits: By default, you can create up to 255 VPC endpoints per VPC (can be increased).

DNS Resolution: For Interface endpoints, you must enable DNS resolution in the VPC (the enableDnsHostnames and enableDnsSupport attributes) to use the private DNS names.

Endpoint Policies: JSON policies that control what actions are allowed on the service via the endpoint. They work in conjunction with service-specific policies (e.g., S3 bucket policies).

Gateway Endpoint Limitation: Only supports S3 and DynamoDB. Many candidates mistakenly think it supports more services.

Interface Endpoint Cost: The per-hour cost can add up if you create many endpoints. For high-volume data transfer, Gateway endpoints are cheaper.

GWLB Endpoint Use Case: Specifically for traffic inspection; not for direct access to AWS services.

IPv6: Gateway endpoints do not support IPv6. Interface endpoints do. GWLB endpoints support IPv6.

Step-by-Step: How a Gateway Endpoint Processes an S3 Request

1. Instance sends packet: An EC2 instance in a private subnet sends a packet to an S3 bucket (e.g., PUT object). The destination IP is within the S3 prefix list (e.g., 52.216.0.0/15).

2. Route table lookup: The subnet's route table has a route for the prefix list with target vpce-xxxx. The packet is forwarded to the Gateway endpoint.

3. Gateway endpoint processing: The Gateway endpoint receives the packet. It performs NAT: it replaces the source IP (the instance's private IP) with its own IP from the S3 service side. It also records the mapping for the return traffic.

4. Forwarding to S3: The packet is sent over the AWS backbone to the S3 service.

5. S3 response: S3 sends the response back to the Gateway endpoint's IP.

6. Return NAT: The Gateway endpoint translates the destination IP back to the instance's private IP and sends the packet into the VPC.

7. Instance receives response: The packet arrives at the instance's ENI.

Step-by-Step: How an Interface Endpoint Processes an SNS Publish

1. Instance initiates connection: An EC2 instance resolves the SNS endpoint DNS name (e.g., sns.us-east-1.amazonaws.com). Because the VPC has DNS resolution enabled and the Interface endpoint's private DNS name is enabled, the DNS query returns the private IP of the endpoint ENI (e.g., 10.0.1.100).

2. Packet sent to ENI: The instance sends a TCP SYN packet to 10.0.1.100:443.

3. Security group check: The ENI's security group must allow inbound HTTPS from the instance's security group.

4. Endpoint processing: The Interface endpoint receives the packet and forwards it through AWS PrivateLink to the SNS service. The service sees the connection coming from the endpoint's private IP.

5. Response: SNS responds to the endpoint's IP, which forwards the response back to the instance.

Step-by-Step: How a GWLB Endpoint Inspects Traffic

1. Traffic origination: An instance in subnet A sends a packet to an instance in subnet B. The route table for subnet A has a route for subnet B's CIDR pointing to the GWLB endpoint ENI.

2. Encapsulation: The GWLB endpoint receives the packet. It encapsulates the original packet in a GENEVE header (UDP port 6081) and sends it to the Gateway Load Balancer.

3. Load balancing: The GWLB distributes the encapsulated packet to one of the appliance instances in its target group.

4. Inspection: The appliance decapsulates the packet, inspects it (e.g., firewall rules), and then re-encapsulates it and sends it back to the GWLB.

5. Return path: The GWLB sends the encapsulated packet back to the GWLB endpoint, which decapsulates it and forwards the original packet to subnet B's instance.
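The encapsulation in steps 2 and 5, as an added example that is not code from this chapter or from AWS: it packs and parses the GENEVE header as laid out in RFC 8926 (8-byte base header on UDP 6081, followed by TLV options), round-trips a constructed inner IPv4 packet through it, and turns the header overhead into the MTU budget that the GWLB scenario later in this chapter warns about. The VNI of 0, the option class 0xFFFE (from the experimental range) and the inner packet are constructed; whatever options the Gateway Load Balancer actually inserts are not described on this page and are treated here as opaque TLVs.

```python
import struct

GENEVE_UDP_PORT = 6081      # UDP port the Gateway Load Balancer listens on
ETHERTYPE_IPV4 = 0x0800     # protocol type of an IPv4 packet carried inside GENEVE
OUTER_IPV4_HDR, UDP_HDR, GENEVE_BASE_HDR = 20, 8, 8


def encode_option(opt_class, opt_type, data):
    """One GENEVE TLV option: class(16) type(8) rsvd(3)+length(5, in 4-byte words)."""
    if len(data) % 4 or len(data) > 124:
        raise ValueError("option data must be a multiple of 4 bytes, at most 124")
    return struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data


def build_geneve(vni, protocol_type, options=(), oam=False, critical=False):
    """Base header (8 bytes) plus options, as the GWLB endpoint prepends to a packet."""
    opt_bytes = b"".join(encode_option(*o) for o in options)
    if len(opt_bytes) // 4 > 63:
        raise ValueError("options exceed the 6-bit Opt Len field")
    first = (0 << 6) | (len(opt_bytes) // 4)          # Ver=0, Opt Len in 4-byte words
    flags = (int(oam) << 7) | (int(critical) << 6)    # O and C bits, 6 reserved bits
    return struct.pack("!BBH", first, flags, protocol_type) + struct.pack("!I", vni << 8) + opt_bytes


def parse_geneve(datagram):
    """Decode a GENEVE datagram (the UDP payload) into header fields and the inner packet."""
    if len(datagram) < GENEVE_BASE_HDR:
        raise ValueError("shorter than the GENEVE base header")
    first, flags, protocol_type = struct.unpack("!BBH", datagram[:4])
    version, opt_len = first >> 6, (first & 0x3F) * 4
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    vni = struct.unpack("!I", datagram[4:8])[0] >> 8     # 24-bit VNI, low byte reserved
    end = GENEVE_BASE_HDR + opt_len
    if len(datagram) < end:
        raise ValueError("truncated option block")
    options, pos = [], GENEVE_BASE_HDR
    while pos < end:
        opt_class, opt_type, length = struct.unpack("!HBB", datagram[pos:pos + 4])
        data_len = (length & 0x1F) * 4
        if pos + 4 + data_len > end:
            raise ValueError("option runs past Opt Len")
        options.append((opt_class, opt_type, datagram[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return {"vni": vni, "protocol_type": protocol_type, "oam": bool(flags & 0x80),
            "critical": bool(flags & 0x40), "options": options, "payload": datagram[end:]}


def encap_overhead(options=()):
    """Bytes added to every packet: outer IPv4 + UDP + GENEVE base header + options."""
    return OUTER_IPV4_HDR + UDP_HDR + GENEVE_BASE_HDR + sum(4 + len(d) for _, _, d in options)


def max_inner_packet(outer_mtu, options=()):
    """Largest inner IP packet that fits without fragmenting the outer UDP datagram."""
    return outer_mtu - encap_overhead(options)


def constructed_ipv4_packet(payload=b"constructed payload 10.0.1.10 -> 10.0.2.20"):
    """A minimal constructed IPv4 packet (checksum left at 0) standing in for VPC traffic."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         64, 17, 0, bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]))
    return header + payload


def round_trip(inner, options=()):
    """Encapsulate as the endpoint would, decode as an appliance would; return both."""
    datagram = build_geneve(0, ETHERTYPE_IPV4, options) + inner
    return datagram, parse_geneve(datagram)


if __name__ == "__main__":
    opts = [(0xFFFE, 7, b"\xde\xad\xbe\xef")]   # constructed experimental-class option
    datagram, parsed = round_trip(constructed_ipv4_packet(), opts)
    print(len(datagram), parsed["vni"], hex(parsed["protocol_type"]), parsed["options"])
    print("overhead:", encap_overhead(opts), "max inner at 1500:", max_inner_packet(1500, opts))
```

The overhead figure is the point for MTU planning: with an outer MTU of 1500 and one 8-byte option, the inner packet can be at most 1456 bytes, so appliance interfaces typically need a larger MTU than the instances whose traffic they inspect.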

Step-by-Step: Choosing the Right Endpoint Type

1. Identify the service: If the service is S3 or DynamoDB, consider a Gateway endpoint. For other AWS services or third-party services, use an Interface endpoint. For traffic inspection, use a GWLB endpoint.

2. Check cost sensitivity: Gateway endpoints are free per hour (only data charges). Interface endpoints have hourly charges. For high-volume S3 access, a Gateway endpoint is cheaper.

3. Check IPv6 requirements: If you need IPv6, you cannot use a Gateway endpoint.

4. Check on-premises access: If you need to access the service from on-premises via Direct Connect or VPN, use an Interface endpoint (with proper DNS configuration).

5. Check security group requirements: If you need to control access with security groups, use an Interface or GWLB endpoint.

Step-by-Step: Troubleshooting Connectivity Issues

1. Verify route tables: Ensure the subnet route table has a route for the service prefix list (Gateway) or that DNS resolves to the endpoint's private IP (Interface).

2. Check security groups: For Interface endpoints, ensure the security group allows inbound/outbound traffic. For Gateway endpoints, security groups are irrelevant.

3. Check endpoint policies: Ensure the endpoint policy allows the desired actions. For S3, also check bucket policies.

4. Check DNS resolution: For Interface endpoints, verify that enableDnsHostnames and enableDnsSupport are true in the VPC.

5. Check VPC flow logs: Use flow logs to see if traffic is reaching the endpoint ENI.
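Steps 1, 2 and 4 of this checklist, and the route-table and ENI checks in the Configuration and Verification section, as an added example that runs offline (it is not code from this chapter or from AWS). The four documents at the top are constructed to mimic the JSON shapes returned by `aws ec2 describe-route-tables`, `describe-vpc-attribute` (flattened to a plain dict), `describe-vpc-endpoints` and `describe-security-groups`; every ID is a placeholder, and `enableDnsHostnames` is deliberately left false so that one check fires. In practice you would pass the real responses (for example from boto3) to the same functions.

```python
"""Offline audit of a Gateway endpoint route, VPC DNS attributes and an
Interface endpoint's security group, driven by constructed API responses."""

# --- constructed inputs (placeholder IDs, not real resources) ----------------
ROUTE_TABLE = {
    "RouteTableId": "rtb-xxxx",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-xxxx", "State": "active"},
        # the route AWS adds for a Gateway endpoint: service prefix list -> vpce-...
        {"DestinationPrefixListId": "pl-xxxx", "GatewayId": "vpce-gw-xxxx", "State": "active"},
    ],
}
VPC_ATTRIBUTES = {"enableDnsSupport": True, "enableDnsHostnames": False}  # hostnames off on purpose
INTERFACE_ENDPOINT = {
    "VpcEndpointId": "vpce-if-xxxx",
    "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.us-east-1.sns",
    "State": "available",
    "PrivateDnsEnabled": True,
    "Groups": [{"GroupId": "sg-endpoint-xxxx", "GroupName": "sns-endpoint"}],
}
SECURITY_GROUPS = {
    "sg-endpoint-xxxx": {
        "GroupId": "sg-endpoint-xxxx",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-xxxx"}]},
        ],
    }
}


def has_gateway_route(route_table, prefix_list_id, endpoint_id):
    """Step 1: an active route sends the service prefix list to the Gateway endpoint."""
    return any(r.get("DestinationPrefixListId") == prefix_list_id
               and r.get("GatewayId") == endpoint_id
               and r.get("State") == "active"
               for r in route_table["Routes"])


def dns_attributes_ok(vpc_attrs):
    """Step 4: both VPC DNS attributes must be true for private DNS names to resolve."""
    return bool(vpc_attrs.get("enableDnsSupport")) and bool(vpc_attrs.get("enableDnsHostnames"))


def sg_allows_https_from(sg, client_sg_id):
    """Step 2: the endpoint ENI's security group admits inbound TCP 443 from the client SG."""
    for perm in sg["IpPermissions"]:
        all_traffic = perm["IpProtocol"] == "-1"
        proto_ok = all_traffic or perm["IpProtocol"] == "tcp"
        port_ok = all_traffic or perm["FromPort"] <= 443 <= perm["ToPort"]
        src_ok = any(p["GroupId"] == client_sg_id for p in perm.get("UserIdGroupPairs", []))
        if proto_ok and port_ok and src_ok:
            return True
    return False


def audit(route_table, vpc_attrs, endpoint, security_groups,
          prefix_list_id, gateway_endpoint_id, client_sg_id):
    """Run the offline checks and return human-readable findings (empty means clean).
    Step 3 (policies) and step 5 (flow logs) need live data and are not covered here."""
    findings = []
    if not has_gateway_route(route_table, prefix_list_id, gateway_endpoint_id):
        findings.append(f"{route_table['RouteTableId']}: no active route "
                        f"{prefix_list_id} -> {gateway_endpoint_id}")
    if not dns_attributes_ok(vpc_attrs):
        findings.append("VPC: enableDnsSupport and enableDnsHostnames must both be true")
    if endpoint["State"] != "available":
        findings.append(f"{endpoint['VpcEndpointId']}: state is {endpoint['State']}")
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append(f"{endpoint['VpcEndpointId']}: private DNS disabled; clients must "
                        "use the endpoint-specific DNS name")
    for group in endpoint["Groups"]:
        if not sg_allows_https_from(security_groups[group["GroupId"]], client_sg_id):
            findings.append(f"{group['GroupId']}: no inbound tcp/443 rule from {client_sg_id}")
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTE_TABLE, VPC_ATTRIBUTES, INTERFACE_ENDPOINT, SECURITY_GROUPS,
                         "pl-xxxx", "vpce-gw-xxxx", "sg-app-xxxx"):
        print("FINDING:", finding)
```

Run as-is it reports exactly one finding, the DNS attribute that was left off; flipping `enableDnsHostnames` to true in the constructed input returns an empty list.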

Walk-Through

1. Identify Service and Endpoint Type

First, determine which AWS service you need to access privately. For Amazon S3 and DynamoDB, Gateway endpoints are the most cost-effective and simple choice. For all other AWS services (e.g., SNS, SQS, Kinesis, CloudWatch) and third-party SaaS offerings, Interface endpoints (PrivateLink) are required. If your goal is to route traffic through security appliances for inspection, choose Gateway Load Balancer endpoints. This decision is the most critical step and is heavily tested on the SAA-C03 exam. Many candidates incorrectly assume Gateway endpoints work for all services; they do not.

2. Create the VPC Endpoint

Using the AWS Management Console, CLI, or CloudFormation, create the endpoint. For Gateway endpoints, specify the VPC, the service name (e.g., `com.amazonaws.region.s3`), and the route table(s) to associate. For Interface endpoints, specify the VPC, the service name, the subnet(s) where the ENI will be created, and optionally a security group. For GWLB endpoints, specify the VPC, the service name (the VPC endpoint service for the GWLB), and the subnet(s). The service name for a GWLB endpoint is the one associated with the Gateway Load Balancer, not a standard AWS service.

3. Configure Route Tables (Gateway Endpoint Only)

For a Gateway endpoint, you must update the route tables of the subnets that will use the endpoint. AWS automatically adds a route for the service's prefix list (e.g., `pl-xxxx`) with the endpoint ID as the target. This route directs traffic destined for the service's IP ranges to the Gateway endpoint. For Interface and GWLB endpoints, route tables are not automatically modified; instead, you rely on DNS resolution to direct traffic to the endpoint's private IP. However, for GWLB endpoints, you may need to add routes to redirect traffic to the endpoint for inspection.

4. Update DNS Resolution (Interface Endpoint Only)

For Interface endpoints, you must ensure that the VPC has DNS resolution enabled (`enableDnsHostnames` and `enableDnsSupport` set to true). Then, when you create the endpoint, you can enable private DNS names. This causes the standard DNS name for the service (e.g., `sns.us-east-1.amazonaws.com`) to resolve to the private IP of the endpoint ENI within the VPC. Without this, instances would need to use the endpoint-specific DNS name (e.g., `vpce-xxxx.sns.us-east-1.vpce.amazonaws.com`).

5. Apply Endpoint Policies and Security Groups

All endpoint types support endpoint policies (JSON documents) that control which actions are allowed via the endpoint. For Interface and GWLB endpoints, you can also attach security groups to the endpoint ENI to filter traffic at the network level. For Gateway endpoints, security groups are not supported; access control is done via endpoint policies and bucket policies. Always ensure that the endpoint policy does not inadvertently block required actions. For example, a common mistake is to have an endpoint policy that denies all actions except a specific one, but the condition keys are misconfigured.

6. Test and Verify Connectivity

After configuration, test connectivity from an instance in the VPC. For Gateway endpoints, use the AWS CLI to perform an S3 operation (e.g., `aws s3 ls`). For Interface endpoints, try to publish to an SNS topic. For GWLB endpoints, verify that traffic is being inspected by checking logs on the appliance. Use VPC flow logs to confirm that traffic is flowing through the endpoint ENI. Common issues include incorrect route tables (for Gateway), security group rules blocking traffic (for Interface), and DNS resolution not using the private IP (for Interface).

What This Looks Like on the Job

Scenario 1: Secure S3 Access for a Data Analytics Platform

A financial services company runs a data analytics platform on AWS. Their EC2 instances in private subnets need to read and write petabytes of data to S3 daily. Initially, they used a NAT gateway to route traffic to S3 over the internet. This incurred high NAT data processing costs and exposed the traffic to potential threats. They switched to a Gateway endpoint for S3. They created a Gateway endpoint in each VPC and updated the private subnet route tables to route S3 traffic through the endpoint. This eliminated NAT charges and kept traffic within AWS. They also attached an endpoint policy that restricted access to only the specific S3 buckets used by the analytics platform. The result was a 40% reduction in data transfer costs and improved security. One issue they encountered was that the Gateway endpoint does not support IPv6; they had to ensure all instances used IPv4 for S3 access.
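The bucket-restricting endpoint policy from this scenario, together with the "Apply Endpoint Policies and Security Groups" step of the walk-through, as an added example that is not code from this chapter or from AWS. The policy document itself is constructed (the bucket names are placeholders), and the evaluator is a deliberately simplified model of policy evaluation: explicit Deny wins, then Allow, otherwise implicit deny; it matches `Action` and `Resource` wildcards and a `Principal` of `"*"` only, and refuses policies that use `NotAction`, `NotResource` or `Condition` rather than pretend to evaluate them. A second constructed bucket policy shows the "in conjunction with" rule: the request must pass both the endpoint policy and the bucket's own policy.

```python
import fnmatch

# Constructed endpoint policy for the scenario: only the two analytics buckets
# are reachable through the Gateway endpoint, and nothing can be deleted via it.
ANALYTICS_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnalyticsBucketsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::analytics-raw-example",
                "arn:aws:s3:::analytics-raw-example/*",
                "arn:aws:s3:::analytics-curated-example",
                "arn:aws:s3:::analytics-curated-example/*",
            ],
        },
        {
            "Sid": "NoDeleteThroughThisEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject",
            "Resource": "*",
        },
    ],
}

# Constructed bucket policy on the curated bucket: read-only for everyone.
CURATED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::analytics-curated-example/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Simplified single-policy evaluation: Deny > Allow > ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        for key in ("NotAction", "NotResource", "Condition"):
            if key in stmt:
                raise NotImplementedError(f"{key} is not modelled by this evaluator")
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny ends evaluation
            decision = "Allow"
    return decision


def combined_decision(policies, action, resource):
    """Endpoint policy and service-side policy are evaluated together: any Deny
    wins, every policy must Allow, anything else is the implicit deny."""
    decisions = [evaluate(p, action, resource) for p in policies]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if all(d == "Allow" for d in decisions) else "ImplicitDeny"


if __name__ == "__main__":
    raw_obj = "arn:aws:s3:::analytics-raw-example/part-0001.parquet"
    curated_obj = "arn:aws:s3:::analytics-curated-example/daily.parquet"
    print("GetObject raw via endpoint:", evaluate(ANALYTICS_ENDPOINT_POLICY, "s3:GetObject", raw_obj))
    print("GetObject other bucket:", evaluate(ANALYTICS_ENDPOINT_POLICY, "s3:GetObject",
                                              "arn:aws:s3:::other-bucket-example/x"))
    print("PutObject curated (endpoint + bucket policy):",
          combined_decision([ANALYTICS_ENDPOINT_POLICY, CURATED_BUCKET_POLICY], "s3:PutObject", curated_obj))
```

The last line is the point of the exercise: the endpoint policy allows `s3:PutObject` on the curated bucket, but the bucket policy only allows reads, so the combined result is the implicit deny. When a request through an endpoint fails, check both documents, not just the one you most recently edited.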

Scenario 2: Private Access to SaaS Monitoring Tool

A large e-commerce company uses a third-party monitoring SaaS that is integrated via AWS PrivateLink. The monitoring agents on EC2 instances need to send metrics to the SaaS endpoint. They created an Interface endpoint for the SaaS service in each Availability Zone. They attached a security group that allows inbound traffic from the monitoring agents' security group on TCP 443. They enabled private DNS names so that the agents could use the standard SaaS URL. This allowed the agents to connect without traversing the internet. The company also set up an endpoint policy that only allows the PutMetricData action. During a regional outage, they learned that Interface endpoints are regional and must be created in each region where the service is used. They also discovered that the hourly cost of multiple endpoints can be significant, so they consolidated where possible.

Scenario 3: Traffic Inspection for Compliance

A healthcare organization needs to inspect all traffic between VPCs and to the internet for compliance with HIPAA. They deployed a fleet of firewall appliances behind a Gateway Load Balancer. They created a GWLB endpoint in each subnet that required inspection. They updated the route tables so that all inter-subnet traffic was directed to the GWLB endpoint. The GWLB then distributed traffic to the firewalls. The firewalls inspected packets and forwarded allowed traffic. The organization faced a challenge with GENEVE encapsulation: their firewall appliances had to support GENEVE, which not all vendors do. They also had to carefully manage the MTU to account for the GENEVE header overhead. Misconfiguration of the route tables caused asymmetric routing, which they resolved by ensuring that both the forward and return paths went through the same GWLB endpoint.

How SAA-C03 Actually Tests This

SAA-C03 Exam Focus: VPC Endpoints

The SAA-C03 exam tests your ability to select the correct endpoint type for a given scenario. The relevant objective is Domain 1: Secure Architectures, Objective 1.1: Design secure access to AWS resources. Expect 2-3 questions on this topic.

Common Wrong Answers and Traps

1. Choosing Gateway Endpoint for non-S3/DynamoDB services: Many candidates think Gateway endpoints work for any service because they are simpler. The exam will present a scenario requiring private access to SQS or Kinesis, and the wrong answer will propose a Gateway endpoint. The correct answer is an Interface endpoint.

2. Using Interface Endpoint for S3: Some candidates choose an Interface endpoint for S3 because they think it's more secure or supports IPv6. However, a Gateway endpoint is cheaper and simpler. The exam tests cost optimization and simplicity. Unless the scenario specifically requires IPv6 or on-premises access, a Gateway endpoint is the right choice for S3 and DynamoDB.

3. Assuming Gateway Endpoint is accessible from on-premises: The exam may ask about accessing S3 from on-premises via Direct Connect. A common wrong answer is to use a Gateway endpoint. Gateway endpoints cannot be accessed from on-premises; you need either an Interface endpoint, or a VPN/Direct Connect into a VPC whose Gateway endpoint is used only by traffic that originates from within that VPC.

4. Ignoring endpoint policies: The exam often includes questions where an endpoint policy is the key to restricting access. Candidates may overlook the policy and choose a security group approach, but for Gateway endpoints, security groups are not applicable.

Specific Numbers and Terms

Services supported by Gateway endpoints: S3 and DynamoDB only.

Prefix list: Used by Gateway endpoints; the route table entry points to the prefix list ID.

PrivateLink: The underlying technology for Interface endpoints.

GENEVE: The encapsulation protocol for Gateway Load Balancer endpoints (UDP port 6081).

Endpoint policies: JSON documents that control access; they are evaluated in addition to service-specific policies.

Edge Cases

IPv6: If the scenario requires IPv6, Gateway endpoint is not an option. Use Interface endpoint for services that support IPv6.

Cross-account access: Interface endpoints can be shared across accounts via AWS PrivateLink. Gateway endpoints are specific to a VPC and cannot be shared.

VPC peering: Gateway endpoints are not transitive across VPC peering connections. Each VPC must have its own Gateway endpoint. Interface endpoints can be accessed from peered VPCs if the DNS resolution is configured appropriately.

How to Eliminate Wrong Answers

If the question mentions cost savings for S3 access, eliminate Interface endpoint (hourly cost) and choose Gateway endpoint.

If the question mentions on-premises access to an AWS service, eliminate Gateway endpoint.

If the question mentions traffic inspection with third-party appliances, eliminate Interface and Gateway endpoints; choose GWLB endpoint.

If the question mentions security groups, eliminate Gateway endpoint.

If the question mentions IPv6, eliminate Gateway endpoint.

Key Takeaways

Gateway endpoints are only for S3 and DynamoDB; they are free per hour and do not support IPv6 or on-premises access.

Interface endpoints (PrivateLink) are for all other AWS services and third-party services; they have hourly costs and support IPv6 and on-premises access.

Gateway Load Balancer endpoints are for traffic inspection using third-party appliances; they use GENEVE encapsulation (UDP 6081).

All endpoint types support endpoint policies (JSON) to control access; Interface and GWLB endpoints also support security groups.

For Gateway endpoints, you must update route tables with a route to the prefix list; for Interface endpoints, DNS resolution is key.

VPC endpoints keep traffic within the AWS network, improving security and reducing latency compared to internet-based access.

The default limit is 255 endpoints per VPC, but this can be increased.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Gateway Endpoint

- Supports only S3 and DynamoDB
- No hourly cost; only data processing charges
- Cannot be accessed from on-premises
- Does not support IPv6
- No security groups; uses endpoint policies

Interface Endpoint

- Supports over 100 AWS services and third-party SaaS
- Hourly cost per endpoint plus data processing
- Can be accessed from on-premises via Direct Connect/VPN with proper DNS
- Supports IPv4 and IPv6
- Supports security groups and endpoint policies

Watch Out for These

Mistake: Gateway endpoints can be used for any AWS service.

Correct: Gateway endpoints only support Amazon S3 and DynamoDB. For all other services, you must use Interface endpoints (PrivateLink).

Mistake: Interface endpoints are free.

Correct: Interface endpoints incur hourly charges per endpoint plus data processing costs. Gateway endpoints have no hourly charges, only data processing costs.

Mistake: Gateway endpoints can be accessed from on-premises via Direct Connect.

Correct: Gateway endpoints are only accessible from within the VPC where they are created. To access S3 from on-premises, use an Interface endpoint or a VPC with a Gateway endpoint and a VPN/Direct Connect (but traffic must originate from the VPC).

Mistake: All VPC endpoints support IPv6.

Correct: Gateway endpoints do not support IPv6. Interface endpoints and GWLB endpoints support IPv6.

Mistake: Security groups can be attached to Gateway endpoints.

Correct: Security groups are not supported for Gateway endpoints. Access control is achieved via endpoint policies and bucket policies. Security groups are supported for Interface and GWLB endpoints.


Frequently Asked Questions

What is the difference between a Gateway endpoint and an Interface endpoint?

A Gateway endpoint is a logical gateway object that supports only S3 and DynamoDB, has no hourly cost, and requires route table entries. An Interface endpoint is an ENI with a private IP, supports many services, incurs hourly charges, and uses DNS to direct traffic. Gateway endpoints cannot be accessed from on-premises, while Interface endpoints can.

Can I use a VPC endpoint to access S3 from on-premises?

No, a Gateway endpoint cannot be accessed directly from on-premises. You can use an Interface endpoint for S3 (available since 2020) to access S3 from on-premises via Direct Connect or VPN, or you can set up a VPN/Direct Connect to a VPC and then use a Gateway endpoint from within the VPC.

What is the cost of VPC endpoints?

Gateway endpoints have no hourly charge; you pay only for data processed. Interface endpoints have an hourly charge per endpoint (varies by region, typically ~$0.01-$0.02 per hour) plus data processing charges. Gateway Load Balancer endpoints have similar pricing to Interface endpoints.

Do VPC endpoints support IPv6?

Gateway endpoints do not support IPv6. Interface endpoints and Gateway Load Balancer endpoints support IPv6 traffic.

What is a prefix list in the context of Gateway endpoints?

A prefix list is a set of IP address ranges that AWS services use. For S3, the prefix list includes all S3 IP addresses. When you create a Gateway endpoint, AWS automatically adds a route to your route table with the prefix list as the destination and the endpoint ID as the target.

Can I attach a security group to a VPC endpoint?

Yes, for Interface endpoints and Gateway Load Balancer endpoints. Gateway endpoints do not support security groups; you use endpoint policies instead.

What is the GENEVE protocol used for?

GENEVE (Generic Network Virtualization Encapsulation) is used by Gateway Load Balancer endpoints to encapsulate traffic between the endpoint and the Gateway Load Balancer. It uses UDP port 6081.

