AWS VPC Endpoints

VPC Endpoints
A VPC Endpoint creates a private connection between a VPC and supported AWS services, or endpoint services powered by AWS PrivateLink, using private IP addresses.
A VPC Endpoint does not require access over the Internet, NAT devices, or AWS Direct Connect.
Traffic between the VPC and the AWS service does not leave the Amazon network.
Endpoints are virtual devices: horizontally scaled, redundant, and highly available VPC components that allow communication between instances in the VPC and AWS services without imposing availability risks on your network traffic.
Endpoints currently do not support cross-region requests. Make sure that the endpoint is created in the same region as the S3 bucket.
AWS currently supports these types of Endpoints:
    VPC Gateway Endpoints
    VPC Interface Endpoints

VPC Gateway Endpoints
A VPC Gateway Endpoint is a gateway that is the target of a route in the route table, used for traffic destined for supported AWS services.
VPC Gateway Endpoint currently supports DynamoDB and S3 services
A VPC Endpoint policy and resource-based policies are both options for fine-grained access control.

Gateway Endpoint Configuration
Creating an endpoint requires specifying both the VPC and the service to be accessed via the endpoint.
An endpoint must be associated with a route table, which adds the route entry. The endpoint cannot be deleted simply by removing its association with the route table.
A route is automatically added to the route table with the service prefix list as the destination (e.g. pl-68a54001) and the endpoint ID as the target (e.g. vpce-1234678).
Endpoint policies can control access to resources in other services.
Security groups must be modified to allow outbound traffic from the VPC to the service specified in the endpoint, for example by using the service prefix list ID as the destination in the outbound rule.
Multiple endpoints can all be created in one VPC. This allows you to access multiple services.
Multiple endpoints can also be created for the same service, but in different route tables.
Multiple endpoints for the same service cannot be specified in a single route table.

Limitations on Gateway Endpoints
Endpoints can only be created within the same region; an endpoint cannot be created between a VPC and an AWS service in a different region.
Endpoints only support IPv4 traffic
An endpoint cannot be transferred from one VPC to another, or from one service to another.
Endpoint connections cannot be extended out of a VPC: resources on the other side of a VPN connection, a VPC peering connection, or an AWS Direct Connect connection cannot use the endpoint.
A VPC Endpoint policy is an IAM resource policy attached to an endpoint to control access from the endpoint to the service.
By default, an endpoint policy allows full access to any user or service within the VPC, using credentials from any AWS account, to any S3 resource, including S3 resources of an AWS account not associated with the VPC.
Endpoint policies cannot override or replace IAM policies or service-specific policies (such as S3 bucket policies).
An endpoint policy can be used to restrict the resources that can be accessed via the VPC Endpoint, for example limiting access to a single bucket:

    {
        "Sid": "AccessToSpecificBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
            "s3:ListBucket",
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::example-bucket",
            "arn:aws:s3:::example-bucket/*"
        ]
    }
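As an added illustration (not code from the original page), the script below places the default full-access gateway endpoint policy next to the page's bucket-restricted statement and audits both: it flags Allow statements whose Resource is a wildcard (the condition that lets traffic through the endpoint reach buckets in any AWS account) and lists the buckets a policy is explicitly scoped to. The policy documents and the audit functions are constructed here for the example; the audit also accepts the policy as JSON text, which is how a policy document is usually retrieved.

```python
import json

# Constructed sample: the default gateway endpoint policy, which allows any
# principal to perform any action on any resource of the service.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}

# The page's restricted statement, wrapped in a complete policy document.
RESTRICTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToSpecificBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}

# Same policies as JSON text, the form a policy document is normally handed around in.
DEFAULT_POLICY_TEXT = json.dumps(DEFAULT_ENDPOINT_POLICY)
RESTRICTED_POLICY_TEXT = json.dumps(RESTRICTED_ENDPOINT_POLICY)


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_statements(policy):
    """Sids (or positional labels) of Allow statements with a wildcard Resource."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if any(r in ("*", "arn:aws:s3:::*") for r in _as_list(st.get("Resource", []))):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


def scoped_buckets(policy):
    """Sorted bucket names that Allow statements explicitly name in their Resource."""
    buckets = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for r in _as_list(st.get("Resource", [])):
            if r.startswith("arn:aws:s3:::"):
                name = r[len("arn:aws:s3:::"):].split("/", 1)[0]
                if name != "*":
                    buckets.add(name)
    return sorted(buckets)


def audit(policy_text):
    """Parse a policy document given as JSON text and return both findings."""
    policy = json.loads(policy_text)
    return {"unscoped": unscoped_statements(policy), "buckets": scoped_buckets(policy)}


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_POLICY_TEXT), ("restricted", RESTRICTED_POLICY_TEXT)):
        print(label, audit(text))
```

A non-empty "unscoped" list means the endpoint does not limit which buckets can be reached, so bucket policies and IAM policies are the only remaining controls.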