Overview
- VPC Endpoint enables a private connection between VPC and AWS supported services (including S3, Athena, DynamoDB, ECS) and AWS Marketplace services (AWS PrivateLink-powered SaaS)
- Unlike a VPC endpoint, a NAT Gateway sends traffic through the Internet Gateway and thus over the public internet, which affects solution performance and cost
VPC Endpoint
- VPC Endpoint enables private connections between VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink
- A VPC endpoint doesn’t require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection
- VPC endpoints are virtual devices, horizontally scaled, redundant, and highly available VPC components
- Access to resources can be controlled with endpoint policies in addition to IAM user/service policies; a request through the endpoint must be allowed by both
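As an added illustration of the last point (not part of the original notes), the script below pairs a constructed S3 gateway endpoint policy with a constructed IAM policy and evaluates a few requests against both. The evaluator is a deliberately small model of the IAM decision logic (an explicit Deny wins, otherwise any matching Allow, otherwise implicit deny); the bucket names and policy contents are made-up sample values, and action matching is simplified to case-sensitive wildcard matching.

```python
"""Added example: an S3 gateway endpoint policy combined with an IAM policy.
Both documents are constructed for illustration; the evaluator is a small model
of the IAM decision logic, not the AWS implementation."""
import fnmatch
import json

# Constructed endpoint policy: through this endpoint, only one bucket is reachable.
ENDPOINT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-bucket",
                  "arn:aws:s3:::example-app-bucket/*"]}
  ]
}""")

# Constructed IAM policy on the workload role: read-only S3, with one explicit deny.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-app-bucket/secrets/*"}
  ]
}""")


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def allowed_via_endpoint(action, resource):
    """A request sent through the endpoint needs an Allow from BOTH the endpoint
    policy and the caller's IAM policy; a deny in either one blocks it."""
    return (evaluate(ENDPOINT_POLICY, action, resource) == "Allow"
            and evaluate(IAM_POLICY, action, resource) == "Allow")


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-app-bucket/data.csv"),
                     ("s3:PutObject", "arn:aws:s3:::example-app-bucket/data.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/data.csv"),
                     ("s3:GetObject", "arn:aws:s3:::example-app-bucket/secrets/key")]:
        print(f"{act:14} {res:48} -> {allowed_via_endpoint(act, res)}")
```

The second and third requests show the two independent controls: PutObject is permitted by the endpoint policy but not by the role, and GetObject on the other bucket is permitted by the role but not by the endpoint, so neither goes through.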
VPC Endpoint Types
- Interface Endpoints
  - Elastic network interface (ENI) with a private IP address
  - Entry point for traffic destined to a supported AWS service or a VPC endpoint service
- Gateway Endpoints
  - A gateway that you specify as the target for a route in your route table for traffic destined to a supported AWS service
  - Limited to S3 and DynamoDB
- Gateway Load Balancer Endpoints
  - Elastic network interface (ENI) with a private IP address
  - Powered by AWS PrivateLink
  - Serves as an entry point to intercept traffic and route it to a service
Network Address Translation (NAT)
- Used to interconnect private and public networks
- NAT translates between private and public IP addresses
- The NAT device sits in a public subnet and serves instances in a private subnet
- An EIP is associated with the NAT instance for the public-facing side
- Instances in the private subnet connect through the NAT instance to connect to the Internet
- NAT can be implemented using a dedicated NAT instance or AWS NAT Gateway
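To show how the Gateway Endpoint notes above and the NAT notes fit together in one route table, here is an added example (not from the original notes) that resolves destinations against a constructed private-subnet route table. The route target IDs, the VPC CIDR and the CIDRs standing in for the S3 prefix list are placeholders; a real gateway endpoint route uses the regional AWS-managed prefix list rather than hand-written CIDRs.

```python
"""Added example: longest-prefix route lookup over a constructed private-subnet
route table, showing S3 traffic taking the gateway endpoint while other
internet-bound traffic takes the NAT gateway (and therefore the IGW)."""
import ipaddress

# Placeholder CIDRs standing in for the AWS-managed S3 prefix list.
S3_PREFIX_LIST = ["52.216.0.0/15", "54.231.0.0/16"]

# Constructed route table for the private subnet: (destination, target).
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),                 # placeholder VPC CIDR
    ("0.0.0.0/0", "nat-0123456789abcdef0"),   # default route via NAT gateway (placeholder id)
] + [(cidr, "vpce-0123456789abcdef0") for cidr in S3_PREFIX_LIST]  # gateway endpoint (placeholder id)

# The same table without the gateway endpoint, for comparison.
ROUTE_TABLE_WITHOUT_ENDPOINT = [r for r in PRIVATE_ROUTE_TABLE if not r[1].startswith("vpce-")]


def resolve_target(route_table, dst_ip):
    """Pick the route with the longest matching prefix, as a VPC route table does."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_path(route_table, dst_ip):
    """Describe which path a packet to dst_ip takes from the private subnet."""
    target = resolve_target(route_table, dst_ip)
    if target is None:
        return "no route"
    if target == "local":
        return "stays inside the VPC"
    if target.startswith("vpce-"):
        return "private path via gateway endpoint (no IGW)"
    if target.startswith("nat-"):
        return "public path via NAT gateway and internet gateway"
    return f"other target {target}"


if __name__ == "__main__":
    for ip in ["10.0.5.12", "52.217.1.1", "93.184.216.34"]:
        print(f"{ip:15} with endpoint:    {classify_path(PRIVATE_ROUTE_TABLE, ip)}")
        print(f"{ip:15} without endpoint: {classify_path(ROUTE_TABLE_WITHOUT_ENDPOINT, ip)}")
```

The comparison table makes the cost and performance point concrete: remove the endpoint route and the S3 destination falls back to the 0.0.0.0/0 route, so it leaves through the NAT gateway and the public internet.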