VPC Endpoints: Interface vs Gateway - Which Should You Use?
Gateway Endpoint is free for S3/DynamoDB, Interface Endpoint supports most AWS services but has costs. Learn the differences and selection criteria for SAA-C03 exam.
Related Exam Domains
- Domain 1: Design Secure Architectures
Key Takeaway
Gateway Endpoint is free and exclusive to S3/DynamoDB, while Interface Endpoint supports most AWS services but has costs. Use Gateway Endpoint for S3/DynamoDB by default, and consider Interface Endpoint when on-premises connectivity or VPC peering is required.
Exam Tip
Exam Essential: Gateway = S3/DynamoDB only + Free + Routing table, Interface = Most services + Paid + ENI + Security Group
What is a VPC Endpoint?
VPC Endpoint enables private connectivity to AWS services from your VPC without using Internet Gateway or NAT. Traffic stays within the AWS network, enhancing security.
Using Internet Gateway (Traditional):
EC2 → Internet Gateway → Internet → AWS Service
Using VPC Endpoint (Recommended):
EC2 → VPC Endpoint → AWS Service
(No internet traversal, stays within AWS network)
Gateway vs Interface Endpoint: Core Differences
Comparison at a Glance
| Comparison | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Supported Services | S3, DynamoDB only | Most AWS services (200+) |
| Cost | Free | Paid (hourly + data) |
| Technology | Routing table | AWS PrivateLink (ENI) |
| High Availability | Built-in | Requires ENI per AZ |
| Security Group | Not supported | Supported |
| On-premises Access | Not possible | Possible |
| VPC Peering Access | Not possible | Possible |
| Private DNS | Not supported | Supported |
Cost Comparison (Seoul Region)
| Item | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Creation/Usage | $0 | ~$0.013/hour/AZ |
| Data Processing | $0 | ~$0.01/GB |
| Monthly Cost (2 AZs) | $0 | ~$19 + data costs |
Exam Tip
Cost Optimization: Use Gateway Endpoint (free) as default for S3/DynamoDB access. AWS recommends creating one in every VPC.
Gateway Endpoint: Exclusive to S3/DynamoDB
How It Works
Gateway Endpoint adds routes to the routing table to direct traffic to AWS services.
Routing Table (After Gateway Endpoint Creation):
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| pl-63a5400a (S3) | vpce-xxxxx (Gateway) |
| 0.0.0.0/0 | igw-xxxxx |
pl-xxxxx is a Prefix List ID representing the public IP ranges of the AWS service; because the prefix-list route is more specific than 0.0.0.0/0, S3 traffic is sent to the endpoint instead of the Internet Gateway.
Features
- Supported Services: Amazon S3, Amazon DynamoDB
- Cost: Completely free
- High Availability: Automatically available across all AZs in the region
- Routing: Automatically added, cannot be modified or deleted
- Security: Access control via VPC Endpoint policy
Changes When Creating Gateway Endpoint
1. Prefix List route automatically added to routing table
2. Traffic to S3/DynamoDB routes through VPC Endpoint
3. No Internet Gateway/NAT required
VPC Endpoint Policy Example
Allow access to specific S3 bucket only:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```
Interface Endpoint: AWS PrivateLink Based
How It Works
Interface Endpoint creates an ENI (Elastic Network Interface) in your subnet to access AWS services via private IP.
Interface Endpoint Structure:
```text
VPC (10.0.0.0/16)
├── AZ-a (10.0.1.0/24)
│   └── ENI: 10.0.1.50 → CloudWatch
├── AZ-b (10.0.2.0/24)
│   └── ENI: 10.0.2.50 → CloudWatch
└── Private DNS: monitoring.us-east-1.amazonaws.com → 10.0.1.50 / 10.0.2.50
```
Features
- Supported Services: API Gateway, CloudWatch, SQS, SNS, Kinesis, EC2 API, and 200+ more
- Cost: Hourly charge + data processing charge
- High Availability: Manual configuration required (create ENI in each AZ)
- Security: Control traffic with Security Groups
- Private DNS: Resolves existing endpoint URLs to private IPs
Benefits of Private DNS
With Private DNS enabled, you can use private connectivity without modifying application code.
Private DNS Disabled:
- Use VPC Endpoint DNS name directly in application
- vpce-xxxxx.monitoring.us-east-2.vpce.amazonaws.com
Private DNS Enabled (Recommended):
- Use existing service DNS name as-is
- monitoring.us-east-2.amazonaws.com → Resolves to private IP
Interface Endpoint Security Group
Attach a Security Group to the Interface Endpoint's ENI to control traffic.
Inbound Rules:
| Type | Protocol | Port | Source |
|---|---|---|---|
| HTTPS | TCP | 443 | 10.0.0.0/16 (VPC CIDR) |
S3: Gateway vs Interface Selection Criteria
S3 supports both endpoint types. Choose based on your situation.
| Scenario | Recommended Endpoint | Reason |
|---|---|---|
| General S3 access | Gateway | Free, built-in HA |
| S3 access from on-premises | Interface | Gateway doesn't support VPC external access |
| S3 access via VPC peering | Interface | Gateway doesn't work across peered VPCs |
| S3 access via Transit Gateway | Interface | Gateway doesn't work through TGW |
| Cost optimization | Gateway | Free |
Exam Tip
Exam Pattern: "Access S3 privately from on-premises via Direct Connect?" → Interface Endpoint (Gateway cannot access from outside VPC)
Using VPC Endpoints from On-Premises
Interface Endpoint is accessible from on-premises via Direct Connect or VPN.
On-premises → Direct Connect → VPC → Interface Endpoint → AWS Service
Required Configuration:
1. Route 53 Resolver Inbound Endpoint
2. On-premises DNS forwards queries to VPC Resolver
3. Private DNS enabled
Gateway Endpoint is only usable within the VPC and is not suitable for on-premises access.
VPC Endpoint Usage Scenarios
Scenario 1: S3 Access from Private Subnet
Problem: EC2 in private subnet needs S3 access
NAT Gateway incurs data transfer costs
Solution: Create S3 Gateway Endpoint
- Cost: Free
- Security: Traffic stays within AWS network
- Performance: No NAT bottleneck
Scenario 2: Lambda Accessing DynamoDB
Problem: VPC Lambda needs DynamoDB access
Want to access without internet path
Solution: Create DynamoDB Gateway Endpoint
Associate with Lambda subnet's routing table
Scenario 3: CloudWatch Logs from Private Subnet
Problem: EC2 in private subnet sending logs to CloudWatch Logs
Want to send logs without internet
Solution: Create CloudWatch Logs Interface Endpoint
- com.amazonaws.{region}.logs
- Enable Private DNS for no code changes
Scenario 4: S3 Private Access from On-Premises
Problem: On-premises server accessing S3 via Direct Connect
Want to access without traversing internet
Solution: Create S3 Interface Endpoint
- Gateway Endpoint cannot be accessed from outside VPC
- Use Route 53 Resolver for DNS resolution
SAA-C03 Exam Focus Points
- ✅ Gateway vs Interface: Gateway = S3/DynamoDB + Free, Interface = PrivateLink + Paid
- ✅ Gateway Endpoint Limitation: Only usable within VPC (no peering/on-premises access)
- ✅ Cost Optimization: Use Gateway Endpoint for S3/DynamoDB to save NAT costs
- ✅ On-premises Access: Requires Interface Endpoint + Route 53 Resolver
- ✅ High Availability: Gateway = Built-in, Interface = ENI per AZ needed
Exam Tip
Sample Exam Question: "EC2 in a private subnet needs to access S3. How do you configure it cost-effectively without NAT Gateway?" → Answer: S3 Gateway Endpoint (Free, no NAT required)
Frequently Asked Questions
Q: Can I use both Gateway and Interface Endpoints simultaneously?
Yes. S3 and DynamoDB support both types. You can use Gateway Endpoint for VPC internal traffic and Interface Endpoint for on-premises traffic.
Q: Why doesn't Gateway Endpoint work with VPC peering?
Gateway Endpoint operates via routing table. Prefix List routes are only added to that VPC's routing table and don't propagate to peered VPCs. Use Interface Endpoint for peering access.
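The following added example (not code from the original page) models the routing-table behaviour described in the Gateway Endpoint section and in this answer: a longest-prefix-match lookup over the VPC's route table, with the S3 prefix list expanded into CIDRs, shows S3-bound packets taking the vpce route while everything else falls through to the Internet Gateway, and shows that a peered VPC's table, which never receives the prefix-list route, sends the same S3 packet to its own Internet Gateway. The prefix-list CIDRs are constructed sample ranges, not AWS-published ones, and the vpce/igw/pcx ids are placeholders.

```python
# Added example: simulate how a Gateway Endpoint route steers S3 traffic.
# The CIDRs under pl-63a5400a are CONSTRUCTED sample ranges, not the real
# AWS-published S3 ranges; ids such as vpce-xxxxx are placeholders.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR or prefix-list id (pl-...)
    target: str       # local / vpce-... / igw-... / pcx-...


# Constructed stand-in for the prefix list's contents.
PREFIX_LISTS = {
    "pl-63a5400a": ["52.216.0.0/15", "54.231.0.0/16"],
}


def expand_routes(routes):
    """Expand prefix-list destinations into concrete (network, target) pairs."""
    expanded = []
    for r in routes:
        if r.destination.startswith("pl-"):
            for cidr in PREFIX_LISTS[r.destination]:
                expanded.append((ipaddress.ip_network(cidr), r.target))
        else:
            expanded.append((ipaddress.ip_network(r.destination), r.target))
    return expanded


def lookup(routes, dst_ip):
    """Longest-prefix match, the rule a VPC route table applies."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(routes):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Route table of the VPC that owns the endpoint (mirrors the table on the page).
VPC_A_ROUTES = [
    Route("10.0.0.0/16", "local"),
    Route("pl-63a5400a", "vpce-xxxxx"),
    Route("0.0.0.0/0", "igw-xxxxx"),
]

# Peered VPC: reaches VPC A over the peering connection, but the prefix-list
# route is not propagated to it, so S3 traffic still uses its own IGW.
VPC_B_ROUTES = [
    Route("10.1.0.0/16", "local"),
    Route("10.0.0.0/16", "pcx-xxxxx"),
    Route("0.0.0.0/0", "igw-yyyyy"),
]

if __name__ == "__main__":
    for ip in ("52.216.10.5", "10.0.3.7", "93.184.216.34"):
        print(f"VPC A: {ip} -> {lookup(VPC_A_ROUTES, ip)}")
    print(f"VPC B (peer): 52.216.10.5 -> {lookup(VPC_B_ROUTES, '52.216.10.5')}")
```

The lookup for 52.216.10.5 resolves to the endpoint only in VPC A; in the peered VPC the same destination matches nothing more specific than 0.0.0.0/0, which is exactly why peered traffic needs an Interface Endpoint instead.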
Q: How can I reduce Interface Endpoint costs?
- Create ENIs only in the AZs that need them: an Interface Endpoint does not have to span every AZ, and each ENI is billed hourly
- Analyze usage: Create endpoints only for actually needed services
- Leverage Gateway Endpoints: Use free Gateway for S3/DynamoDB
Q: What's the benefit of enabling Private DNS?
You can use VPC Endpoint without modifying existing application code. Existing URLs like sqs.ap-northeast-2.amazonaws.com automatically resolve to private IPs.
Q: What's the relationship between VPC Endpoint policy and IAM policy?
Both must be satisfied for access to be allowed. Even if allowed by VPC Endpoint policy, access is denied if IAM policy denies it. Conversely, even if IAM allows it, access is blocked if Endpoint policy denies it.
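To make the "both must be satisfied" rule concrete, here is an added example (not code from the original page) with a small policy evaluator. The endpoint policy mirrors the one shown earlier on the page; the IAM policy is a constructed sample that allows reads across S3 but explicitly denies a `secret/` prefix. A request through the endpoint is allowed only when both evaluations return allow; an explicit deny, or a missing allow, on either side blocks it.

```python
# Added example: toy evaluator for VPC Endpoint policy + IAM policy.
# Both policies are constructed samples (the endpoint policy mirrors the
# page's example). Only Action/Resource/Effect are modelled; conditions,
# NotAction and principal matching are out of scope for this illustration.
from fnmatch import fnmatchcase

ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    ],
}

IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/secret/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Decision for a single policy: explicit deny > allow > implicit deny."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def decisions(action, resource, endpoint_policy=ENDPOINT_POLICY, iam_policy=IAM_POLICY):
    """Return both per-policy decisions so the blocking side is visible."""
    return {
        "endpoint": evaluate(endpoint_policy, action, resource),
        "iam": evaluate(iam_policy, action, resource),
    }


def endpoint_access(action, resource, endpoint_policy=ENDPOINT_POLICY, iam_policy=IAM_POLICY):
    """Allowed only when BOTH the endpoint policy and the IAM policy allow."""
    d = decisions(action, resource, endpoint_policy, iam_policy)
    return d["endpoint"] == "allow" and d["iam"] == "allow"


if __name__ == "__main__":
    cases = [
        ("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv"),   # both allow
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),  # endpoint blocks
        ("s3:GetObject", "arn:aws:s3:::my-bucket/secret/key"),     # IAM denies
        ("s3:PutObject", "arn:aws:s3:::my-bucket/upload.bin"),     # IAM lacks allow
    ]
    for action, resource in cases:
        print(action, resource, decisions(action, resource), "->", endpoint_access(action, resource))
```

Returning both per-policy decisions is deliberate: when a request through an endpoint fails with AccessDenied, knowing which of the two policies produced the deny is the first troubleshooting step.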
Q: Which AWS services support Interface Endpoint?
200+ AWS services are supported. Major services include:
- API Gateway, CloudWatch, CloudWatch Logs
- EC2, ECS, EKS, Lambda
- SQS, SNS, Kinesis, EventBridge
- Secrets Manager, Systems Manager
- S3 (also supports Interface), DynamoDB (also supports Interface)