AWS Gateway Endpoints are a feature of Amazon Web Services (AWS) that allows you to create a secure and private connection between your Amazon Virtual Private Cloud (VPC) and AWS services, without requiring the traffic to traverse the public internet.
We’re going to go over everything you need to know about AWS Gateway Endpoints in this blog.
- Overview
- Types of AWS VPC Endpoints
- How do Gateway Endpoints contribute?
- Benefits
- Limitations
- Routing in Gateway Endpoint
- Gateway Endpoint vs Interface Endpoint
- FAQs
AWS Gateway Endpoints Overview:
You can access AWS services such as Amazon S3 and Amazon DynamoDB from within your VPC without sending the traffic to the internet. This is both more secure and more efficient, and it avoids NAT gateway data processing charges. Gateway Endpoints are one of several types of AWS VPC Endpoint; Interface Endpoints are the other type you will usually choose between, and each has different features and benefits depending on your use case. Overall, Gateway Endpoints are an important tool for keeping your network traffic private and simplifying your infrastructure.
Gateway endpoints offer a dependable means of connecting to Amazon S3 and DynamoDB without an internet gateway or NAT device in your VPC. However, it’s worth noting that Gateway endpoints do not use AWS PrivateLink, which is why they can only be used by resources inside the VPC they are attached to.
There are three types of AWS VPC Endpoints:
- Gateway Load Balancer endpoint: This intercepts traffic and redirects it to a network or security service that has been configured with a Gateway Load Balancer. This allows for the deployment, scaling, and management of virtual appliances, including firewalls, intrusion detection and prevention systems, and deep packet inspection systems.
- Interface Endpoints: This type of endpoint is used to reach the API endpoints of AWS services (and PrivateLink-enabled third-party services) from inside your VPC. Interface Endpoints are powered by AWS PrivateLink: an elastic network interface (ENI) with a private IP address is created in your subnet, and traffic to the service stays on the AWS network without requiring internet access. This type of endpoint is commonly used for services such as the Amazon EC2 API, AWS Systems Manager, and Amazon CloudWatch.
- Gateway Endpoints: Gateway Endpoints are used to reach Amazon S3 and DynamoDB, which would otherwise be accessed through their public service endpoints. This type of endpoint provides a more secure and efficient way to access these services, as traffic doesn’t need to traverse the public internet. Gateway Endpoints are attached to route tables in your VPC rather than to subnets, so one endpoint can serve every subnet whose route table it is associated with.
How do Gateway Endpoints contribute?
1. Without Gateway endpoint (using Internet Gateway)
This diagram shows how instances access Amazon S3 and DynamoDB through their public service endpoints. Instances in a public subnet can send traffic to Amazon S3 or DynamoDB directly, as it is routed to the internet gateway for the VPC and then to the service. Instances in a private subnet cannot, because private subnets have no route to an internet gateway. To enable traffic from private subnets to reach Amazon S3 or DynamoDB, a NAT device must be added to the public subnet, and the private subnet’s default route must point at that NAT device. It is important to note that while this traffic still passes through the NAT device and the internet gateway (and is billed as NAT data processing), it does not leave the AWS network.
2. With Gateway endpoint
This diagram illustrates how instances access Amazon S3 and DynamoDB by using a gateway endpoint. Traffic from your VPC to these services is directed to the gateway endpoint instead of the internet gateway or NAT device. To make that happen, each subnet’s route table must contain a route whose destination is the service’s prefix list and whose target is the gateway endpoint; because the prefix list is more specific than 0.0.0.0/0, it wins over the default route. A subnet whose route table lacks this route will silently keep sending S3 or DynamoDB traffic through the NAT device.
Benefits:
- Enhanced security: Gateway Endpoints let instances reach Amazon S3 and DynamoDB without a path to the public internet, and endpoint policies let you restrict which buckets or tables can be reached through the endpoint.
- Reduced data transfer costs: Gateway Endpoints keep traffic between your VPC and the service on the AWS network and are free of charge, so you avoid NAT gateway data processing fees for S3 and DynamoDB traffic.
- Simplified network architecture: Private subnets no longer need a NAT device or internet gateway just to reach S3 and DynamoDB, which reduces the number of components in your VPC.
- Improved reliability: Traffic does not pass through an intermediate device, so there is no NAT bottleneck; the endpoint itself imposes no throughput limit.
- Easy setup process: Gateway Endpoints can be created with a few clicks in the AWS Management Console or with a single AWS CLI command that also installs the routes in the route tables you select.
Limitations:
- Limited service support: Gateway Endpoints are only available for Amazon S3 and DynamoDB. Other AWS services are not supported by Gateway Endpoints.
- Other services need Interface Endpoints: Services such as Amazon SNS and Amazon SQS are reached over HTTPS like any other API, but they are not Gateway Endpoint targets; use an Interface Endpoint (AWS PrivateLink) for them. Gateway endpoints were also designed for IPv4 traffic; check the current AWS documentation for IPv6 support.
- VPC-only access: A Gateway Endpoint can only be used by resources inside the VPC it is attached to. Traffic arriving from a peered VPC, a Transit Gateway, or on-premises over AWS VPN or Direct Connect cannot be routed through it; you need a proxy fleet in the VPC or an Interface Endpoint instead.
- Same-Region only: A Gateway Endpoint reaches S3 and DynamoDB in its own Region. Traffic to a bucket in another Region still leaves via the internet gateway or NAT device and incurs the corresponding data transfer charges.
- Limits on endpoint creation: AWS applies a quota on the number of Gateway Endpoints per VPC per Region, and one should consult the Amazon VPC quotas page for the most up-to-date figures.
Routing in Gateway Endpoint:
When you create a gateway endpoint you choose the VPC route tables that should use it. Each route table you choose automatically receives a new route: the destination is the Amazon-managed prefix list for the service, and the target is the gateway endpoint.
Because the route is installed in the route table rather than in a subnet, a single gateway endpoint can serve every subnet that uses one of the selected route tables. The added route has a target containing the endpoint ID (vpce-xxxxxxxxxxxxxxxxx) and a destination containing the service’s prefix list ID (pl-xxxxxxxx). The endpoint route cannot be deleted or changed directly; however, you can change which route tables the endpoint is associated with, and the route is removed from tables you detach.
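The two diagrams above and the routing rules just described come down to one question per route table: is there an active route from the service’s prefix list to a vpce- target, and if not, where does the 0.0.0.0/0 route send the traffic? The following audit script is an added example (not code from the original post or from AWS). It takes the JSON shape returned by `aws ec2 describe-route-tables` and classifies each route table the way the VPC router would. The route table, NAT gateway and endpoint IDs are constructed placeholders; the S3 prefix list ID is only an example value, so look yours up with `aws ec2 describe-prefix-lists`.

```python
"""Audit which path S3 traffic takes from each route table in a VPC.

Added example, not AWS code. Input is the JSON that
`aws ec2 describe-route-tables` returns (RouteTables[].Routes[]).
"""
from typing import Dict, List

# Constructed sample: three route tables in one VPC. All IDs are made up.
SAMPLE_DESCRIBE_ROUTE_TABLES = {
    "RouteTables": [
        {   # private subnet, endpoint route present: S3 stays on the AWS backbone
            "RouteTableId": "rtb-0aaa000000000001",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb000000000001", "State": "active"},
                {"DestinationPrefixListId": "pl-63a5400a", "GatewayId": "vpce-0ccc000000000001", "State": "active"},
            ],
        },
        {   # private subnet, endpoint route missing: S3 traffic silently uses the NAT gateway
            "RouteTableId": "rtb-0aaa000000000002",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb000000000001", "State": "active"},
            ],
        },
        {   # isolated subnet: no default route and no endpoint, S3 is unreachable
            "RouteTableId": "rtb-0aaa000000000003",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
    ]
}

# Example prefix list ID (assumption); the real value differs per Region.
S3_PREFIX_LIST_ID = "pl-63a5400a"


def s3_path_for_route_table(route_table: dict, prefix_list_id: str) -> str:
    """Return how S3-bound packets leave this route table.

    The prefix-list route is more specific than 0.0.0.0/0, so whenever it
    exists and is active it wins. Only if it is absent does the default
    route's target decide the path, which is what the VPC router does.
    """
    routes = [r for r in route_table.get("Routes", []) if r.get("State") == "active"]
    for r in routes:
        if (r.get("DestinationPrefixListId") == prefix_list_id
                and str(r.get("GatewayId", "")).startswith("vpce-")):
            return "gateway-endpoint"
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("NatGatewayId"):
                return "nat-gateway"
            if str(r.get("GatewayId", "")).startswith("igw-"):
                return "internet-gateway"
    return "unreachable"


def audit_s3_paths(describe_output: dict, prefix_list_id: str) -> Dict[str, str]:
    """Map every route table ID in the describe output to its S3 path."""
    return {rt["RouteTableId"]: s3_path_for_route_table(rt, prefix_list_id)
            for rt in describe_output.get("RouteTables", [])}


def route_tables_missing_endpoint(describe_output: dict, prefix_list_id: str) -> List[str]:
    """Route tables whose S3 traffic would go through a NAT device or the internet gateway."""
    return [rt_id for rt_id, path in audit_s3_paths(describe_output, prefix_list_id).items()
            if path in ("nat-gateway", "internet-gateway")]


if __name__ == "__main__":
    for rt_id, path in audit_s3_paths(SAMPLE_DESCRIBE_ROUTE_TABLES, S3_PREFIX_LIST_ID).items():
        print(f"{rt_id}: {path}")
    print("needs endpoint route:",
          route_tables_missing_endpoint(SAMPLE_DESCRIBE_ROUTE_TABLES, S3_PREFIX_LIST_ID))
```

Against a real account, feed it `json.load()` of the CLI output for one VPC; any table reported as `nat-gateway` is a subnet that is paying NAT data processing for S3 traffic and should be added to the endpoint’s route table list with `aws ec2 modify-vpc-endpoint --add-route-table-ids`.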
Gateway Endpoint vs Interface Endpoint
| Parameter | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Function | Gateway endpoints are route table entries that send traffic from the originating subnet directly to the service. | Interface endpoints are powered by AWS PrivateLink, which places an ENI in your subnet and creates a private network path between your VPC and the service. |
| Supported services | If the AWS service is DynamoDB or S3, use a Gateway Endpoint. | For all other services (and for S3 when clients sit outside the VPC) use an Interface Endpoint. |
| Cost | Gateway endpoints for S3 and DynamoDB have no hourly or data processing charge; routing is managed through route tables. | Interface endpoints are billed per AZ per hour (about $0.01 in most Regions) plus a per-GB data processing charge; see AWS PrivateLink pricing. |
| Access pattern | Access through a gateway endpoint is only possible for resources inside the VPC the endpoint is associated with. | When access comes from outside the VPC (on-premises over VPN or Direct Connect, peered VPCs, Transit Gateway), an interface endpoint gives private access to the service. |
| Bandwidth | Traffic does not flow through an intermediate device or instance, so there is no throughput limit on the gateway endpoint itself. | Interface endpoints offer a throughput of 10 Gbps per ENI with a burst capability of 40 Gbps. |
| Example | A gateway endpoint cannot be reached transitively, so to serve on-premises or peered-VPC clients through one you would have to run a fleet of proxies inside the VPC. | Use an interface endpoint when S3 buckets must be reached securely from on-premises or from across Regions. |
Frequently Asked Questions:
Q1. How does an AWS Gateway Endpoint differ from a VPC Endpoint?
Ans: A VPC endpoint connects your VPC to an AWS service privately, without a NAT device or internet gateway. Both the Interface Endpoint and the Gateway Endpoint are forms of VPC Endpoint. The former is an ENI inside a subnet, protected by a security group; the latter is a route table target inside the VPC, governed by an endpoint policy.
Q2. Can I use a Gateway Endpoint to access AWS services from outside of my VPC?
Ans: No. A gateway endpoint can only be used by resources inside the VPC in which it is created; traffic from a peered VPC, a Transit Gateway, or on-premises over VPN or Direct Connect cannot be routed through it. It is achievable by running proxies inside the VPC that forward to S3 or DynamoDB on behalf of external clients, or you can use an interface endpoint instead.
Q3. How does AWS ensure security when using Gateway Endpoints?
Ans: Security is enforced with IAM-style resource policies at both ends. A VPC endpoint policy is attached to the gateway endpoint and limits which principals, actions and resources (for example, specific buckets or tables) can be reached through it. The resource itself can in turn restrict access to that endpoint: an S3 bucket policy can deny every request whose aws:SourceVpce condition key does not match your endpoint ID, so the bucket is only reachable from inside the VPC. Together these give granular access control over a path that never touches the public internet.
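The pairing described in the answer above, an endpoint policy on the gateway endpoint plus a bucket policy keyed on aws:SourceVpce, is shown below as an added example that is not part of the original post and not AWS-provided code. The bucket name, account ID and endpoint ID are made-up placeholders, and deny_applies is a deliberately small evaluator that models only the StringNotEquals operator used here, not the full IAM evaluation logic.

```python
"""Two policies that together pin an S3 bucket to one gateway endpoint.

Added example, not AWS code. All identifiers below are placeholders.
"""

ENDPOINT_ID = "vpce-0ccc000000000001"  # placeholder endpoint ID
BUCKET = "example-app-data"            # placeholder bucket name
ACCOUNT_ID = "111122223333"            # placeholder AWS account ID


def endpoint_policy(bucket: str, account_id: str) -> dict:
    """Endpoint policy: only principals from our account, only the named bucket.

    The default endpoint policy allows * on *, which lets a compromised
    instance push data to any bucket in any account through the endpoint.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyOurBucketFromOurAccount",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def bucket_policy(bucket: str, endpoint_id: str) -> dict:
    """Bucket policy: deny any request that did not arrive via the endpoint.

    An explicit Deny wins over every Allow, so even a principal with s3:*
    in IAM cannot read the bucket from the internet or through a NAT gateway.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaGatewayEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": endpoint_id}},
        }],
    }


def deny_applies(policy: dict, request_context: dict) -> bool:
    """Minimal evaluator for the Deny statement above (hypothetical helper).

    Mirrors the IAM rule for negated operators: if the condition key is
    absent from the request context (a request from the internet or via a
    NAT gateway carries no aws:SourceVpce), StringNotEquals is true and
    the Deny applies.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
            if request_context.get(key) != expected:
                return True
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(endpoint_policy(BUCKET, ACCOUNT_ID), indent=2))
    print(json.dumps(bucket_policy(BUCKET, ENDPOINT_ID), indent=2))
    for ctx in ({"aws:SourceVpce": ENDPOINT_ID}, {"aws:SourceVpce": "vpce-0ddd000000000009"}, {}):
        print(ctx, "->", "DENY" if deny_applies(bucket_policy(BUCKET, ENDPOINT_ID), ctx) else "allowed by this statement")
```

Two caveats before applying this to a real bucket. The Deny statement also blocks you in the console, CloudFormation and any AWS service that writes to the bucket from outside the VPC, so test it on a non-production bucket first. And a tightened endpoint policy blocks every other bucket reached through the endpoint, including the Amazon-owned buckets that host OS package repositories for Amazon Linux, so add those bucket ARNs to the endpoint policy if instances in the VPC run `yum` or `dnf` updates through the endpoint.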
Q4. What best practices should I follow when using AWS Gateway Endpoints?
Ans: Choose the endpoint type based on your VPC architecture, access pattern and cost: a gateway endpoint for S3 and DynamoDB traffic that originates inside the VPC, an interface endpoint when clients are on-premises or in other VPCs. Then associate the gateway endpoint with the route tables of every private subnet (an unassociated subnet quietly keeps using the NAT device), replace the default allow-all endpoint policy with one scoped to the buckets or tables you actually use, and add an aws:SourceVpce condition to the bucket policies of sensitive buckets so they can only be reached through the endpoint.