Pablo Rodriguez

Connecting Managed Services

When you deploy a workload on an EC2 instance in a private subnet and it needs to reach a managed AWS service such as Amazon S3, there is no direct path from the instance to the service: S3 runs outside your VPC, and a private subnet has no route to the internet.

Amazon S3 buckets can be reached from VPC resources through the public Regional S3 endpoint (from a private subnet, by way of a NAT gateway), but this approach:

  • Routes requests out of the VPC and over the public internet
  • Incurs NAT gateway and data transfer costs
  • Widens the attack surface, because the workload now has a general internet path rather than a path to one service

A more direct and secure solution is to use VPC endpoints, which provide private connectivity between a VPC and managed AWS services without leaving the AWS network. There are two types:

  1. Interface VPC Endpoints (powered by AWS PrivateLink)
  2. Gateway VPC Endpoints (direct route table integration)

Interface VPC endpoints use AWS PrivateLink to connect your VPC privately to AWS managed services, so that the service behaves as if it were inside your VPC.

  • Private Connectivity: The service is reached at a private IP address inside your VPC
  • Elastic Network Interface: AWS creates an ENI, with a private IP address, in each subnet you select for the endpoint
  • AWS PrivateLink: Designed to solve connectivity between VPCs and managed AWS services (and services you publish yourself)
  • IAM Integration: An endpoint policy (an IAM resource policy attached to the endpoint) controls which principals can use it and which resources they can reach through it

An elastic network interface is a logical networking component in a VPC representing a virtual network card. For interface VPC endpoints the ENI is:

  • Created in every subnet you specify for the endpoint
  • Assigned a private IP address from that subnet's address range
  • The entry point for traffic destined to the service; security groups on the ENI control which VPC resources can reach it

Interface endpoints are billed on two dimensions:

  • Hourly endpoint usage: Charged for each hour the endpoint exists, per AZ it is provisioned in
  • Data processing: Charged per GB of data processed through the endpoint
Creating an interface endpoint takes four steps:

  1. Specify Service: Choose the AWS service, endpoint service, or AWS Marketplace service to connect to

  2. Choose VPC: Select the VPC in which to create the interface endpoint

  3. Select Subnets: Choose the subnets that will host the endpoint

    • Specify subnets in multiple AZs for resilience; an ENI with a private IP address is created in each one
    • Each ENI serves as an entry point for traffic to the service
  4. Configure Security Groups: Specify the security groups for the network interfaces

    • Control which VPC resources may send traffic to the ENIs (normally only TCP/443)
    • The VPC's default security group is used if none is specified, which is usually broader than you want
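The four steps above, carried out with boto3 and with the two settings a practitioner should not leave at their defaults: a security group that admits only HTTPS from the VPC, and an endpoint policy that replaces the default "full access to any principal" policy. This is an added example, not code from the page; the Region, account ID, VPC, subnet and security group IDs are constructed placeholders, and the Secrets Manager service name is an assumed choice of service. The `apply_interface_endpoint()` function calls the real EC2 API but only runs when you hand it a live client.

```python
"""Interface VPC endpoint with a restrictive security group and endpoint policy."""
import json

# Constructed placeholders; replace with your own identifiers.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
VPC_ID = "vpc-0123456789abcdef0"
VPC_CIDR = "10.0.0.0/16"
SUBNET_IDS = ["subnet-0aaa0000000000001", "subnet-0bbb0000000000002"]  # two AZs
SERVICE = "secretsmanager"  # assumed example service


def endpoint_ingress_rules(vpc_cidr):
    """Security group ingress for the endpoint ENIs: TCP/443 from the VPC only.

    Interface endpoints are reached over HTTPS, so nothing else needs to be
    open; leaving the VPC default security group on the ENIs is a common slip.
    """
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": vpc_cidr, "Description": "HTTPS from VPC"}],
    }]


def endpoint_policy(region, account_id, service=SERVICE):
    """Endpoint policy that only lets principals of our own account reach
    resources in our own account through this endpoint.

    The AWS default endpoint policy is full access for any principal, which
    turns the endpoint into an exfiltration path to attacker-owned resources.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OwnAccountOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": f"{service}:*",
            "Resource": f"arn:aws:{service}:{region}:{account_id}:*",
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def is_full_access_policy(policy):
    """True if an Allow statement grants every action to every principal with
    no Condition, i.e. the shape of the AWS default endpoint policy."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if stmt.get("Principal") == "*" and stmt.get("Action") == "*":
            return True
    return False


def interface_endpoint_request(vpc_id, subnet_ids, sg_id, policy, region, service=SERVICE):
    """Keyword arguments for ec2.create_vpc_endpoint(): steps 1-4 in one call."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,                                      # step 2
        "ServiceName": f"com.amazonaws.{region}.{service}",   # step 1
        "SubnetIds": list(subnet_ids),                        # step 3: one ENI per subnet
        "SecurityGroupIds": [sg_id],                          # step 4
        "PrivateDnsEnabled": True,  # the service's public DNS name resolves to the ENI IPs
        "PolicyDocument": json.dumps(policy),
    }


def apply_interface_endpoint(ec2, request, sg_rules, sg_id):
    """Push the security group rules and create the endpoint with a live client."""
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
    return ec2.create_vpc_endpoint(**request)["VpcEndpoint"]["VpcEndpointId"]


if __name__ == "__main__":
    import boto3  # only needed for the live calls

    ec2 = boto3.client("ec2", region_name=REGION)
    sg_id = ec2.create_security_group(
        GroupName="vpce-" + SERVICE, Description="Interface endpoint ENIs", VpcId=VPC_ID
    )["GroupId"]
    policy = endpoint_policy(REGION, ACCOUNT_ID)
    assert not is_full_access_policy(policy)
    req = interface_endpoint_request(VPC_ID, SUBNET_IDS, sg_id, policy, REGION)
    print(apply_interface_endpoint(ec2, req, endpoint_ingress_rules(VPC_CIDR), sg_id))
```

`PrivateDnsEnabled` is what makes existing SDK clients use the endpoint without code changes; without it, clients keep resolving the public service name and the private path is never taken. The `aws:PrincipalAccount` condition is the minimum hardening for an endpoint policy; tighten `Resource` further once you know which resources the workload actually uses.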

Gateway VPC endpoints connect a VPC directly to Amazon S3 and Amazon DynamoDB through route tables; they do not use AWS PrivateLink. Supported services:

  • Amazon S3
  • Amazon DynamoDB

How they work:

  • Prefix Lists: The route table entry uses the service's prefix list ID (a managed group of the service's CIDR blocks) as the destination
  • Direct Routing: The gateway endpoint is the target of that route, so traffic to the service never leaves the AWS network
  • No ENI Required: Unlike interface endpoints, no network interface or security group is involved; access is controlled with the endpoint policy and the bucket or table policy
  • No Additional Charge: Gateway endpoints are free to use
  • No Throughput Limits: No packet size or bandwidth restrictions
  • Simplified Configuration: Select the route tables and AWS adds the routes
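A gateway endpoint for S3 built the way the bullets above describe (route tables in, no subnets or security groups), together with the two policies that make it a security control rather than just a cheaper path: an endpoint policy that limits the VPC to named buckets, and a bucket policy that rejects anything not arriving through the endpoint (`aws:sourceVpce`). This is an added example, not code from the page; the IDs and bucket names are constructed placeholders. `apply_gateway_endpoint()` uses the real EC2 and S3 APIs and only runs with live clients; `endpoint_route_present()` is the check you would run afterwards against `describe_route_tables` output.

```python
"""Gateway VPC endpoint for Amazon S3 with endpoint and bucket policies."""
import json

# Constructed placeholders; replace with your own identifiers.
REGION = "us-east-1"
VPC_ID = "vpc-0123456789abcdef0"
ROUTE_TABLE_IDS = ["rtb-0aaa0000000000001", "rtb-0bbb0000000000002"]  # private subnets
BUCKETS = ["example-app-data", "example-app-logs"]


def bucket_arns(bucket):
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def s3_endpoint_policy(buckets):
    """Endpoint policy: only the listed buckets are reachable through the endpoint.

    The default policy allows any bucket in any account, which lets a compromised
    instance copy data to a bucket the attacker owns without touching the internet.
    """
    arns = [arn for b in buckets for arn in bucket_arns(b)]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowListedBucketsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": arns,
        }],
    }


def bucket_policy_require_endpoint(bucket, vpce_id):
    """Bucket policy: deny every request that did not arrive via this endpoint.

    The endpoint policy limits where the VPC can go; this limits where the
    bucket accepts traffic from, so stolen credentials used from outside the
    VPC are refused.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": bucket_arns(bucket),
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def gateway_endpoint_request(vpc_id, route_table_ids, region, policy):
    """Keyword arguments for ec2.create_vpc_endpoint(). No subnets or security
    groups: AWS adds a route (S3 prefix list -> endpoint) to each listed table."""
    return {
        "VpcEndpointType": "Gateway",
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.s3",
        "RouteTableIds": list(route_table_ids),
        "PolicyDocument": json.dumps(policy),
    }


def endpoint_route_present(routes, prefix_list_id, vpce_id):
    """Check a route table's Routes list (describe_route_tables format) for the
    entry the endpoint should have added: destination = service prefix list,
    target = the endpoint, state active."""
    return any(
        r.get("DestinationPrefixListId") == prefix_list_id
        and r.get("GatewayId") == vpce_id
        and r.get("State") == "active"
        for r in routes
    )


def apply_gateway_endpoint(ec2, s3, request, buckets):
    """Create the endpoint, lock the buckets to it, and verify the routes.
    Returns the endpoint ID and the route tables that are missing the route."""
    vpce_id = ec2.create_vpc_endpoint(**request)["VpcEndpoint"]["VpcEndpointId"]
    for b in buckets:
        s3.put_bucket_policy(
            Bucket=b, Policy=json.dumps(bucket_policy_require_endpoint(b, vpce_id))
        )
    # The prefix list for the service is named after the service itself.
    pl_id = ec2.describe_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [request["ServiceName"]]}]
    )["PrefixLists"][0]["PrefixListId"]
    tables = ec2.describe_route_tables(RouteTableIds=request["RouteTableIds"])["RouteTables"]
    missing = [t["RouteTableId"] for t in tables
               if not endpoint_route_present(t["Routes"], pl_id, vpce_id)]
    return vpce_id, missing


if __name__ == "__main__":
    import boto3  # only needed for the live calls

    req = gateway_endpoint_request(VPC_ID, ROUTE_TABLE_IDS, REGION, s3_endpoint_policy(BUCKETS))
    print(apply_gateway_endpoint(boto3.client("ec2", region_name=REGION),
                                 boto3.client("s3", region_name=REGION), req, BUCKETS))
```

Caveat before applying the Deny bucket policy: it blocks every access path other than the endpoint, including the console, your CI pipeline and any cross-Region or on-premises client, which is consistent with the gateway endpoint's own limits (VPC only) but will lock legitimate administrators out unless you add an exception (for example a second condition on `aws:PrincipalArn`) for them.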

Interface vs. gateway VPC endpoints for Amazon S3:

                    Interface VPC endpoints                     Gateway VPC endpoints
  Access point      Private IP addresses from VPC subnets       Amazon S3 public IP addresses (traffic stays on the AWS network)
  On-premises       Allows access (over Direct Connect or VPN)  Does not allow access
  Other AWS Region  Allows access (over VPC peering or          Does not allow access
                    Transit Gateway)
  Cost              Billed (hourly plus data processing)        Not billed
  Bandwidth         Up to 10 Gbps per AZ, scales to 100 Gbps    No limit
  Packet size       Maximum 8500 bytes                          No limit

When choosing between interface and gateway VPC endpoints for S3:

  • Security requirements (private IP vs public IP access)
  • On-premises access needs
  • Cross-region access requirements
  • Budget considerations
  • Bandwidth and packet size requirements

Gateway Load Balancer endpoints are a third endpoint type, also built on AWS PrivateLink. They provide private connectivity between a Gateway Load Balancer fronting security appliances (in a security VPC) and the application instances it protects (in other VPCs), so that traffic can be inspected in transit:

  1. Incoming Traffic: All traffic entering the VPC through the internet gateway is routed first to the Gateway Load Balancer endpoint, by a route table associated with the internet gateway
  2. Security Inspection: The endpoint forwards the traffic to the Gateway Load Balancer, which distributes it to the security appliance instances for inspection
  3. Return Path: Inspected traffic returns through the Gateway Load Balancer to the Gateway Load Balancer endpoint
  4. Final Delivery: The Gateway Load Balancer endpoint delivers the traffic to the application instance

Outbound traffic takes the mirror image of this path: the application subnet's default route points at the endpoint, so replies are inspected before they reach the internet gateway. This is ideal for scenarios that require traffic inspection by security appliances while keeping the application and security infrastructure in separate VPCs.
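The route tables that implement the four-step flow above, as an added example that is not code from the page. The three-route-table layout (an edge route table attached to the internet gateway, the application subnet's route table, and the endpoint subnet's route table) is the standard AWS pattern for this design and is assumed here; all IDs and CIDRs are constructed placeholders. `inspection_route_plan()` is the pure plan, `bypass_routes()` is the misconfiguration check a reviewer would run on it, and `apply_route_plan()` calls the real EC2 API (`create_route` with `VpcEndpointId` for the endpoint target, `associate_route_table` with `GatewayId` for the edge association) only when given a live client.

```python
"""Route tables that force inbound and outbound traffic through a
Gateway Load Balancer endpoint before it reaches application instances."""

# Constructed placeholders; replace with your own identifiers.
IGW_ID = "igw-0123456789abcdef0"
GWLBE_ID = "vpce-0fedcba9876543210"   # the Gateway Load Balancer endpoint
APP_SUBNET_CIDR = "10.0.1.0/24"
EDGE_RTB = "rtb-0edge000000000001"    # associated with the internet gateway
APP_RTB = "rtb-0app0000000000002"     # application subnet
GWLBE_RTB = "rtb-0vpce000000000003"   # subnet that hosts the endpoint


def inspection_route_plan(app_subnet_cidr, gwlbe_id, igw_id,
                          edge_rtb=EDGE_RTB, app_rtb=APP_RTB, gwlbe_rtb=GWLBE_RTB):
    """Return the routes, per route table, as (destination CIDR, target) pairs.

    Step 1 is the edge table: the internet gateway sends anything bound for
    the app subnet to the endpoint instead of straight to the instance.
    Steps 2-4 happen inside the endpoint and load balancer. The app table's
    default route points back at the endpoint so replies are inspected too,
    and only the endpoint subnet has a direct route to the internet gateway.
    """
    return {
        edge_rtb: [(app_subnet_cidr, gwlbe_id)],   # ingress: app subnet via GWLBe
        app_rtb: [("0.0.0.0/0", gwlbe_id)],        # egress: everything via GWLBe
        gwlbe_rtb: [("0.0.0.0/0", igw_id)],        # endpoint subnet: out via IGW
    }


def bypass_routes(plan, app_rtb, igw_id):
    """Misconfiguration check: any route in the application route table that
    targets the internet gateway directly lets traffic skip inspection."""
    return [(dst, tgt) for dst, tgt in plan.get(app_rtb, []) if tgt == igw_id]


def apply_route_plan(ec2, plan, igw_id, edge_rtb=EDGE_RTB):
    """Create the routes and attach the edge route table to the internet gateway."""
    for rtb, routes in plan.items():
        for dst, tgt in routes:
            kwargs = {"RouteTableId": rtb, "DestinationCidrBlock": dst}
            if tgt.startswith("vpce-"):
                kwargs["VpcEndpointId"] = tgt   # Gateway Load Balancer endpoint target
            else:
                kwargs["GatewayId"] = tgt       # internet gateway target
            ec2.create_route(**kwargs)
    # Edge association: the internet gateway consults this table for traffic
    # entering the VPC, which is what makes step 1 happen.
    ec2.associate_route_table(RouteTableId=edge_rtb, GatewayId=igw_id)


if __name__ == "__main__":
    import boto3  # only needed for the live calls

    plan = inspection_route_plan(APP_SUBNET_CIDR, GWLBE_ID, IGW_ID)
    assert not bypass_routes(plan, APP_RTB, IGW_ID)
    apply_route_plan(boto3.client("ec2"), plan, IGW_ID)
```

The check in `bypass_routes()` is worth automating: the most common way this design silently fails is someone adding a `0.0.0.0/0 -> igw` route to the application subnet "to fix connectivity", which restores internet access by routing around the appliances.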

Interface VPC endpoints are best for:

  • Most AWS services beyond S3/DynamoDB
  • On-premises access requirements
  • Cross-region connectivity needs
  • Private IP address requirements

Consider before choosing them:

  • Hourly costs and data processing charges, multiplied by the number of AZs and services
  • Bandwidth limitations (10 Gbps per AZ, scaling to 100 Gbps)
  • Packet size restrictions (8500 bytes max)
  • The default endpoint policy allows full access; restrict it

VPC endpoints provide secure, private connectivity to managed AWS services without internet routing: interface endpoints offer broad service support and reach beyond the VPC, gateway endpoints provide free access to S3 and DynamoDB from within the VPC, and Gateway Load Balancer endpoints extend the same model to in-line traffic inspection. In every case the endpoint policy, not just the private path, is what turns the endpoint into a security boundary.