VPC Endpoints

  • A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
  • Endpoints are virtual devices that are horizontally scaled, redundant, and highly available VPC components.
  • They allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.
  • VPC endpoints enable you to reduce data transfer charges resulting from network communication between private VPC resources (such as EC2 instances) and AWS services.

Use Cases

| Use Case | Description |
| --- | --- |
| Microservice architecture | Interface endpoints (PrivateLink) are a great way to increase the isolation and security of a microservices architecture.<br>- A microservice, for example, could be deployed in a totally separate VPC, fronted by a load balancer, and exposed to other microservices through an interface endpoint.<br>- With this setup, the network traffic to and from the microservice never traverses the public internet. |
| Regulatory compliance | One use case for such isolation is regulatory compliance for services handling sensitive data, such as PCI, HIPAA and EU/US Privacy Shield. |
| Connect from a private subnet to DynamoDB or S3 | Using a VPC gateway endpoint allows EC2 instances to reach Amazon S3 without using the public internet.<br>- Each subnet route table must have a route that sends traffic destined for the service to the gateway endpoint, using the prefix list for the service. |

Endpoint policy

  • An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies).
  • It is a separate policy for controlling access from the endpoint to the specified service.
  • For ease of management, it is a best practice to manage permissions using the endpoint policy and then set the S3 bucket to only accept connections from the appropriate access point.
  • In this case, AWS applies the more restrictive endpoint policy.
  • You then only have to manage and maintain the policies for the endpoint.
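To make the "more restrictive policy applies" rule concrete, here is an added example (not part of the original notes) that pairs a hypothetical endpoint policy with a hypothetical bucket policy keyed on the `aws:SourceVpce` condition, and evaluates sample requests against both. The endpoint ID and bucket name are placeholders, and only a small subset of IAM semantics (Allow statements, wildcard matching, `StringEquals` conditions) is modelled.

```python
"""Added example: simulate how a VPC endpoint policy and an S3 bucket policy
combine for a request that arrives through a gateway endpoint.

Both policies are hypothetical. The endpoint ID and bucket name are
placeholders. Real IAM evaluation also considers identity policies,
explicit Deny statements and many more condition operators; none of that is
modelled here, only the intersection of two Allow-only policies.
"""
import fnmatch

# Placeholder identifiers (constructed, not real resources).
ENDPOINT_ID = "vpce-0123456789abcdef0"
BUCKET = "example-private-bucket"

# Endpoint policy attached to the S3 gateway endpoint:
# only this bucket, only object read/write actions.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Bucket policy: accept requests only when they arrive via the endpoint.
# aws:SourceVpce is the condition key S3 exposes for this purpose.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": ENDPOINT_ID}},
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource, context):
    """True if one Allow statement matches action, resource and conditions."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Only StringEquals is modelled; every listed key must match the request context.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def policy_allows(policy, action, resource, context):
    """A policy allows the request if any of its statements allows it."""
    return any(statement_allows(s, action, resource, context)
               for s in policy["Statement"])


def request_allowed(action, resource, context):
    """A request through the endpoint must satisfy BOTH policies; whichever
    is more restrictive decides the outcome."""
    return (policy_allows(ENDPOINT_POLICY, action, resource, context)
            and policy_allows(BUCKET_POLICY, action, resource, context))


if __name__ == "__main__":
    key_arn = f"arn:aws:s3:::{BUCKET}/reports/q1.csv"
    via_endpoint = {"aws:SourceVpce": ENDPOINT_ID}
    print("GetObject via endpoint:", request_allowed("s3:GetObject", key_arn, via_endpoint))
    print("DeleteObject via endpoint:", request_allowed("s3:DeleteObject", key_arn, via_endpoint))
    print("GetObject from the internet:", request_allowed("s3:GetObject", key_arn, {}))
```

The bucket policy alone would allow `s3:DeleteObject`, and the endpoint policy alone would allow a request from anywhere; the request only succeeds when both agree, which is why narrowing the endpoint policy and pinning the bucket to the endpoint together give the least-privilege result.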

VPC Endpoint, Shared Services