
VPC Endpoints

VPC Endpoints are private connections from a VPC to supported AWS services, so traffic to the service stays on the AWS network instead of leaving the VPC to reach the service's public endpoints over the internet. Two types of VPC endpoints exist, Gateway endpoints and Interface endpoints.

Gateway endpoints support only S3 and DynamoDB. A gateway endpoint is the target of a route in the VPC's route tables, so traffic destined for the service's address ranges is directed through the gateway rather than through an internet or NAT gateway.

Interface endpoints (powered by AWS PrivateLink) create an elastic network interface with a private IP address in each subnet you select, and all traffic to the service flows through that interface. Because the interface is an ordinary ENI, its security group decides which instances can reach it.

Please see What are VPC endpoints? in the Securely Access Services Over AWS PrivateLink whitepaper if you would like to learn more about the differences.

VPC Networking

Create an Interface Endpoint for KMS

  1. Navigate to Endpoints in the VPC console and click on Create Endpoint to start creating a VPC Endpoint

    Create Endpoint

  2. In the Endpoint settings screen

    • Enter VPC A KMS Endpoint as the Name tag
    • Search for 'kms' under Services

    Search

  3. From the results, select the KMS service name without the '-fips' suffix

    Search

  4. In the VPC section

    • Select VPC A from the dropdown
    • Expand the Additional settings section
    • Ensure that Enable DNS name is checked, so that the service's default hostname (kms.<region>.amazonaws.com) resolves to the endpoint's private addresses from inside VPC A and clients need no configuration change
    • Select the IPv4 radio button

    Select VPC

  5. Select VPC A Private Subnet AZ1 and VPC A Private Subnet AZ2 from the subnets and check the IPv4 radio button.

    Endpoint Subnets

  6. Select the default security group and leave the Policy as Full Access. Two caveats worth knowing before you do: the default security group only allows inbound traffic from members of the same group, so an instance that uses a different security group will need an inbound rule permitting TCP 443 from the VPC CIDR before it can reach the endpoint; and Full Access is an endpoint policy that allows any principal to perform any KMS action on any key through this endpoint, which is fine for the workshop but should be restricted (for example to keys in your own account) in a production VPC.

    Endpoint Policy

  7. Click on Create endpoint button to create the VPC Endpoint for KMS in VPC A.

  8. Click on Close to return to the Endpoints screen.

Create a Gateway Endpoint for S3

  1. Click on Create Endpoint to start creating another VPC Endpoint

    Endpoints Screen

  2. In the Create endpoint screen, enter VPC A S3 Endpoint as the Name tag and search for 's3' under Services

    Service Search

  3. From the results, select the S3 entry whose "Type" is listed as "Gateway"

    Select VPC

  4. In the VPC section, select VPC A from the dropdown and check the checkbox for all the route tables. Each selected route table receives a route for the S3 prefix list that targets the endpoint, so instances in those subnets reach S3 without a path to the internet.

    Route Tables

  5. Leave the Policy as Full Access (as with the KMS endpoint, this lets any principal reach any bucket through the endpoint; restrict it to the buckets you own in production)

    Full Access

  6. Click on Create endpoint button to create the VPC Endpoint for S3 attached to VPC A

    Endpoint Created
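The same two endpoints can be created from code, which is how you would reproduce this section in a second account or region. The block below is an added example and not part of the workshop: it mirrors the console steps with the boto3 `create_vpc_endpoint` call, swaps the Full Access policy for a tighter one, and adds the two checks worth running afterwards (does the security group admit TCP 443 from the VPC, and does the KMS hostname resolve to private addresses once DNS name is enabled). Every identifier (region, VPC, subnet, security group and route table IDs, account ID and bucket name) is an assumption to be replaced with your own values.

```python
"""Create the KMS interface endpoint and the S3 gateway endpoint with boto3,
then run the two checks worth doing before relying on them.

Added example, not the workshop's own code. All identifiers below are
assumptions; replace them with the values from your VPC A.
"""
import ipaddress
import json

REGION = "us-east-1"                                   # assumed region
VPC_ID = "vpc-0123456789abcdef0"                       # assumed VPC A id
VPC_CIDR = "10.0.0.0/16"                               # assumed VPC A CIDR
PRIVATE_SUBNET_IDS = ["subnet-0aaa0000000000001",      # assumed AZ1/AZ2 private subnets
                      "subnet-0bbb0000000000002"]
ENDPOINT_SG_ID = "sg-0123456789abcdef0"                # assumed security group
ROUTE_TABLE_IDS = ["rtb-0123456789abcdef0", "rtb-0123456789abcdef1"]
ACCOUNT_ID = "111122223333"                            # assumed account id
BUCKET = "vpc-a-workshop-bucket"                       # assumed bucket name


def kms_endpoint_policy(account_id):
    """Tighter alternative to the console's "Full Access" policy: only keys in
    our own account can be used through this endpoint, so a compromised instance
    cannot encrypt data with, or decrypt data from, a key in another account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": f"arn:aws:kms:*:{account_id}:key/*"}]}


def s3_endpoint_policy(bucket):
    """Pin the gateway endpoint to one bucket instead of every bucket in S3."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def create_endpoints(ec2, region, vpc_id, subnet_ids, sg_id, route_table_ids, account_id, bucket):
    """Mirror the console steps with a boto3 EC2 client; returns both endpoint ids."""
    def name(value):
        return [{"ResourceType": "vpc-endpoint", "Tags": [{"Key": "Name", "Value": value}]}]
    kms = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface", VpcId=vpc_id,
        ServiceName=f"com.amazonaws.{region}.kms",        # the service name without "-fips"
        SubnetIds=subnet_ids, SecurityGroupIds=[sg_id],
        PrivateDnsEnabled=True,                          # "Enable DNS name" in the console
        PolicyDocument=json.dumps(kms_endpoint_policy(account_id)),
        TagSpecifications=name("VPC A KMS Endpoint"))
    s3 = ec2.create_vpc_endpoint(
        VpcEndpointType="Gateway", VpcId=vpc_id,
        ServiceName=f"com.amazonaws.{region}.s3",
        RouteTableIds=route_table_ids,                   # one prefix-list route per table
        PolicyDocument=json.dumps(s3_endpoint_policy(bucket)),
        TagSpecifications=name("VPC A S3 Endpoint"))
    return kms["VpcEndpoint"]["VpcEndpointId"], s3["VpcEndpoint"]["VpcEndpointId"]


def sg_allows_https(ip_permissions, vpc_cidr):
    """True if some inbound rule admits TCP/443 from a CIDR that covers the VPC.
    The default security group only admits traffic from its own members, so
    instances in any other group would be unable to reach the endpoint ENI."""
    vpc = ipaddress.ip_network(vpc_cidr)
    for rule in ip_permissions:                          # shape of describe_security_groups output
        proto = rule.get("IpProtocol")
        if proto == "tcp" and not rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535):
            continue
        if proto not in ("tcp", "-1"):                   # "-1" means all protocols and ports
            continue
        for block in rule.get("IpRanges", []):
            if vpc.subnet_of(ipaddress.ip_network(block["CidrIp"])):
                return True
    return False


def resolves_privately(addresses, vpc_cidr):
    """True if every address kms.<region>.amazonaws.com resolved to is inside the
    VPC, i.e. private DNS is steering clients to the endpoint ENIs rather than to
    the public KMS addresses. Run this from an instance in VPC A."""
    net = ipaddress.ip_network(vpc_cidr)
    return bool(addresses) and all(ipaddress.ip_address(a) in net for a in addresses)


if __name__ == "__main__":
    import socket
    import boto3
    ec2 = boto3.client("ec2", region_name=REGION)
    sg = ec2.describe_security_groups(GroupIds=[ENDPOINT_SG_ID])["SecurityGroups"][0]
    if not sg_allows_https(sg["IpPermissions"], VPC_CIDR):
        raise SystemExit(f"{ENDPOINT_SG_ID} has no inbound TCP/443 rule covering {VPC_CIDR}")
    print(create_endpoints(ec2, REGION, VPC_ID, PRIVATE_SUBNET_IDS, ENDPOINT_SG_ID,
                           ROUTE_TABLE_IDS, ACCOUNT_ID, BUCKET))
    # Once the interface endpoint is "available", check DNS from inside VPC A.
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(f"kms.{REGION}.amazonaws.com", 443,
                                                        socket.AF_INET)})
    print(ips, "private DNS OK" if resolves_privately(ips, VPC_CIDR) else "still resolving publicly")
```

The security-group check is done before anything is created because a failing rule is cheap to fix at that point and otherwise shows up later as a connection timeout from the private instances rather than as an error. The DNS check only means something when run from an instance inside VPC A; from your workstation the hostname will still resolve to public KMS addresses, which is exactly the behaviour private DNS is meant to replace.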

We have now gone through the bread and butter of AWS networking and built a networking foundation of public and private subnets across two availability zones, with internet access from the public subnets and private connectivity to KMS and S3 through VPC endpoints.

In the next section we will launch an EC2 instance into both a public subnet and a private subnet to verify the connectivity.