VPC Security: Endpoints, PrivateLink & Network Controls
Difficulty: medium
Overview
VPC endpoints enable private connectivity to AWS services without internet traversal.
VPC Endpoint Types:
| Type | Services | Route Table Change | Cost |
|---|---|---|---|
| Gateway | S3, DynamoDB | ✅ Added automatically | Free |
| Interface (PrivateLink) | 100+ AWS services | ❌ Uses DNS | Per-hour + data |
Gateway Endpoints:
- Route table entry added pointing to S3/DynamoDB endpoint
- No elastic network interface; no security group
- Endpoint policy can restrict access (e.g., only allow your account's buckets)
Interface Endpoints (PrivateLink):
- Creates an ENI in your subnet with a private IP
- Private DNS: resolves the public service hostname to the endpoint's private IP (enable the Private DNS setting on the endpoint)
- Requires DNS resolution and DNS hostnames enabled in VPC
- Security group attached to the ENI to control access
S3 Bucket Policy Enforcement via VPC Endpoint:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessNotFromVpce",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-xxxxxxxx" }
      }
    }
  ]
}
```
(`DOC-EXAMPLE-BUCKET` and `vpce-xxxxxxxx` are placeholders for your bucket name and endpoint ID.) Because `StringNotEquals` is also satisfied when the `aws:sourceVpce` key is absent, this Deny blocks every request that does not come through the endpoint, including console and CLI access from outside the VPC; keep a break-glass exemption (for example an additional `ArnNotLike` condition on `aws:PrincipalArn`) so an admin role can still reach the bucket.
VPC Endpoint Service (PrivateLink for your own services):
- Expose your service (behind NLB) to other VPCs/accounts privately
- Consumer creates an Interface Endpoint pointing to your service
- Traffic stays on AWS backbone; no VPC peering needed
- No IP overlap concern (unlike VPC peering)
PrivateLink vs VPC Peering:
| | PrivateLink | VPC Peering |
|---|---|---|
| Direction | One-way (service to consumer) | Bidirectional |
| IP overlap | Allowed | Not allowed |
| Transitive routing | N/A | Not supported |
| Use case | Service exposure | Full VPC connectivity |
VPC Endpoint Policies:
- Resource-based policies on the endpoint
- Restrict which principals can use the endpoint and what they can do
- Does not replace bucket/resource policies — they work together
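The two policy patterns above (a Gateway endpoint policy limited to your own account's S3 resources, and a bucket policy that denies anything not arriving through the endpoint), worked as an added example in Python. This is my own illustration, not code from the page or from AWS: it builds both policy documents and then evaluates the bucket-policy Deny against a few request contexts, so you can see the lockout behaviour and the effect of a break-glass exemption before deploying. The account ID, endpoint ID, bucket and role names are constructed placeholders; the evaluator models only the two condition operators used here (including IAM's rule that a negated operator is satisfied when the key is absent), not resource or action matching.

```python
import fnmatch
import json

# All identifiers below are constructed placeholders for this example, not real account values.
ACCOUNT_ID = "111122223333"
VPCE_ID = "vpce-0123456789abcdef0"          # hypothetical gateway endpoint id
BUCKET = "doc-example-bucket"
BREAK_GLASS_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/BreakGlassAdmin"


def gateway_endpoint_policy(account_id):
    """Endpoint policy for a Gateway endpoint: S3 calls through this endpoint may only
    touch resources owned by the given account (aws:ResourceAccount condition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyOwnAccountS3Resources",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
        }],
    }


def bucket_policy_require_vpce(bucket, vpce_id, exempt_principal_arns):
    """Bucket policy: deny any request that did not arrive through vpce_id, except for
    the listed break-glass principals. Operators inside one Condition block are ANDed,
    so the Deny fires only when the request is off-endpoint AND the caller is not exempt."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {
                "StringNotEquals": {"aws:sourceVpce": vpce_id},
                "ArnNotLike": {"aws:PrincipalArn": list(exempt_principal_arns)},
            },
        }],
    }


def _condition_met(operator, expected, actual):
    """Evaluate one condition key. Models the two negated operators used above; a negated
    operator is satisfied when the key is absent from the request (e.g. console traffic
    carries no aws:sourceVpce)."""
    expected = expected if isinstance(expected, list) else [expected]
    if actual is None:
        return True
    if operator == "StringNotEquals":
        return actual not in expected
    if operator == "ArnNotLike":
        # simplification: ARN wildcards * and ? are matched with fnmatch
        return not any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)
    raise ValueError(f"operator {operator} not modelled in this example")


def deny_applies(policy, request_ctx):
    """True if any Deny statement's conditions are all met for the request context
    (a dict of condition-key -> value, e.g. {"aws:sourceVpce": "vpce-..."})."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_met(op, exp, request_ctx.get(key))
               for op, keys in conditions.items() for key, exp in keys.items()):
            return True
    return False


if __name__ == "__main__":
    policy = bucket_policy_require_vpce(BUCKET, VPCE_ID, [BREAK_GLASS_ROLE])
    print(json.dumps(policy, indent=2))
    app = f"arn:aws:iam::{ACCOUNT_ID}:role/AppRole"
    print("app role, not via endpoint:", deny_applies(policy, {"aws:PrincipalArn": app}))
    print("app role, via endpoint    :", deny_applies(policy, {"aws:PrincipalArn": app, "aws:sourceVpce": VPCE_ID}))
    print("break-glass, not via endpt:", deny_applies(policy, {"aws:PrincipalArn": BREAK_GLASS_ROLE}))
```

Run it to see that an application role is denied from the console, allowed through the endpoint, and that the break-glass role stays usable either way; the endpoint policy and the bucket policy are evaluated together by S3, which is why the page notes that one does not replace the other.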
Practice Linked Questions
Q1. Which type of VPC endpoint is used to privately access services like Amazon SQS, AWS KMS, and AWS Secrets Manager without traffic traversing the internet?
Q2. A company wants to expose their internal service (on NLB) to consumers in other AWS accounts WITHOUT VPC peering, internet exposure, or IP overlap concerns. What enables this?
Q3. A company has a VPC Gateway endpoint for S3. They want to restrict the endpoint so it can ONLY be used to access S3 buckets owned by their own AWS account. How is this configured?
Q4. A company's VPC Flow Logs show a large volume of REJECT records between an EC2 instance (10.0.1.50) and an external IP (192.168.50.1). What does this MOST likely indicate?
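Q4 above turns on reading VPC Flow Log REJECT records. As an added example that is not part of this page's material, here is a small Python triage script for the default flow-log format: it parses records, skips NODATA/SKIPDATA lines, counts REJECTs per source/destination pair, lists the distinct destination ports involved, and classifies each rejected flow as inbound to or outbound from the instance. The log lines are constructed for this example (the account and ENI IDs are placeholders; the 10.0.1.50 / 192.168.50.1 pair mirrors the question's scenario); whether a flagged pair is a security-group or NACL gap blocking legitimate traffic, or unwanted connection attempts being correctly dropped, still takes the rule review this script only sets up.

```python
from collections import Counter, defaultdict

# Constructed VPC Flow Log records in the default (version 2) space-separated format.
# Field order: version account-id interface-id srcaddr dstaddr srcport dstport protocol
#              packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.50 192.168.50.1 49152 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.50 192.168.50.1 49153 23 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.50 192.168.50.1 49154 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 192.168.50.1 10.0.1.50 40000 443 6 10 8000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.50 10.0.2.20 55000 5432 6 20 16000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.3.7 10.0.1.50 51000 8080 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_logs(text):
    """Parse default-format records into dicts. Records whose log-status is not OK
    (NODATA, SKIPDATA) carry '-' placeholders instead of addresses and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def reject_summary(records):
    """Count REJECT records per (srcaddr, dstaddr) pair."""
    return Counter((r["srcaddr"], r["dstaddr"]) for r in records if r["action"] == "REJECT")


def flag_high_reject_pairs(records, threshold):
    """Return (src, dst, count, sorted distinct dst ports) for pairs whose REJECT count
    reaches the threshold, busiest first. One repeated port usually points at a rule gap
    for a legitimate flow; many distinct ports from one source deserves a closer look."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    flagged = [(src, dst, n, sorted(ports[(src, dst)]))
               for (src, dst), n in reject_summary(records).items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[2])


def direction(record, instance_ip):
    """Classify a record relative to the instance's private IP: its own outbound
    attempts ('egress') versus inbound attempts against it ('ingress')."""
    if record["srcaddr"] == instance_ip:
        return "egress"
    if record["dstaddr"] == instance_ip:
        return "ingress"
    return "unrelated"


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    for src, dst, n, dports in flag_high_reject_pairs(recs, threshold=3):
        print(f"{src} -> {dst}: {n} REJECTs on dst ports {dports}")
    print(Counter(direction(r, "10.0.1.50") for r in recs if r["action"] == "REJECT"))
```

Point the parser at a file pulled from CloudWatch Logs or S3 instead of the embedded sample; if your flow logs use a custom format, adjust `FIELDS` to match the field order you configured.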