VPC Endpoint: What It Is and When to Use It
Definition
A VPC Endpoint enables you to create a private, secure connection between your Amazon Virtual Private Cloud (VPC) and supported AWS services without requiring the traffic to traverse the public internet. This architecture enhances security by keeping network traffic within the AWS network, simplifies network management, and can reduce data transfer costs.
How It Works
VPC Endpoints are virtual devices that are horizontally scaled, redundant, and highly available. They function as a private entry point to supported AWS services, eliminating the need for an Internet Gateway, NAT Gateway, VPN connection, or AWS Direct Connect for accessing those services. There are two main types of VPC Endpoints: Gateway Endpoints and Interface Endpoints.
Gateway Endpoints
Gateway Endpoints are used to access Amazon S3 and Amazon DynamoDB. They function as a target for a route in your VPC's route table. When you create a Gateway Endpoint, you specify the VPC and the route tables of the subnets that should use the endpoint. AWS automatically adds a route to the specified route tables that directs traffic destined for the service (S3 or DynamoDB) to the endpoint.
- Architecture: A gateway that you specify as a target for a route in your route table.
- Supported Services: Amazon S3 and Amazon DynamoDB only.
- Cost: There are no additional charges for using Gateway Endpoints.
- Access: They cannot be accessed from on-premises networks via VPN or Direct Connect, or from peered VPCs in other regions.
Interface Endpoints
Interface Endpoints, powered by AWS PrivateLink, support a much wider range of AWS services, as well as services hosted by other AWS customers and partners. An Interface Endpoint is an Elastic Network Interface (ENI) with a private IP address from your subnet's IP range that serves as an entry point for traffic going to the service. When you use an Interface Endpoint, DNS queries for the service will resolve to the private IP address of the ENI, ensuring traffic stays within the AWS network.
- Architecture: An ENI with a private IP address deployed in your subnet.
- Supported Services: A broad range of AWS services like Amazon EC2, Amazon SQS, AWS Lambda, and many more, plus third-party services available on AWS Marketplace.
- Cost: Interface Endpoints have an hourly charge for each Availability Zone they are enabled in, plus a per-GB data processing charge.
- Access: They can be accessed from on-premises networks (via VPN or Direct Connect) and from other VPCs (via VPC Peering or Transit Gateway).
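To check that the private DNS behaviour described above is actually in effect, here is an added Python audit (not from the original article and not AWS code): it takes the addresses a resolver inside the VPC returned for a set of service hostnames and flags any name that still resolves outside the VPC CIDR, since traffic for that name would leave through a NAT Gateway or Internet Gateway instead of the Interface Endpoint. The VPC CIDR, the vpce- hostname and every IP address are constructed sample values; `resolve_live` is a hypothetical helper for running the same check against a real resolver.

```python
import ipaddress
import socket

# Constructed sample: answers a resolver inside the VPC gave for a few service
# hostnames. The CIDR, the vpce-... name and all IP addresses are made up.
VPC_CIDR = "10.0.0.0/16"
SAMPLE_RESOLUTION = {
    # Interface Endpoint with Private DNS enabled: the public name maps to ENI IPs
    "sqs.us-east-1.amazonaws.com": ["10.0.12.34", "10.0.45.67"],
    # The endpoint-specific name always maps to the ENI IPs
    "vpce-0123456789abcdef0-example.sqs.us-east-1.vpce.amazonaws.com": ["10.0.12.34"],
    # No endpoint (or Private DNS disabled): traffic to this name leaves the VPC
    "lambda.us-east-1.amazonaws.com": ["203.0.113.10"],
}

def resolves_privately(addresses, vpc_cidr):
    """True only if the name has at least one address and all of them lie in the VPC."""
    net = ipaddress.ip_network(vpc_cidr)
    return bool(addresses) and all(ipaddress.ip_address(a) in net for a in addresses)

def audit_resolution(resolution, vpc_cidr):
    """Hostnames that still resolve to public addresses. For an Interface Endpoint
    service that means Private DNS is off or the endpoint is missing. Do not feed
    S3/DynamoDB names to this check: Gateway Endpoints keep traffic private via
    the route table, and those hostnames resolve to public IPs by design."""
    return sorted(host for host, addrs in resolution.items()
                  if not resolves_privately(addrs, vpc_cidr))

def resolve_live(hostname):
    """Hypothetical helper: ask the real resolver (run inside the VPC; needs network)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for host in audit_resolution(SAMPLE_RESOLUTION, VPC_CIDR):
        print(f"WARNING: {host} resolves outside {VPC_CIDR}; traffic will not use the endpoint")
```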
Both endpoint types support Endpoint Policies, which are IAM resource policies that you can attach to an endpoint to control which principals can perform which actions on which resources.
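As an added example (not from the article and not AWS code), the following Python builds a least-privilege endpoint policy for an S3 Gateway Endpoint and lints any endpoint policy for the wildcard grants that make up the default full-access policy. The bucket name and Organization ID used in the test are constructed placeholders; the restriction to one organization relies on the `aws:PrincipalOrgID` condition key.

```python
# Shape of the full-access policy an endpoint gets when you attach none:
# any principal, any action, any resource, no condition.
DEFAULT_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def build_s3_endpoint_policy(bucket_names, org_id):
    """Least-privilege policy for an S3 Gateway Endpoint: object read/write and
    listing on the named buckets only, and only for principals in one AWS
    Organization. Endpoint policies keep Principal "*" and narrow the caller
    with a condition key instead."""
    resources = []
    for bucket in bucket_names:
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgPrincipalsToApprovedBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }

def lint_endpoint_policy(policy):
    """Return (sid, problems) for each Allow statement that carries a wildcard.
    An empty list means no statement grants '*' actions or '*' resources."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        problems = []
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            problems.append("wildcard action")
        if "*" in _as_list(stmt.get("Resource", [])):
            problems.append("wildcard resource")
        if problems and "Condition" not in stmt:
            problems.append("no condition limiting principals")
        if problems:
            findings.append((stmt.get("Sid", f"Statement[{i}]"), problems))
    return findings
```

Serialise the returned dict with `json.dumps` and attach it with `aws ec2 modify-vpc-endpoint --policy-document file://policy.json`; run the linter over the policies of existing endpoints to find any still carrying the default grant.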
Key Features and Limits
- Security: Keeps traffic private and off the public internet, reducing exposure to threats. Endpoint policies provide granular access control.
- AWS PrivateLink: The technology underpinning Interface Endpoints, allowing private connectivity to services across different VPCs and accounts.
- Bandwidth: By default, each Interface Endpoint can support a bandwidth of up to 10 Gbps per Availability Zone and can burst up to 100 Gbps.
- Service Quotas (as of 2026):
  - Gateway Endpoints: 255 per VPC (per Region).
  - Interface Endpoints per VPC: This is a soft limit that can be increased.
  - VPC Peering Connections per VPC: 125 (listed here because peering is a common alternative).
  - Endpoint Policy Size: 20,480 characters.
Common Use Cases
- Secure Access for Private Subnets: Allow EC2 instances in a private subnet to access AWS services like Amazon S3, DynamoDB, or AWS Systems Manager without a NAT Gateway, improving security and reducing cost.
- Hybrid Cloud Connectivity: Enable on-premises applications connected via AWS Direct Connect or VPN to securely access AWS services without routing traffic over the internet.
- Meeting Compliance Requirements: Fulfill regulatory and compliance mandates (like PCI, HIPAA) that require traffic to be isolated from the public internet.
- Centralized Service Access: In a multi-VPC architecture using AWS Transit Gateway, you can centralize Interface Endpoints in a shared services VPC to provide private access for all connected spoke VPCs, simplifying management and reducing costs.
- Private Service Exposure (with PrivateLink): Use an Interface Endpoint to securely expose a service running in your VPC to consumers in other VPCs, even across different AWS accounts, without using VPC Peering.
Pricing Model
The pricing for VPC Endpoints varies significantly by type:
- Gateway Endpoints: There are no hourly or data processing charges for Gateway Endpoints (for S3 and DynamoDB). You are only billed for standard data transfer and resource usage for the services themselves.
- Interface Endpoints: These have two pricing dimensions:
  - Hourly Charge: You are billed for each hour that an Interface Endpoint is provisioned in each Availability Zone.
  - Data Processing Charge: You are billed per Gigabyte (GB) of data processed through the Interface Endpoint.
- Gateway Load Balancer Endpoints: These follow a similar pricing model to Interface Endpoints, with hourly and data processing charges.
For detailed, region-specific pricing, always consult the official AWS PrivateLink pricing page.
Pros and Cons
Pros:
- Enhanced Security: Traffic does not traverse the public internet, reducing the attack surface.
- Simplified Networking: Removes the need for Internet Gateways, NAT Gateways, or public IP addresses for accessing supported AWS services.
- Cost Savings: Gateway Endpoints are free. Interface Endpoints can be significantly cheaper than using a NAT Gateway for AWS service traffic due to lower data processing fees.
- Improved Performance: Provides a more direct, lower-latency path to AWS services compared to routing over the internet.
Cons:
- Cost for Interface Endpoints: The hourly and data processing fees for Interface Endpoints can add up, especially if you need endpoints for many services across multiple AZs.
- Service Limitations: Gateway Endpoints are only available for Amazon S3 and DynamoDB.
- Regional Scope: Endpoints are regional and cannot be used to access services in a different AWS Region.
- Configuration Complexity: Managing endpoint policies and DNS settings for Interface Endpoints can be more complex than using a simple NAT Gateway.
Comparison with Alternatives
VPC Endpoint vs. NAT Gateway
- Purpose: A VPC Endpoint is for providing private access to specific, supported AWS services. A NAT Gateway provides general outbound internet access for instances in private subnets to reach any destination on the internet, including non-AWS APIs or software update repositories.
- Cost: For traffic to AWS services, VPC Endpoints are almost always more cost-effective. Gateway Endpoints are free, and Interface Endpoints have a data processing fee that is ~78% lower than a NAT Gateway's.
- Security: VPC Endpoints are more secure as they keep traffic on the AWS network. Traffic through a NAT Gateway goes to the public internet before reaching its destination.
- Conclusion: Use VPC Endpoints for all supported AWS service traffic. Use a NAT Gateway only when general outbound internet access is required.
VPC Endpoint (PrivateLink) vs. VPC Peering
- Scope: VPC Peering connects two entire VPCs, allowing for broad, bidirectional communication between resources in both (subject to security groups and route tables). An Interface Endpoint (via PrivateLink) provides specific, unidirectional access from a consumer VPC to a particular service in a provider VPC.
- Overlapping CIDRs: VPC Peering does not support connecting VPCs with overlapping IP address ranges. PrivateLink works fine with overlapping CIDRs.
- Transitivity: Neither is transitive. However, PrivateLink's service-specific nature makes it a better fit for hub-and-spoke models where spokes need to access a central service without being able to communicate with each other.
Exam Relevance
VPC Endpoints are a fundamental networking concept and feature prominently in several AWS certification exams.
- AWS Certified Cloud Practitioner (CLF-C02): Understand the basic purpose of a VPC Endpoint—providing private access to AWS services.
- AWS Certified Solutions Architect – Associate (SAA-C03): A core topic. You must know the difference between Gateway and Interface Endpoints, their primary use cases (S3/DynamoDB vs. others), and when to choose an endpoint over a NAT Gateway for security and cost optimization.
- AWS Certified Solutions Architect – Professional (SAP-C02) & Advanced Networking – Specialty (ANS-C01): Expect in-depth questions on complex scenarios involving AWS PrivateLink, hybrid connectivity from on-premises, centralized endpoint architectures with Transit Gateway, and troubleshooting DNS resolution and endpoint policies.
Frequently Asked Questions
Q: What is the main difference between a Gateway Endpoint and an Interface Endpoint?
A: The primary differences are the supported services and the architecture. Gateway Endpoints are free, use route table entries, and only support Amazon S3 and DynamoDB. Interface Endpoints (powered by AWS PrivateLink) support a wide variety of AWS services, appear as a network interface (ENI) in your subnet, and have hourly and data-processing costs.
Q: Do I still need a NAT Gateway if I use VPC Endpoints?
A: It depends on your workload. If your private instances only need to communicate with AWS services that are supported by VPC Endpoints, you may not need a NAT Gateway. However, if those instances also need to access the broader internet for things like downloading software updates or calling third-party APIs, you will still need a NAT Gateway.
Q: Can a VPC Endpoint connect to services in another AWS Region?
A: VPC Endpoints are a regional resource: by default, an endpoint connects only to services within the same AWS Region. An Interface Endpoint can be configured to connect to a service in another Region (a remote-region service), but that traffic incurs cross-region data transfer charges.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.