What is a VPC endpoint and why do we need one?

If you had an application hosted on an EC2 instance, and that application needed to call another AWS service (e.g. S3, RDS, KMS), the request would have to leave the VPC, traverse the internet, and reach the service's public API endpoint on port 443.
So the EC2 instance inside the VPC would need some form of internet connectivity (through a NAT gateway, an internet gateway, or a firewall proxy such as McAfee on AWS Proxy).

VPC endpoints remove the need for that convoluted internet access entirely: the service is exposed inside your VPC as a native AWS network resource.

With an endpoint in place, all traffic between the VPC and a service such as AWS KMS stays within the AWS network.

Where does the endpoint live?

The endpoint is a network resource that lives in your VPC. What makes it special is that it provides a network interface (an elastic network interface in one of your subnets) to a specific AWS service.

Creating an Endpoint

  1. When you choose one or more subnets in a VPC to use your interface endpoint, AWS creates an endpoint network interface in each selected subnet.
  2. Associate security groups with the endpoint network interface. The security group must have a rule allowing traffic between the endpoint and the resources in the VPC that need to connect to the endpoint (typically just port 443).
  3. Optionally enable private DNS when connecting to the service, which allows requests to use the service's default DNS hostname. Private DNS is enabled by default for AWS and AWS Marketplace services.
  4. The owner of the service (usually AWS itself, but it can also be a third party from the Marketplace) needs to accept the endpoint creation request.

Testing endpoint connectivity

Once you have completed the steps above and created your VPC endpoint, how do you test it?

Note: Replace vpce-id with the ID of your interface VPC endpoint and region with the AWS Region the endpoint was created in. The example below uses the execute-api (API Gateway) service; substitute the service name your endpoint was created for.

$ telnet vpce-id.execute-api.region.vpce.amazonaws.com 443

If the TCP connection is established, the endpoint is reachable. For that to work, the EC2 instance making the request needs outbound port 443 open in its security group, and the security group associated with the VPC endpoint's network interface needs inbound port 443 open from that instance.
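The two checks above (the endpoint security group from step 2 and the telnet test) can be scripted. The following is an added example, not code from the original post: it audits a security group in the shape returned by `aws ec2 describe-security-groups` for the least-privilege rule an endpoint network interface needs (inbound TCP/443 sourced from the VPC CIDR or the callers' security group, never 0.0.0.0/0), and performs the scripted equivalent of the telnet test. The group IDs, CIDR and hostname are constructed placeholders.

```python
import socket

VPC_CIDR = "10.0.0.0/16"  # constructed placeholder for the VPC's CIDR block


def audit_endpoint_sg(sg: dict, vpc_cidr: str) -> list[str]:
    """Return findings for the security group attached to an endpoint ENI.

    Expected: a single inbound rule for tcp/443 whose source is the VPC CIDR
    or a security group reference (UserIdGroupPairs), never 0.0.0.0/0.
    """
    findings = []
    has_443 = False
    for rule in sg.get("IpPermissions", []):
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        # "-1" (all traffic) has no ports; anything that is not tcp/443 is excess
        if proto != "tcp" or lo is None or not (lo <= 443 <= hi):
            findings.append(f"rule {proto}/{lo}-{hi}: endpoint only needs tcp/443")
            continue
        if (lo, hi) != (443, 443):
            findings.append(f"rule tcp/{lo}-{hi}: wider than 443")
        has_443 = True
        for ip_range in rule.get("IpRanges", []):
            cidr = ip_range["CidrIp"]
            if cidr == "0.0.0.0/0":
                findings.append("tcp/443 open to 0.0.0.0/0; restrict to the VPC CIDR or a source SG")
            elif cidr != vpc_cidr:
                findings.append(f"tcp/443 from {cidr}, outside the VPC CIDR {vpc_cidr}")
        # rules sourced from a security group (UserIdGroupPairs) are the tightest form; accepted as-is
    if not has_443:
        findings.append("no inbound tcp/443 rule: callers in the VPC cannot reach the endpoint")
    return findings


def tcp_check(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Scripted equivalent of `telnet <endpoint-dns> 443`: True if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed samples mimicking `aws ec2 describe-security-groups` output
GOOD_SG = {"GroupId": "sg-endpoint-good", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": VPC_CIDR}], "UserIdGroupPairs": []}]}
BAD_SG = {"GroupId": "sg-endpoint-bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": VPC_CIDR}], "UserIdGroupPairs": []}]}

if __name__ == "__main__":
    for sg in (GOOD_SG, BAD_SG):
        print(sg["GroupId"], audit_endpoint_sg(sg, VPC_CIDR) or ["ok"])
    # placeholder hostname; substitute your endpoint's DNS name from describe-vpc-endpoints
    print("reachable:", tcp_check("vpce-id.execute-api.region.vpce.amazonaws.com"))
```

Run it from an instance inside the VPC: a clean audit plus `reachable: True` reproduces the manual test above, while a finding about 0.0.0.0/0 means the endpoint works but its security group is wider than the procedure requires.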

Summary

AWS’s documentation around VPC endpoints can be a little confusing. I struggled to understand why one was needed, how to provision one – and how to successfully test a provisioned endpoint. Hopefully, this guide helps you overcome some of those questions.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Author: Anuj Varma, Hands-On Technology Architect, Clean Air Activist.