Should I use an Interface VPC endpoint or a Gateway VPC endpoint?

0

Hello,

Firstly I would like my ECS task that resides inside my private subnet in my VPC to be able to pick up a file from a private S3 bucket which resides within the AWS Cloud but outside my VPC. Should I use an Interface VPC endpoint or a Gateway endpoint?

I would also like the same task to then publish a message to an SNS topic also residing outside my VPC, my question is again which VPC endpoint type to use and why?

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other are. I get that with the Gateway endpoint you get a route added to the private subnet route table, whereas with the Interface endpoint you get an ENI with a private IP for the service I want to hit.

Thanks for any help, it's my first time setting this up! :)

taxmann
Asked 1 year ago, 3874 views
3 answers
2
Accepted answer

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other are.

This is because some AWS services support Interface endpoints and others support Gateway endpoints. Use the one which your target service supports.

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html#vpce-view-available-services

Here are the commands to check which services support Interface endpoints, and which support Gateway endpoints.

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --query ServiceNames 
[
    "aws.api.ap-northeast-1.kendra-ranking",
    "aws.sagemaker.ap-northeast-1.notebook",
    "aws.sagemaker.ap-northeast-1.studio",
    "com.amazonaws.ap-northeast-1.access-analyzer",
    "com.amazonaws.ap-northeast-1.acm-pca",
    "com.amazonaws.ap-northeast-1.airflow.api",
    "com.amazonaws.ap-northeast-1.airflow.env",
    "com.amazonaws.ap-northeast-1.airflow.ops",
    "com.amazonaws.ap-northeast-1.app-integrations",
    "com.amazonaws.ap-northeast-1.application-autoscaling",
    "com.amazonaws.ap-northeast-1.appmesh",
    "com.amazonaws.ap-northeast-1.appmesh-envoy-management",
    "com.amazonaws.ap-northeast-1.apprunner",
    "com.amazonaws.ap-northeast-1.apprunner.requests",
    "com.amazonaws.ap-northeast-1.appstream.api",
    "com.amazonaws.ap-northeast-1.appstream.streaming",
    "com.amazonaws.ap-northeast-1.appsync-api",
    "com.amazonaws.ap-northeast-1.aps",
    "com.amazonaws.ap-northeast-1.aps-workspaces",
    "com.amazonaws.ap-northeast-1.athena",
    "com.amazonaws.ap-northeast-1.auditmanager",
    "com.amazonaws.ap-northeast-1.autoscaling",
    "com.amazonaws.ap-northeast-1.autoscaling-plans",
    "com.amazonaws.ap-northeast-1.awsconnector",
    "com.amazonaws.ap-northeast-1.backup",
    "com.amazonaws.ap-northeast-1.backup-gateway",
    "com.amazonaws.ap-northeast-1.batch",
    "com.amazonaws.ap-northeast-1.cassandra",
    "com.amazonaws.ap-northeast-1.cleanrooms",
    "com.amazonaws.ap-northeast-1.cloudcontrolapi",
    "com.amazonaws.ap-northeast-1.cloudformation",
    "com.amazonaws.ap-northeast-1.cloudhsmv2",
    "com.amazonaws.ap-northeast-1.cloudtrail",
    "com.amazonaws.ap-northeast-1.codeartifact.api",
    "com.amazonaws.ap-northeast-1.codeartifact.repositories",
    "com.amazonaws.ap-northeast-1.codebuild",
    "com.amazonaws.ap-northeast-1.codecommit",
    "com.amazonaws.ap-northeast-1.codedeploy",
    "com.amazonaws.ap-northeast-1.codedeploy-commands-secure",
    "com.amazonaws.ap-northeast-1.codeguru-profiler",
    "com.amazonaws.ap-northeast-1.codeguru-reviewer",
    "com.amazonaws.ap-northeast-1.codepipeline",
    "com.amazonaws.ap-northeast-1.codestar-connections.api",
    "com.amazonaws.ap-northeast-1.comprehend",
    "com.amazonaws.ap-northeast-1.config",
    "com.amazonaws.ap-northeast-1.data-servicediscovery",
    "com.amazonaws.ap-northeast-1.databrew",
    "com.amazonaws.ap-northeast-1.dataexchange",
    "com.amazonaws.ap-northeast-1.datasync",
    "com.amazonaws.ap-northeast-1.deviceadvisor.iot",
    "com.amazonaws.ap-northeast-1.devops-guru",
    "com.amazonaws.ap-northeast-1.dms",
    "com.amazonaws.ap-northeast-1.drs",
    "com.amazonaws.ap-northeast-1.ebs",
    "com.amazonaws.ap-northeast-1.ec2",
    "com.amazonaws.ap-northeast-1.ec2messages",
    "com.amazonaws.ap-northeast-1.ecr.api",
    "com.amazonaws.ap-northeast-1.ecr.dkr",
    "com.amazonaws.ap-northeast-1.ecs",
    "com.amazonaws.ap-northeast-1.ecs-agent",
    "com.amazonaws.ap-northeast-1.ecs-telemetry",
    "com.amazonaws.ap-northeast-1.eks",
    "com.amazonaws.ap-northeast-1.elastic-inference.runtime",
    "com.amazonaws.ap-northeast-1.elasticache",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk-health",
    "com.amazonaws.ap-northeast-1.elasticfilesystem",
    "com.amazonaws.ap-northeast-1.elasticfilesystem-fips",
    "com.amazonaws.ap-northeast-1.elasticloadbalancing",
    "com.amazonaws.ap-northeast-1.elasticmapreduce",
    "com.amazonaws.ap-northeast-1.email-smtp",
    "com.amazonaws.ap-northeast-1.emr-containers",
    "com.amazonaws.ap-northeast-1.emr-serverless",
    "com.amazonaws.ap-northeast-1.events",
    "com.amazonaws.ap-northeast-1.evidently",
    "com.amazonaws.ap-northeast-1.evidently-dataplane",
    "com.amazonaws.ap-northeast-1.execute-api",
    "com.amazonaws.ap-northeast-1.fis",
    "com.amazonaws.ap-northeast-1.forecast",
    "com.amazonaws.ap-northeast-1.forecastquery",
    "com.amazonaws.ap-northeast-1.fsx",
    "com.amazonaws.ap-northeast-1.git-codecommit",
    "com.amazonaws.ap-northeast-1.glue",
    "com.amazonaws.ap-northeast-1.grafana",
    "com.amazonaws.ap-northeast-1.grafana-workspace",
    "com.amazonaws.ap-northeast-1.greengrass",
    "com.amazonaws.ap-northeast-1.guardduty-data",
    "com.amazonaws.ap-northeast-1.identitystore",
    "com.amazonaws.ap-northeast-1.imagebuilder",
    "com.amazonaws.ap-northeast-1.inspector2",
    "com.amazonaws.ap-northeast-1.iot.data",
    "com.amazonaws.ap-northeast-1.iot.fleethub.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.data",
    "com.amazonaws.ap-northeast-1.iotwireless.api",
    "com.amazonaws.ap-northeast-1.kendra",
    "com.amazonaws.ap-northeast-1.kinesis-firehose",
    "com.amazonaws.ap-northeast-1.kinesis-streams",
    "com.amazonaws.ap-northeast-1.kms",
    "com.amazonaws.ap-northeast-1.kms-fips",
    "com.amazonaws.ap-northeast-1.lakeformation",
    "com.amazonaws.ap-northeast-1.lambda",
    "com.amazonaws.ap-northeast-1.license-manager",
    "com.amazonaws.ap-northeast-1.license-manager-user-subscriptions",
    "com.amazonaws.ap-northeast-1.logs",
    "com.amazonaws.ap-northeast-1.lookoutmetrics",
    "com.amazonaws.ap-northeast-1.lookoutvision",
    "com.amazonaws.ap-northeast-1.lorawan.cups",
    "com.amazonaws.ap-northeast-1.lorawan.lns",
    "com.amazonaws.ap-northeast-1.m2",
    "com.amazonaws.ap-northeast-1.macie2",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.mainnet",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.testnet",
    "com.amazonaws.ap-northeast-1.mediaconnect",
    "com.amazonaws.ap-northeast-1.memory-db",
    "com.amazonaws.ap-northeast-1.mgn",
    "com.amazonaws.ap-northeast-1.migrationhub-orchestrator",
    "com.amazonaws.ap-northeast-1.migrationhub-strategy",
    "com.amazonaws.ap-northeast-1.models-v2-lex",
    "com.amazonaws.ap-northeast-1.monitoring",
    "com.amazonaws.ap-northeast-1.nimble",
    "com.amazonaws.ap-northeast-1.pca-connector-ad",
    "com.amazonaws.ap-northeast-1.personalize",
    "com.amazonaws.ap-northeast-1.personalize-events",
    "com.amazonaws.ap-northeast-1.personalize-runtime",
    "com.amazonaws.ap-northeast-1.pinpoint",
    "com.amazonaws.ap-northeast-1.pinpoint-sms-voice-v2",
    "com.amazonaws.ap-northeast-1.polly",
    "com.amazonaws.ap-northeast-1.profile",
    "com.amazonaws.ap-northeast-1.proton",
    "com.amazonaws.ap-northeast-1.qldb.session",
    "com.amazonaws.ap-northeast-1.rds",
    "com.amazonaws.ap-northeast-1.rds-data",
    "com.amazonaws.ap-northeast-1.redshift",
    "com.amazonaws.ap-northeast-1.redshift-data",
    "com.amazonaws.ap-northeast-1.refactor-spaces",
    "com.amazonaws.ap-northeast-1.rekognition",
    "com.amazonaws.ap-northeast-1.robomaker",
    "com.amazonaws.ap-northeast-1.rolesanywhere",
    "com.amazonaws.ap-northeast-1.rum",
    "com.amazonaws.ap-northeast-1.rum-dataplane",
    "com.amazonaws.ap-northeast-1.runtime-v2-lex",
    "com.amazonaws.ap-northeast-1.s3",
    "com.amazonaws.ap-northeast-1.s3-outposts",
    "com.amazonaws.ap-northeast-1.sagemaker.api",
    "com.amazonaws.ap-northeast-1.sagemaker.featurestore-runtime",
    "com.amazonaws.ap-northeast-1.sagemaker.metrics",
    "com.amazonaws.ap-northeast-1.sagemaker.runtime",
    "com.amazonaws.ap-northeast-1.secretsmanager",
    "com.amazonaws.ap-northeast-1.securityhub",
    "com.amazonaws.ap-northeast-1.servicecatalog",
    "com.amazonaws.ap-northeast-1.servicecatalog-appregistry",
    "com.amazonaws.ap-northeast-1.servicediscovery",
    "com.amazonaws.ap-northeast-1.simspaceweaver",
    "com.amazonaws.ap-northeast-1.sns",
    "com.amazonaws.ap-northeast-1.sqs",
    "com.amazonaws.ap-northeast-1.ssm",
    "com.amazonaws.ap-northeast-1.ssm-contacts",
    "com.amazonaws.ap-northeast-1.ssm-incidents",
    "com.amazonaws.ap-northeast-1.ssmmessages",
    "com.amazonaws.ap-northeast-1.states",
    "com.amazonaws.ap-northeast-1.storagegateway",
    "com.amazonaws.ap-northeast-1.streaming-rekognition",
    "com.amazonaws.ap-northeast-1.sts",
    "com.amazonaws.ap-northeast-1.swf",
    "com.amazonaws.ap-northeast-1.sync-states",
    "com.amazonaws.ap-northeast-1.synthetics",
    "com.amazonaws.ap-northeast-1.transcribe",
    "com.amazonaws.ap-northeast-1.transcribestreaming",
    "com.amazonaws.ap-northeast-1.transfer",
    "com.amazonaws.ap-northeast-1.transfer.server",
    "com.amazonaws.ap-northeast-1.translate",
    "com.amazonaws.ap-northeast-1.verifiedpermissions",
    "com.amazonaws.ap-northeast-1.voiceid",
    "com.amazonaws.ap-northeast-1.vpc-lattice",
    "com.amazonaws.ap-northeast-1.wisdom",
    "com.amazonaws.ap-northeast-1.workspaces",
    "com.amazonaws.ap-northeast-1.xray",
    "com.amazonaws.s3-global.accesspoint"
]

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Gateway Name=owner,Values=amazon --query ServiceNames 
[
    "com.amazonaws.ap-northeast-1.dynamodb",
    "com.amazonaws.ap-northeast-1.s3"
]

P.S.

S3 supports both Interface endpoints and Gateway endpoints, and their comparison is described in this page. Gateway endpoints have the advantage that they do not incur charges, but they also have the disadvantage that cross-region access and access from on-premises are not supported.

HS
Answered 1 year ago
Expert
Reviewed 3 months ago
  • Thanks for your comprehensive answer HS!

    Really helpful to see the commands and the lists. I also didn't know that Gateway endpoints don't incur a charge. I will read through the page you linked.

    For simplicity though I might just use interface endpoints for both.

1

If in the same region then use gateway. For SNS ensure you create the SNS endpoint. Also, running ECS you'll need the dkr endpoint etc.

ECS will need access to S3 also to download the images if using ECR.

It may be cheaper just to run a NAT gateway.

Expert
Answered 1 year ago
  • Hello Gary, thank you for your answer.

    Everything is in the same region for me, eu-west-2. I do have a NAT gateway associated with my private subnet as my monolith also needs to talk to a service that is outside the AWS cloud.

    I thought the advantage of the VPC endpoint however is that it means that traffic doesn't traverse the public internet when going to an AWS service like S3. However with the NAT gateway it does traverse the public internet. Please correct me if I'm wrong.

  • You are correct. Though I don't work for Amazon, so I'm unsure how far the traffic gets before it stays internal before it hits the API endpoints.
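A concrete version of what the accepted answer and Gary's reply describe, as an added example that is not from the thread: a CloudFormation fragment creating a Gateway endpoint for S3 and an Interface endpoint for SNS, reachable from an ECS task in a private subnet. The resource and parameter names are my own placeholders; the ECR layer bucket in the S3 endpoint policy is the one AWS's ECR documentation names for image pulls over an S3 endpoint.

```yaml
Parameters:
  VpcId: {Type: 'AWS::EC2::VPC::Id'}
  PrivateRouteTableId: {Type: String}           # route table of the private subnet
  PrivateSubnetIds: {Type: 'List<AWS::EC2::Subnet::Id>'}
  TaskSecurityGroupId: {Type: 'AWS::EC2::SecurityGroup::Id'}  # the ECS task's SG
  BucketName: {Type: String}                    # private bucket the task reads from
  TopicArn: {Type: String}                      # SNS topic the task publishes to
Resources:
  # S3 via a Gateway endpoint: no charge, same-region only, no ENI; adds a route.
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcEndpointType: Gateway
      RouteTableIds: [!Ref PrivateRouteTableId]
      # Endpoint policy, least privilege: only reads from the one bucket, plus the
      # bucket AWS documents for ECR image layers (ECS pulls those through S3).
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource:
              - !Sub 'arn:aws:s3:::${BucketName}/*'
              - !Sub 'arn:aws:s3:::prod-${AWS::Region}-starport-layer-bucket/*'
  # SNS via an Interface endpoint: an ENI with a private IP in each subnet, so
  # reachability is a security-group decision; allow only 443 from the task's SG.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from ECS tasks to interface endpoints only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443,
           SourceSecurityGroupId: !Ref TaskSecurityGroupId}
  SnsInterfaceEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sns'
      VpcEndpointType: Interface
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true   # sns.<region>.amazonaws.com now resolves to the ENI
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - {Effect: Allow, Principal: '*', Action: 'sns:Publish', Resource: !Ref TopicArn}
```

An endpoint policy only limits what the endpoint will carry; the task role and the bucket and topic policies still have to grant the access themselves.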

1

Hi,

This article compares VPC endpoint vs interface in extensive detail: https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/

Have a special look at the summary chart toward the end.

Best,

Didier

AWS
Expert
Answered 1 year ago
  • This is a very helpful article.

    Thanks Didier!
