Should I use an Interface VPC endpoint or a Gateway VPC endpoint?

0

Hello,

Firstly I would like my ECS task that resides inside my private subnet in my VPC to be able to pick up a file from a private S3 bucket which resides within the AWS Cloud but outside my VPC. Should I use an Interface VPC endpoint or a Gateway endpoint?

I would also like the same task to then publish a message to an SNS topic also residing outside my VPC, my question is again which VPC endpoint type to use and why?

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other is. I get that with the Gateway endpoint you get a route added to the private subnet route table whereas with the Interface endpoint you get an ENI with a private IP for the service I want to hit.

Thanks for any help, it's my first time setting this up! :)

taxmann
Asked 8 months ago, 2475 views
3 answers
1
Accepted answer

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other is.

This is because some AWS services support Interface endpoints and others support Gateway endpoints. Use the one which your target service supports.

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html#vpce-view-available-services

Here are the commands to check which services support Interface endpoint, and which support Gateway endpoint.

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --query ServiceNames 
[
    "aws.api.ap-northeast-1.kendra-ranking",
    "aws.sagemaker.ap-northeast-1.notebook",
    "aws.sagemaker.ap-northeast-1.studio",
    "com.amazonaws.ap-northeast-1.access-analyzer",
    "com.amazonaws.ap-northeast-1.acm-pca",
    "com.amazonaws.ap-northeast-1.airflow.api",
    "com.amazonaws.ap-northeast-1.airflow.env",
    "com.amazonaws.ap-northeast-1.airflow.ops",
    "com.amazonaws.ap-northeast-1.app-integrations",
    "com.amazonaws.ap-northeast-1.application-autoscaling",
    "com.amazonaws.ap-northeast-1.appmesh",
    "com.amazonaws.ap-northeast-1.appmesh-envoy-management",
    "com.amazonaws.ap-northeast-1.apprunner",
    "com.amazonaws.ap-northeast-1.apprunner.requests",
    "com.amazonaws.ap-northeast-1.appstream.api",
    "com.amazonaws.ap-northeast-1.appstream.streaming",
    "com.amazonaws.ap-northeast-1.appsync-api",
    "com.amazonaws.ap-northeast-1.aps",
    "com.amazonaws.ap-northeast-1.aps-workspaces",
    "com.amazonaws.ap-northeast-1.athena",
    "com.amazonaws.ap-northeast-1.auditmanager",
    "com.amazonaws.ap-northeast-1.autoscaling",
    "com.amazonaws.ap-northeast-1.autoscaling-plans",
    "com.amazonaws.ap-northeast-1.awsconnector",
    "com.amazonaws.ap-northeast-1.backup",
    "com.amazonaws.ap-northeast-1.backup-gateway",
    "com.amazonaws.ap-northeast-1.batch",
    "com.amazonaws.ap-northeast-1.cassandra",
    "com.amazonaws.ap-northeast-1.cleanrooms",
    "com.amazonaws.ap-northeast-1.cloudcontrolapi",
    "com.amazonaws.ap-northeast-1.cloudformation",
    "com.amazonaws.ap-northeast-1.cloudhsmv2",
    "com.amazonaws.ap-northeast-1.cloudtrail",
    "com.amazonaws.ap-northeast-1.codeartifact.api",
    "com.amazonaws.ap-northeast-1.codeartifact.repositories",
    "com.amazonaws.ap-northeast-1.codebuild",
    "com.amazonaws.ap-northeast-1.codecommit",
    "com.amazonaws.ap-northeast-1.codedeploy",
    "com.amazonaws.ap-northeast-1.codedeploy-commands-secure",
    "com.amazonaws.ap-northeast-1.codeguru-profiler",
    "com.amazonaws.ap-northeast-1.codeguru-reviewer",
    "com.amazonaws.ap-northeast-1.codepipeline",
    "com.amazonaws.ap-northeast-1.codestar-connections.api",
    "com.amazonaws.ap-northeast-1.comprehend",
    "com.amazonaws.ap-northeast-1.config",
    "com.amazonaws.ap-northeast-1.data-servicediscovery",
    "com.amazonaws.ap-northeast-1.databrew",
    "com.amazonaws.ap-northeast-1.dataexchange",
    "com.amazonaws.ap-northeast-1.datasync",
    "com.amazonaws.ap-northeast-1.deviceadvisor.iot",
    "com.amazonaws.ap-northeast-1.devops-guru",
    "com.amazonaws.ap-northeast-1.dms",
    "com.amazonaws.ap-northeast-1.drs",
    "com.amazonaws.ap-northeast-1.ebs",
    "com.amazonaws.ap-northeast-1.ec2",
    "com.amazonaws.ap-northeast-1.ec2messages",
    "com.amazonaws.ap-northeast-1.ecr.api",
    "com.amazonaws.ap-northeast-1.ecr.dkr",
    "com.amazonaws.ap-northeast-1.ecs",
    "com.amazonaws.ap-northeast-1.ecs-agent",
    "com.amazonaws.ap-northeast-1.ecs-telemetry",
    "com.amazonaws.ap-northeast-1.eks",
    "com.amazonaws.ap-northeast-1.elastic-inference.runtime",
    "com.amazonaws.ap-northeast-1.elasticache",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk-health",
    "com.amazonaws.ap-northeast-1.elasticfilesystem",
    "com.amazonaws.ap-northeast-1.elasticfilesystem-fips",
    "com.amazonaws.ap-northeast-1.elasticloadbalancing",
    "com.amazonaws.ap-northeast-1.elasticmapreduce",
    "com.amazonaws.ap-northeast-1.email-smtp",
    "com.amazonaws.ap-northeast-1.emr-containers",
    "com.amazonaws.ap-northeast-1.emr-serverless",
    "com.amazonaws.ap-northeast-1.events",
    "com.amazonaws.ap-northeast-1.evidently",
    "com.amazonaws.ap-northeast-1.evidently-dataplane",
    "com.amazonaws.ap-northeast-1.execute-api",
    "com.amazonaws.ap-northeast-1.fis",
    "com.amazonaws.ap-northeast-1.forecast",
    "com.amazonaws.ap-northeast-1.forecastquery",
    "com.amazonaws.ap-northeast-1.fsx",
    "com.amazonaws.ap-northeast-1.git-codecommit",
    "com.amazonaws.ap-northeast-1.glue",
    "com.amazonaws.ap-northeast-1.grafana",
    "com.amazonaws.ap-northeast-1.grafana-workspace",
    "com.amazonaws.ap-northeast-1.greengrass",
    "com.amazonaws.ap-northeast-1.guardduty-data",
    "com.amazonaws.ap-northeast-1.identitystore",
    "com.amazonaws.ap-northeast-1.imagebuilder",
    "com.amazonaws.ap-northeast-1.inspector2",
    "com.amazonaws.ap-northeast-1.iot.data",
    "com.amazonaws.ap-northeast-1.iot.fleethub.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.data",
    "com.amazonaws.ap-northeast-1.iotwireless.api",
    "com.amazonaws.ap-northeast-1.kendra",
    "com.amazonaws.ap-northeast-1.kinesis-firehose",
    "com.amazonaws.ap-northeast-1.kinesis-streams",
    "com.amazonaws.ap-northeast-1.kms",
    "com.amazonaws.ap-northeast-1.kms-fips",
    "com.amazonaws.ap-northeast-1.lakeformation",
    "com.amazonaws.ap-northeast-1.lambda",
    "com.amazonaws.ap-northeast-1.license-manager",
    "com.amazonaws.ap-northeast-1.license-manager-user-subscriptions",
    "com.amazonaws.ap-northeast-1.logs",
    "com.amazonaws.ap-northeast-1.lookoutmetrics",
    "com.amazonaws.ap-northeast-1.lookoutvision",
    "com.amazonaws.ap-northeast-1.lorawan.cups",
    "com.amazonaws.ap-northeast-1.lorawan.lns",
    "com.amazonaws.ap-northeast-1.m2",
    "com.amazonaws.ap-northeast-1.macie2",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.mainnet",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.testnet",
    "com.amazonaws.ap-northeast-1.mediaconnect",
    "com.amazonaws.ap-northeast-1.memory-db",
    "com.amazonaws.ap-northeast-1.mgn",
    "com.amazonaws.ap-northeast-1.migrationhub-orchestrator",
    "com.amazonaws.ap-northeast-1.migrationhub-strategy",
    "com.amazonaws.ap-northeast-1.models-v2-lex",
    "com.amazonaws.ap-northeast-1.monitoring",
    "com.amazonaws.ap-northeast-1.nimble",
    "com.amazonaws.ap-northeast-1.pca-connector-ad",
    "com.amazonaws.ap-northeast-1.personalize",
    "com.amazonaws.ap-northeast-1.personalize-events",
    "com.amazonaws.ap-northeast-1.personalize-runtime",
    "com.amazonaws.ap-northeast-1.pinpoint",
    "com.amazonaws.ap-northeast-1.pinpoint-sms-voice-v2",
    "com.amazonaws.ap-northeast-1.polly",
    "com.amazonaws.ap-northeast-1.profile",
    "com.amazonaws.ap-northeast-1.proton",
    "com.amazonaws.ap-northeast-1.qldb.session",
    "com.amazonaws.ap-northeast-1.rds",
    "com.amazonaws.ap-northeast-1.rds-data",
    "com.amazonaws.ap-northeast-1.redshift",
    "com.amazonaws.ap-northeast-1.redshift-data",
    "com.amazonaws.ap-northeast-1.refactor-spaces",
    "com.amazonaws.ap-northeast-1.rekognition",
    "com.amazonaws.ap-northeast-1.robomaker",
    "com.amazonaws.ap-northeast-1.rolesanywhere",
    "com.amazonaws.ap-northeast-1.rum",
    "com.amazonaws.ap-northeast-1.rum-dataplane",
    "com.amazonaws.ap-northeast-1.runtime-v2-lex",
    "com.amazonaws.ap-northeast-1.s3",
    "com.amazonaws.ap-northeast-1.s3-outposts",
    "com.amazonaws.ap-northeast-1.sagemaker.api",
    "com.amazonaws.ap-northeast-1.sagemaker.featurestore-runtime",
    "com.amazonaws.ap-northeast-1.sagemaker.metrics",
    "com.amazonaws.ap-northeast-1.sagemaker.runtime",
    "com.amazonaws.ap-northeast-1.secretsmanager",
    "com.amazonaws.ap-northeast-1.securityhub",
    "com.amazonaws.ap-northeast-1.servicecatalog",
    "com.amazonaws.ap-northeast-1.servicecatalog-appregistry",
    "com.amazonaws.ap-northeast-1.servicediscovery",
    "com.amazonaws.ap-northeast-1.simspaceweaver",
    "com.amazonaws.ap-northeast-1.sns",
    "com.amazonaws.ap-northeast-1.sqs",
    "com.amazonaws.ap-northeast-1.ssm",
    "com.amazonaws.ap-northeast-1.ssm-contacts",
    "com.amazonaws.ap-northeast-1.ssm-incidents",
    "com.amazonaws.ap-northeast-1.ssmmessages",
    "com.amazonaws.ap-northeast-1.states",
    "com.amazonaws.ap-northeast-1.storagegateway",
    "com.amazonaws.ap-northeast-1.streaming-rekognition",
    "com.amazonaws.ap-northeast-1.sts",
    "com.amazonaws.ap-northeast-1.swf",
    "com.amazonaws.ap-northeast-1.sync-states",
    "com.amazonaws.ap-northeast-1.synthetics",
    "com.amazonaws.ap-northeast-1.transcribe",
    "com.amazonaws.ap-northeast-1.transcribestreaming",
    "com.amazonaws.ap-northeast-1.transfer",
    "com.amazonaws.ap-northeast-1.transfer.server",
    "com.amazonaws.ap-northeast-1.translate",
    "com.amazonaws.ap-northeast-1.verifiedpermissions",
    "com.amazonaws.ap-northeast-1.voiceid",
    "com.amazonaws.ap-northeast-1.vpc-lattice",
    "com.amazonaws.ap-northeast-1.wisdom",
    "com.amazonaws.ap-northeast-1.workspaces",
    "com.amazonaws.ap-northeast-1.xray",
    "com.amazonaws.s3-global.accesspoint"
]

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Gateway Name=owner,Values=amazon --query ServiceNames 
[
    "com.amazonaws.ap-northeast-1.dynamodb",
    "com.amazonaws.ap-northeast-1.s3"
]

P.S.

S3 supports both Interface endpoints and Gateway endpoints, and their comparison is described in this page. Gateway endpoints have the advantage that they do not incur charges, but they also have the disadvantage that cross-region access and access from on-premises are not supported.

HS
Answered 8 months ago
  • Thanks for your comprehensive answer HS!

    Really helpful to see the commands and the lists. I also didn't know that Gateway endpoints don't incur a charge. I will read through the page you linked.

    For simplicity though I might just use interface endpoints for both.
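As an added example (not code from the thread, from HS, or from AWS): the choice the accepted answer describes, applied programmatically to a describe-vpc-endpoint-services response parsed into the EC2 API's ServiceDetails shape. The response and the eu-west-2 service names below are constructed sample data, not live output; the functions prefer the Gateway type only where the service supports it and the caller is same-region and not on-premises, and fall back to the Interface type otherwise.

```python
# Added example (not from the thread): pick a VPC endpoint type per service
# from a describe-vpc-endpoint-services response.  SAMPLE_RESPONSE is a
# constructed sample in the shape of the EC2 API's ServiceDetails list.
from typing import Optional

SAMPLE_RESPONSE = {
    "ServiceDetails": [  # S3 offers both types; SNS and ECR only Interface
        {"ServiceName": "com.amazonaws.eu-west-2.s3",
         "ServiceType": [{"ServiceType": "Interface"}]},
        {"ServiceName": "com.amazonaws.eu-west-2.s3",
         "ServiceType": [{"ServiceType": "Gateway"}]},
        {"ServiceName": "com.amazonaws.eu-west-2.sns",
         "ServiceType": [{"ServiceType": "Interface"}]},
        {"ServiceName": "com.amazonaws.eu-west-2.ecr.dkr",
         "ServiceType": [{"ServiceType": "Interface"}]},
        {"ServiceName": "com.amazonaws.eu-west-2.dynamodb",
         "ServiceType": [{"ServiceType": "Gateway"}]},
    ]
}

def supported_types(response: dict) -> dict[str, set[str]]:
    """Map service name -> endpoint types; a service can appear in more
    than one ServiceDetails entry, so the types accumulate."""
    types: dict[str, set[str]] = {}
    for detail in response.get("ServiceDetails", []):
        for entry in detail.get("ServiceType", []):
            types.setdefault(detail["ServiceName"], set()).add(entry["ServiceType"])
    return types

def choose_endpoint(service: str, response: dict, *, same_region: bool = True,
                    from_on_premises: bool = False) -> Optional[str]:
    """Return 'Gateway', 'Interface' or None (no endpoint of either type).
    Gateway endpoints are free but serve neither cross-region nor
    on-premises callers, so they win only when both constraints hold."""
    types = supported_types(response).get(service, set())
    if "Gateway" in types and same_region and not from_on_premises:
        return "Gateway"
    if "Interface" in types:
        return "Interface"
    return None

def plan_endpoints(region: str, services: list[str], response: dict,
                   **access) -> dict[str, Optional[str]]:
    """Endpoint type for each service a task in `region` must reach,
    e.g. the thread's S3 fetch, SNS publish and ECR image pull."""
    return {s: choose_endpoint(f"com.amazonaws.{region}.{s}", response, **access)
            for s in services}
```

A live run would feed `boto3.client("ec2").describe_vpc_endpoint_services()` into `plan_endpoints` instead of the sample; a None result for a service means its traffic still needs the NAT gateway route.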

1

If in the same region then use gateway. For SNS ensure you create the SNS endpoint. Also, running ECS you’ll need the dkr endpoint etc.

ECS will need access to S3 also to download the images if using ECR.

It may be cheaper just to run a NAT gateway

Expert
Answered 8 months ago
  • Hello Gary, thank you for your answer.

    Everything is in the same region for me, eu-west-2. I do have a NAT gateway associated with my private subnet as my monolith also needs to talk to a service that is outside the AWS cloud.

    I thought the advantage of the VPC endpoint however is that it means that traffic doesn't traverse the public internet when going to an AWS service like S3. However with the NAT gateway it does traverse the public internet. Please correct me if I'm wrong.

  • You are correct. Though I don’t work for Amazon so I’m unsure how far the traffic gets before it stays internal before it hits the API endpoints.

1

Hi,

This article compares VPC endpoint vs interface in extensive detail: https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/

Have a special look at the summary chart toward the end.

Best,

Didier

AWS
Expert
Answered 8 months ago
  • This is a very helpful article.

    Thanks Didier!
