Should I use an Interface VPC endpoint or a Gateway VPC endpoint?

0

Hello,

Firstly I would like my ECS task that resides inside my private subnet in my VPC to be able to pick up a file from a private S3 bucket which resides within the AWS Cloud but outside my VPC. Should I use an Interface VPC endpoint or a Gateway endpoint?

I would also like the same task to then publish a message to an SNS topic also residing outside my VPC, my question is again which VPC endpoint type to use and why?

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other are. I get that with the Gateway endpoint you get a route added to the private subnet route table, whereas with the Interface endpoint you get an ENI with a private IP for the service I want to hit.

Thanks for any help, it's my first time setting this up! :)

taxmann
asked 8 months ago, 2419 views
3 answers
1
Accepted answer

The AWS docs seem to relate Gateway endpoints specifically to S3, whereas SNS on the diagram in the docs seems to be using an Interface Endpoint.

But I'm not sure what the advantages/disadvantages of using one or the other is.

This is because some AWS services support Interface endpoint and others support Gateway endpoint. Use the one which your target service supports.

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html#vpce-view-available-services

Here are the commands to check which services support Interface endpoint, and which support Gateway endpoint.

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Interface Name=owner,Values=amazon --query ServiceNames 
[
    "aws.api.ap-northeast-1.kendra-ranking",
    "aws.sagemaker.ap-northeast-1.notebook",
    "aws.sagemaker.ap-northeast-1.studio",
    "com.amazonaws.ap-northeast-1.access-analyzer",
    "com.amazonaws.ap-northeast-1.acm-pca",
    "com.amazonaws.ap-northeast-1.airflow.api",
    "com.amazonaws.ap-northeast-1.airflow.env",
    "com.amazonaws.ap-northeast-1.airflow.ops",
    "com.amazonaws.ap-northeast-1.app-integrations",
    "com.amazonaws.ap-northeast-1.application-autoscaling",
    "com.amazonaws.ap-northeast-1.appmesh",
    "com.amazonaws.ap-northeast-1.appmesh-envoy-management",
    "com.amazonaws.ap-northeast-1.apprunner",
    "com.amazonaws.ap-northeast-1.apprunner.requests",
    "com.amazonaws.ap-northeast-1.appstream.api",
    "com.amazonaws.ap-northeast-1.appstream.streaming",
    "com.amazonaws.ap-northeast-1.appsync-api",
    "com.amazonaws.ap-northeast-1.aps",
    "com.amazonaws.ap-northeast-1.aps-workspaces",
    "com.amazonaws.ap-northeast-1.athena",
    "com.amazonaws.ap-northeast-1.auditmanager",
    "com.amazonaws.ap-northeast-1.autoscaling",
    "com.amazonaws.ap-northeast-1.autoscaling-plans",
    "com.amazonaws.ap-northeast-1.awsconnector",
    "com.amazonaws.ap-northeast-1.backup",
    "com.amazonaws.ap-northeast-1.backup-gateway",
    "com.amazonaws.ap-northeast-1.batch",
    "com.amazonaws.ap-northeast-1.cassandra",
    "com.amazonaws.ap-northeast-1.cleanrooms",
    "com.amazonaws.ap-northeast-1.cloudcontrolapi",
    "com.amazonaws.ap-northeast-1.cloudformation",
    "com.amazonaws.ap-northeast-1.cloudhsmv2",
    "com.amazonaws.ap-northeast-1.cloudtrail",
    "com.amazonaws.ap-northeast-1.codeartifact.api",
    "com.amazonaws.ap-northeast-1.codeartifact.repositories",
    "com.amazonaws.ap-northeast-1.codebuild",
    "com.amazonaws.ap-northeast-1.codecommit",
    "com.amazonaws.ap-northeast-1.codedeploy",
    "com.amazonaws.ap-northeast-1.codedeploy-commands-secure",
    "com.amazonaws.ap-northeast-1.codeguru-profiler",
    "com.amazonaws.ap-northeast-1.codeguru-reviewer",
    "com.amazonaws.ap-northeast-1.codepipeline",
    "com.amazonaws.ap-northeast-1.codestar-connections.api",
    "com.amazonaws.ap-northeast-1.comprehend",
    "com.amazonaws.ap-northeast-1.config",
    "com.amazonaws.ap-northeast-1.data-servicediscovery",
    "com.amazonaws.ap-northeast-1.databrew",
    "com.amazonaws.ap-northeast-1.dataexchange",
    "com.amazonaws.ap-northeast-1.datasync",
    "com.amazonaws.ap-northeast-1.deviceadvisor.iot",
    "com.amazonaws.ap-northeast-1.devops-guru",
    "com.amazonaws.ap-northeast-1.dms",
    "com.amazonaws.ap-northeast-1.drs",
    "com.amazonaws.ap-northeast-1.ebs",
    "com.amazonaws.ap-northeast-1.ec2",
    "com.amazonaws.ap-northeast-1.ec2messages",
    "com.amazonaws.ap-northeast-1.ecr.api",
    "com.amazonaws.ap-northeast-1.ecr.dkr",
    "com.amazonaws.ap-northeast-1.ecs",
    "com.amazonaws.ap-northeast-1.ecs-agent",
    "com.amazonaws.ap-northeast-1.ecs-telemetry",
    "com.amazonaws.ap-northeast-1.eks",
    "com.amazonaws.ap-northeast-1.elastic-inference.runtime",
    "com.amazonaws.ap-northeast-1.elasticache",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk",
    "com.amazonaws.ap-northeast-1.elasticbeanstalk-health",
    "com.amazonaws.ap-northeast-1.elasticfilesystem",
    "com.amazonaws.ap-northeast-1.elasticfilesystem-fips",
    "com.amazonaws.ap-northeast-1.elasticloadbalancing",
    "com.amazonaws.ap-northeast-1.elasticmapreduce",
    "com.amazonaws.ap-northeast-1.email-smtp",
    "com.amazonaws.ap-northeast-1.emr-containers",
    "com.amazonaws.ap-northeast-1.emr-serverless",
    "com.amazonaws.ap-northeast-1.events",
    "com.amazonaws.ap-northeast-1.evidently",
    "com.amazonaws.ap-northeast-1.evidently-dataplane",
    "com.amazonaws.ap-northeast-1.execute-api",
    "com.amazonaws.ap-northeast-1.fis",
    "com.amazonaws.ap-northeast-1.forecast",
    "com.amazonaws.ap-northeast-1.forecastquery",
    "com.amazonaws.ap-northeast-1.fsx",
    "com.amazonaws.ap-northeast-1.git-codecommit",
    "com.amazonaws.ap-northeast-1.glue",
    "com.amazonaws.ap-northeast-1.grafana",
    "com.amazonaws.ap-northeast-1.grafana-workspace",
    "com.amazonaws.ap-northeast-1.greengrass",
    "com.amazonaws.ap-northeast-1.guardduty-data",
    "com.amazonaws.ap-northeast-1.identitystore",
    "com.amazonaws.ap-northeast-1.imagebuilder",
    "com.amazonaws.ap-northeast-1.inspector2",
    "com.amazonaws.ap-northeast-1.iot.data",
    "com.amazonaws.ap-northeast-1.iot.fleethub.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.api",
    "com.amazonaws.ap-northeast-1.iotsitewise.data",
    "com.amazonaws.ap-northeast-1.iotwireless.api",
    "com.amazonaws.ap-northeast-1.kendra",
    "com.amazonaws.ap-northeast-1.kinesis-firehose",
    "com.amazonaws.ap-northeast-1.kinesis-streams",
    "com.amazonaws.ap-northeast-1.kms",
    "com.amazonaws.ap-northeast-1.kms-fips",
    "com.amazonaws.ap-northeast-1.lakeformation",
    "com.amazonaws.ap-northeast-1.lambda",
    "com.amazonaws.ap-northeast-1.license-manager",
    "com.amazonaws.ap-northeast-1.license-manager-user-subscriptions",
    "com.amazonaws.ap-northeast-1.logs",
    "com.amazonaws.ap-northeast-1.lookoutmetrics",
    "com.amazonaws.ap-northeast-1.lookoutvision",
    "com.amazonaws.ap-northeast-1.lorawan.cups",
    "com.amazonaws.ap-northeast-1.lorawan.lns",
    "com.amazonaws.ap-northeast-1.m2",
    "com.amazonaws.ap-northeast-1.macie2",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.mainnet",
    "com.amazonaws.ap-northeast-1.managedblockchain.bitcoin.testnet",
    "com.amazonaws.ap-northeast-1.mediaconnect",
    "com.amazonaws.ap-northeast-1.memory-db",
    "com.amazonaws.ap-northeast-1.mgn",
    "com.amazonaws.ap-northeast-1.migrationhub-orchestrator",
    "com.amazonaws.ap-northeast-1.migrationhub-strategy",
    "com.amazonaws.ap-northeast-1.models-v2-lex",
    "com.amazonaws.ap-northeast-1.monitoring",
    "com.amazonaws.ap-northeast-1.nimble",
    "com.amazonaws.ap-northeast-1.pca-connector-ad",
    "com.amazonaws.ap-northeast-1.personalize",
    "com.amazonaws.ap-northeast-1.personalize-events",
    "com.amazonaws.ap-northeast-1.personalize-runtime",
    "com.amazonaws.ap-northeast-1.pinpoint",
    "com.amazonaws.ap-northeast-1.pinpoint-sms-voice-v2",
    "com.amazonaws.ap-northeast-1.polly",
    "com.amazonaws.ap-northeast-1.profile",
    "com.amazonaws.ap-northeast-1.proton",
    "com.amazonaws.ap-northeast-1.qldb.session",
    "com.amazonaws.ap-northeast-1.rds",
    "com.amazonaws.ap-northeast-1.rds-data",
    "com.amazonaws.ap-northeast-1.redshift",
    "com.amazonaws.ap-northeast-1.redshift-data",
    "com.amazonaws.ap-northeast-1.refactor-spaces",
    "com.amazonaws.ap-northeast-1.rekognition",
    "com.amazonaws.ap-northeast-1.robomaker",
    "com.amazonaws.ap-northeast-1.rolesanywhere",
    "com.amazonaws.ap-northeast-1.rum",
    "com.amazonaws.ap-northeast-1.rum-dataplane",
    "com.amazonaws.ap-northeast-1.runtime-v2-lex",
    "com.amazonaws.ap-northeast-1.s3",
    "com.amazonaws.ap-northeast-1.s3-outposts",
    "com.amazonaws.ap-northeast-1.sagemaker.api",
    "com.amazonaws.ap-northeast-1.sagemaker.featurestore-runtime",
    "com.amazonaws.ap-northeast-1.sagemaker.metrics",
    "com.amazonaws.ap-northeast-1.sagemaker.runtime",
    "com.amazonaws.ap-northeast-1.secretsmanager",
    "com.amazonaws.ap-northeast-1.securityhub",
    "com.amazonaws.ap-northeast-1.servicecatalog",
    "com.amazonaws.ap-northeast-1.servicecatalog-appregistry",
    "com.amazonaws.ap-northeast-1.servicediscovery",
    "com.amazonaws.ap-northeast-1.simspaceweaver",
    "com.amazonaws.ap-northeast-1.sns",
    "com.amazonaws.ap-northeast-1.sqs",
    "com.amazonaws.ap-northeast-1.ssm",
    "com.amazonaws.ap-northeast-1.ssm-contacts",
    "com.amazonaws.ap-northeast-1.ssm-incidents",
    "com.amazonaws.ap-northeast-1.ssmmessages",
    "com.amazonaws.ap-northeast-1.states",
    "com.amazonaws.ap-northeast-1.storagegateway",
    "com.amazonaws.ap-northeast-1.streaming-rekognition",
    "com.amazonaws.ap-northeast-1.sts",
    "com.amazonaws.ap-northeast-1.swf",
    "com.amazonaws.ap-northeast-1.sync-states",
    "com.amazonaws.ap-northeast-1.synthetics",
    "com.amazonaws.ap-northeast-1.transcribe",
    "com.amazonaws.ap-northeast-1.transcribestreaming",
    "com.amazonaws.ap-northeast-1.transfer",
    "com.amazonaws.ap-northeast-1.transfer.server",
    "com.amazonaws.ap-northeast-1.translate",
    "com.amazonaws.ap-northeast-1.verifiedpermissions",
    "com.amazonaws.ap-northeast-1.voiceid",
    "com.amazonaws.ap-northeast-1.vpc-lattice",
    "com.amazonaws.ap-northeast-1.wisdom",
    "com.amazonaws.ap-northeast-1.workspaces",
    "com.amazonaws.ap-northeast-1.xray",
    "com.amazonaws.s3-global.accesspoint"
]

$ aws ec2 describe-vpc-endpoint-services --filters Name=service-type,Values=Gateway Name=owner,Values=amazon --query ServiceNames 
[
    "com.amazonaws.ap-northeast-1.dynamodb",
    "com.amazonaws.ap-northeast-1.s3"
]

P.S.

S3 supports both Interface endpoints and Gateway endpoints, and their comparison is described on this page. Gateway endpoints have the advantage that they do not incur a charge, but they also have the disadvantage that cross-region access and access from on-premises are not supported.

HS
answered 8 months ago
  • Thanks for your comprehensive answer HS!

    Really helpful to see the commands and the lists. I also didn't know that Gateway endpoints don't incur a charge. I will read through the page you linked.

    For simplicity though I might just use interface endpoints for both.
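The two commands in the accepted answer list which services offer each endpoint type, and the P.S. gives the rule for the service (S3) that offers both. The script below is an added example, not part of HS's answer: it applies that rule to the services the task in the question needs. The two JSON lists are constructed samples trimmed from the command output above; in practice you would capture the real output of those two commands into the same variables.

```shell
#!/bin/sh
# Added example: decide the endpoint type per service from the output of
# "aws ec2 describe-vpc-endpoint-services" (constructed samples below).
REGION="ap-northeast-1"
INTERFACE_SERVICES='[
    "com.amazonaws.ap-northeast-1.ecr.api",
    "com.amazonaws.ap-northeast-1.ecr.dkr",
    "com.amazonaws.ap-northeast-1.s3",
    "com.amazonaws.ap-northeast-1.sns"
]'
GATEWAY_SERVICES='[
    "com.amazonaws.ap-northeast-1.dynamodb",
    "com.amazonaws.ap-northeast-1.s3"
]'

# supports LIST SERVICE -> succeeds if the fully qualified name is in LIST
supports() {
    printf '%s\n' "$1" | grep -qF "\"com.amazonaws.$REGION.$2\""
}

# endpoint_type SERVICE [vpc|cross_region|on_prem]
# Prints Gateway, Interface, Gateway-only or Unsupported. When a service
# offers both types, Gateway wins (no charge) unless the callers sit in
# another region or on premises, which gateway endpoints do not serve.
endpoint_type() {
    svc="$1"; reach="${2:-vpc}"
    if supports "$GATEWAY_SERVICES" "$svc" && [ "$reach" = "vpc" ]; then
        echo "Gateway"
    elif supports "$INTERFACE_SERVICES" "$svc"; then
        echo "Interface"
    elif supports "$GATEWAY_SERVICES" "$svc"; then
        echo "Gateway-only"   # reach requirement cannot be met by this service
    else
        echo "Unsupported"
    fi
}

# plan: one endpoint per service the ECS task in the question needs
# (S3 for the file, SNS for the message, ECR for pulling images)
plan() {
    for svc in s3 sns ecr.api ecr.dkr; do
        echo "$svc: $(endpoint_type "$svc" "${1:-vpc}")"
    done
}
plan vpc
```

Run `plan on_prem` to see S3 flip to an Interface endpoint when on-premises callers must reach it through the VPC.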

1

If in the same region then use gateway. For SNS ensure you create the SNS endpoint. Also, running ECS you'll need the dkr endpoint, etc.

ECS will need access to S3 also to download the images if using ECR.

It may be cheaper just to run a NAT gateway

Expert
answered 8 months ago
  • Hello Gary, thank you for your answer.

    Everything is in the same region for me, eu-west-2. I do have a NAT gateway associated with my private subnet, as my monolith also needs to talk to a service that is outside the AWS cloud.

    I thought the advantage of the VPC endpoint however is that it means that traffic doesn't traverse the public internet when going to an AWS service like S3. However with the NAT gateway it does traverse the public internet. Please correct me if I'm wrong.

  • You are correct. Though I don't work for Amazon, so I'm unsure how far the traffic gets before it stays internal before it hits the API endpoints.

1

Hi,

This article compares VPC gateway endpoints vs interface endpoints in extensive detail: https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/

Have a special look at the summary chart toward the end.

Best,

Didier

AWS Expert
answered 8 months ago
  • This is a very helpful article.

    Thanks Didier!
