Difference between VPC Endpoints

Question

What is the difference between gateway and interface endpoints? I know former is based on routing while later is based on ENI but I feel what's going behind the scenes is still the same for both cases.
For gateway endpoints, I believe that  particular ip's (in the way of prefix list) are routed to S3/dynamodb service. But before that shouldn't a dns resolution happen? So if I say "aws s3 ls", dns should provide a private IP (which would be one of the prefix list) and then can routing can happen.
Isn't the concept still the same for interface endpoints? That is, a dns resolution to a private IP?

Answer

Yes, DNS resolution happens with both endpoints. You're correct in how you describe things.

For Gateway Endpoints you'll find that the DNS entry resolves to the public IP address for the S3 and DynamoDB services. The VPC then routes those IP addresses to the endpoint and you're connected with the services.

For Interface Endpoints (which are powered by PrivateLink) the DNS entry resolves to a private IP address that PrivateLink creates for the network interface in your VPC. Note that [as per the documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) you need to have DNS hostnames and DNS resolution enabled in your VPC for this to work. Also, there is a specific name for the endpoint that can also be used - but in most cases it is far easier to use the "normal" (public) endpoint name because it requires no application changes.

Difference between VPC Endpoints

相关内容