Today we are going to talk about VPC endpoint in the Amazon AWS. VPC endpoint allows you to connect your VPC to supported AWS and endpoint services privately.
There is no requirement for a direct link, VPN, NAT device, or internet gateway. Instances in VPC don't require public IP addresses to communicate with AWS resources, and traffic between VPC and services never leaves the amazon network
Endpoints are the virtual devices and are highly available components that allow communication between instances in your VPC and services without imposing any risk of availability or bandwidth constraints on network traffic.
Below is the VPC endpoint with Private and Public Subnets.
 |
| Fig 1.1- Amazon AWS- VPC Endpoint |
There are two types of VPC endpoints:
Interface Endpoints: It is an elastic network interface with a private IP address that serves as an entry point for traffic destined to supported service.
Gateway Endpoints: It creates entries in the routing table and points them to a private endpoint. There are two services that Gateway Endpoint supports:
VPC Private Link
It's the best way of communication between service VPC and multiple customer VPCs at once. Tens and thousands of VPC can connect without using any VPC peering or internet connection.
 |
| Fig 1.2- VPC Private Link |
Transit Gateway:
It's a single point to which all the network connections can connect into. It allows transitive peering and operates on Hub and spoke model. It can work on a regional basis, and multiple AWS accounts can be connected using the Resource access manager.
 |
| Fig 1.3- AWS VPC Transit Gateway |
VPN Hub:
It's a single point of contact to connect your VPN infrastructure into. If we have multiple sites with a VPN connection, AWS VPN cloud Hub can connect those sites. It used Hub and spoke model. It is low cost and easy to manage.
 |
| Fig 1.4- AWS VPN Hub |
AWS VPN costs
Always prefer to use private IP addresses over public IP addresses to save on cost. Communication between the same availability zone using private IP addresses is free of cost, whereas there is a charge of communication between different availability zones and between different regions or VPC accounts.
If you want to cut the cost, place all the instances in the same availability zone and use a private IP address. But, always keep in mind the drawback of putting them in the same availability zone, i.e., there will be a single point of failure.
Author: Amandeep Kaur, Network Engineer
