Task Statement 1.2: Design secure workloads and applications.
📘AWS Certified Solutions Architect – (SAA-C03)
1. What is an AWS Service Endpoint?
An AWS service endpoint is the network entry point (a DNS name such as s3.us-east-1.amazonaws.com and the IP addresses behind it) that a client uses to reach an AWS service such as S3, DynamoDB, or SNS. The client can be an EC2 instance, a Lambda function, a container, or an on-premises server.
Think of it like a doorway that lets your resource talk to AWS services securely.
- Without endpoints, your resources might need to go through the public internet, which can be slower and less secure.
- With endpoints, you can keep traffic within the AWS network, which is faster and more secure.
2. Types of AWS Service Endpoints
AWS provides mainly two types of service endpoints:
A. Public Endpoints
- This is the default for most AWS services.
- Resources reach the service over the public internet. An EC2 instance in a VPC therefore needs a path out: an internet gateway (public subnet) or a NAT gateway (private subnet).
- Security can be enhanced using:
- IAM policies (who can call which API on which resource)
- Encryption in transit (HTTPS/TLS; the service endpoint presents a public certificate)
- Network ACLs / Security Groups (outbound rules on the client side; they cannot restrict which AWS account or VPC a request comes from)
- Example: An EC2 instance accessing an S3 bucket using the public S3 endpoint.
B. Private Endpoints (VPC Endpoints)
- These allow your resources in a VPC (Virtual Private Cloud) to access AWS services without going through the internet.
- Traffic stays inside the AWS network, which improves security.
- Two main types of private endpoints:
- Interface Endpoints
- Connect to services through Elastic Network Interfaces (ENIs) with private IP addresses in your subnets (AWS PrivateLink). Each ENI has a security group that must allow inbound HTTPS (443) from the clients.
- Support most AWS services, for example:
- S3 (also available as a gateway endpoint)
- SNS
- Secrets Manager
- EC2 API calls
- Reachable from on-premises networks over Direct Connect or VPN and from peered VPCs; billed per hour and per GB processed.
- Example: Your EC2 in a private subnet connects to AWS Secrets Manager without leaving the AWS network.
- Gateway Endpoints
- Only for S3 and DynamoDB.
- Added as a route in the VPC route tables you associate with the endpoint: destination is the service's prefix list (pl-…), target is the endpoint (vpce-…). No ENI and no charge.
- Because that route is more specific than 0.0.0.0/0, requests to S3/DynamoDB are routed to the endpoint instead of to the NAT or internet gateway.
- Usable only from instances inside the VPC itself, not from on-premises networks or peered VPCs.
- Example: Your EC2 in a private subnet uploads files to S3 privately, using the gateway endpoint.
3. Benefits of Using VPC Endpoints
- Increased Security: Traffic doesn’t go through the internet, reducing exposure to threats.
- Better Performance: Traffic stays on the AWS backbone and does not pass through a NAT gateway, so it avoids the NAT gateway's bandwidth limits and per-GB data processing charges.
- No Need for NAT Gateways or Internet Access:
- Normally, private subnets need NAT to access AWS services over the internet.
- With VPC endpoints, NAT is not needed.
- Fine-Grained Access Control:
- You can attach an endpoint policy (a resource policy on the endpoint) to restrict which principals, actions, and resources may be used through it. The default policy allows full access.
- Example: an endpoint policy that allows only s3:GetObject and s3:PutObject on one bucket, combined with a bucket policy that denies any request whose aws:sourceVpce is not that endpoint ID, so the bucket can be reached only through the endpoint. Which subnets can use a gateway endpoint is controlled by the route tables it is associated with, not by the endpoint policy.
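The pairing described above, as an added example that is not part of the original notes: an endpoint policy limiting what the endpoint may be used for, a bucket policy that denies everything not arriving via that endpoint, and a simplified evaluator that shows how the two combine. The endpoint ID, bucket name and request cases are constructed; the evaluator models only explicit deny, explicit allow, and the two string condition operators the policies use, and assumes the caller's IAM identity policy already allows the action.

```python
"""Added example (not the notes' own material): endpoint policy + bucket policy
that restrict a bucket to one gateway endpoint, with a simplified evaluator.
All IDs and names are constructed placeholders."""
import fnmatch
import json

ENDPOINT_ID = "vpce-0a1b2c3d4e5f67890"   # hypothetical gateway endpoint ID
BUCKET = "example-private-data"           # hypothetical bucket name

# Endpoint policy: attached to the endpoint, it limits what the endpoint can be
# used for. Only object reads/writes on one bucket may pass through this path.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Bucket policy: attached to the bucket, it denies every request that did not
# arrive through the endpoint. aws:sourceVpce exists only on endpoint traffic,
# and StringNotEquals on a missing key evaluates to true, so requests over the
# public path (including the console) hit the Deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only the two string operators used in the policies above are modelled."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if operator == "StringEquals" and have not in _as_list(wanted):
                return False
            if operator == "StringNotEquals" and have in _as_list(wanted):
                return False
    return True


def _decision(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched). Explicit deny wins."""
    result = None
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def is_allowed(action, resource, source_vpce=None):
    """Simplified evaluation: the caller's identity policy is assumed to allow
    the action; the bucket policy may deny; traffic entering through our
    endpoint must additionally be allowed by the endpoint policy. Traffic via
    some other endpoint is assumed to carry that endpoint's default full-access
    policy, so only the bucket policy can stop it."""
    ctx = {"aws:sourceVpce": source_vpce} if source_vpce else {}
    if _decision(BUCKET_POLICY, action, resource, ctx) == "Deny":
        return False
    if source_vpce == ENDPOINT_ID and _decision(ENDPOINT_POLICY, action, resource, ctx) != "Allow":
        return False
    return True


def policy_documents():
    """JSON text as you would pass to `aws ec2 create-vpc-endpoint
    --policy-document file://...` and `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(ENDPOINT_POLICY, indent=2), json.dumps(BUCKET_POLICY, indent=2)


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    print("via endpoint, GetObject:      ", is_allowed("s3:GetObject", obj, ENDPOINT_ID))
    print("public path, GetObject:       ", is_allowed("s3:GetObject", obj))
    print("via endpoint, DeleteObject:   ", is_allowed("s3:DeleteObject", obj, ENDPOINT_ID))
    print("via endpoint, other bucket:   ", is_allowed("s3:GetObject", "arn:aws:s3:::other-bucket/x", ENDPOINT_ID))
```

The two documents play different roles: the endpoint policy protects the endpoint (what may be reached through it), the bucket policy protects the bucket (through which path it may be reached). Only the combination gives "this bucket, only via this endpoint, only these actions".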
4. How AWS Endpoints Work in a VPC
Here’s a simple diagram in words:
- EC2 instance in a private subnet wants to access S3.
- If no VPC endpoint exists → the only matching route is 0.0.0.0/0 via the NAT gateway → public internet → S3 (S3 sees the NAT gateway's public IP, and the request is subject to NAT bandwidth limits and data charges).
- If a gateway VPC endpoint exists → the route table has a more specific route for the S3 prefix list pointing at the vpce-… target → traffic goes from the private subnet → AWS network → S3 (no internet, no NAT).
Key point: Private endpoints keep your traffic internal, which is recommended for secure workloads.
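The route lookup described in this section, and the gateway endpoint route from section 2B, as an added check that is not part of the original notes: given route tables in the shape returned by `aws ec2 describe-route-tables`, classify how each subnet reaches S3 and flag subnets whose S3 traffic still leaves through NAT or an internet gateway. The route tables, subnet IDs, endpoint ID and the S3 prefix list ID are constructed sample data (look up the real prefix list ID for your region with `aws ec2 describe-prefix-lists`).

```python
"""Added example (not the notes' own material): classify how a subnet reaches
S3 from DescribeRouteTables-style data. All tables and IDs are constructed."""

# Prefix list ID of the S3 service in the region (assumed value). A gateway
# endpoint inserts a route to this prefix list into every associated route table.
S3_PREFIX_LIST = "pl-63a5400a"

ROUTE_TABLES = [
    {   # private subnet: NAT default route plus a gateway-endpoint route to S3
        "RouteTableId": "rtb-0private0a",
        "Associations": [{"SubnetId": "subnet-0private0a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaaaaaaaaaaaaaaa", "State": "active"},
            {"DestinationPrefixListId": S3_PREFIX_LIST, "GatewayId": "vpce-0a1b2c3d4e5f67890", "State": "active"},
        ],
    },
    {   # private subnet: NAT only, so S3 traffic leaves through the NAT gateway
        "RouteTableId": "rtb-0private0b",
        "Associations": [{"SubnetId": "subnet-0private0b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaaaaaaaaaaaaaaa", "State": "active"},
        ],
    },
    {   # public subnet: default route to the internet gateway
        "RouteTableId": "rtb-0public00",
        "Associations": [{"SubnetId": "subnet-0public00"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbbbbbbbbbbbbbbb", "State": "active"},
        ],
    },
    {   # main table: only the local route, so unassociated subnets are isolated
        "RouteTableId": "rtb-0main0000",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]


def route_table_for(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def s3_path(route_tables, subnet_id):
    """Return 'gateway-endpoint', 'nat', 'internet-gateway' or 'none'."""
    table = route_table_for(route_tables, subnet_id)
    if table is None:
        return "none"
    active = [r for r in table["Routes"] if r.get("State") == "active"]
    # The prefix-list route to a vpce- target is more specific than 0.0.0.0/0,
    # so S3 traffic takes it whenever it exists.
    for r in active:
        if r.get("DestinationPrefixListId") == S3_PREFIX_LIST and \
                str(r.get("GatewayId", "")).startswith("vpce-"):
            return "gateway-endpoint"
    for r in active:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("NatGatewayId"):
                return "nat"
            if str(r.get("GatewayId", "")).startswith("igw-"):
                return "internet-gateway"
    return "none"


def audit(route_tables, subnet_ids):
    """Map each subnet to its S3 path and list the subnets whose S3 traffic
    leaves the VPC through NAT or an internet gateway (endpoint not in use)."""
    paths = {s: s3_path(route_tables, s) for s in subnet_ids}
    findings = sorted(s for s, p in paths.items() if p in ("nat", "internet-gateway"))
    return paths, findings


if __name__ == "__main__":
    subnets = ["subnet-0private0a", "subnet-0private0b", "subnet-0public00", "subnet-0isolated"]
    paths, findings = audit(ROUTE_TABLES, subnets)
    for subnet, path in paths.items():
        print(f"{subnet}: S3 via {path}")
    print("subnets sending S3 traffic outside the VPC:", findings)
```

To run it against a real account, load `aws ec2 describe-route-tables --output json`, pass `data["RouteTables"]` as `route_tables`, and replace `S3_PREFIX_LIST` with your region's value. Note that a gateway endpoint only helps the subnets whose route tables are associated with it; the second private subnet above is the common misconfiguration where the endpoint exists in the VPC but one route table was never associated.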
5. Important Considerations for the Exam
- Not all services support private endpoints. Check the AWS documentation for which services support interface or gateway endpoints.
- Gateway endpoints are only for S3 and DynamoDB, are free, and work only from inside the VPC (not over VPN, Direct Connect, or VPC peering). Interface endpoints cover most other services, are charged per hour and per GB, and can be reached from on-premises and peered networks.
- Interface endpoints create ENIs in your subnets, which consume IP addresses (plan one per subnet/AZ per service), need a security group allowing inbound 443 from the clients, and should have Private DNS enabled so the service's normal hostname resolves to the endpoint.
- Endpoint policies are optional (the default allows full access) but recommended for tight security control; pair them with resource policies that check aws:sourceVpce or aws:sourceVpc.
- Using endpoints can help meet compliance requirements since data doesn’t traverse the public internet.
6. Quick Exam Tips
- Be able to differentiate between public and private endpoints.
- Know the types of VPC endpoints:
- Interface → ENI → many AWS services
- Gateway → S3 and DynamoDB → route table
- Understand why endpoints improve security.
- Remember: Endpoints = traffic stays within AWS network → reduces exposure.
7. Summary Table
| Feature | Public Endpoint | Private Endpoint (VPC) |
|---|---|---|
| Traffic goes over internet? | Yes | No |
| Types | Default for AWS services | Interface / Gateway |
| Security | IAM, HTTPS | IAM, endpoint policy, resource policy on aws:sourceVpce, security group (interface), no internet exposure |
| Examples | EC2 accessing S3 via public URL | EC2 in private subnet accessing S3 via gateway endpoint |
✅ Key Takeaway:
For the exam, always remember that VPC endpoints are used to securely connect your workloads to AWS services without going through the public internet, which is a best practice for secure AWS architecture.
