🐾Gateway vs Interface Endpoints 🐾
🤓When designing AWS workloads, you sometimes need a secure way to reach AWS services without traversing the public internet. Gateway and Interface endpoints are the solution, but do you know which one to choose for your use case?
The Core Differences
Gateway Endpoints:
Only available for S3 and DynamoDB
Implemented as route table entries pointing to specific AWS services
Free of charge
Support resource-based policies for access control
Interface Endpoints:
Available for most AWS services
Implemented as an elastic network interface (ENI) with private IPs and a service-specific DNS entry
Incur charges both for the endpoint itself and for data processing
Support both security groups and resource-based policies
When to choose Gateway endpoints
If you use S3 or DynamoDB from your VPC resources, Gateway endpoints should be your default choice. They're completely free and provide a double benefit: they reduce costs by bypassing NAT Gateway data processing charges while enhancing security by keeping traffic entirely within AWS's network. This makes Gateway endpoints a rare win-win optimization with no drawbacks for standard workloads.
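As an added example (not part of the original post), here is a small Python audit that applies the route-table point above: given data in the shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`, it reports for each subnet whether S3 traffic leaves through a Gateway endpoint, takes the public path (NAT Gateway or Internet Gateway, i.e. the traffic you are paying for and exposing), or has no path at all. The sample data and every ID in it are constructed; it generalizes to DynamoDB via the `service` parameter.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output (all IDs made up).
VPC_ENDPOINTS = json.loads("""{"VpcEndpoints": [
  {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway",
   "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-0001"]},
  {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface",
   "ServiceName": "com.amazonaws.us-east-1.sqs", "SubnetIds": ["subnet-a"]}
]}""")

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# rtb-0001 carries the prefix-list route a Gateway endpoint adds; rtb-0002 has only a
# NAT default route; rtb-0003 is an isolated subnet with no way out at all.
ROUTE_TABLES = json.loads("""{"RouteTables": [
  {"RouteTableId": "rtb-0001", "Associations": [{"SubnetId": "subnet-a"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationPrefixListId": "pl-EXAMPLE", "GatewayId": "vpce-0aaa", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
  {"RouteTableId": "rtb-0002", "Associations": [{"SubnetId": "subnet-b"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123", "State": "active"}]},
  {"RouteTableId": "rtb-0003", "Associations": [{"Main": true}, {"SubnetId": "subnet-c"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
]}""")


def service_path_per_subnet(route_tables, vpc_endpoints, service="s3"):
    """Return {subnet_id: 'gateway-endpoint' | 'public-internet' | 'none'} for `service`.

    A Gateway endpoint is visible purely as an active route whose GatewayId is the
    endpoint ID. Without it, a 0.0.0.0/0 route (NAT or IGW) sends the traffic to the
    service's public endpoint; with no default route the subnet cannot reach it.
    """
    gateway_ids = {
        ep["VpcEndpointId"] for ep in vpc_endpoints["VpcEndpoints"]
        if ep["VpcEndpointType"] == "Gateway" and ep["ServiceName"].endswith("." + service)
    }
    paths = {}
    for rt in route_tables["RouteTables"]:
        active = [r for r in rt["Routes"] if r.get("State", "active") == "active"]
        via_endpoint = any(r.get("GatewayId") in gateway_ids for r in active)
        via_public = any(r.get("DestinationCidrBlock") == "0.0.0.0/0" for r in active)
        path = "gateway-endpoint" if via_endpoint else ("public-internet" if via_public else "none")
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:  # skip the bare "Main" association
                paths[assoc["SubnetId"]] = path
    return paths


if __name__ == "__main__":
    for subnet, path in sorted(service_path_per_subnet(ROUTE_TABLES, VPC_ENDPOINTS).items()):
        print(f"{subnet}: S3 traffic via {path}")
```

Against live data, feed the output of the two CLI calls into the same function; every subnet reported as `public-internet` is one still paying NAT data processing for S3 or DynamoDB.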
When to choose Interface endpoints
Interface endpoints are required in the following cases:
Regulatory compliance: When data must never traverse the public internet, or regulations require strict control over network paths
Hybrid cloud architectures: Connecting on-premises systems to AWS services
Security: An additional layer of access control with security groups
Network isolation: For workloads that should not have internet access
When Interface Endpoints Make Sense for S3 and DynamoDB
Despite Gateway endpoints being free, there are legitimate reasons to use Interface endpoints for S3 and DynamoDB:
On-premises access: When you need to access resources from outside AWS via Direct Connect or VPN
Cross-region access: For accessing resources in different regions
Firewall control: When you need to apply security group rules to the endpoint
These use cases justify the additional cost of Interface endpoints.
Thank you for reading, let’s chat 💬
💬 Have you heard about Resource VPC endpoints?
💬 Do you use any custom services to replace Interface endpoints?
💬 Which topics would you like me to cover in the next post?
I love hearing from readers 🫶🏻 Please feel free to drop comments, questions, and opinions below👇🏻