Tuesday, July 7, 2020

VPC Endpoints

VPC Endpoints - PrivateLink

-        https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html
-        A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink technology without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
-        Endpoints are virtual devices, created at VPC level. Select:
                      - the service you want to connect to
                      - VPC name
                      - route tables that need access to the gateway
-        Endpoints are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic. 
-        Endpoints are REGIONAL – can’t be accessed across multiple regions. 

Endpoint Types: 

-        There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.
Interface Endpoints: 
-        https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
-        An extensive list of AWS services is available (see link above)
-        Enables you to connect to services powered by AWS PrivateLink. These services include some AWS services, services hosted by other AWS customers and Partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace Partner services. The owner of the service is the service provider, and you, as the principal creating the interface endpoint, are the service consumer
Gateway Endpoints: 
-        https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html
-        Amazon S3 and DynamoDB
-        You can configure who can access which service through the endpoint
-        Supported in same region only
-        Does not require security group

Endpoint Services:

-        Endpoint services use PrivateLink technology to make services in your VPC available to other AWS accounts and services. That is, you expose your own service to be the target of an endpoint.
-        Other accounts and services can create an interface endpoint to access your endpoint service.
-        An endpoint enables a connection from a private subnet to an AWS service via internal AWS infrastructure, without needing to go out to the public internet.
-        ENI (Elastic Network Interface) with a private IP address that serves as the entry point for a supported service.
-        AWS creates one ENI per subnet.
-        Services available via this ENI:
                      - Majority of AWS services supported
                      - Services hosted by AWS customers in their own VPC
                      - Supported AWS Marketplace partner services
-        Initiation of the connection needs to start at the VPC, going out to the service.

Enabling VPC Endpoints:

-        When creating an endpoint, a private DNS option is available for each service. Use this setting to let the endpoint reach the AWS service's private IPs in the background, rather than going out to the internet via each service's public DNS name:
-        It associates a private hosted zone with the VPC that contains a record set that enables you to leverage Amazon's private network connectivity to the service while making requests to the service's default public endpoint DNS name. To use this feature, ensure that the attributes 'Enable DNS hostnames' and 'Enable DNS support' are enabled for your VPC.
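The rules above (endpoints are regional, gateway endpoints take route tables, interface endpoints take subnets, and private DNS needs both VPC DNS attributes) as a pre-flight check that renders the matching `aws ec2 create-vpc-endpoint` call. This is an added example, not code from the post; the VPC, route-table, subnet and security-group IDs in the usage are constructed placeholders, and the VPC DNS attributes are supplied by the caller (as read with `aws ec2 describe-vpc-attribute`).

```python
from dataclasses import dataclass, field

GATEWAY_SERVICES = {"s3", "dynamodb"}   # the only services that use gateway endpoints

@dataclass
class EndpointRequest:
    endpoint_type: str       # "Gateway" or "Interface"
    service_name: str        # e.g. com.amazonaws.eu-west-1.s3
    vpc_id: str              # constructed placeholder IDs are used in the tests below
    vpc_region: str
    route_table_ids: list = field(default_factory=list)   # Gateway: tables that must reach the endpoint
    subnet_ids: list = field(default_factory=list)        # Interface: one ENI is created per subnet
    security_group_ids: list = field(default_factory=list)
    private_dns_enabled: bool = False
    enable_dns_support: bool = True      # VPC attributes (aws ec2 describe-vpc-attribute)
    enable_dns_hostnames: bool = True

def validate(req):
    """Return the problems found; an empty list means the request is consistent."""
    errors, parts = [], req.service_name.split(".")
    if len(parts) < 4:
        return [f"unrecognised service name {req.service_name!r}"]
    region, service = parts[2], parts[3]
    if region != req.vpc_region:   # endpoints are regional
        errors.append(f"service region {region} does not match VPC region {req.vpc_region}")
    if req.endpoint_type == "Gateway":
        if service not in GATEWAY_SERVICES:
            errors.append(f"{service} needs an Interface endpoint, not a Gateway")
        if not req.route_table_ids:
            errors.append("Gateway endpoint needs the route tables that should use it")
        if req.subnet_ids or req.security_group_ids or req.private_dns_enabled:
            errors.append("subnets, security groups and private DNS are Interface-endpoint settings")
    elif req.endpoint_type == "Interface":
        if not req.subnet_ids:
            errors.append("Interface endpoint needs at least one subnet")
        if req.private_dns_enabled and not (req.enable_dns_support and req.enable_dns_hostnames):
            errors.append("private DNS requires 'Enable DNS support' and 'Enable DNS hostnames' on the VPC")
    else:
        errors.append(f"unknown endpoint type {req.endpoint_type!r}")
    return errors

def cli_command(req):
    """Render the matching `aws ec2 create-vpc-endpoint` call (only for a request that validates)."""
    flags = [f"--vpc-id {req.vpc_id}", f"--service-name {req.service_name}", f"--vpc-endpoint-type {req.endpoint_type}"]
    for flag, ids in (("--route-table-ids", req.route_table_ids), ("--subnet-ids", req.subnet_ids), ("--security-group-ids", req.security_group_ids)):
        if ids:
            flags.append(f"{flag} {' '.join(ids)}")
    if req.private_dns_enabled:
        flags.append("--private-dns-enabled")
    return "aws ec2 create-vpc-endpoint " + " ".join(flags)
```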