Private Connectivity and Service Access

Explore how to enable private connectivity to AWS services using VPC gateway endpoints, interface endpoints, and AWS PrivateLink. Understand the differences, security controls like endpoint policies and SCPs, and architectural patterns such as centralized versus distributed endpoints. This lesson helps you design scalable, secure, and cost-effective private access across multi-account AWS environments.

Enterprise workloads rarely stay inside a single VPC. A modern AWS environment often spans multiple accounts, many subnets, and a wide range of AWS services, from Amazon S3 for data lakes and DynamoDB for application state to AWS STS for cross-account access, CloudWatch for observability, and Secrets Manager for secure credential retrieval. At the same time, internal services often need to be shared with consumers in other accounts without opening broad network access.

The easy but risky approach is to attach an internet gateway, route traffic through a NAT gateway, or create broad VPC peering connections. These choices may work, but they can also introduce unnecessary public internet exposure, increase data transfer costs, and expand the blast radius of a misconfiguration.

The architectural challenge is more precise: How do you give workloads private, least-privilege access to AWS services and internal applications at scale while ensuring traffic never traverses the public internet?

This lesson answers that question through three key building blocks: VPC gateway endpoints, VPC interface endpoints powered by AWS PrivateLink, and customer-managed PrivateLink services backed by Network Load Balancers. We'll also learn how endpoint policies work with IAM policies, resource policies, and service control policies to create defense in depth across multi-account AWS architectures.

The following diagram illustrates how these three connectivity paths coexist within a multi-account environment, each eliminating the need for an internet gateway or NAT gateway.

Multi-account AWS VPC endpoints architecture with Gateway Endpoints, Interface Endpoints, and cross-account PrivateLink connectivity

Gateway vs. interface endpoints

Choosing the right VPC endpoint type is an important architecture decision because each option solves a different connectivity problem. Both gateway and interface endpoints keep traffic within the AWS network, but they differ in how they route traffic, which services they support, how they are priced, and the level of control they provide.

How gateway endpoints work

A gateway endpoint is a route table target that uses a managed prefix list to route traffic destined for Amazon S3 or DynamoDB through the AWS private network, without creating an elastic network interface or incurring additional charges. You attach the endpoint to one or more route tables, and the prefix list ensures that requests to S3 or DynamoDB IP ranges are automatically routed through the endpoint instead of a NAT ...
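The two things that make a gateway endpoint effective are its route table associations (every private route table that should reach S3 or DynamoDB must point at it, or that traffic silently falls back to a NAT or internet gateway route) and its endpoint policy (the default policy allows any principal any action on any resource). The following audit script is an added example written for this lesson, not code from the course or from AWS; it works on dicts shaped like the output of `aws ec2 describe-vpc-endpoints`, and the sample endpoints, VPC, route table and account identifiers, and organization ID below are all constructed placeholders. It reports a missing endpoint, missing route table associations, and a wide-open policy, and shows a scoped replacement policy that relies on the `aws:PrincipalOrgID` condition key (gateway endpoint policies keep `Principal` as `*` and restrict callers through conditions).

```python
"""Audit the S3 / DynamoDB gateway endpoints of a VPC (added example)."""
import json

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoints` output.
# Region, IDs, account number and ARNs are placeholders, not real resources.
SAMPLE_ENDPOINTS = [
    {
        "VpcEndpointId": "vpce-0aaa",
        "VpcEndpointType": "Gateway",
        "VpcId": "vpc-0123",
        "ServiceName": "com.amazonaws.us-east-1.s3",
        "RouteTableIds": ["rtb-private-a"],
        # Shape of the policy AWS attaches when none is supplied: allow everything.
        "PolicyDocument": json.dumps({
            "Version": "2008-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "*", "Resource": "*"}],
        }),
    },
    {
        "VpcEndpointId": "vpce-0bbb",
        "VpcEndpointType": "Gateway",
        "VpcId": "vpc-0123",
        "ServiceName": "com.amazonaws.us-east-1.dynamodb",
        "RouteTableIds": ["rtb-private-a", "rtb-private-b"],
        "PolicyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow", "Principal": "*",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/orders",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}},
            }],
        }),
    },
]


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_any(principal):
    """True for "Principal": "*" or {"AWS": "*"} style wildcards."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def is_wide_open(policy):
    """True if an unconditioned Allow statement lets any principal call any
    action on any resource, which is the shape of the default endpoint policy."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        any_action = any(a == "*" or a.endswith(":*")
                         for a in _as_list(stmt.get("Action")))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if _principal_is_any(stmt.get("Principal")) and any_action and any_resource:
            return True
    return False


def gateway_endpoints_for(endpoints, vpc_id, service_name):
    """Gateway endpoints in a VPC for one service (e.g. com.amazonaws.<region>.s3)."""
    return [e for e in endpoints
            if e["VpcId"] == vpc_id and e["VpcEndpointType"] == "Gateway"
            and e["ServiceName"] == service_name]


def audit_gateway_endpoint(endpoints, vpc_id, service_name, expected_route_tables):
    """Return a list of findings; an empty list means the endpoint passes."""
    matches = gateway_endpoints_for(endpoints, vpc_id, service_name)
    if not matches:
        return [f"{vpc_id}: no gateway endpoint for {service_name}; "
                "traffic will fall back to NAT/internet gateway routes"]
    findings = []
    for ep in matches:
        eid = ep["VpcEndpointId"]
        # Any expected private route table not attached still routes via NAT/IGW.
        missing = sorted(set(expected_route_tables) - set(ep.get("RouteTableIds", [])))
        if missing:
            findings.append(f"{eid}: not associated with route tables {missing}")
        if is_wide_open(json.loads(ep["PolicyDocument"])):
            findings.append(f"{eid}: endpoint policy is the wide-open default")
    return findings


def least_privilege_policy(resource_arns, org_id):
    """Scoped S3 gateway endpoint policy: only principals in one organization,
    only the listed bucket ARNs (pass both the bucket and bucket/* forms)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgOnlyScopedBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": list(resource_arns),
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


if __name__ == "__main__":
    expected = ["rtb-private-a", "rtb-private-b"]
    for svc in ("s3", "dynamodb"):
        service = f"com.amazonaws.us-east-1.{svc}"
        for finding in audit_gateway_endpoint(SAMPLE_ENDPOINTS, "vpc-0123", service, expected):
            print(finding)
    print(json.dumps(least_privilege_policy(
        ["arn:aws:s3:::example-data-lake", "arn:aws:s3:::example-data-lake/*"],
        "o-example"), indent=2))
```

To run this against a real account, replace `SAMPLE_ENDPOINTS` with the `VpcEndpoints` list from `aws ec2 describe-vpc-endpoints` and `expected` with the private route tables of the VPC; the `aws:PrincipalOrgID` check stops credentials from outside your organization (for example, exfiltration to an attacker-owned bucket over the same endpoint) from using it, which the default policy does not.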