VPC Endpoints
AWS PrivateLink
AWS PrivateLink is a highly available, scalable technology that you can use to privately connect your VPC to services as if they were in your VPC. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to allow communication with the service from your private subnets. [1]
With PrivateLink you can create your endpoint service to make it available to your customers.
(Image Credit: AWS Gateway Endpoints [3] )
In the diagram, VPC has 3 endpoints connecting to 3 PrivateLink services.
The topmost endpoint connects to AWS Services
The middle one connects to a service exposed by a VPC in another account
The bottom one connects to a 3rd party service exposed on the AWS Marketplace partner service
Gateway VPC Endpoints
Gateway VPC endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC [1].
Gateway endpoint does not use PrivateLink, unlike other types of endpoints.
Comparing VPC Endpoints with the traditional approach
If a private subnet needs to access data on S3 or DynamoDB, it will have to go through the NAT gateway, then to Internet Gateway and finally to S3
But with VPC Endpoints private subnet can directly connect to VPC Endpoints and get data from S3.
(Image Credit: AWS Gateway Endpoints [1] )
Another advantage of using VPC Endpoints is that it can also define a policy on what actions VPC endpoint can do against the service/s3.
(Image Credit: AWS Gateway Endpoints [1] )
Interface VPC Endpoints
Interface VPC endpoints are used to connect to services powered by AWS PrivateLink. For each subnet that you specify from your VPC, AWS creates an endpoint network interface in the subnet and assigns it a private IP address from the subnet address range.
(Image Credit: AWS Gateway Endpoints [1] )
An endpoint network interface is a requester-managed network interface, one can view in their AWS account, but can't manage it themselves.