Comment by otterley 5 days ago
Gateway endpoints are free. Network endpoints (which are basically AWS-managed ENIs that can tunnel through VPC boundaries) are not free.
S3 can use either, and we recommend establishing VPC Gateway endpoints by default whenever you need S3 access.
(Disclaimer: I work for AWS, opinions are my own.)
> I recommend S3 Gateways for all VPCs that need to access S3, even those that already have routes to the Internet.
Fascinating. What's the advantage of doing that?
It's a much more direct/efficient connection from the EC2 instance to the S3 storage servers through the virtual network layer. It reduces the network path/length through the AWS network _and_ removes the number of virtual network functions/servers (ala "LB") that your connections will traverse.
That's helpful to know, thank you! I'll take a look at that and see if it improves S3 performance.
> everything seems to steer people towards PrivateLink, not gateway endpoints
Gateway endpoints only work for some things.
Privatelink endpoints can be of type gateway or interface. Only gateway is free and only S3 and dynamodb supports it.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-e...
~~I get the impression there are several others, too, but that one is of especial interest to me~~ Wowzers, they really are much better now:
aws --region us-east-1 ec2 describe-vpc-endpoint-services | jq '.ServiceNames|length'
459
Both interface endpoints and gateway endpoints are also called VPC endpoints. The former get distinct IP addresses in your VPC subnets while the latter get distinct entries in your VPC routing tables. They are even created with the same API call: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_C...
That's fascinating! I hadn't found that in the documentation; everything seems to steer people towards PrivateLink, not gateway endpoints.
Would you recommend using VPC Gateway even on a public VPC that has an Internet gateway (note: not a NAT gateway)? Or only on a private VPC or one with a NAT gateway?