
Gateway Endpoint


Gateway endpoints are VPC endpoints that let resources in your VPC reach Amazon S3 and DynamoDB. These services can be accessed either through a gateway endpoint or through their public service endpoints, for example via an internet gateway.

Gateway VPC endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device in your VPC. Unlike other types of VPC endpoints, gateway endpoints do not use AWS PrivateLink.

Overview

You can access Amazon S3 and DynamoDB through their public service endpoints or through gateway endpoints. This overview compares these methods.

Access the Services through Public Endpoint

The following diagram shows how instances access Amazon S3 and DynamoDB through their public service endpoints. Traffic to Amazon S3 or DynamoDB from an instance in a public subnet is routed to the internet gateway for the VPC and then to the service. Instances in a private subnet can’t send traffic to Amazon S3 or DynamoDB, because by definition private subnets do not have routes to an internet gateway. To enable instances in the private subnet to send traffic to Amazon S3 or DynamoDB, you would add a NAT device to the public subnet and route traffic in the private subnet to the NAT device. While traffic to Amazon S3 or DynamoDB traverses the internet gateway, it does not leave the AWS network.


        By default, traffic from your VPC to Amazon S3 or DynamoDB is routed through an internet 
          gateway, but does not leave the AWS network.
Access services through Gateway Endpoint

The following diagram shows how instances access Amazon S3 and DynamoDB through a gateway endpoint. Traffic from your VPC to Amazon S3 or DynamoDB is routed to the gateway endpoint. Each subnet route table must have a route that sends traffic destined for the service to the gateway endpoint using the prefix list for the service.


        With gateway endpoints, traffic from your VPC to Amazon S3 or DynamoDB is routed to
          the gateway endpoint.

Routing

When you create a gateway endpoint, you select the VPC route tables for the subnets that you enable. The following route is automatically added to each route table that you select. The destination is a prefix list for the service owned by AWS and the target is the gateway endpoint.

Destination       Target
prefix_list_id    gateway_endpoint_id

Figure 1

Security

When your instances access Amazon S3 or DynamoDB through a gateway endpoint, they access the service using its public endpoint. The security groups for these instances must allow traffic to and from the service. The following is an example outbound rule.

Destination       Protocol    Port Range
prefix_list_id    TCP         443

Figure 2

The network ACLs for the subnets for these instances must also allow traffic to and from the service. The following is an example outbound rule. You can’t reference prefix lists in network ACL rules, but you can get the IP address ranges for the service from its prefix list.

Destination             Protocol    Port Range
service_cidr_block_1    TCP         443

Figure 3
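The Routing and Security sections above describe three pieces that belong together: the gateway endpoint with its automatically added route, a security group egress rule that references the service prefix list, and network ACL rules built from the CIDR blocks behind that prefix list. The following Terraform configuration is an added example, not taken from this page or from AWS documentation, that puts all three in one place for an S3 gateway endpoint. The VPC, route table, security group and network ACL ids are assumed to exist already and are passed in as variables (the names of those variables, and the rule-number scheme, are this example's own choices).

```hcl
# Added example (not from the page): S3 gateway endpoint plus the
# security-group and network-ACL rules the Routing and Security sections describe.
# Assumptions: an existing VPC, private-subnet route table, instance security
# group and subnet network ACL, supplied through the (hypothetical) variables below.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

variable "region"          { default = "us-east-1" }
variable "vpc_id"          { type = string }   # existing VPC (placeholder id supplied by caller)
variable "private_rtb_id"  { type = string }   # route table of the private subnet
variable "instance_sg_id"  { type = string }   # security group attached to the instances
variable "private_nacl_id" { type = string }   # network ACL of the private subnet

provider "aws" { region = var.region }

# Routing: associating the route table makes AWS add the route
# "prefix_list_id -> gateway_endpoint_id" (Figure 1) to that table automatically.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_rtb_id]
}

# Security (Figure 2): security groups are stateful and can reference the
# AWS-owned prefix list directly, so a single egress rule to TCP/443 suffices.
resource "aws_security_group_rule" "s3_egress" {
  type              = "egress"
  security_group_id = var.instance_sg_id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
}

# Security (Figure 3): network ACLs cannot reference a prefix list, so read the
# CIDR blocks behind it and write one rule per block. Looking the list up by
# service name (rather than by the endpoint's id) keeps the CIDRs known at plan time.
data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${var.region}.s3"
}

locals {
  # map each service CIDR to a stable index used for the NACL rule number
  s3_cidrs = { for idx, cidr in data.aws_prefix_list.s3.cidr_blocks : cidr => idx }
}

# Outbound: instances -> S3 on TCP/443, one rule per service CIDR block.
resource "aws_network_acl_rule" "s3_egress" {
  for_each       = local.s3_cidrs
  network_acl_id = var.private_nacl_id
  rule_number    = 100 + each.value
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = each.key
  from_port      = 443
  to_port        = 443
}

# Inbound: network ACLs are stateless, so S3's responses must be allowed back
# to the instances' ephemeral ports as well (inbound rule numbers are a separate
# sequence from outbound ones).
resource "aws_network_acl_rule" "s3_ingress" {
  for_each       = local.s3_cidrs
  network_acl_id = var.private_nacl_id
  rule_number    = 100 + each.value
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = each.key
  from_port      = 1024
  to_port        = 65535
}
```

Two points worth checking in a real deployment: the security group needs only the egress rule because security groups track connection state, whereas the network ACL needs both the outbound 443 rule and the inbound ephemeral-port rule because ACLs do not. The CIDR blocks behind the service prefix list can change over time, so the network ACL rules derived from them must be re-applied (a fresh plan re-reads the prefix list) to stay complete, which is the operational cost of not being able to reference the prefix list directly in ACL rules.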