
VPC endpoints and PrivateLink
In some situations, services in private subnets with no access to the internet must still be able to connect to an AWS service such as S3, SQS, KMS, or DynamoDB. In others, instances are placed in a public subnet, but with a requirement that no application data is passed over the public IP space. In both cases, we can implement a VPC endpoint to connect the service to the VPC and allow communication with the service within the private IP space. VPC endpoints come in two different types:
- Gateway endpoints
- Interface endpoints
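
The following Python check is an added example, not part of the original text: it audits whether a private subnet can reach the services named above over VPC endpoints only. It goes slightly beyond the text by using how the two types attach to a VPC (gateway endpoints through route table entries, interface endpoints as network interfaces with private IPs). The sample data is constructed in the shape of `aws ec2 describe-vpc-endpoints` output, and the function name, status labels and resource IDs are assumptions.

```python
# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output.
ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway", "VpcId": "vpc-01",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available",
     "RouteTableIds": ["rtb-private"], "SubnetIds": []},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface", "VpcId": "vpc-01",
     "ServiceName": "com.amazonaws.us-east-1.sqs", "State": "available",
     "RouteTableIds": [], "SubnetIds": ["subnet-a"], "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointType": "Interface", "VpcId": "vpc-01",
     "ServiceName": "com.amazonaws.us-east-1.kms", "State": "available",
     "RouteTableIds": [], "SubnetIds": ["subnet-a"], "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0ddd", "VpcEndpointType": "Gateway", "VpcId": "vpc-01",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb", "State": "available",
     "RouteTableIds": ["rtb-other"], "SubnetIds": []},
]}


def audit_private_access(endpoints, vpc_id, route_table_id, services):
    """Return {service: status} for a subnet in vpc_id that uses route_table_id.

    Hypothetical helper. Services are matched on the last label of ServiceName,
    a simplification that fits the single-label services used here.
    """
    report = {}
    for svc in services:
        status = "no-endpoint"
        for ep in endpoints["VpcEndpoints"]:
            if ep["VpcId"] != vpc_id or ep["State"].lower() != "available":
                continue
            if ep["ServiceName"].rsplit(".", 1)[-1] != svc:
                continue
            if ep["VpcEndpointType"] == "Gateway":
                # Gateway endpoints are reached through route table entries,
                # so the subnet's route table must be associated with them.
                found = "private" if route_table_id in ep["RouteTableIds"] else "not-routed"
            else:
                # Interface endpoints are network interfaces with private IPs.
                # With private DNS off, the default service hostname still
                # resolves publicly; clients must use the endpoint's DNS name.
                found = "private" if ep.get("PrivateDnsEnabled") else "private-dns-off"
            if found == "private" or status == "no-endpoint":
                status = found  # keep the best result seen for this service
        report[svc] = status
    return report


if __name__ == "__main__":
    wanted = ["s3", "sqs", "kms", "dynamodb"]
    for name, state in audit_private_access(ENDPOINTS, "vpc-01", "rtb-private", wanted).items():
        print(f"{name:10s} {state}")
```

Any status other than `private` marks a service that the subnet cannot yet reach by its default hostname without leaving the private IP space.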