AWS VPC Gateway Endpoints: The Secure Path to S3 and DynamoDB
Welcome to the tech corner. In today’s deep dive, we’re breaking down one of AWS’s most important networking components: the VPC Gateway Endpoint. By the end of this post, you’ll understand what it is, why it matters, how to set it up, and how to fix it when things don’t go as planned.
The Problem: Crossing the Public Internet
Imagine you have an EC2 instance running a critical application inside a private subnet of your Virtual Private Cloud (VPC).
This application needs to access Amazon S3 or DynamoDB, which are global AWS services that exist outside your VPC.
By default, a private subnet has no path to those public endpoints at all: traffic must leave through a NAT Gateway (or an Internet Gateway, if the instance sits in a public subnet with a public IP), reach the service’s public endpoint, and return the same way.
While this setup works, it introduces several challenges:
- Security exposure: the request goes to a public endpoint over the same 0.0.0.0/0 route that gives the instance general internet egress. The traffic itself is TLS-encrypted, but the subnet now needs an internet path it may not otherwise require, and anything that compromises the instance has that same exit.
- Added costs: NAT Gateways bill per hour plus a per-GB data processing charge, which grows with traffic volume.
- Operational complexity: managing and troubleshooting NAT Gateways adds configuration overhead.
The Solution: VPC Gateway Endpoints
A VPC Gateway Endpoint is a route-table target that provides a private connection between your VPC and specific AWS services, currently S3 and DynamoDB.
With this configuration, requests to those services no longer need a NAT Gateway, an Internet Gateway, or a public IP on the instance. They remain within the AWS network.

Key Benefits
- Enhanced security: all service traffic stays on the AWS network, the subnet can drop its internet route entirely if S3 or DynamoDB was the only reason for it, and an endpoint policy can limit which buckets or tables are reachable through the endpoint.
- No additional cost: Gateway Endpoints are free to use, and you avoid NAT Gateway fees.
- High availability: They are designed to be redundant, scalable, and highly available.
How to Create a Gateway Endpoint
Creating a VPC Gateway Endpoint is a simple process through the AWS Management Console.
- Open the VPC Console: In AWS, navigate to VPC and select Endpoints.
- Click “Create Endpoint.”
- Choose the service: com.amazonaws.<region>.s3 or com.amazonaws.<region>.dynamodb, with type Gateway.
- Select Your VPC: Choose the VPC that contains your EC2 instances or other resources.
- Attach Route Tables: Select the route tables associated with subnets that require access. AWS automatically adds a route whose destination is the service’s managed prefix list (for example, pl-xxxxxxxx) and whose target is the endpoint ID, so only traffic to the service’s IP ranges is redirected; everything else still follows the existing routes.
- Add an Endpoint Policy: Attach a policy that defines which actions and resources are permitted through the endpoint. The default is full access, which is fine to start with, but scope it down to the buckets or tables the VPC actually needs before production.
- Review and Create: Confirm your settings and click Create Endpoint. Your private connection is now active.
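As an added example that is not part of the original post, here is the kind of scoped endpoint policy a practitioner would move to after the initial full-access one, together with the matching S3 bucket policy that checklist steps 3 and 4 below ask you to inspect, and a minimal evaluator for the small IAM subset they use (Allow/Deny, wildcards, StringEquals/StringNotEquals). The bucket name and endpoint ID are placeholders, and the evaluator assumes a same-account caller whose IAM identity policy already allows the action; it is not AWS’s policy engine, only enough of it to show why an explicit Deny on aws:SourceVpce also locks out the console.

```python
"""Least-privilege gateway-endpoint policy and matching S3 bucket policy, with a
minimal evaluator for the IAM subset they use (example code, not from the post)."""
import fnmatch

BUCKET = "example-app-artifacts"     # placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"   # placeholder gateway endpoint ID


def endpoint_policy(bucket):
    """Endpoint policy: only read/list on one bucket may transit this endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowReadOnlyToAppBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def bucket_policy(bucket, vpce_id):
    """Bucket policy: explicitly deny any request that did not arrive via the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaGatewayEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, ctx):
    """StringEquals / StringNotEquals only. A missing key satisfies StringNotEquals,
    which is why a Deny on aws:SourceVpce also hits console and internet callers."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != wanted:
                return False
            if operator == "StringNotEquals" and actual == wanted:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'deny', 'allow' or 'implicit-deny'; an explicit Deny always wins."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def request_allowed(action, resource, ctx, bucket=BUCKET, vpce_id=VPCE_ID):
    """Same-account decision, assuming the caller's IAM identity policy already
    allows the action: the bucket policy must not deny, and traffic that came
    through the endpoint must also be allowed by the endpoint policy."""
    if evaluate(bucket_policy(bucket, vpce_id), action, resource, ctx) == "deny":
        return False
    if ctx.get("aws:SourceVpce") == vpce_id:
        return evaluate(endpoint_policy(bucket), action, resource, ctx) == "allow"
    return True


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/app.tar.gz"
    via_vpce = {"aws:SourceVpce": VPCE_ID}
    print("GetObject via endpoint:", request_allowed("s3:GetObject", obj, via_vpce))  # True
    print("PutObject via endpoint:", request_allowed("s3:PutObject", obj, via_vpce))  # False
    print("GetObject from console:", request_allowed("s3:GetObject", obj, {}))        # False
```

The two policies pull in opposite directions on purpose: the endpoint policy stops the VPC from reaching any bucket but its own (a data-exfiltration control), and the bucket policy stops the bucket from being reached from anywhere but the VPC. The third call shows the cost of the second one: an administrator in the console has no aws:SourceVpce, so StringNotEquals matches and the Deny fires. If you need console or cross-account access too, add that path to the condition before you apply the policy, or you will lock yourself out.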
Troubleshooting Connectivity Issues
Although setup is straightforward, you may encounter issues where your application cannot connect to S3 or DynamoDB.
Use the following checklist to troubleshoot efficiently.
1. Check the Security Group
Ensure your EC2 instance’s security group allows outbound HTTPS (TCP 443) to the service’s prefix list (you can reference the pl- ID directly in an egress rule), and that the subnet’s network ACL does not block it either.
2. Check the Subnet’s Route Table
Confirm that the subnet’s route table includes a route whose destination is the service’s prefix list and whose target is the correct endpoint ID (vpce-...). If that route is missing, traffic to the service silently falls through to the 0.0.0.0/0 route and the NAT Gateway, so it “works” but bypasses the endpoint.
3. Check the Endpoint Policy
Misconfigured policies are a common cause of access errors.
For testing, you can use the full-access policy, which is the same one AWS attaches by default:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": "*"
  }]
}
If access works with this policy but fails with your real one, the endpoint policy is the culprit; tighten it again once the rest of the path is verified.
4. Check the Resource Policy (for example, S3 Bucket Policy)
An incorrect resource policy can block access even when the endpoint is correct.
Look for conditions on aws:SourceVpc or aws:SourceVpce that might be overly restrictive, for example a Deny with StringNotEquals on aws:SourceVpce that still names an old endpoint ID or a different VPC. Remember that such a Deny also blocks the console and every caller outside that VPC.
5. Check IAM Permissions
Ensure the IAM user or role has the necessary permissions, such as s3:GetObject or dynamodb:Query.
6. Check DNS Settings
Confirm that DNS resolution (enableDnsSupport) is enabled in your VPC. A gateway endpoint works by matching the service’s public IP ranges in the route table, so the instance must resolve the regional service hostname (for example bucket.s3.<region>.amazonaws.com) to those addresses; a custom resolver or proxy that returns other addresses sends the traffic around the endpoint route.
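As an added example that is not part of the original post, the following Python runs checks 1, 2 and 6 of the checklist above against route-table, security-group and prefix-list data in the shape the AWS CLI’s describe-* commands return. The data is constructed inline (all IDs and CIDRs are placeholders, not real AWS values); in practice you would feed it the JSON from the CLI or boto3 and the address your instance’s resolver actually returned for the service hostname.

```python
"""Checks 1, 2 and 6 of the checklist over constructed describe-* style output
(example code, not from the post; IDs and CIDRs are placeholders)."""
import ipaddress

# Constructed sample of a managed prefix list; real S3 CIDRs come from the prefix list itself.
PREFIX_LIST = {
    "PrefixListId": "pl-0123456789abcdef0",
    "PrefixListName": "com.amazonaws.us-east-1.s3",
    "Cidrs": ["198.51.100.0/24", "203.0.113.0/24"],
}
ENDPOINT_ID = "vpce-0123456789abcdef0"
ROUTE_TABLE = {
    "RouteTableId": "rtb-0123456789abcdef0",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
        {"DestinationPrefixListId": PREFIX_LIST["PrefixListId"], "GatewayId": ENDPOINT_ID, "State": "active"},
    ],
}
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "PrefixListIds": [{"PrefixListId": PREFIX_LIST["PrefixListId"]}]},
    ],
}
RESOLVED_S3_ADDRESS = "198.51.100.23"  # constructed: what the resolver returned for the S3 hostname


def route_to_endpoint(route_table, prefix_list_id):
    """Check 2: return the vpce- target of the prefix-list route, or None if absent."""
    for route in route_table["Routes"]:
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("State") == "active"
                and str(route.get("GatewayId", "")).startswith("vpce-")):
            return route["GatewayId"]
    return None


def egress_allows_443(security_group, prefix_list):
    """Check 1: some egress rule must cover TCP 443 to the prefix list,
    either by referencing its ID or by CIDRs that contain all of its ranges."""
    cidrs = [ipaddress.ip_network(c) for c in prefix_list["Cidrs"]]
    for rule in security_group["IpPermissionsEgress"]:
        all_traffic = rule["IpProtocol"] == "-1"
        proto_ok = all_traffic or rule["IpProtocol"] == "tcp"
        port_ok = all_traffic or rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)
        if not (proto_ok and port_ok):
            continue
        if any(p["PrefixListId"] == prefix_list["PrefixListId"] for p in rule.get("PrefixListIds", [])):
            return True
        allowed = [ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])]
        if allowed and all(any(c.subnet_of(a) for a in allowed) for c in cidrs):
            return True
    return False


def resolved_in_prefix_list(address, prefix_list):
    """Check 6: the hostname must resolve inside the prefix list, otherwise the
    endpoint route is never matched and traffic takes the default route instead."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in prefix_list["Cidrs"])


def diagnose(route_table, security_group, prefix_list, resolved_address, expected_endpoint):
    """Return a list of findings; an empty list means checks 1, 2 and 6 all pass."""
    findings = []
    vpce = route_to_endpoint(route_table, prefix_list["PrefixListId"])
    if vpce is None:
        findings.append(f"{route_table['RouteTableId']}: no active route for "
                        f"{prefix_list['PrefixListId']} to a vpce-; traffic falls through to 0.0.0.0/0")
    elif vpce != expected_endpoint:
        findings.append(f"{route_table['RouteTableId']}: prefix list routed to {vpce}, expected {expected_endpoint}")
    if not egress_allows_443(security_group, prefix_list):
        findings.append(f"{security_group['GroupId']}: no egress rule allowing TCP 443 to {prefix_list['PrefixListId']}")
    if not resolved_in_prefix_list(resolved_address, prefix_list):
        findings.append(f"{resolved_address} is outside the {prefix_list['PrefixListName']} ranges; "
                        "check VPC DNS support and any custom resolver or proxy")
    return findings


if __name__ == "__main__":
    for finding in diagnose(ROUTE_TABLE, SECURITY_GROUP, PREFIX_LIST, RESOLVED_S3_ADDRESS, ENDPOINT_ID) or ["all checks passed"]:
        print(finding)
```

The resolver check is the one people skip: if a forwarding resolver or an outbound proxy hands back an address outside the prefix list, the route table never matches and every request quietly takes the NAT path, so the endpoint looks healthy while doing nothing.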
A Final Gotcha: No Remote Access
VPC Gateway Endpoints are accessible only from within the VPC where they are created. They cannot be accessed from:
- On-premises networks connected via VPN or Direct Connect
- Other VPCs connected via VPC peering or a Transit Gateway
If you need cross-VPC or hybrid access, consider an Interface Endpoint (AWS PrivateLink), which places an Elastic Network Interface (ENI) with a private IP address in your subnet and is reachable from peered and on-premises networks. Unlike gateway endpoints, interface endpoints are billed per hour and per GB.
Wrapping Up
The VPC Gateway Endpoint is a small configuration change that brings significant improvements in security, cost efficiency, and simplicity.
By routing AWS service traffic privately within the AWS network, you remove the need for an internet path from those subnets and avoid NAT Gateway charges, all with minimal setup.
For anyone building secure and scalable cloud architectures, Gateway Endpoints should be a standard component of your VPC design.