2022-10-05

VPC Endpoint vs. NAT Gateway

VPC Endpoint and NAT Gateway in AWS

AWS provides a wide range of services, each with its own API endpoint URL. Clients use a service by calling that endpoint.

Connecting to AWS Service Endpoints from a Private Subnet

To reach an AWS service endpoint from a private subnet, you can use either a NAT Gateway or a VPC Endpoint. For basic internet access, a NAT Gateway suffices. However, there are scenarios where you want to talk to AWS services directly over the AWS network, without routing the traffic through the public internet.

Connecting with VPC Endpoint

A VPC Endpoint provides a private connection between a VPC and other AWS services. In other words, it allows direct communication without traversing the internet: the traffic never leaves the AWS network. Accessing a service through an endpoint instead of a NAT Gateway is therefore both more secure and more cost-effective.

Types of VPC Endpoints

Gateway Endpoint

A Gateway Endpoint allows secure access to services outside of the VPC from a private subnet, without the need for a NAT Gateway. The services that can be accessed via a Gateway Endpoint are limited to S3 and DynamoDB. Creating a Gateway Endpoint requires the ID of the consumer VPC and a route to the endpoint in the route table of each subnet that should use it.

https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html

Interface Endpoint

An Interface Endpoint is a feature that allows you to access services outside the VPC (within the AWS network) without going through an internet gateway or a NAT Gateway. It can be used with a variety of services, including ECR, KMS, API Gateway, and others.

Gateway Load Balancer Endpoint

This type of VPC Endpoint is used to connect a VPC to a Gateway Load Balancer, which can distribute traffic to multiple virtual appliances.
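The Gateway Endpoint and Interface Endpoint sections above describe the two endpoint types in words; the following is an added Terraform example (not from the original post, and not an AWS-provided template) that builds one of each. It assumes an existing VPC, a private route table, private subnets and an S3 bucket, all passed in as placeholder variables. The S3 endpoint carries a restrictive endpoint policy, and the ECR interface endpoints sit behind a security group that only admits HTTPS from inside the VPC.

```hcl
# Added example (Terraform HCL), not code from the original post.
# All IDs and names below are placeholders supplied by the caller.
variable "vpc_id"                 { type = string }
variable "private_route_table_id" { type = string }
variable "private_subnet_ids"     { type = list(string) }
variable "bucket_name"            { type = string }   # placeholder bucket name

data "aws_region" "current" {}
data "aws_vpc" "this" { id = var.vpc_id }

# Gateway endpoint for S3. The route to the S3 prefix list is installed in the
# private route table, so S3 calls from the private subnets no longer need a
# NAT Gateway and never leave the AWS network.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_route_table_id]

  # Endpoint policy: the default policy forwards requests for any bucket,
  # including buckets in other accounts. Pinning the endpoint to one bucket
  # removes it as a data-exfiltration path.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowOnlyOurBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
    }]
  })
}

# Security group for interface endpoints: HTTPS from the VPC CIDR only.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# Interface endpoints for ECR (control plane "ecr.api" and registry "ecr.dkr").
# Each creates ENIs in the private subnets; with private DNS enabled, the
# standard ECR hostnames resolve to those ENIs. Image layers are served from
# S3, so the gateway endpoint above is also required for image pulls.
resource "aws_vpc_endpoint" "ecr" {
  for_each = toset(["ecr.api", "ecr.dkr"])

  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

The design point is the difference in how the two types attach: the gateway endpoint is a route-table entry (no ENI, no security group, no hourly charge), while the interface endpoint is a set of ENIs that you scope with a security group like any other network interface. Both accept an endpoint policy; the one on the S3 endpoint here is the check a reviewer would look for, because an unrestricted endpoint policy lets any S3 bucket be reached from the private subnets.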

Distinguishing Between the Use of VPC Endpoint and NAT Gateway

API Gateway

The decision to use a NAT Gateway or a VPC Endpoint can often depend on specific service requirements, such as in the case of the AWS API Gateway.

Accessing Public REST API Gateway via NAT Gateway

When a REST API Gateway is set up for public access, it can be reached via a NAT Gateway: traffic leaves the VPC through the NAT Gateway and reaches the REST API Gateway over the internet.

Creating Private Access to REST API Gateway via VPC Endpoint

If you want a REST API Gateway that is only accessible privately from within a VPC, you need to create a dedicated VPC Endpoint for API Gateway (an Interface Endpoint) and point the private API at it.

Potential Issues and Solutions for API Gateway Access

However, creating this VPC Endpoint can, with its default settings, break communication with publicly accessible REST API Gateways via the NAT Gateway: the endpoint's private DNS (enabled by default) makes the standard API Gateway hostnames inside the VPC resolve to the endpoint, so requests for public APIs are sent to the endpoint instead of out through the NAT Gateway and fail. If you intend to use a publicly accessible REST API Gateway alongside the private one, a workaround is to set up a custom domain for the public API Gateway. The custom hostname is not affected by the endpoint's private DNS, so traffic to it still goes via the NAT Gateway and the conflict is avoided.
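The private-API setup and the custom-domain workaround described above, as an added Terraform example (not from the original post or from AWS). It assumes the VPC, private subnets and endpoint security group already exist, that a public REST API and stage exist, and that a regional ACM certificate and a Route 53 hosted zone are available for the custom domain; all of those are placeholder variables. The resource policy on the private API is the extra check a practitioner would add so that the API is reachable only through this one endpoint.

```hcl
# Added example (Terraform HCL), not code from the original post.
# All IDs, names and the domain below are placeholders supplied by the caller.
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "endpoint_sg_id"     { type = string }
variable "public_api_id"      { type = string }  # existing public REST API
variable "public_api_stage"   { type = string }  # its deployed stage name
variable "custom_domain"      { type = string }  # placeholder, e.g. api.example.com
variable "certificate_arn"    { type = string }  # regional ACM certificate
variable "hosted_zone_id"     { type = string }  # Route 53 zone for the domain

data "aws_region" "current" {}

# Interface endpoint for the execute-api service. With private_dns_enabled =
# true (the default in the console), every *.execute-api.<region>.amazonaws.com
# name inside the VPC resolves to this endpoint. That is what makes the private
# API reachable, and also what breaks calls to public APIs on their default
# hostnames: they land on the endpoint instead of leaving via the NAT Gateway.
resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_sg_id]
  private_dns_enabled = true
}

# Private REST API, bound to the endpoint above.
resource "aws_api_gateway_rest_api" "private" {
  name = "internal-api"
  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }
}

# A private API cannot be invoked without a resource policy. Conditioning on
# aws:SourceVpce pins it to this endpoint, so an endpoint in another VPC or
# account cannot call it even if the API ID becomes known.
resource "aws_api_gateway_rest_api_policy" "private" {
  rest_api_id = aws_api_gateway_rest_api.private.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "execute-api:Invoke"
      Resource  = "${aws_api_gateway_rest_api.private.execution_arn}/*"
      Condition = {
        StringEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id }
      }
    }]
  })
}

# Workaround from the text: a custom domain for the public API. The custom
# hostname is outside the endpoint's private DNS, so VPC clients resolve it
# normally and reach the public API through the NAT Gateway.
resource "aws_api_gateway_domain_name" "public" {
  domain_name              = var.custom_domain
  regional_certificate_arn = var.certificate_arn
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

resource "aws_api_gateway_base_path_mapping" "public" {
  api_id      = var.public_api_id
  stage_name  = var.public_api_stage
  domain_name = aws_api_gateway_domain_name.public.domain_name
}

# DNS alias so the custom domain resolves to the regional API Gateway endpoint.
resource "aws_route53_record" "public_api" {
  zone_id = var.hosted_zone_id
  name    = var.custom_domain
  type    = "A"
  alias {
    name                   = aws_api_gateway_domain_name.public.regional_domain_name
    zone_id                = aws_api_gateway_domain_name.public.regional_zone_id
    evaluate_target_health = false
  }
}
```

After applying, clients in the private subnets call the private API on its default execute-api hostname (resolved to the endpoint) and the public API on the custom domain (resolved publicly and routed via the NAT Gateway). The quick check for the conflict the text describes is a DNS lookup from an instance in the VPC: if a public API's default execute-api hostname resolves to addresses inside the VPC CIDR, it is being captured by the endpoint's private DNS.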

References

https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

Ryusei Kakujo
