76. VPC End Points

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink w/o requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in VPC do not require public IP addresses to communicate with resources in the service. Traffic between VPC and other service doesnt leave the Amazon n/w.
Endpoints are virtual devices. They are horizontally scaled, redundant and highly available VPC components that allow communication between instances in your VPC and services w/o imposing availability risks or bandwidth constraints on n/w traffic.

There are two types of VPC endpoints:
i. Interface Endpoints – An interface endpoint is an elastic n/w interface with a private IP address that serves as an entry point for traffic destined to a supported service.
ii. Gateway Endpoints

Question 1:
A company wishes to restrict access to their Amazon DynamoDB table to specific, private source IP addresses from their VPC. What should be done to secure access to the table?
Options:
A. Create the Amazon DynamoDB table in the VPC
B. Create a gateway VPC endpoint and add an entry to the route table
C. Create an interface VPC endpoint in the VPC with an Elastic Network Interface (ENI)
D. Create an AWS VPN connection to the Amazon DynamoDB endpoint
Answer: B
Explanation
There are two different types of VPC endpoint: interface endpoint, and gateway endpoint. With an interface endpoint you use an ENI in the VPC. With a gateway endpoint you configure your route table to point to the endpoint. Amazon S3 and DynamoDB use gateway endpoints. This solution means that all traffic will go through the VPC endpoint straight to DynamoDB using private IP addresses.
CORRECT: “Create a gateway VPC endpoint and add an entry to the route table” is the correct answer.
INCORRECT: “Create an interface VPC endpoint in the VPC with an Elastic Network Interface (ENI)” is incorrect. As mentioned above, an interface endpoint is not used for DynamoDB, you must use a gateway endpoint.
INCORRECT: “Create the Amazon DynamoDB table in the VPC” is incorrect. You cannot create a DynamoDB table in a VPC, to connect securely using private addresses you should use a gateway endpoint instead.
INCORRECT: “Create an AWS VPN connection to the Amazon DynamoDB endpoint” is incorrect. You cannot create an AWS VPN connection to the Amazon DynamoDB endpoint.