Endpoints to access AWS services from VPC

Especially for security reasons, most production applications run inside a VPC.

Now imagine that such an application calls S3 or another AWS service. In that case the call leaves the AWS network, crosses the public Internet and comes back in to reach the AWS service endpoint.

VPC now supports a very useful feature: you can create an endpoint for a service, and all traffic to that service is then routed through the endpoint, staying on the AWS network.

If it sounds complicated, believe us it’s not.

First, check whether the service you want to use supports this kind of endpoint:

aws-vault exec cirrusup-prod -- aws ec2 describe-vpc-endpoint-services --region eu-west-1 | grep ServiceName

Then, if the service is supported, we can create the endpoint:

aws-vault exec cirrusup-prod -- aws ec2 create-vpc-endpoint --vpc-id vpc-12abc34d --service-name com.amazonaws.eu-west-1.dynamodb --route-table-ids rtb-7351160a
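The two steps above, carried through end to end as an added example (this is not code from the original post): check that the service is offered as an endpoint in the region, create the endpoint with a least-privilege endpoint policy so that the private path can only reach the tables your application actually needs, and then verify that the endpoint is available and attached to the route table. It assumes the aws CLI is on the PATH, or that AWS points at a wrapper such as `aws-vault exec <profile> -- aws`; the VPC and route-table IDs are the placeholders from the post, and the account ID and table name are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check, create and verify a
# gateway VPC endpoint for DynamoDB with a least-privilege endpoint policy.
# Assumptions: the aws CLI is on PATH (or $AWS names a wrapper such as
# "aws-vault exec <profile> -- aws"); all IDs below are placeholders.
set -eu

AWS="${AWS:-aws}"
REGION="${REGION:-eu-west-1}"
SERVICE="com.amazonaws.${REGION}.dynamodb"
VPC_ID="${VPC_ID:-vpc-12abc34d}"                   # placeholder from the post
ROUTE_TABLE_ID="${ROUTE_TABLE_ID:-rtb-7351160a}"   # placeholder from the post
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"           # constructed placeholder
TABLE_NAME="${TABLE_NAME:-orders}"                 # constructed placeholder

# 1. Is the service offered as a VPC endpoint in this region? Prints yes/no.
#    The JMESPath contains() call turns the ServiceNames list into a boolean,
#    which the CLI renders as True/False in text output.
service_supported() {
    svc="$1"
    found=$($AWS ec2 describe-vpc-endpoint-services --region "$REGION" \
        --query "contains(ServiceNames, '${svc}')" --output text)
    if [ "$found" = "True" ]; then echo yes; else echo no; fi
}

# 2. Create the gateway endpoint. The endpoint policy allows only the listed
#    actions on the one table, so a compromised instance cannot use the
#    private path to reach arbitrary tables. Prints the new endpoint id.
create_endpoint() {
    policy=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${TABLE_NAME}"
  }]
}
EOF
)
    $AWS ec2 create-vpc-endpoint --region "$REGION" \
        --vpc-id "$VPC_ID" --service-name "$SERVICE" \
        --route-table-ids "$ROUTE_TABLE_ID" \
        --policy-document "$policy" \
        --query 'VpcEndpoint.VpcEndpointId' --output text
}

# 3. Verify the endpoint: prints "<state><TAB><first route table id>", so a
#    healthy result is "available" followed by the route table we attached.
verify_endpoint() {
    ep_id="$1"
    $AWS ec2 describe-vpc-endpoints --region "$REGION" \
        --vpc-endpoint-ids "$ep_id" \
        --query 'VpcEndpoints[0].[State,RouteTableIds[0]]' --output text
}

# Whole procedure; fails early if the service has no endpoint in the region.
setup_endpoint() {
    if [ "$(service_supported "$SERVICE")" != yes ]; then
        echo "$SERVICE is not offered as a VPC endpoint in $REGION" >&2
        return 1
    fi
    ep_id=$(create_endpoint)
    echo "created $ep_id" >&2
    verify_endpoint "$ep_id"
}

# Only touch AWS when invoked as "sh vpc-endpoint.sh run"; otherwise the
# file can be sourced and its functions reused.
if [ "${1:-}" = "run" ]; then
    setup_endpoint
fi
```

The policy is the part most worth keeping: a gateway endpoint without one allows any principal to reach any bucket or table in the service through the private path, so restrict `Resource` (and `Action`) to what the workload needs, and re-run `verify_endpoint` after a change to confirm the route table is still attached.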

If you are not familiar with aws-vault, check this post. The CLI is not the only way to enable this feature: in the AWS console, open the VPC console and you will find the Endpoints section there.

Finally, it is worth mentioning that this feature comes at no additional cost. If you need more info, add a question below!