Welcome to Week 12 of the AWS Cloud Path series! In this continuation of our AWS networking journey, we dive deep into VPC endpoints, EC2 instance deployment, and connectivity testing. This hands-on workshop builds upon the foundational networking concepts we established in Part 1.
Missed the session? Catch up here:
Prerequisites
Before diving in, ensure you have:
- An active AWS account
- Basic understanding of VPC concepts (covered in Part 1)
- Familiarity with EC2 instances
- AWS CLI configured (optional but helpful)
- Budget awareness: This workshop costs approximately $7 in US-East-1
⚠️ Cost Alert: Different AWS regions have varying pricing. The $7 estimate applies to US-East-1 (Ohio). Always check your region's pricing before proceeding.
Workshop Architecture Overview
We're building upon our existing VPC infrastructure that includes:
- VPC with public and private subnets across two availability zones
- Internet Gateway and NAT Gateway
- Route tables and Network ACLs
- Security groups
Today we're adding:
- VPC Endpoints: Gateway endpoint for S3 and interface endpoint for AWS KMS
- EC2 Instances: One in public subnet, one in private subnet
- Connectivity Testing: Verifying our network configuration
Understanding VPC Endpoints
VPC endpoints provide private connectivity from your AWS environment to AWS services without traversing the public internet. This is crucial for:
- Security: Traffic stays within AWS infrastructure
- Cost Optimization: Avoiding data transfer charges for external traffic
- Performance: Reduced latency for AWS service calls
Types of VPC Endpoints
There are two types of VPC endpoints:
- Gateway Endpoints: Only available for S3 and DynamoDB
- Interface Endpoints: Available for all other AWS services
This distinction is important for AWS certification exams and architectural decisions.
Creating VPC Endpoints
Interface Endpoint for AWS KMS
AWS Key Management Service (KMS) manages encryption keys in your AWS environment. To create a private connection to KMS:
- Navigate to VPC Console → Endpoints
- Click "Create endpoint"
- Configure the endpoint:
Name: VPC-A-KMS-endpoint
Service category: AWS services
Service: com.amazonaws.<region>.kms
VPC: Select your VPC-A
Route tables: Select all route tables
Subnets: Choose your private subnets
Security groups: Use default for full access
Policy: Full access
Key Configuration Notes:
- Interface endpoints create elastic network interfaces (ENIs) with IP addresses
- You can specify custom IP addresses or let AWS auto-assign
- Full access policy allows all resources in your VPC to use the endpoint
- The endpoint will be in "pending" state initially
Gateway Endpoint for Amazon S3
S3 gateway endpoints are simpler to configure:
- Create endpoint with these settings:
Name: VPC-A-S3-endpoint
Service: com.amazonaws.<region>.s3
Type: Gateway
VPC: Select your VPC-A
Route tables: Select all route tables
Policy: Full access
Gateway vs Interface Differences:
- Gateway endpoints don't require subnet or security group configuration
- They work by adding routes to your route tables
- No ENI creation or IP address assignment needed
Deploying EC2 Instances
Public Subnet Instance
Deploy an EC2 instance for external connectivity testing:
Instance Configuration:
Name: VPC-A-public-ec2-server
AMI: Amazon Linux 2023
Instance Type: t2.micro
Key Pair: Create new or use existing
Network Settings:
VPC: VPC-A
Subnet: public-subnet-AZ2
Auto-assign Public IP: Enable
Primary IP: 10.0.2.10
Security Group:
Name: VPC-A-security-group
Rules:
- SSH (port 22): 0.0.0.0/0
- All ICMP: 0.0.0.0/0
IAM Instance Profile: networking-workshop-instance-profile
Private Subnet Instance
Deploy an instance for internal connectivity testing:
Instance Configuration:
Name: VPC-A-private-AZ1-server
AMI: Amazon Linux 2023
Instance Type: t2.micro
Key Pair: Same as public instance
Network Settings:
VPC: VPC-A
Subnet: private-subnet-AZ1
Auto-assign Public IP: Disable
Primary IP: 10.0.1.10
Security Group: Same as public instance
IAM Instance Profile: networking-workshop-instance-profile
Important Security Notes:
- Private instance has NO public IP address
- Access is only possible through AWS Systems Manager Session Manager
- The IAM instance profile includes SSM permissions for management
Connectivity Testing
Testing Public Instance Connectivity
From your local terminal, test ICMP connectivity:
# Test ping to public instance
ping <public-ip-address>
# Expected: Successful ping responses
# This works because we opened ICMP ports in security groups
Testing Private Instance Internal Connectivity
Access the private instance via Session Manager:
- EC2 Console → Select private instance → Connect → Session Manager
- Once connected, test internal connectivity:
# Test connectivity to public instance (internal communication)
ping 10.0.2.10
# Test external connectivity through NAT Gateway
ping example.com
Why This Works:
- Internal ping succeeds because the VPC's local route carries traffic between its subnets and the shared security group permits ICMP
- External ping succeeds because the private route table sends 0.0.0.0/0 traffic to the NAT Gateway in the public subnet
- The private instance has no public IP, so it cannot be reached directly from the internet
Understanding VPC Endpoint Routing
Interface Endpoint Resolution
Test DNS resolution for KMS endpoint:
# From private instance, check KMS endpoint resolution
dig kms.eu-central-1.amazonaws.com
# Expected output shows local IP addresses within your VPC CIDR
# Example: 10.0.1.x, 10.0.2.x
This demonstrates that:
- DNS queries for KMS resolve to local IP addresses
- Traffic stays within your VPC infrastructure
- No public internet traversal occurs
Gateway Endpoint Routing
Check route table entries:
- Navigate to VPC → Route Tables → Private Route Table
- Look for entries with:
- Destination: Prefix list (e.g., pl-xxxxxx)
- Target: Your VPC S3 endpoint
The prefix list contains IP address ranges for S3 in your region. When traffic matches these destinations, it routes through your gateway endpoint instead of the internet gateway.
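To make the prefix-list route concrete, here is an added example (not part of the workshop's own material) that simulates the VPC router's longest-prefix match over the private route table. The route targets, the prefix-list ID and its member CIDRs are constructed placeholders; real S3 ranges come from the managed prefix list in your region.

```python
import ipaddress

# Constructed private route table, shaped like the console view after the S3
# gateway endpoint is created. IDs are placeholders, not real resources.
PRIVATE_ROUTE_TABLE = [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "nat-0123456789abcdef0"},
    {"destination": "pl-example-s3", "target": "vpce-0123456789abcdef0"},
]

# A managed prefix list expands to the CIDR ranges AWS publishes for S3.
# These two ranges are constructed samples, not the real S3 ranges.
PREFIX_LISTS = {
    "pl-example-s3": ["52.216.0.0/15", "3.5.0.0/19"],
}


def expand_routes(route_table, prefix_lists):
    """Replace prefix-list destinations with their member CIDRs."""
    expanded = []
    for route in route_table:
        dest = route["destination"]
        for cidr in prefix_lists.get(dest, [dest]):
            expanded.append((ipaddress.ip_network(cidr), route["target"]))
    return expanded


def select_route(route_table, prefix_lists, dst_ip):
    """Longest-prefix match, as the VPC router does; returns the route target."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for network, target in expand_routes(route_table, prefix_lists):
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, target)
    return best[1] if best else None


if __name__ == "__main__":
    # In-VPC, S3 range, and an arbitrary public address (RFC 5737 test net).
    for ip in ("10.0.2.10", "52.216.1.1", "203.0.113.10"):
        print(ip, "->", select_route(PRIVATE_ROUTE_TABLE, PREFIX_LISTS, ip))
```

The S3-range address lands on the endpoint target even though 0.0.0.0/0 also matches, because the /15 is more specific than the default route; everything else still leaves via the NAT Gateway.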
Key Learnings and Best Practices
Cost Optimization
- VPC endpoints reduce data transfer costs by keeping traffic within AWS
- Gateway endpoints are free; interface endpoints have hourly charges
- Consider endpoint usage patterns when designing architecture
Security Benefits
- Private connectivity eliminates internet-based attack vectors
- Fine-grained access control through endpoint policies
- Traffic inspection and monitoring capabilities
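The workshop uses the console's "Full access" endpoint policy, which is where the fine-grained control mentioned above would be applied in a real deployment. The following added example (not the workshop's code) places that policy beside a scoped-down alternative and runs a simplified IAM-style evaluation over both; the bucket name is a placeholder and condition keys and principal matching are deliberately left out.

```python
import fnmatch

# The console's "Full access" policy: any principal, any action, any resource.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "*", "Resource": "*"}],
}

# Constructed scoped alternative: only the workshop bucket (placeholder name)
# is reachable through this gateway endpoint, with three actions.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::workshop-bucket-placeholder",
                     "arn:aws:s3:::workshop-bucket-placeholder/*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def endpoint_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any matching
    Allow permits the call, otherwise the call is denied. Action names are
    compared case-insensitively, resource ARNs exactly."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if _matches(actions, action.lower()) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```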
Architectural Considerations
- One endpoint per service (can't reuse endpoints across services)
- Interface endpoints create ENIs that consume IP addresses
- Gateway endpoints use route table entries (no IP consumption)
Troubleshooting Tips
- Endpoint status must be "Available" before use
- Check security group rules for interface endpoints
- Verify route table associations for gateway endpoints
- DNS resolution should return VPC-local IP addresses
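The last tip, and the dig check in the "Interface Endpoint Resolution" section above, can be automated. This added example (not from the workshop) parses the A records from dig's answer section and classifies each address as VPC-local or public; the dig output is constructed, and the VPC CIDR and the private-subnet CIDRs the endpoint was placed in are assumptions matching the 10.0.1.x / 10.0.2.x addresses used in the workshop.

```python
import ipaddress
import re

# Constructed dig output, shaped like what the private instance sees once the
# KMS interface endpoint is Available and private DNS is enabled.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
kms.eu-central-1.amazonaws.com. 60 IN A 10.0.1.57
kms.eu-central-1.amazonaws.com. 60 IN A 10.0.2.143
"""

# Constructed output for the failure case: no endpoint (or private DNS off),
# so the name resolves to a public address (RFC 5737 test range here).
SAMPLE_PUBLIC_OUTPUT = """\
;; ANSWER SECTION:
kms.eu-central-1.amazonaws.com. 60 IN A 203.0.113.25
"""

A_RECORD = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def parse_a_records(dig_output):
    """Return the IPv4 addresses of the A records in dig's answer section."""
    return [ipaddress.ip_address(ip) for ip in A_RECORD.findall(dig_output)]


def check_vpc_local(dig_output, vpc_cidr="10.0.0.0/16",
                    endpoint_subnets=("10.0.1.0/24", "10.0.2.0/24")):
    """Label each resolved address 'endpoint' (in a subnet holding an endpoint
    ENI), 'vpc' (elsewhere in the VPC) or 'public'. Returns (ok, labels);
    ok is True only when there is at least one answer and none is public."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in endpoint_subnets]
    labels = {}
    for ip in parse_a_records(dig_output):
        if any(ip in s for s in subnets):
            labels[str(ip)] = "endpoint"
        elif ip in vpc:
            labels[str(ip)] = "vpc"
        else:
            labels[str(ip)] = "public"
    ok = bool(labels) and all(label != "public" for label in labels.values())
    return ok, labels
```

An empty answer section is treated as a failure too, since an endpoint that has not reached "Available" or a missing private DNS name is just as much a misconfiguration as a public answer.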
Cleanup Instructions
Important: Don't leave resources running to avoid unnecessary charges!
Follow this cleanup order:
- Terminate EC2 instances
- Delete VPC endpoints (interface and gateway)
- Delete the VPC (removes subnets, route tables, gateways automatically)
- Delete the CloudFormation stack for IAM roles and prerequisites
What's Next?
In our next session, we'll explore:
- Advanced VPC connectivity with Transit Gateway
- VPN configurations for hybrid connectivity
- Network monitoring and troubleshooting tools
- Security group and NACL deep dive
This workshop demonstrates how VPC endpoints provide secure, cost-effective connectivity to AWS services while maintaining network isolation. The combination of proper subnet design, security groups, and endpoint configuration creates a robust networking foundation for your AWS workloads.
Note: The visual demonstrations in the workshop video show real-time AWS Console interactions and terminal commands. While this text representation covers the core concepts and configurations, watching the video provides additional context for navigating the AWS Console and understanding the step-by-step process.