VPC Endpoint

Amazon Web Services
A VPC endpoint is a virtual device that allows you to privately connect EC2 instances within your Virtual Private Cloud (VPC) to supported AWS services and VPC endpoint services powered by PrivateLink without the need for an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP to communicate with resources in the service, and traffic between your VPC and the other service does not leave the Amazon network.
Terraform Name
VPC Endpoint
  • service_name - (Required) The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
  • vpc_id - (Required) The ID of the VPC in which the endpoint will be used.
  • auto_accept - (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
  • policy - (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
  • private_dns_enabled - (Optional; AWS services and AWS Marketplace partner services only) Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
  • dns_options - (Optional) The DNS options for the endpoint. See dns_options below.
  • ip_address_type - (Optional) The IP address type for the endpoint. Valid values are ipv4, dualstack, and ipv6.
  • route_table_ids - (Optional) One or more route table IDs. Applicable for endpoints of type Gateway.
  • subnet_ids - (Optional) The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type GatewayLoadBalancer and Interface.
  • security_group_ids - (Optional) The ID of one or more security groups to associate with the network interface. Applicable for endpoints of type Interface. If no security groups are specified, the VPC's default security group is associated with the endpoint.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpc_endpoint_type - (Optional) The VPC endpoint type, Gateway, GatewayLoadBalancer, or Interface. Defaults to Gateway.


  • dns_record_ip_type - (Optional) The DNS records created for the endpoint. Valid values are ipv4, dualstack, service-defined, and ipv6.

Associating resources with a
VPC Endpoint
Resources do not "belong" to a
VPC Endpoint
Rather, one or more Security Groups are associated to a resource.
VPC Endpoint
via Terraform:
The following HCL creates an interface VPC endpoint between VPC and EC2 instance

resource "aws_vpc_endpoint" "ec2" {
 vpc_id            =
 service_name      = ""
 vpc_endpoint_type = "Interface"

 security_group_ids = [,

 private_dns_enabled = true

VPC Endpoint
via CLI:

[--dry-run | --no-dry-run]
[--vpc-endpoint-type <value>]
--vpc-id <value>
--service-name <value>
[--policy-document <value>]
[--route-table-ids <value>]
[--subnet-ids <value>]
[--security-group-ids <value>]
[--ip-address-type <value>]
[--dns-options <value>]
[--client-token <value>]
[--private-dns-enabled | --no-private-dns-enabled]
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws ec2 create-vpc-endpoint \
   --vpc-id vpc-1a2b3c4d \
   --vpc-endpoint-type Interface \
   --service-name \
   --subnet-ids subnet-7b16de0c \
   --security-group-id sg-1a2b3c4d \
   --tag-specifications ResourceType=vpc-endpoint,Tags=[{Key=service,Value=S3}]

aws cost
The cost of using VPC Endpoints depends on the type of endpoint and the amount of data transferred through the endpoint. Basic data transfer costs for VPC Endpoints start at $0.01 per GB and decrease as the amount of data transferred increases.
Direct Cost



Indirect Cost
No items found.
Best Practices for
VPC Endpoint

Categorized by Availability, Security & Compliance and Cost

Access allowed from VPN
No items found.
Auto Scaling Group not in use
No items found.
Connections towards DynamoDB should be via VPC endpoints
No items found.
Container in CrashLoopBackOff state
No items found.
EC2 with GPU capabilities
No items found.
EC2 with high privileged policies
No items found.
ECS cluster delete alarm
No items found.
ECS task with Admin access (*:*)
ECS task with high privileged policies
No items found.
EKS cluster delete alarm
No items found.
ElastiCache cluster delete alarm
No items found.
Ensure Container liveness probe is configured
No items found.
Ensure ECS task definition has memory limit
No items found.
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Amazon Web Services