Securing Data Transfer with VPC Endpoints (AWS PrivateLink)

Naveen Teja

2/27/2026

When applications running in a private VPC subnet need to reach AWS services such as S3 or DynamoDB, the default path sends the traffic out through a NAT Gateway and across the public internet to the service's public endpoint. That path adds latency, inflates data transfer costs, and leaves the traffic exposed to potential interception on the way out.

AWS PrivateLink addresses this through VPC Endpoints. A VPC Endpoint provides a private connection between your VPC and a supported AWS service, so the traffic stays entirely on the AWS network and never leaves for the public internet. That property helps meet compliance requirements which prohibit service traffic from traversing the public internet, and it removes the per-GB NAT Gateway charges for that traffic.

There are two types of endpoints. Gateway Endpoints are free, are available only for S3 and DynamoDB, and work by adding a route to the service into your route tables. Interface Endpoints carry an hourly cost, are used for services such as SNS, Kinesis, or the EC2 API, and work by placing an elastic network interface with a private IP address into your subnets. Below is the Terraform configuration to create a Gateway Endpoint for S3, giving your internal workloads private access to the service.

vpc-endpoint.tf
# aws_vpc.main, aws_route_table.private_app, aws_route_table.private_db and
# var.region are declared elsewhere in the same configuration.
resource "aws_vpc_endpoint" "s3" {
  vpc_id       = aws_vpc.main.id
  service_name = "com.amazonaws.${var.region}.s3"

  # Gateway endpoints use route tables, not security groups
  vpc_endpoint_type = "Gateway"

  # Every route table listed here receives a route to the S3 prefix list,
  # so instances in the associated subnets reach S3 without the NAT Gateway.
  route_table_ids = [
    aws_route_table.private_app.id,
    aws_route_table.private_db.id
  ]
}
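The endpoint above keeps S3 traffic off the internet, but on its own it still allows workloads to reach any bucket in the region, and it does nothing to stop the same bucket being reached from outside the VPC. The following is an added Terraform example, not code from the original post: it restates the page's gateway endpoint with an endpoint policy scoped to one approved bucket, attaches a bucket policy that rejects requests which did not arrive through that endpoint, and adds an interface endpoint for SNS fronted by a security group that only admits HTTPS from inside the VPC. The bucket name, the `aws_subnet.private_app` resource and the `region` variable are assumptions; `aws_vpc.main` and the two route tables are the post's own resources.

```hcl
# Added example (not part of the original post). Names marked "assumed" are
# placeholders chosen for illustration.

variable "region" {
  type = string
}

variable "approved_bucket" {
  type    = string
  default = "example-internal-data-bucket" # assumed bucket name
}

# Endpoint policy: only the approved bucket is reachable through the endpoint.
# The caller's own IAM permissions still apply on top of this.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid     = "AllowApprovedBucketOnly"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${var.approved_bucket}",
      "arn:aws:s3:::${var.approved_bucket}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private_app.id, aws_route_table.private_db.id]
  policy            = data.aws_iam_policy_document.s3_endpoint.json
}

# Bucket policy: deny every request that did not come through our endpoint.
# aws:SourceVpce is only present on requests that traversed a VPC endpoint.
data "aws_iam_policy_document" "bucket_vpce_only" {
  statement {
    sid     = "DenyAccessNotViaEndpoint"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      "arn:aws:s3:::${var.approved_bucket}",
      "arn:aws:s3:::${var.approved_bucket}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.s3.id]
    }
  }
}

resource "aws_s3_bucket_policy" "approved" {
  bucket = var.approved_bucket
  policy = data.aws_iam_policy_document.bucket_vpce_only.json
}

# Interface endpoints are ENIs, so unlike gateway endpoints they take a
# security group. Only HTTPS from the VPC's own address range is admitted.
resource "aws_security_group" "vpce_sns" {
  name   = "vpce-sns"
  vpc_id = aws_vpc.main.id

  ingress {
    description = "HTTPS from inside the VPC only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

resource "aws_vpc_endpoint" "sns" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.sns"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private_app.id] # assumed subnet resource
  security_group_ids  = [aws_security_group.vpce_sns.id]
  private_dns_enabled = true # sns.<region>.amazonaws.com resolves to the ENI
}
```

Two caveats to check before applying this. The endpoint policy blocks every bucket except the approved one, which includes the S3-hosted Amazon Linux package repositories, so instances that run `yum` or `dnf` through the endpoint will need those buckets allowed as well. The bucket policy's blanket Deny also applies to operators, CI pipelines and the identity running `terraform apply` when they are outside the VPC; exempt those principals with an additional condition, and test the policy in a non-production account first, since a misplaced Deny can lock the bucket's own administrators out.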