The Problem it Solves

When a private EC2 needs to talk to an AWS service like S3, the normal path looks like this:

Private EC2 → NAT Gateway → Internet → S3

This means your traffic goes out to the public internet just to reach another AWS service. That adds latency, costs money (NAT Gateway charges), and is less secure than keeping the traffic inside AWS.

VPC Endpoint gives you a direct private path:

Private EC2 → VPC Endpoint → S3

Traffic never leaves AWS's private network. No NAT Gateway, no Internet Gateway, no internet.


Why Use It?

            Without Endpoint             With Endpoint
Path        Through internet             Private AWS network
Cost        NAT Gateway charges          Free (Gateway) or cheap (Interface)
Security    Traffic on public internet   Traffic stays inside AWS
Speed       Slower                       Faster

Two Types of Endpoints

Think of them as two different private doors to reach AWS services.


1. Gateway Endpoint — The Free Door

A Gateway Endpoint works by adding a special route in your route table that points directly to S3 or DynamoDB.

Private EC2 → Route Table → Gateway Endpoint → S3 or DynamoDB
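A quick way to confirm that the route really is in place is to read the route tables and check, per subnet, whether S3 traffic would hit the endpoint route or fall through to the 0.0.0.0/0 route via NAT. The script below is an added example, not code from the original post. It assumes the JSON shape returned by `aws ec2 describe-route-tables` (the endpoint route appears with a `DestinationPrefixListId` for the S3 prefix list and a `GatewayId` starting with `vpce-`); the sample document and every id in it (vpce-, pl-, nat-, rtb-, subnet-) are constructed placeholders, and `S3_PREFIX_LIST_ID` would in practice come from `aws ec2 describe-prefix-lists`.

```python
"""Audit which subnets route S3 traffic through a Gateway Endpoint.

Added example, not part of the original post. Works on the JSON shape of
`aws ec2 describe-route-tables` (RouteTables[].Routes[] and
RouteTables[].Associations[]). All ids below are constructed placeholders.
"""
import json

# Constructed sample mimicking `aws ec2 describe-route-tables --output json`.
# rtb-private-a has the S3 endpoint route; rtb-private-b only has a NAT default route.
SAMPLE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-private-a",
            "Associations": [{"SubnetId": "subnet-private-a", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
                {"DestinationPrefixListId": "pl-0s3example", "GatewayId": "vpce-0s3example", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-private-b",
            "Associations": [{"SubnetId": "subnet-private-b", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
            ],
        },
    ]
})

# Prefix list id of S3 in this (constructed) region. In a real account,
# look it up with `aws ec2 describe-prefix-lists`.
S3_PREFIX_LIST_ID = "pl-0s3example"


def s3_path_for_route_table(route_table: dict, s3_prefix_list: str) -> str:
    """Return 'endpoint', 'nat', 'igw' or 'none' for how S3 traffic leaves this table.

    A route for the S3 prefix list targeting a vpce-* gateway is more specific
    than 0.0.0.0/0, so when present it wins for S3 traffic.
    """
    for route in route_table.get("Routes", []):
        if route.get("State") != "active":
            continue
        if (route.get("DestinationPrefixListId") == s3_prefix_list
                and str(route.get("GatewayId", "")).startswith("vpce-")):
            return "endpoint"
    # No endpoint route: S3 traffic follows the default route, if there is one.
    for route in route_table.get("Routes", []):
        if route.get("State") != "active" or route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
    return "none"


def audit_s3_routing(describe_output: str, s3_prefix_list: str) -> dict:
    """Map each associated subnet id to how its S3 traffic is routed."""
    data = json.loads(describe_output)
    result = {}
    for table in data.get("RouteTables", []):
        path = s3_path_for_route_table(table, s3_prefix_list)
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet:
                result[subnet] = path
    return result


def subnets_missing_endpoint(describe_output: str, s3_prefix_list: str) -> list:
    """Subnets whose S3 traffic still leaves via NAT or an Internet Gateway."""
    routing = audit_s3_routing(describe_output, s3_prefix_list)
    return sorted(s for s, path in routing.items() if path in ("nat", "igw"))


if __name__ == "__main__":
    for subnet, path in audit_s3_routing(SAMPLE_ROUTE_TABLES, S3_PREFIX_LIST_ID).items():
        print(f"{subnet}: S3 traffic via {path}")
    print("needs endpoint route:", subnets_missing_endpoint(SAMPLE_ROUTE_TABLES, S3_PREFIX_LIST_ID))
```

On the sample, subnet-private-a is reported as using the endpoint and subnet-private-b as still going through NAT; that second case is exactly the misconfiguration to look for after creating a Gateway Endpoint, since the endpoint only helps subnets whose route table was selected when it was created.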

Key facts:

Think of it like AWS adding a private shortcut sign in your route table that says "To reach S3 — go this way, not through the internet."