[bash] Connect to DynamoDB, SNS, or Secrets Manager from Private Subnet

AWS VPC endpoints allow your cloud applications to interact with AWS services without requiring internet access or costly NAT gateways. By leveraging VPC endpoints, Lambda functions and other resources can securely communicate with services like DynamoDB, SNS, and Secrets Manager while remaining within the AWS network.

This article demonstrates how to set up VPC endpoints using AWS Cloud Development Kit (CDK) for Infrastructure as Code (IaC).

🔗 Reference: AWS VPC Endpoints Guide

You Should Know:

1. Setting Up VPC Endpoints with AWS CDK

To create a VPC endpoint for DynamoDB using AWS CDK (TypeScript):

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs'; // in CDK v2, Construct lives in the constructs package, not in aws-cdk-lib

export class VpcEndpointStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Isolated subnets only: no internet gateway route and no NAT gateways,
    // so the endpoints below are the only path to these AWS services.
    // (The Vpc defaults would create public subnets plus a NAT gateway per AZ.)
    const vpc = new ec2.Vpc(this, 'MyVpc', {
      maxAzs: 2,
      natGateways: 0,
      subnetConfiguration: [
        { name: 'isolated', subnetType: ec2.SubnetType.PRIVATE_ISOLATED, cidrMask: 24 },
      ],
    });

    // DynamoDB uses a gateway endpoint: a route-table entry, no ENI, no hourly charge.
    vpc.addGatewayEndpoint('DynamoDbEndpoint', {
      service: ec2.GatewayVpcEndpointAwsService.DYNAMODB,
    });

    // SNS and Secrets Manager use interface endpoints (PrivateLink): one ENI per AZ
    // guarded by a security group. With private DNS enabled (the default) the public
    // service hostname resolves to the endpoint's private IPs inside the VPC.
    vpc.addInterfaceEndpoint('SnsEndpoint', {
      service: ec2.InterfaceVpcEndpointAwsService.SNS,
      privateDnsEnabled: true,
    });

    vpc.addInterfaceEndpoint('SecretsManagerEndpoint', {
      service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
      privateDnsEnabled: true,
    });
  }
}

2. Deploying the Stack

Run the following commands from inside a CDK TypeScript project (Node.js and npm are required; the AWS CLI is only needed for the credentials CDK uses):

# Install AWS CDK (if not already installed)
npm install -g aws-cdk

# Bootstrap the CDK environment (first-time setup per account and region)
cdk bootstrap aws://ACCOUNT-NUMBER/REGION

# Deploy the stack
cdk deploy

3. Verifying VPC Endpoints

Check that the endpoints exist and have reached the "available" state:

aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[].[VpcEndpointId,ServiceName,VpcEndpointType,State]' --output table

4. Testing Lambda Connectivity

Deploy a Lambda function attached to the VPC's isolated subnets (its execution role needs dynamodb:ListTables) and verify that it reaches DynamoDB without internet access:

import json
import boto3

def lambda_handler(event, context):
    # The function has no route to the internet, so this call can only succeed
    # through the DynamoDB gateway endpoint in the subnet's route table.
    # boto3 picks the region from the AWS_REGION variable Lambda sets.
    dynamodb = boto3.client('dynamodb')
    response = dynamodb.list_tables()
    return {
        'statusCode': 200,
        'body': json.dumps(response['TableNames'])
    }

5. Security Best Practices

  • Restrict VPC endpoint policies to least privilege: the default policy attached at creation allows any principal any action on any resource, so an endpoint without a policy is also a data exfiltration path for credentials from other accounts.
  • Use security groups to control traffic to interface endpoints; only the security groups of the workloads that need the service should be allowed in on port 443.
  • Monitor endpoint usage: CloudTrail records the vpcEndpointId in each API event, and VPC Flow Logs on the endpoint network interfaces show who is talking to them.
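As an added example that is not part of the original post, the following Python script (standard library only) generates the least-privilege endpoint policy the first bullet calls for and lints a policy document for the wildcards that the default endpoint policy carries. The account ID 123456789012, region us-east-1 and table name Orders are constructed placeholders; the file it writes is the policy.json that the aws ec2 modify-vpc-endpoint command later in this post expects.

```python
"""Build and lint a least-privilege VPC endpoint policy (standard library only).

All identifiers below (account 123456789012, region us-east-1, table Orders)
are constructed placeholders for this example.
"""
import json

# What AWS attaches when an endpoint is created without a policy:
# any principal, any action, any resource. Reproduced here for comparison.
DEFAULT_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Condition keys that tie an Allow to a known principal population.
PRINCIPAL_CONDITION_KEYS = {"aws:principalaccount", "aws:principalorgid", "aws:principalarn"}


def dynamodb_endpoint_policy(account_id, region, table_names, actions=None):
    """Return a DynamoDB gateway endpoint policy scoped to one account's tables.

    Two independent restrictions: Resource pins the tables (and their indexes)
    reachable through the endpoint, and aws:PrincipalAccount refuses credentials
    from any other account, so attacker-supplied keys cannot use the endpoint
    to move data out of the VPC.
    """
    actions = actions or ["dynamodb:GetItem", "dynamodb:PutItem",
                          "dynamodb:Query", "dynamodb:UpdateItem"]
    resources = []
    for name in table_names:
        table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{name}"
        resources.extend([table_arn, f"{table_arn}/index/*"])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OwnAccountNamedTablesOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": resources,
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and similar fields.
    return [value] if isinstance(value, str) else list(value or [])


def lint_endpoint_policy(policy):
    """Return findings for Allow statements broader than an endpoint policy should be."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        principal_is_any = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        condition_keys = {key.lower()
                          for operator in stmt.get("Condition", {}).values()
                          for key in operator}
        if principal_is_any and not (condition_keys & PRINCIPAL_CONDITION_KEYS):
            findings.append(f"{sid}: Principal '*' with no principal condition; "
                            "any AWS account's credentials can use this endpoint")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: wildcard Action")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: Resource '*' reaches resources in every account")
    return findings


def policy_json(policy):
    """Serialise the policy as the CLI's --policy-document file expects it."""
    return json.dumps(policy, indent=2)


def write_policy_file(policy, path="policy.json"):
    with open(path, "w") as fh:
        fh.write(policy_json(policy))
    return path


if __name__ == "__main__":
    scoped = dynamodb_endpoint_policy("123456789012", "us-east-1", ["Orders"])
    print("default policy findings:", lint_endpoint_policy(DEFAULT_FULL_ACCESS))
    print("scoped policy findings:", lint_endpoint_policy(scoped))
    print("wrote", write_policy_file(scoped))
```

Run the script, review the findings it prints for the default policy against the empty list for the scoped one, then attach the generated file with aws ec2 modify-vpc-endpoint. Principal stays "*" in an endpoint policy because the endpoint cannot name IAM entities the way a resource policy does; the aws:PrincipalAccount condition is what does the narrowing.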

What Undercode Say

VPC endpoints are essential for building secure, private cloud architectures. Removing the need for NAT gateways and internet egress cuts cost and latency, and service traffic never leaves the AWS network.

Key Linux & AWS Commands for Further Exploration:

# List your own endpoints and their state (describe-vpc-endpoint-connections only lists
# consumers of endpoint services you host, so it is the wrong command for this setup)
aws ec2 describe-vpc-endpoints
aws ec2 describe-vpc-endpoint-connections

# Replace the endpoint policy with a least-privilege one
aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-123abc --policy-document file://policy.json

# Network troubleshooting (Linux, from an instance inside the VPC)
# Private DNS check: the public service hostname must resolve to private VPC addresses
dig +short secretsmanager.us-east-1.amazonaws.com
# TCP/TLS reachability of the endpoint ENI on 443; any HTTP response proves the path works
curl -v https://secretsmanager.us-east-1.amazonaws.com
nc -zv <ENDPOINT_DNS> 443
# ICMP only answers if the endpoint security group allows it; prefer the TCP checks above
ping <PrivateLink DNS>
traceroute <ENDPOINT_IP>

Expected Output:

A fully private AWS environment where Lambda, EC2, and other services securely access DynamoDB, SNS, and Secrets Manager without internet exposure.

Prediction

As hybrid cloud adoption grows, AWS will expand VPC endpoint support for more services, reducing reliance on public internet for cloud operations. Zero Trust architectures will increasingly depend on private service endpoints.

Reported By: Darryl Ruggles – Hackers Feeds