
Amazon Web Services (AWS)

VPC Endpoint

A VPC endpoint is a virtual device that lets EC2 instances in your Virtual Private Cloud (VPC) connect privately to supported AWS services and to VPC endpoint services powered by PrivateLink, without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not need public IP addresses to communicate with resources in the service, and traffic between your VPC and the service does not leave the Amazon network.
The cost of a VPC endpoint depends on the endpoint type and the amount of data transferred through it. Data transfer charges for VPC endpoints start at $0.01 per GB and decrease as the volume transferred grows.
Terraform Name
aws_vpc_endpoint
  • service_name - (Required) The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
  • vpc_id - (Required) The ID of the VPC in which the endpoint will be used.
  • auto_accept - (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
  • policy - (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
  • private_dns_enabled - (Optional; AWS services and AWS Marketplace partner services only) Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
  • dns_options - (Optional) The DNS options for the endpoint. See dns_options below.
  • ip_address_type - (Optional) The IP address type for the endpoint. Valid values are ipv4, dualstack, and ipv6.
  • route_table_ids - (Optional) One or more route table IDs. Applicable for endpoints of type Gateway.
  • subnet_ids - (Optional) The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type GatewayLoadBalancer and Interface.
  • security_group_ids - (Optional) The ID of one or more security groups to associate with the network interface. Applicable for endpoints of type Interface. If no security groups are specified, the VPC's default security group is associated with the endpoint.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpc_endpoint_type - (Optional) The VPC endpoint type, Gateway, GatewayLoadBalancer, or Interface. Defaults to Gateway.

The dns_options block supports the following:
  • dns_record_ip_type - (Optional) The DNS records created for the endpoint. Valid values are ipv4, dualstack, service-defined, and ipv6.

Associating resources with a VPC Endpoint

Resources do not "belong" to a VPC Endpoint. Rather, one or more Security Groups are associated to a resource.

VPC Endpoint via Terraform:
The following HCL creates an Interface VPC endpoint for the EC2 service inside a VPC. The VPC ID, region and security group ID are placeholders passed in as variables:

resource "aws_vpc_endpoint" "ec2" {
  vpc_id            = var.vpc_id                          # placeholder: ID of the VPC the endpoint lives in
  service_name      = "com.amazonaws.${var.region}.ec2"  # service name in the form com.amazonaws.<region>.<service>
  vpc_endpoint_type = "Interface"

  security_group_ids = [var.endpoint_security_group_id]  # placeholder: security group attached to the endpoint ENIs

  private_dns_enabled = true                              # resolve the public EC2 API hostname to the endpoint
}
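As an added example that is not part of the original page, the configuration below shows how the policy and security_group_ids arguments from the argument list are used to tighten endpoints rather than leave them at their defaults: a Gateway endpoint for S3 whose endpoint policy is limited to a single bucket (instead of the full-access default), and an Interface endpoint for EC2 attached to a security group that accepts HTTPS only from the VPC CIDR. The variable names, the bucket name, the region default and the resource names are placeholders chosen for this example, not values from the page.

```hcl
# Added example, not code from the original page. All variables, the bucket
# name and the resource names are placeholders.

variable "region"          { default = "us-east-1" } # placeholder region
variable "vpc_id"          { type = string }
variable "vpc_cidr"        { type = string }
variable "route_table_ids" { type = list(string) }
variable "subnet_ids"      { type = list(string) }
variable "bucket_name"     { default = "example-bucket" } # placeholder bucket

# Endpoint policy for the S3 Gateway endpoint. Without `policy` the endpoint
# defaults to full access, so any instance routed through it could read and
# write any S3 bucket, including buckets in other accounts. Here only one
# bucket is reachable through the endpoint.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid     = "AllowOnlyOurBucket"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${var.bucket_name}",
      "arn:aws:s3:::${var.bucket_name}/*",
    ]
    # type "*" with identifier "*" renders as "Principal": "*"; the
    # restriction comes from the resources list, not the principal.
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.route_table_ids
  policy            = data.aws_iam_policy_document.s3_endpoint.json
  tags              = { Name = "s3-gateway-endpoint" }
}

# Security group for the Interface endpoint. If security_group_ids is
# omitted the VPC default security group is attached; an explicit group
# limits who can talk to the endpoint network interfaces at all.
resource "aws_security_group" "ec2_endpoint" {
  name        = "ec2-endpoint-sg"
  description = "HTTPS to the EC2 interface endpoint from inside the VPC only"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.ec2"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.ec2_endpoint.id]
  private_dns_enabled = true # the public EC2 API hostname resolves to the endpoint ENIs
  tags                = { Name = "ec2-interface-endpoint" }
}
```

Supply the VPC, route table and subnet IDs as inputs when applying. The two settings worth checking on every endpoint are the ones this example sets explicitly: a `policy` narrower than the full-access default, and a `security_group_ids` list that is not the VPC default group.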

VPC Endpoint via CLI:

create-vpc-endpoint
[--dry-run | --no-dry-run]
[--vpc-endpoint-type <value>]
--vpc-id <value>
--service-name <value>
[--policy-document <value>]
[--route-table-ids <value>]
[--subnet-ids <value>]
[--security-group-ids <value>]
[--ip-address-type <value>]
[--dns-options <value>]
[--client-token <value>]
[--private-dns-enabled | --no-private-dns-enabled]
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]

In the example below, <region> and <service> are placeholders in the form com.amazonaws.<region>.<service> described above, and the tag specification is quoted so the shell does not apply brace expansion to {Key=...,Value=...}:

aws ec2 create-vpc-endpoint \
   --vpc-id vpc-1a2b3c4d \
   --vpc-endpoint-type Interface \
   --service-name com.amazonaws.<region>.<service> \
   --subnet-ids subnet-7b16de0c \
   --security-group-ids sg-1a2b3c4d \
   --tag-specifications 'ResourceType=vpc-endpoint,Tags=[{Key=service,Value=S3}]'

Best Practices for VPC Endpoint

Categorized by Availability, Security & Compliance and Cost
