PrivateLink 2 Flashcards
Gateway Endpoints
What is a Gateway Endpoint?
Provides private access to S3 or DynamoDB
Gateway Endpoints
What happens when you create a GW Endpoint?
Prefix list added to route table
Gateway Endpoints
Which services support both Interface Endpoints and Gateway Endpoints?
Only S3 (not DynamoDB)
Gateway Endpoints
Can you use Security Groups or NACLs to control access to a Gateway Endpoint?
Nope, it’s not an ENI and doesn’t live IN a Subnet (it’s just routing rules).
Gateway Endpoints
What does this addition to the route table look like?
The prefix list (the service's CIDRs) is the destination; the target is the GW Endpoint
Gateway Endpoints
Are GW endpoints regional, zonal, or global?
Regional within a VPC (only one per VPC)
Gateway Endpoints
If GW endpoints aren’t per-Subnet, how does routing work (which is per-subnet)?
Associate a GW Endpoint to Subnets. Each Subnet’s route table gets routes.
Gateway Endpoints
Is a GW Endpoint HA?
Yes, HA across all AZs in a region by default
Gateway Endpoints
What other VPC things is a GW Endpoint similar to?
IGW, VPG. It’s a thing on the VPC border that you can route things to
Gateway Endpoints
How do you control access to a GW Endpoint?
Endpoint Policy
Gateway Endpoints
Example of something you can control access to with a GW Endpoint?
Restrict an S3 Endpoint to only connect to certain S3 buckets.
Gateway Endpoints
Can a GW Endpoint connect to a resource in a different region?
No
Gateway Endpoints
Security Design Pattern for S3 Gateway Endpoints?
Prevent leaky buckets: a bucket policy that only allows access from the Gateway Endpoint
Endpoint Policies
What is the TL;DR for Endpoint Policies?
Policy (action/effect/resource/principal) for what the Endpoint can access
Endpoint Policies
What can an Endpoint Policy grant access to?
Nothing! It’s like an SCP: it sets the bounds for what can be accessed through it.