Ensure that Amazon Virtual Private Cloud (VPC) endpoints are being used to securely connect your VPC to other AWS services and VPC endpoint services without the need for an Internet Gateway (IGW), NAT device, VPN connection or AWS Direct Connect connection. A VPC endpoint is a virtual device that is horizontally scaled, redundant and highly available, and that provides communication between EC2 instances within your Virtual Private Cloud and supported AWS services without introducing availability risks or bandwidth constraints on your network traffic. The EC2 instances in your VPC do not require public IP addresses, and the traffic between these resources and the supported AWS services does not leave the Amazon Web Services network. There are two types of VPC endpoints, and the type you use depends on the AWS service you need to reach: interface endpoints, which are Elastic Network Interfaces with private IP addresses placed in your subnets (powered by AWS PrivateLink), and gateway endpoints, which are targets for routes in your route tables and are used for Amazon S3 and Amazon DynamoDB.
VPC endpoints enable you to privately access specific AWS services from your own Amazon Virtual Private Cloud (VPC), without using public IP addresses and without the traffic traversing the public Internet. Note: VPC endpoints are only supported within the same AWS region. You cannot use an endpoint to connect an AWS service in one region to a VPC in a different region.
To determine if any VPC endpoints are being used within your AWS account, perform the following actions:
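The check itself can be scripted over the output of `aws ec2 describe-vpc-endpoints` (or the boto3 call of the same name). The following is an added example, not part of the original rule and not Trend Micro's or AWS's own code: it takes the `VpcEndpoints` list in the exact shape the API returns it, reports VPCs that lack an available endpoint for the services you expect to reach privately, and flags two things a practitioner cares about beyond mere presence: an endpoint policy left at the wide-open default, and an interface endpoint created without private DNS (in which case instances using the default service hostname still resolve to public IPs and keep going through the IGW or NAT). The VPC and endpoint identifiers, the sample records and the `REQUIRED_SERVICES` list are all constructed assumptions; the service names are the real ones for `us-east-1`.

```python
"""Audit VPC endpoints from describe-vpc-endpoints output (added example)."""
import json
from typing import Any, Dict, List

# Services every in-scope VPC is expected to reach privately (assumption; gateway
# endpoints for S3 and DynamoDB are the usual minimum). Service names are real.
REQUIRED_SERVICES = {
    "com.amazonaws.us-east-1.s3",
    "com.amazonaws.us-east-1.dynamodb",
}

# Constructed sample in the shape of boto3 ec2.describe_vpc_endpoints()["VpcEndpoints"].
# Every identifier below is made up; swap in the real API response to audit an account.
SAMPLE_VPCS = ["vpc-0aaa000000000001", "vpc-0aaa000000000002"]
SAMPLE_ENDPOINTS: List[Dict[str, Any]] = [
    {   # S3 gateway endpoint still carrying the default full-access policy
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60001", "VpcEndpointType": "Gateway",
        "VpcId": "vpc-0aaa000000000001", "ServiceName": "com.amazonaws.us-east-1.s3",
        "State": "available", "RouteTableIds": ["rtb-0a1b2c3d4e5f60001"],
        "PolicyDocument": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}),
    },
    {   # ELB interface endpoint with a scoped policy but private DNS switched off
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60002", "VpcEndpointType": "Interface",
        "VpcId": "vpc-0aaa000000000001",
        "ServiceName": "com.amazonaws.us-east-1.elasticloadbalancing",
        "State": "available", "SubnetIds": ["subnet-0bbb000000000001"],
        "Groups": [{"GroupId": "sg-0ccc000000000001", "GroupName": "vpce-elb"}],
        "PrivateDnsEnabled": False,
        "PolicyDocument": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["elasticloadbalancing:Describe*"], "Resource": "*"}]}),
    },
    {   # DynamoDB gateway endpoint that never finished provisioning
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60003", "VpcEndpointType": "Gateway",
        "VpcId": "vpc-0aaa000000000002", "ServiceName": "com.amazonaws.us-east-1.dynamodb",
        "State": "pending", "RouteTableIds": [],
        "PolicyDocument": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}),
    },
]


def _is_star(value: Any) -> bool:
    return value == "*" or (isinstance(value, list) and "*" in value)


def policy_is_wide_open(policy_document: str) -> bool:
    """True if some Allow statement grants any principal any action on any resource,
    i.e. the endpoint policy is still the AWS default and adds no restriction."""
    statements = json.loads(policy_document or "{}").get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if _is_star(principal) and _is_star(st.get("Action")) and _is_star(st.get("Resource")):
            return True
    return False


def audit_vpc_endpoints(endpoints: List[Dict[str, Any]], vpc_ids: List[str]) -> List[Dict[str, Any]]:
    """Return findings for the given VPCs; an empty list means every required
    service has an available, scoped endpoint and interface endpoints use private DNS."""
    findings: List[Dict[str, Any]] = []
    covered = {vpc: set() for vpc in vpc_ids}
    for ep in endpoints:
        vpc, eid = ep["VpcId"], ep["VpcEndpointId"]
        covered.setdefault(vpc, set())
        if ep.get("State") != "available":
            findings.append({"vpc": vpc, "endpoint": eid,
                             "issue": f"state is {ep.get('State')}; traffic is not using the endpoint"})
            continue  # a non-available endpoint provides no coverage
        covered[vpc].add(ep["ServiceName"])
        if policy_is_wide_open(ep.get("PolicyDocument", "")):
            findings.append({"vpc": vpc, "endpoint": eid,
                             "issue": "endpoint policy allows any principal any action on any resource"})
        if ep.get("VpcEndpointType") == "Interface" and not ep.get("PrivateDnsEnabled", False):
            findings.append({"vpc": vpc, "endpoint": eid,
                             "issue": "private DNS disabled; default service hostname still resolves to public IPs"})
    for vpc in vpc_ids:
        for service in sorted(REQUIRED_SERVICES - covered[vpc]):
            findings.append({"vpc": vpc, "endpoint": None,
                             "issue": f"no available endpoint for {service}"})
    return findings


if __name__ == "__main__":
    # With credentials: endpoints = boto3.client("ec2").describe_vpc_endpoints()["VpcEndpoints"]
    for finding in audit_vpc_endpoints(SAMPLE_ENDPOINTS, SAMPLE_VPCS):
        print(json.dumps(finding))
```

Against the constructed sample the audit reports six findings: the wide-open S3 policy, the ELB endpoint without private DNS, the pending DynamoDB endpoint, and missing coverage for DynamoDB in the first VPC and for both services in the second. Paginate `describe_vpc_endpoints` (it returns `NextToken`) before feeding a large account into `audit_vpc_endpoints`.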
A VPC endpoint enables you to connect to particular AWS services that are outside your VPC network over a private link. To deploy and configure a VPC endpoint within your AWS account, perform the following actions:
Note: As an example, this conformity rule demonstrates how to create an interface VPC endpoint between a Virtual Private Cloud and the Elastic Load Balancing (ELB) service within the US East region. An interface endpoint is an Elastic Network Interface (ENI) that serves as an endpoint for communicating with a specified AWS service (in this case Amazon ELB). You specify the subnet(s) in which to create the endpoint and the security group(s) to associate with the endpoint network interface.
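The same interface endpoint for ELB in `us-east-1` can be created with the EC2 API instead of the console. What follows is an added example written for this page, not the rule's own procedure and not AWS or Trend Micro code: it builds the security group rule (HTTPS only, and only from inside the VPC), a least-privilege endpoint policy that replaces the full-access default, and the `create_vpc_endpoint` request with private DNS enabled, then applies them through whatever EC2 client you pass in (`boto3.client("ec2", region_name="us-east-1")` in a real account). The VPC, subnet, CIDR and account identifiers are placeholders, and `RecordingEc2` is a stand-in client added so the block runs offline; the service name and the boto3 parameter names are real.

```python
"""Create a least-privilege interface endpoint for ELB in us-east-1 (added example)."""
import ipaddress
import json
from typing import Any, Dict, List

# Placeholder identifiers (assumptions); substitute your own VPC, subnets and account.
VPC_ID = "vpc-0aaa000000000001"
VPC_CIDR = "10.0.0.0/16"
SUBNET_IDS = ["subnet-0bbb000000000001", "subnet-0bbb000000000002"]  # one per AZ for HA
ACCOUNT_ID = "111122223333"
ELB_SERVICE = "com.amazonaws.us-east-1.elasticloadbalancing"  # real service name


def elb_endpoint_policy(account_id: str) -> Dict[str, Any]:
    """Endpoint policy that only lets principals from your own account call ELB
    through this endpoint, instead of the default 'Principal *, Action *' policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OwnAccountOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "elasticloadbalancing:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def endpoint_security_group_ingress(vpc_cidr: str) -> List[Dict[str, Any]]:
    """IpPermissions for authorize_security_group_ingress: TCP 443 from the VPC only.
    The endpoint ENI should never be reachable from outside the VPC."""
    ipaddress.ip_network(vpc_cidr)  # raises ValueError on a malformed CIDR
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": vpc_cidr, "Description": "HTTPS to the ELB API via the interface endpoint"}],
    }]


def build_create_request(vpc_id: str, subnet_ids: List[str], security_group_id: str,
                         account_id: str, service_name: str = ELB_SERVICE) -> Dict[str, Any]:
    """Keyword arguments for boto3 ec2.create_vpc_endpoint()."""
    if not subnet_ids:
        raise ValueError("an interface endpoint needs at least one subnet; use one per AZ")
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": service_name,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [security_group_id],
        # With private DNS the default elasticloadbalancing.us-east-1.amazonaws.com hostname
        # resolves to the endpoint's private IPs (requires enableDnsSupport/enableDnsHostnames
        # on the VPC); without it, SDK clients keep using public IPs via the IGW or NAT.
        "PrivateDnsEnabled": True,
        "PolicyDocument": json.dumps(elb_endpoint_policy(account_id)),
    }


def deploy(ec2: Any, vpc_id: str, vpc_cidr: str, subnet_ids: List[str], account_id: str) -> str:
    """Create the security group, its ingress rule and the endpoint; return the endpoint id."""
    sg = ec2.create_security_group(GroupName="vpce-elasticloadbalancing",
                                   Description="Interface endpoint for Elastic Load Balancing",
                                   VpcId=vpc_id)
    sg_id = sg["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id,
                                         IpPermissions=endpoint_security_group_ingress(vpc_cidr))
    resp = ec2.create_vpc_endpoint(**build_create_request(vpc_id, subnet_ids, sg_id, account_id))
    return resp["VpcEndpoint"]["VpcEndpointId"]


class RecordingEc2:
    """Offline stand-in for a boto3 EC2 client (assumption): records the calls deploy() makes
    and returns responses in the real API's shape, so the flow can be inspected without AWS."""
    def __init__(self) -> None:
        self.calls: Dict[str, Dict[str, Any]] = {}

    def create_security_group(self, **kw: Any) -> Dict[str, Any]:
        self.calls["create_security_group"] = kw
        return {"GroupId": "sg-0fake00000000001"}

    def authorize_security_group_ingress(self, **kw: Any) -> Dict[str, Any]:
        self.calls["authorize_security_group_ingress"] = kw
        return {"Return": True}

    def create_vpc_endpoint(self, **kw: Any) -> Dict[str, Any]:
        self.calls["create_vpc_endpoint"] = kw
        return {"VpcEndpoint": {"VpcEndpointId": "vpce-0fake00000000001", "State": "pending"}}


if __name__ == "__main__":
    # Replace RecordingEc2() with boto3.client("ec2", region_name="us-east-1") to apply for real.
    client = RecordingEc2()
    print("created", deploy(client, VPC_ID, VPC_CIDR, SUBNET_IDS, ACCOUNT_ID))
    print(json.dumps(client.calls["create_vpc_endpoint"], indent=2))
```

After a real run, confirm the endpoint reached the `available` state with `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <id>` and resolve `elasticloadbalancing.us-east-1.amazonaws.com` from an instance in the VPC; it should now return addresses inside `VPC_CIDR`, which is the observable proof that ELB API traffic no longer leaves the AWS network.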