Design and Implementation of VPC Endpoints in AWS Systems Manager: Structural Differences Between Interface and Gateway Types

Wed, 27 May 2026 10:40:20 +0900

AWS VPC Endpoint Design and Implementation: Structural Understanding of Secure Private Connections

meta_description: Detailed explanation of the operating principles of Interface and Gateway VPC endpoints, security design for SSM operations, and CLI verification processes from a system architect’s perspective.

1. Basic Concepts and Design Philosophy of VPC Endpoints

AWS VPC endpoints are a network feature that enables resources within an Amazon Virtual Private Cloud (VPC) to connect privately to supported AWS services and VPC endpoint services without going through the public internet. With this architecture, traffic between the VPC and the service remains within the Amazon network, improving security and performance.

Typically, resources such as EC2 instances, ECS tasks, and Lambda functions deployed in private subnets use VPC endpoints to access services like AWS Systems Manager (SSM), Amazon S3, Amazon CloudWatch Logs, and Amazon ECR.

Traffic Flow Logic

Private Subnet Resource → AWS Service API Call → VPC Endpoint → AWS Service

There are four components that must be accurately distinguished during implementation:

VPC Endpoint: The private connection feature itself.
VPC Endpoint Service Name: The specific AWS service identifier selected during creation (e.g., com.amazonaws.ap-northeast-2.ssm).
Prefix List: A managed object containing a group of IP address ranges (CIDR blocks).
Endpoint Type: The underlying connection method (Interface type or Gateway type).

2. Comparative Analysis of Network Components

VPC endpoints differ in purpose from other network features such as Transit Gateway, NAT Gateway, and EC2 Instance Connect. The primary differences are as follows:

Category	Purpose	Representative Flow	Key Decision Criteria
VPC Endpoint	Private access to AWS services from internal resources	EC2 → VPCE → AWS Service	Used for accessing AWS services
Transit Gateway	Routing hub between VPCs, VPNs, and Direct Connect	VPC ↔ TGW ↔ VPC/On-premises	Used for inter-network connectivity
NAT Gateway	Outbound internet transmission from private resources	EC2 → NAT → Internet	Used for external transmission to the internet
EIC Endpoint	SSH/RDP access to EC2 without public IPs	User → EIC Endpoint → EC2	Used as an access path to EC2

3. Strict Identification of Service Names and Prefix Lists

3-1. VPC Endpoint Service Name Format

The service name is an identifier used to specify the AWS service to which the endpoint connects. For the Seoul region (ap-northeast-2), the standard format is com.amazonaws.<region>.<service-code>.

com.amazonaws.ap-northeast-2.ssm (SSM API)
com.amazonaws.ap-northeast-2.ssmmessages (Session Manager data channel)
com.amazonaws.ap-northeast-2.ec2messages (SSM Agent messaging)

3-2. Prefix Lists

Prefix lists are sets of CIDR blocks managed by IDs in the format pl-xxxxxxxx. AWS-managed prefix lists can be referenced in security groups and route tables, but prefix lists do not exist for all VPC endpoint services. They primarily play an important role in Gateway-type endpoints such as S3 and DynamoDB.

4. Structural Logic by Endpoint Type

4-1. Interface Endpoints (AWS PrivateLink)

Interface endpoints utilize AWS PrivateLink. Upon creation, an Endpoint ENI (Elastic Network Interface) is generated within the specified subnet.

Logic: EC2 → TCP 443 → Endpoint ENI → AWS PrivateLink → AWS Service.
Security: A security group must be attached to the Endpoint ENI to control inbound traffic.

4-2. Gateway Endpoints

Gateway endpoints do not use ENIs or security groups. Instead, they function by directly modifying route tables.

Mechanism: A route is added to the route table with the destination set to an AWS-managed prefix list (e.g., S3) and the target set to the VPC endpoint ID (vpce-xxxxxxxx).
Logic: EC2 → Route Table (Dest: S3 Prefix List, Target: VPCE) → S3/DynamoDB.

5. Security Design of Interface Endpoints in SSM Operations

Since services such as SSM, Logs, and Monitoring use the Interface type, security group configuration is essential.

Security Group Standard Settings

Inbound Rules: Allow TCP 443 from the source (EC2 instance security group or internal CIDR).
Outbound Rules: Usually allow “All Traffic,” but can be restricted according to organizational policy.

⚠️ Note: Private DNS must be enabled. This ensures that service URLs resolve to the private IP addresses of the Endpoint ENIs.

6. Infrastructure State Verification Procedures via CLI

To confirm that the configuration is correct, perform verification using the following steps:

Step 1: Identify VPC Endpoints

aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=vpc-xxxxxxxx --query 'VpcEndpoints[*].{ID:VpcEndpointId,Service:ServiceName,Type:VpcEndpointType}'

Step 2: Confirm Security Group Rules

aws ec2 describe-security-group-rules --filters Name=group-id,Values=sg-xxxxxxxx

Step 3: Confirm DNS Resolution

nslookup ssm.ap-northeast-2.amazonaws.com

💡 If Private DNS is correctly configured, the result will return the private IP addresses of the Interface endpoint ENIs.

7. Operational Notes

Interface Type: Ensure that the ENI, security group, and Private DNS are all correctly in place.
Gateway Type: Ensure that an entry exists in the route table with the prefix list as the destination.
SSM Requirements: To make SSM fully functional, all three endpoints—ssm, ssmmessages, and ec2messages—are required. If any are missing, Session Manager connection failures or agent offline states will occur.

Vpc-Endpoint on K-Life Hack | Seoul Gastronomy & Travel Guide