# Gateway endpoints
<a name="gateway-endpoints"></a>

Gateway VPC endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Gateway endpoints do not use AWS PrivateLink, unlike other types of VPC endpoints.

Amazon S3 and DynamoDB support both gateway endpoints and interface endpoints. For a comparison of the options, see the following: 
+ [Types of VPC endpoints for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3)
+ [Types of VPC endpoints for Amazon DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-ddb)

**Pricing**  
There is no additional charge for using gateway endpoints.

**Topics**
+ [Overview](#gateway-endpoint-overview)
+ [Routing](#gateway-endpoint-routing)
+ [Security](#gateway-endpoint-security)
+ [IP address type](#gateway-endpoint-ip-address-type)
+ [DNS record IP type](#gateway-endpoint-dns-record-ip-type)
+ [Endpoints for Amazon S3](vpc-endpoints-s3.md)
+ [Endpoints for DynamoDB](vpc-endpoints-ddb.md)

## Overview
<a name="gateway-endpoint-overview"></a>

You can access Amazon S3 and DynamoDB through their public service endpoints or through gateway endpoints. This overview compares these methods.

**Access through an internet gateway**  
The following diagram shows how instances access Amazon S3 and DynamoDB through their public service endpoints. Traffic to Amazon S3 or DynamoDB from an instance in a public subnet is routed to the internet gateway for the VPC and then to the service. Instances in a private subnet can't send traffic to Amazon S3 or DynamoDB, because by definition private subnets do not have routes to an internet gateway. To enable instances in the private subnet to send traffic to Amazon S3 or DynamoDB, you would add a NAT device to the public subnet and route traffic in the private subnet to the NAT device. While traffic to Amazon S3 or DynamoDB traverses the internet gateway, it does not leave the AWS network.

![Traffic leaves your VPC through an internet gateway, but stays in the AWS network.](http://docs.aws.amazon.com/vpc/latest/privatelink/images/without-gateway-endpoints.png)


**Access through a gateway endpoint**  
The following diagram shows how instances access Amazon S3 and DynamoDB through a gateway endpoint. Traffic from your VPC to Amazon S3 or DynamoDB is routed to the gateway endpoint. Each subnet route table must have a route that sends traffic destined for the service to the gateway endpoint using the prefix list for the service. For more information, see [AWS-managed prefix lists](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) in the *Amazon VPC User Guide*.

![Traffic from your VPC is routed to the gateway endpoint.](http://docs.aws.amazon.com/vpc/latest/privatelink/images/gateway-endpoints.png)


## Routing
<a name="gateway-endpoint-routing"></a>

When you create a gateway endpoint, you select the VPC route tables for the subnets that you enable. The following route is automatically added to each route table that you select. The destination is a prefix list for the service owned by AWS and the target is the gateway endpoint.


| Destination | Target | 
| --- | --- | 
| *prefix-list-id* | *gateway-endpoint-id* | 

**Considerations**
+ You can review the endpoint routes that we add to your route table, but you cannot modify or delete them. To add an endpoint route to a route table, associate it with the gateway endpoint. We delete the endpoint route when you disassociate the route table from the gateway endpoint or when you delete the gateway endpoint.
+ All instances in the subnets associated with a route table associated with a gateway endpoint automatically use the gateway endpoint to access the service. Instances in subnets that aren't associated with these route tables use the public service endpoint, not the gateway endpoint.
+ A route table can have both an endpoint route to Amazon S3 and an endpoint route to DynamoDB. You can have endpoint routes to the same service (Amazon S3 or DynamoDB) in multiple route tables. You can't have multiple endpoint routes to the same service (Amazon S3 or DynamoDB) in a single route table.
+ We use the most specific route that matches the traffic to determine how to route the traffic (longest prefix match). For route tables with an endpoint route, this means the following:
  + If there is a route that sends all internet traffic (0.0.0.0/0) to an internet gateway, the endpoint route takes precedence for traffic destined for the service (Amazon S3 or DynamoDB) in the current Region. Traffic destined for a different AWS service uses the internet gateway.
  + Traffic that's destined for the service (Amazon S3 or DynamoDB) in a different Region goes to the internet gateway because prefix lists are specific to a Region.
  + If there is a route that specifies the exact IP address range for the service (Amazon S3 or DynamoDB) in the same Region, that route takes precedence over the endpoint route.
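The three precedence rules above, worked through in code. This is an added example, not code from the AWS documentation; the prefix-list contents are RFC 5737 documentation ranges standing in for the real AWS-managed prefix list, and the `pl-`, `igw-` and `vpce-` IDs are constructed placeholders.

```python
import ipaddress

# Constructed stand-in for the AWS-managed prefix list of the service (Amazon S3 or
# DynamoDB) in the current Region. RFC 5737 ranges, not real service addresses.
PREFIX_LISTS = {
    "pl-SERVICE-THIS-REGION": ["192.0.2.0/24", "198.51.100.0/24"],
}
# Stand-in address of the same service in a different Region: prefix lists are
# Region-specific, so it is not in the list above.
SERVICE_IP_OTHER_REGION = "203.0.113.7"


def expand_routes(routes, prefix_lists):
    """Expand a route table into (network, target, is_static) entries.

    A prefix-list destination (the endpoint route that AWS adds) expands to one
    entry per CIDR in the list; every other destination is a static CIDR route.
    """
    expanded = []
    for destination, target in routes:
        if destination.startswith("pl-"):
            for cidr in prefix_lists[destination]:
                expanded.append((ipaddress.ip_network(cidr), target, False))
        else:
            expanded.append((ipaddress.ip_network(destination), target, True))
    return expanded


def route_lookup(routes, ip, prefix_lists=PREFIX_LISTS):
    """Return the target for ip using longest prefix match.

    On equal prefix length a static CIDR route wins over a prefix-list entry,
    modelling the rule that a route for the exact service range takes precedence
    over the endpoint route. Returns None when no route matches.
    """
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, is_static, target)
               for net, target, is_static in expand_routes(routes, prefix_lists)
               if addr in net]
    if not matches:
        return None
    matches.sort(key=lambda m: (m[0], m[1]), reverse=True)
    return matches[0][2]


# Public subnet: default route to an internet gateway plus the endpoint route.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),
    ("pl-SERVICE-THIS-REGION", "vpce-EXAMPLE"),  # added when the table is associated
]
# Private subnet: no internet route, only the endpoint route.
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("pl-SERVICE-THIS-REGION", "vpce-EXAMPLE"),
]


def routing_report(routes):
    """Which path each kind of destination takes from a subnet using these routes."""
    return {
        "service, this Region": route_lookup(routes, "192.0.2.10"),
        "service, other Region": route_lookup(routes, SERVICE_IP_OTHER_REGION),
        "another host in the VPC": route_lookup(routes, "10.0.3.4"),
    }
```

Adding a static route for `192.0.2.0/24` that points at the internet gateway makes `route_lookup` prefer it over the endpoint route for that range, which is the third rule above.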

## Security
<a name="gateway-endpoint-security"></a>

When your instances access Amazon S3 or DynamoDB through a gateway endpoint, they access the service using its public endpoint. The security groups for these instances must allow traffic to and from the service. The following is an example outbound rule. It references the ID of the [prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) for the service.


| Destination | Protocol | Port range | 
| --- | --- | --- | 
| *prefix-list-id* | TCP | 443 | 

The network ACLs for the subnets for these instances must also allow traffic to and from the service. The following is an example outbound rule. You can't reference prefix lists in network ACL rules, but you can get the IP address ranges for the service from its prefix list.


| Destination | Protocol | Port range | 
| --- | --- | --- | 
| *service-cidr-block-1* | TCP | 443 | 
| *service-cidr-block-2* | TCP | 443 | 
| *service-cidr-block-3* | TCP | 443 | 
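The network ACL side of this, as an added example that is not from the AWS documentation. It builds the per-CIDR outbound rules the table above describes from a copy of the prefix list, evaluates a packet the way a network ACL does (lowest rule number first, implicit deny when nothing matches), and flags prefix-list CIDRs that no rule covers, since rules copied from a prefix list do not follow later changes to that list. The CIDRs are RFC 5737 placeholders, not real service ranges.

```python
import ipaddress

# Constructed stand-in for the service's AWS-managed prefix list (RFC 5737 ranges).
SERVICE_CIDRS = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]


def nacl_rules_from_prefix_list(cidrs, start=100, step=10):
    """Outbound network ACL rules equivalent to the table above: TCP 443 to each
    CIDR of the prefix list. Rule numbers are spaced so a rule can be inserted
    ahead of a broader one later; a network ACL is evaluated lowest number first."""
    return [{"number": start + i * step, "protocol": "tcp", "port_range": (443, 443),
             "cidr": cidr, "action": "allow"}
            for i, cidr in enumerate(cidrs)]


def nacl_decision(rules, dest_ip, protocol, port):
    """First matching rule by number wins; no match is the implicit '*' deny."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r["number"]):
        low, high = rule["port_range"]
        if (rule["protocol"] in (protocol, "all") and low <= port <= high
                and addr in ipaddress.ip_network(rule["cidr"])):
            return rule["action"]
    return "deny"


def uncovered_cidrs(rules, cidrs):
    """CIDRs of the current prefix list with no allow rule covering them.
    Run this against the prefix list whenever it changes, because network ACL
    rules hold literal CIDRs and cannot reference the prefix list."""
    covered = [ipaddress.ip_network(r["cidr"]) for r in rules if r["action"] == "allow"]
    return [c for c in cidrs
            if not any(ipaddress.ip_network(c).subnet_of(n) for n in covered)]
```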

## IP address type
<a name="gateway-endpoint-ip-address-type"></a>

The IP address type determines which prefix list is associated with your route table.

**Requirements to enable IPv6 for a gateway endpoint**
+ The IP address type of a gateway endpoint must be compatible with the subnets for the gateway endpoint, as described here:
  + **IPv4** – Add the service's IPv4 prefix list to your route table.
  + **IPv6** – Add the service's IPv6 prefix list to your route table. This option is supported only if all selected subnets are IPv6 only subnets.
  + **Dualstack** – Add the service's IPv4 prefix list to your route table and add the service's IPv6 prefix list to your route table. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges.

## DNS record IP type
<a name="gateway-endpoint-dns-record-ip-type"></a>

By default, a gateway endpoint returns DNS records based on the service endpoint you call. If you create your gateway endpoint using the IPv4 service endpoint, such as `s3.us-east-2.amazonaws.com`, Amazon S3 returns A records to your clients, and all subnets in your route table use IPv4.

In contrast, if you create your gateway endpoint using the dualstack service endpoint, such as `s3.dualstack.us-east-2.amazonaws.com`, Amazon S3 returns both A and AAAA records to your clients, and the subnets in your route table use IPv4 and IPv6.

**Note**  
For directory buckets, or S3 Express One Zone, the gateway endpoints for the data plane would be `s3express-use2-az1.us-east-2.amazonaws.com` and `s3express-use2-az1.dualstack.us-east-2.amazonaws.com` respectively.

The DNS record IP type affects how traffic is routed to your clients. If you create a gateway endpoint using the IPv4 service endpoint and then call the dualstack service endpoint, traffic that uses AAAA records won't be routed through the gateway endpoint. Traffic will be dropped or routed over an IPv6-compatible path if one is present. If you use a service-defined DNS record IP type, make sure your service can handle variable calls from multiple service endpoints.

Instead of the default DNS record IP type setting of [service-defined](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DnsOptionsSpecification.html), you can customize the DNS record IP type to choose which records are returned for a specific endpoint. The following table shows the supported DNS record IP types and the returned record types:


| DNS record IP type | Returned record types | 
| --- | --- | 
| IPv4 | A | 
| IPv6 | AAAA | 
| Dualstack | A and AAAA | 
| service-defined | The records depend on the service endpoint | 

To choose a DNS record IP type, you must use a compatible IP address type for the endpoint service. The following table shows the supported DNS record IP types for each IP address type for gateway endpoints:


| IP address type | Supported DNS record IP types | 
| --- | --- | 
| IPv4 | IPv4, service-defined\* | 
| IPv6 | IPv6, service-defined\* | 
| Dualstack | IPv4, IPv6, Dualstack, service-defined\* | 

\* Represents the default DNS record IP type.

**Note**  
To use DNS record IP types other than service-defined for your gateway endpoint, you must enable the `enableDnsSupport` and `enableDnsHostnames` attributes in your VPC settings.

You can't change the DNS record IP type for a DynamoDB gateway endpoint. DynamoDB only supports the DNS record IP type of service-defined.

The DNS record IP type behavior is different for interface endpoints. For more information, see [DNS record IP type for interface endpoints](privatelink-access-aws-services.md#aws-services-dns-record-ip-type).

# Gateway endpoints for Amazon S3
<a name="vpc-endpoints-s3"></a>

You can access Amazon S3 from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to Amazon S3.

There is no additional charge for using gateway endpoints.

Amazon S3 supports both gateway endpoints and interface endpoints. With a gateway endpoint, you can access Amazon S3 from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see [Types of VPC endpoints for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3) in the *Amazon S3 User Guide*.

**Topics**
+ [Considerations](#gateway-endpoint-considerations-s3)
+ [Private DNS](#private-dns-s3)
+ [Create a gateway endpoint](#create-gateway-endpoint-s3)
+ [Control access using bucket policies](#bucket-policies-s3)
+ [Associate route tables](#associate-route-tables-s3)
+ [Edit the VPC endpoint policy](#edit-vpc-endpoint-policy-s3)
+ [Delete a gateway endpoint](#delete-gateway-endpoint-s3)

## Considerations
<a name="gateway-endpoint-considerations-s3"></a>
+ A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets.
+ If you're using the Amazon DNS servers, you must enable both [DNS hostnames and DNS resolution](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating) for your VPC. If you're using your own DNS server, ensure that requests to Amazon S3 resolve correctly to the IP addresses maintained by AWS.
+ The rules for the security groups for your instances that access Amazon S3 through a gateway endpoint must allow traffic to and from Amazon S3. You can reference the ID of the [prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) for Amazon S3 in security group rules.
+ The network ACL for the subnet for your instances that access Amazon S3 through a gateway endpoint must allow traffic to and from Amazon S3. You can't reference prefix lists in network ACL rules, but you can get the IP address range for Amazon S3 from the [prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) for Amazon S3.
+ Check whether you are using an AWS service that requires access to an S3 bucket. For example, a service might require access to buckets that contain log files, or might require you to download drivers or agents to your EC2 instances. If so, ensure that your endpoint policy allows the AWS service or resource to access these buckets using the `s3:GetObject` action.
+ You can't use the `aws:SourceIp` condition in an identity policy or a bucket policy for requests to Amazon S3 that traverse a VPC endpoint. Instead, use the `aws:VpcSourceIp` condition. Alternatively, you can use route tables to control which EC2 instances can access Amazon S3 through the VPC endpoint.
+ The source IPv4 or IPv6 addresses from instances in your affected subnets as received by Amazon S3 change from public addresses to the private addresses in your VPC. An endpoint switches network routes, and disconnects open TCP connections. The previous connections that used public addresses are not resumed. We recommend that you do not have any critical tasks running when you create or modify an endpoint; or that you test to ensure that your software can automatically reconnect to Amazon S3 after the connection break.
+ Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3.
+ Your account has a default quota of 20 gateway endpoints per Region, which is adjustable. There is also a limit of 255 gateway endpoints per VPC.

## Private DNS
<a name="private-dns-s3"></a>

You can configure private DNS to optimize costs when you create both a gateway endpoint and an interface endpoint for Amazon S3.

**Route 53 Resolver**  
Amazon provides a DNS server, called the [Route 53 Resolver](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html), for your VPC. The Route 53 Resolver automatically resolves local VPC domain names and records in private hosted zones. However, you can't use the Route 53 Resolver from outside your VPC. Route 53 provides Resolver endpoints and Resolver rules so that you can use the Route 53 Resolver from outside your VPC. An *inbound Resolver endpoint* forwards DNS queries from the on-premises network to Route 53 Resolver. An *outbound Resolver endpoint* forwards DNS queries from the Route 53 Resolver to the on-premises network.

When you configure your interface endpoint for Amazon S3 to use private DNS only for the inbound Resolver endpoint, we create an inbound Resolver endpoint. The inbound Resolver endpoint resolves DNS queries to Amazon S3 from on-premises to the private IP addresses of the interface endpoint. We also add ALIAS records for the Route 53 Resolver to the public hosted zone for Amazon S3, so that DNS queries from your VPC resolve to the Amazon S3 public IP addresses, which routes traffic to the gateway endpoint.

**Private DNS**  
If you configure private DNS for your interface endpoint for Amazon S3 but do not configure private DNS only for the inbound Resolver endpoint, requests from both your on-premises network and your VPC use the interface endpoint to access Amazon S3. Therefore, you pay to use the interface endpoint for traffic from the VPC, instead of using the gateway endpoint for no additional charge.

![Amazon S3 request routing with both endpoint types.](http://docs.aws.amazon.com/vpc/latest/privatelink/images/s3-private-dns-default.png)


**Private DNS only for the inbound Resolver endpoint**  
If you configure private DNS only for the inbound Resolver endpoint, requests from your on-premises network use the interface endpoint to access Amazon S3, and requests from your VPC use the gateway endpoint to access Amazon S3. Therefore, you optimize your costs, because you pay to use the interface endpoint only for traffic that can't use the gateway endpoint.

In order to configure this, the DNS record IP type of the gateway endpoint must match the interface endpoint or be `service-defined`. AWS PrivateLink doesn't support any other combination. For more information, see [DNS record IP type](gateway-endpoints.md#gateway-endpoint-dns-record-ip-type).

![Amazon S3 request routing with private DNS and an inbound Resolver endpoint.](http://docs.aws.amazon.com/vpc/latest/privatelink/images/s3-private-dns-inbound-endpoint.png)


**Configure private DNS**  
You can configure private DNS for an interface endpoint for Amazon S3 when you create it or after you create it. For more information, see [Create a VPC endpoint](create-interface-endpoint.md#create-interface-endpoint-aws) (configure during creation) or [Enable private DNS names](interface-endpoints.md#enable-private-dns-names) (configure after creation).

## Create a gateway endpoint
<a name="create-gateway-endpoint-s3"></a>

Use the following procedure to create a gateway endpoint that connects to Amazon S3.

**To create a gateway endpoint using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create endpoint**.

1. For **Service category**, choose **AWS services**.

1. For **Services**, add the filter **Type = Gateway**.

   If your Amazon S3 data is stored in general purpose buckets, select **com.amazonaws.***region***.s3**.

   If your Amazon S3 data is stored in directory buckets, select **com.amazonaws.***region***.s3express**.

1. For **VPC**, select the VPC in which to create the endpoint.

1. For **IP address type**, choose from the following options:
   + **IPv4** – Assign IPv4 addresses to the endpoint network interfaces. This option is supported only if all selected subnets have IPv4 address ranges and the service accepts IPv4 requests.
   + **IPv6** – Assign IPv6 addresses to the endpoint network interfaces. This option is supported only if all selected subnets are IPv6 only subnets and the service accepts IPv6 requests.
   + **Dualstack** – Assign both IPv4 and IPv6 addresses to the endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges and the service accepts both IPv4 and IPv6 requests.

1. For **Route tables**, select the route tables to be used by the endpoint. We automatically add a route that points traffic destined for the service to the endpoint network interface.

1. For **Policy**, select **Full access** to allow all operations by all principals on all resources over the VPC endpoint. Otherwise, select **Custom** to attach a VPC endpoint policy that controls the permissions that principals have to perform actions on resources over the VPC endpoint.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create endpoint**.

**To create a gateway endpoint using the command line**
+ [create-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) (AWS CLI)
+ [New-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

## Control access using bucket policies
<a name="bucket-policies-s3"></a>

You can use bucket policies to control access to buckets from specific endpoints, VPCs, IP address ranges, and AWS accounts. These examples assume that there are also policy statements that allow the access required for your use cases.

**Example: Restrict access to a specific endpoint**  
You can create a bucket policy that restricts access to a specific endpoint by using the [aws:sourceVpce](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce) condition key. The following policy denies access to the specified bucket using the specified actions unless the specified gateway endpoint is used. Note that this policy blocks access to the specified bucket using the specified actions through the AWS Management Console.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPCE",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket_name",
                   "arn:aws:s3:::bucket_name/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
```

**Example: Restrict access to a specific VPC**  
You can create a bucket policy that restricts access to specific VPCs by using the [aws:sourceVpc](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc) condition key. This is useful if you have multiple endpoints configured in the same VPC. The following policy denies access to the specified bucket using the specified actions unless the request comes from the specified VPC. Note that this policy blocks access to the specified bucket using the specified actions through the AWS Management Console.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::example_bucket",
                   "arn:aws:s3:::example_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
```

**Example: Restrict access to a specific IP address range**  
You can create a policy that restricts access to specific IP address ranges by using the [aws:VpcSourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-vpcsourceip) condition key. The following policy denies access to the specified bucket using the specified actions unless the request comes from the specified IP address. Note that this policy blocks access to the specified bucket using the specified actions through the AWS Management Console.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-VPC-CIDR",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::bucket_name",
                   "arn:aws:s3:::bucket_name/*"],
      "Condition": {
        "NotIpAddress": {
          "aws:VpcSourceIp": "172.31.0.0/16"
        }
      }
    }
  ]
}
```

**Example: Restrict access to buckets in a specific AWS account**  
You can create a policy that restricts access to the S3 buckets in a specific AWS account by using the `s3:ResourceAccount` condition key. The following policy denies access to S3 buckets using the specified actions unless they are owned by the specified AWS account.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-bucket-in-specific-account",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::*",
      "Condition": {
        "StringNotEquals": {
          "s3:ResourceAccount": "111122223333"
        }
      }
    }
  ]
}
```

## Associate route tables
<a name="associate-route-tables-s3"></a>

You can change the route tables that are associated with the gateway endpoint. When you associate a route table, we automatically add a route that points traffic destined for the service to the endpoint network interface. When you disassociate a route table, we automatically remove the endpoint route from the route table.

**To associate route tables using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Select the gateway endpoint.

1. Choose **Actions**, **Manage route tables**.

1. Select or deselect route tables as needed.

1. Choose **Modify route tables**.

**To associate route tables using the command line**
+ [modify-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint.html) (AWS CLI)
+ [Edit-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

## Edit the VPC endpoint policy
<a name="edit-vpc-endpoint-policy-s3"></a>

You can edit the endpoint policy for a gateway endpoint, which controls access to Amazon S3 from the VPC through the endpoint. After you update an endpoint policy, it can take a few minutes for the changes to take effect. The default policy allows full access. For more information, see [Endpoint policies](vpc-endpoints-access.md).

**To change the endpoint policy using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Select the gateway endpoint.

1. Choose **Actions**, **Manage policy**.

1. Choose **Full Access** to allow full access to the service, or choose **Custom** and attach a custom policy.

1. Choose **Save**.

The following are example endpoint policies for accessing Amazon S3.

**Example: Restrict access to a specific bucket**  
You can create a policy that restricts access to specific S3 buckets only. This is useful if you have other AWS services in your VPC that use S3 buckets.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-bucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
         "s3:ListBucket",
         "s3:GetObject",
         "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name",
        "arn:aws:s3:::bucket_name/*"
      ]
    }
  ]
}
```

**Example: Restrict access to a specific IAM role**  
You can create a policy that restricts access to a specific IAM role. You must use `aws:PrincipalArn` to grant access to a principal.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-IAM-role",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
        }
      }
    }
  ]
}
```

**Example: Restrict access to users in a specific account**  
You can create a policy that restricts access to a specific account.    

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-callers-from-specific-account",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "111122223333"
        }
      }
    }
  ]
}
```
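An added example, not code from the AWS documentation, that evaluates the bucket policies from "Control access using bucket policies" and the endpoint policies from this section against constructed request contexts. It shows why the Deny-unless-endpoint bucket policies also block the console: the negated operators (`StringNotEquals`, `NotIpAddress`) are true when the condition key is absent from the request, and a request that does not arrive through a VPC endpoint carries no `aws:sourceVpce`, `aws:sourceVpc` or `aws:VpcSourceIp` key. The evaluator covers only the operators those policies use, ignores the `Principal` element (every example uses `"*"`), and reuses the page's placeholder endpoint, VPC, CIDR, account and role values; the extra `Allow` statement in the bucket policy stands in for the allowing statements the page says are assumed to exist.

```python
import fnmatch
import ipaddress

# Constructed request context for a call that arrives through the gateway endpoint.
VIA_ENDPOINT = {
    "aws:sourceVpce": "vpce-1a2b3c4d",
    "aws:sourceVpc": "vpc-111bbb22",
    "aws:VpcSourceIp": "172.31.5.10",
    "s3:ResourceAccount": "111122223333",
    "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name",
    "aws:PrincipalAccount": "111122223333",
}
# The same principal calling from the AWS Management Console: no endpoint keys.
FROM_CONSOLE = {k: v for k, v in VIA_ENDPOINT.items()
                if k not in ("aws:sourceVpce", "aws:sourceVpc", "aws:VpcSourceIp")}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM string/ARN matching: case-sensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value, pattern)


def _ip_match(cidrs, value):
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_true(operator, key, wanted, ctx):
    """Evaluate one condition. Positive operators are false when the key is absent
    from the request; negated operators are true when it is absent."""
    wanted = _as_list(wanted)
    if operator in ("StringEquals", "StringLike", "ArnEquals", "ArnLike"):
        return key in ctx and any(_match(w, ctx[key]) for w in wanted)
    if operator in ("StringNotEquals", "ArnNotEquals"):
        return key not in ctx or not any(_match(w, ctx[key]) for w in wanted)
    if operator == "IpAddress":
        return key in ctx and _ip_match(wanted, ctx[key])
    if operator == "NotIpAddress":
        return key not in ctx or not _ip_match(wanted, ctx[key])
    raise ValueError("unsupported condition operator: " + operator)


def statement_applies(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and every Condition match."""
    if not any(_match(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return all(condition_true(op, key, wanted, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, wanted in block.items())


def evaluate_policy(policy, action, resource, ctx):
    """'Deny' if any matching statement denies, else 'Allow' if one allows,
    else 'ImplicitDeny'. An explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def request_allowed(policies, action, resource, ctx):
    """Simplification: a request through the endpoint must be allowed by each
    policy it passes through (here the endpoint policy and the bucket policy)."""
    return all(evaluate_policy(p, action, resource, ctx) == "Allow" for p in policies)


BUCKET_ARNS = ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]

# Bucket policy: a constructed Allow statement plus the page's Deny statement
# from "Example: Restrict access to a specific endpoint".
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow-object-access", "Effect": "Allow", "Principal": "*",
     "Action": OBJECT_ACTIONS, "Resource": BUCKET_ARNS},
    {"Sid": "Allow-access-to-specific-VPCE", "Effect": "Deny", "Principal": "*",
     "Action": OBJECT_ACTIONS, "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}},
]}

# Endpoint policy: the page's "Example: Restrict access to a specific bucket".
ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow-access-to-specific-bucket", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET_ARNS},
]}

OBJECT = "arn:aws:s3:::bucket_name/report.csv"
```

`condition_true` can be called directly to check the other condition keys on the page, for example `NotIpAddress` on `aws:VpcSourceIp` or `ArnEquals` on `aws:PrincipalArn`, against either context.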

## Delete a gateway endpoint
<a name="delete-gateway-endpoint-s3"></a>

When you are finished with a gateway endpoint, you can delete it. When you delete a gateway endpoint, we remove the endpoint route from the subnet route tables.

You can't delete a gateway endpoint if private DNS is enabled.

**To delete a gateway endpoint using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Select the gateway endpoint.

1. Choose **Actions**, **Delete VPC endpoints**. 

1. When prompted for confirmation, enter **delete**.

1. Choose **Delete**.

**To delete a gateway endpoint using the command line**
+ [delete-vpc-endpoints](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc-endpoints.html) (AWS CLI)
+ [Remove-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

# Gateway endpoints for Amazon DynamoDB
<a name="vpc-endpoints-ddb"></a>

You can access Amazon DynamoDB from your VPC using gateway VPC endpoints. After you create the gateway endpoint, you can add it as a target in your route table for traffic destined from your VPC to DynamoDB.

There is no additional charge for using gateway endpoints.

DynamoDB supports both gateway endpoints and interface endpoints. With a gateway endpoint, you can access DynamoDB from your VPC, without requiring an internet gateway or NAT device for your VPC, and with no additional cost. However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost. For more information, see [Types of VPC endpoints for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-ddb) in the *Amazon DynamoDB Developer Guide*.

**Topics**
+ [Considerations](#gateway-endpoint-considerations-ddb)
+ [Create a gateway endpoint](#create-gateway-endpoint-ddb)
+ [Control access using IAM policies](#iam-policies-ddb)
+ [Associate route tables](#associate-route-tables-ddb)
+ [Edit the VPC endpoint policy](#edit-vpc-endpoint-policy-ddb)
+ [Delete a gateway endpoint](#delete-gateway-endpoint-ddb)

## Considerations
<a name="gateway-endpoint-considerations-ddb"></a>
+ A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your DynamoDB tables.
+ If you're using the Amazon DNS servers, you must enable both [DNS hostnames and DNS resolution](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating) for your VPC. If you're using your own DNS server, ensure that requests to DynamoDB resolve correctly to the IP addresses maintained by AWS.
+ The rules for the security groups for your instances that access DynamoDB through a gateway endpoint must allow traffic to and from DynamoDB. You can reference the ID of the [prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) for DynamoDB in security group rules.
+ The network ACL for the subnet for your instances that access DynamoDB through a gateway endpoint must allow traffic to and from DynamoDB. You can't reference prefix lists in network ACL rules, but you can get the IP address range for DynamoDB from the [prefix list](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html) for DynamoDB.
+ If you use AWS CloudTrail to log DynamoDB operations, the log files contain the private IP addresses of the EC2 instances in the service consumer VPC and the ID of the gateway endpoint for any requests performed through the endpoint.
+ Gateway endpoints support only IPv4 traffic.
+ The source IPv4 addresses from instances in your affected subnets change from public IPv4 addresses to private IPv4 addresses from your VPC. An endpoint switches network routes and disconnects open TCP connections. The previous connections that used public IPv4 addresses are not resumed. We recommend that you do not have any critical tasks running when you create or modify a gateway endpoint. Alternatively, test to ensure that your software can automatically reconnect to DynamoDB if a connection breaks.
+ Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with DynamoDB.
+ Your account has a default quota of 20 gateway endpoints per Region, which is adjustable. There is also a limit of 255 gateway endpoints per VPC.

## Create a gateway endpoint
<a name="create-gateway-endpoint-ddb"></a>

Use the following procedure to create a gateway endpoint that connects to DynamoDB.

**To create a gateway endpoint using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create endpoint**.

1. For **Service category**, choose **AWS services**.

1. For **Services**, add the filter **Type = Gateway** and select **com.amazonaws.***region***.dynamodb**.

1. For **VPC**, select the VPC in which to create the endpoint.

1. For **Route tables**, select the route tables to be used by the endpoint. We automatically add a route that points traffic destined for the service to the endpoint network interface.

1. For **Policy**, select **Full access** to allow all operations by all principals on all resources over the VPC endpoint. Otherwise, select **Custom** to attach a VPC endpoint policy that controls the permissions that principals have to perform actions on resources over the VPC endpoint.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create endpoint**.

**To create a gateway endpoint using the command line**
+ [create-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) (AWS CLI)
+ [New-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

## Control access using IAM policies
<a name="iam-policies-ddb"></a>

You can create IAM policies to control which IAM principals can access DynamoDB tables using a specific VPC endpoint.

**Example: Restrict access to a specific endpoint**  
You can create a policy that restricts access to a specific VPC endpoint by using the [aws:sourceVpce](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpce) condition key. The following policy denies access to DynamoDB tables in the account unless the specified VPC endpoint is used. This example assumes that there is also a policy statement that allows the access required for your use cases.    

```
{
   "Version":"2012-10-17",
   "Statement": [
      {
         "Sid": "Allow-access-from-specific-endpoint",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/*",
         "Condition": { 
            "StringNotEquals" : { 
               "aws:sourceVpce": "vpce-11aa22bb" 
            } 
         }
      }
   ]
}
```

**Example: Allow access from a specific IAM role**  
You can create a policy that allows access using a specific IAM role. The following policy grants access to the specified IAM role.    

```
{
   "Version":"2012-10-17",
   "Statement": [
      {
         "Sid": "Allow-access-from-specific-IAM-role",
         "Effect": "Allow",
         "Principal": "*",
         "Action": "*",
         "Resource": "*",
         "Condition": {
            "ArnEquals": {
               "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
            }
         }
      }
   ]
}
```

**Example: Allow access from a specific account**  
You can create a policy that allows access from a specific account only. The following policy grants access to users in the specified account.    

```
{
   "Version":"2012-10-17",
   "Statement": [
      {
         "Sid": "Allow-access-from-account",
         "Effect": "Allow",
         "Principal": "*",
         "Action": "*",
         "Resource": "*",
         "Condition": {
            "StringEquals": {
               "aws:PrincipalAccount": "111122223333"
            }
         }
      }
   ]
}
```

## Associate route tables
<a name="associate-route-tables-ddb"></a>

You can change the route tables that are associated with the gateway endpoint. When you associate a route table, we automatically add a route that points traffic destined for the service to the endpoint network interface. When you disassociate a route table, we automatically remove the endpoint route from the route table.

**To associate route tables using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Select the gateway endpoint.

1. Choose **Actions**, **Manage route tables**.

1. Select or deselect route tables as needed.

1. Choose **Modify route tables**.

**To associate route tables using the command line**
+ [modify-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint.html) (AWS CLI)
+ [Edit-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

## Edit the VPC endpoint policy
<a name="edit-vpc-endpoint-policy-ddb"></a>

You can edit the endpoint policy for a gateway endpoint, which controls access to DynamoDB from the VPC through the endpoint. After you update an endpoint policy, it can take a few minutes for the changes to take effect. The default policy allows full access. For more information, see [Endpoint policies](vpc-endpoints-access.md).

**To change the endpoint policy using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Select the gateway endpoint.

1. Choose **Actions**, **Manage policy**.

1. Choose **Full Access** to allow full access to the service, or choose **Custom** and attach a custom policy.

1. Choose **Save**.

**To modify a gateway endpoint using the command line**
+ [modify-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint.html) (AWS CLI)
+ [Edit-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

The following are example endpoint policies for accessing DynamoDB.

**Example: Allow read-only access**  
You can create a policy that restricts the endpoint to read-only access. The following policy grants permission only to list and describe DynamoDB tables.  

```
{
  "Statement": [
    {
      "Sid": "ReadOnlyAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTables"
      ],
      "Resource": "*"
    }
  ]
}
```

**Example: Restrict access to a specific table**  
You can create a policy that restricts access to a specific DynamoDB table. The following policy allows access to the specified DynamoDB table.  

```
{
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-table",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "dynamodb:Batch*",
        "dynamodb:Delete*",
        "dynamodb:DescribeTable",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Update*"
      ],
      "Resource": "arn:aws:dynamodb:region:123456789012:table/table_name"
    }
  ]
}
```
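As an added check (example code written for this page, not from the AWS documentation or any AWS SDK) that covers both the IAM policies under "Control access using IAM policies" and the endpoint policies above, the following evaluates a DynamoDB request against a caller's IAM policy and a gateway endpoint policy the way the two combine: an explicit Deny wins, a negated condition such as `StringNotEquals` matches a request where `aws:sourceVpce` is absent, and the request must be allowed by both policies. The table name `orders`, the second endpoint ID used in the checks and the evaluator's function names are constructed; the endpoint ID and account number in the policies are the page's own placeholders.

```python
import fnmatch

# Constructed sample policies modelled on this page's examples; the endpoint ID
# and account number are the page's own placeholders, not real values.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "dynamodb:*",
     "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/*",
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-11aa22bb"}}}]}
ENDPOINT_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Batch*"],
     "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/orders"}]}

# (test, result when the context key is absent). Negated operators match a missing
# key, so the Deny above also covers requests that never used any VPC endpoint.
OPERATORS = {
    "StringEquals": (lambda have, want: have == want, False),
    "StringNotEquals": (lambda have, want: have != want, True),
    "ArnEquals": (lambda have, want: fnmatch.fnmatchcase(have, want), False)}

def _match(patterns, value):
    """IAM-style wildcard match; Action and Resource may be a string or a list."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _conditions_hold(statement, ctx):
    for op, pairs in statement.get("Condition", {}).items():
        test, missing_ok = OPERATORS[op]
        for key, want in pairs.items():
            have = ctx.get(key.lower())  # condition keys are case-insensitive
            if not (missing_ok if have is None else test(have, want)):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """One policy's decision: 'Allow', 'Deny' or 'ImplicitDeny'; Deny wins. Principal matching is skipped (the page's examples all use "*")."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if (_match(st["Action"], action) and _match(st["Resource"], resource)
                and _conditions_hold(st, ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def request_allowed(action, resource, ctx):
    """Over a gateway endpoint, both the caller's IAM policy and the endpoint policy must allow the call; either one alone can block it."""
    return all(evaluate(p, action, resource, ctx) == "Allow"
               for p in (IDENTITY_POLICY, ENDPOINT_POLICY))
```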

## Delete a gateway endpoint
<a name="delete-gateway-endpoint-ddb"></a>

When you are finished with a gateway endpoint, you can delete it. When you delete a gateway endpoint, we remove the endpoint route from the subnet route tables.

**To delete a gateway endpoint using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Select the gateway endpoint.

1. Choose **Actions**, **Delete VPC endpoints**. 

1. When prompted for confirmation, enter **delete**.

1. Choose **Delete**.

**To delete a gateway endpoint using the command line**
+ [delete-vpc-endpoints](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc-endpoints.html) (AWS CLI)
+ [Remove-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2VpcEndpoint.html) (Tools for Windows PowerShell)