Certified Security - Specialty

Sign Up Free or Log In to participate!

How is an Endpoint gateway more resilient than Endpoint interface?

It is mentioned that they are however the definition that AWS provides:

  • An interface endpoint is powered by PrivateLink, and uses an elastic network interface (ENI) as an entry point for traffic destined to the service.

  • A gateway endpoint serves as a target for a route in your route table for traffic destined for the service.

For PrivateLink they say it is a highly available, scalable technology that enables private access to services.

Therefore a specific Private links is as resilient as the service implemented behind it.  I cannot imagine AWS not doing their due diligence for implementing those services HA & scalable.

I guess the reasoning is that you have the ENI as single point of failure however an ENI is something virtual rather than a physical interface and in this case it would point to the NLB of the interface service so I don’t see how this is a single point of failure. (If I’m wrong please help me see).

I believe the difference between interface endpoint and gateway endpoint is not so much the resilience but rather the how it is implemented(For example for an S3 endpoint):

For a gateway the magic happens in the VPC router. Routes are injected there using the prefix list of the server.  In the example the public IPs of S3 will be in that prefix-list. Therefore the instance puts network packets on its interface and then VPC will know what to do with them.

For an interface endpoint the magic happens as a combination of (1) DNS and (2) the PrivateLink ENI.

So it is recommended you use Amazon provided DNS & Amazon provided hostnames because then AWS will take care of the DNS part.  If not you need to make sure that your instances are configured with a DNS service that resolved the public DNS name of the service (e.g. S3) is seen as a CNAME to the DNS name provided by the create interface endpoint.  

Due to this DNS resolution makes sure traffic will be sent to the ENI of the private link which will make sure your traffic arrives at the NLB.

So the only concern I see is that an Interface endpoint needs an interface in every AZ.  Because ENI’s exist within an AZ you would want to configure your AZ’s to use the DNS name for the endpoint in their AZ.  Such that you are not impacted by an AZ outage.  Where a gateway is regional out of the box. 

If you use Amazon provided DNS and hostnames and setup your endpoint to update Amazon provided DNS then the only thing you need to do is select a subnet in each AZ that is routable from the hosts you want to provide with S3 access.

Is that a correct understanding or are their other resilience difference between the two.

1 Answers

Hi,

I think your analysis is quite robust.
I have not checked all your facts, but it looks like you have canvassed the main issues.

Remember that AWS do not guarantee HA and resilience on all services. In fact they are quite up front that outages will happen and that ‘you’ the engineer are responsible for architecting to provider the level of HA and resilience you need.  You touched on this in you dialogue when you said that you would need an ENI in avery AZ (you are engineering to provide the resilience).

With a Endpoint gateway AWS take care of replacing failed appliance etc. to provide the contracted service.  With Endpoint Interface you need to manage the interfaces, what they are attached to and what happens if they fail for some reason.


Thank you for sharing your thinking on this.

Rusty

Moderator & Coach

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?