
Overview of VPC Endpoints

The document discusses VPC endpoints, which allow communication between resources in a VPC and other AWS services over the AWS private network instead of the public internet. This avoids costs and security issues with internet access. Specifically, it provides an example of allowing an EC2 instance in a private subnet to access an S3 bucket by creating a VPC endpoint and associated route table entry, directing traffic to the S3 service privately rather than out to the internet. VPC endpoints provide benefits like lower latency and cost, without bottlenecks of public internet gateways and with more secure encryption of data in transit within AWS networks.

Uploaded by shubh240184

-: Hey, everyone and welcome back. Now in today's video, we'll be discussing one of the very interesting topics, which is VPC endpoints. Now, before we go ahead and discuss the VPC endpoints in more detail, let's take a simple use case where communication is required between an EC2 instance and an S3 bucket.

Now, we already know that for an EC2 instance to be able to communicate with various public services like S3, DynamoDB and others, the traffic ultimately needs to be passed via the internet, and that happens via the internet gateway. So the traffic goes through the internet to reach the public S3 endpoint. So, if we look into it from an architectural perspective, the EC2 instances that are available, let's assume they are in a public subnet. The traffic first reaches the internet gateway, and from the internet gateway it reaches the S3 public endpoint towards the S3 bucket.

Now this is all good; however, there are certain challenges that are introduced specifically whenever the workloads are private. Let's assume that you have a private subnet where you have created an EC2 instance. Now, this EC2 instance wants to communicate with the S3 bucket. Now, since there is no direct route available via the internet gateway, the EC2 instance will not be able to communicate with S3.


Now, one of the questions that comes up is: why don't you directly put a NAT gateway, and then the communication can go to the S3 bucket? So this is good. But many times, in a lot of organizations, the workloads are very sensitive. So they host very sensitive data, and auditors strictly recommend that the EC2 instances should not be able to communicate towards the internet directly or indirectly. So in such cases, the challenge becomes that the EC2 instance will not be able to communicate with the AWS services as well. So this is one of the challenges that many organizations face.

Now also, there are some downsides, specifically whenever you are making use of the public internet. The first one is that there are data transfer costs that are involved. Let's say that you are uploading as well as downloading terabytes of data from EC2 to S3 or vice versa. Then you'll also have to pay for the data transfer cost. There'll also be a higher latency, specifically if a large amount of data travels over the internet. It can also bottleneck your internet gateways, specifically when you have a large amount of data that is being uploaded or downloaded. And also, you have security reasons as well.

Now, in order to overcome these challenges, AWS has introduced a feature called VPC endpoints. So at a high level overview, VPC endpoints allow us to connect a VPC to other AWS services or to other supported services over the AWS private network. And this is a big advantage. So now, let's say an instance in a private subnet wants to communicate with the S3 bucket, assuming that you do not really have a NAT gateway or even an internet gateway. With the help of a VPC endpoint, this EC2 instance will be able to communicate perfectly with the S3 bucket. So instead of the internet gateway, now you have the VPC endpoint. And this entire network communication that we are discussing goes over the AWS private network. It does not go towards the internet. And this is the high level overview of the benefits of VPC endpoints.

So before we conclude, let's go ahead and have a quick demo associated with VPC endpoints. Now for today's demo, I have two EC2 instances that are available. One is in the public subnet and the second is in the private subnet. This is very similar to the diagram that we were discussing. You have an EC2 instance in public and you have an EC2 instance in private. Now the EC2 instance in the public subnet has a direct route towards the internet gateway. And the EC2 instance in the private subnet does not have any associated route with the internet gateway.

Now, let me also show you this. So, we have this VPC and within this VPC, so within here, there are two subnets that are available. One is the public subnet. As we already know, if we look into the route table, one of the routes goes directly towards the internet gateway. And if we explore the private subnet, you see it does not have any route towards the internet gateway or NAT gateway. So you just have a local route that is available.

So, let's do one thing. What we'll do is we'll go ahead and connect to the private EC2 instance here. Now, since this private EC2 instance does not have any internet route, we cannot directly connect to it. So what we'll do, we'll first connect to the public EC2. And from the public EC2, we'll go ahead and connect to the private EC2 instance. So let's do one thing. Let's go ahead and quickly connect to the public EC2 instance here.


So the first SSH that we are doing is towards the public EC2. All right, let's quickly go to the root user, and now we'll go ahead and connect to the EC2 instance in the private subnet. And we are connecting to the private IP. So let's go ahead and connect to it. And as expected, things are working well.

Now from this private EC2, I'll quickly do aws s3 ls. I'll also specify the region; let's say ap-northeast-3. As expected, you will not see any result, primarily because there is no way of routing this specific traffic towards S3.

So now, I also have the VPC endpoint that is already created. Let's go ahead and associate this endpoint with the route table which is associated with the private subnet. So let me go ahead and do that. So now from the EC2 instance, let's go ahead and run the aws s3 ls command here again. And now you see things are working perfectly well.

Now this traffic that we were discussing, this traffic is going via the VPC endpoint. So let me also show you this. So within this private subnet here, if I quickly go to the route tables here, apart from the one route that was present, you also have one more route with the target of the VPC endpoint. So now, automatically, whenever the traffic from the EC2 instance is destined to go towards the S3 URLs, the traffic will be routed via this specific route. So this route is where the traffic will be routed to, and it will be routed to the VPC endpoint through which the communication happens to the S3 bucket. Great.
Great.

So I hope at a high level overview, you understood the basics of VPC endpoints. Not only does it help us with the data transfer cost, it gives us lower latency. There is no longer a bottleneck at the internet gateway, and you also have better security. And now, one of the questions that comes up is: why better security? Primarily because ultimately, even at the S3 level, the traffic between EC2 and S3 is always encrypted. So do note, at a high level overview, even when we discuss HTTPS, TLS also has some vulnerabilities that are always released after a certain amount of time. So it is always better when it comes to sending the traffic over the AWS private network rather than sending it over the internet. And this is one of the things that auditors are also happy about, specifically for sensitive workloads, if you are sending the traffic over the private network. That's great.

So I hope with this, you understood the basics of VPC endpoints, and we'll conclude today's video.
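The demo's end state is a private subnet whose route table has no internet gateway or NAT gateway route but does have a prefix-list route targeting the S3 gateway endpoint. The script below is an added example, not code from the video, that checks exactly that condition over route tables in the JSON shape returned by aws ec2 describe-route-tables (RouteTables[].Routes[] with DestinationCidrBlock / DestinationPrefixListId, GatewayId, NatGatewayId and State). The sample route tables and every resource ID in them are constructed placeholders, not values from a real account; the three tables mirror the public subnet, the private subnet before the endpoint was associated, and the private subnet after.

```python
"""Audit route tables for the private-subnet + S3 gateway endpoint pattern.

Added example (not the video's code). Input is the JSON produced by
`aws ec2 describe-route-tables --output json`; the sample below is constructed.
"""
import json

# Constructed sample; IDs are placeholders, not real AWS resource IDs.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {   # public subnet: default route to the internet gateway
            "RouteTableId": "rtb-public-EXAMPLE",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
            ],
        },
        {   # private subnet before the demo: only the local route
            "RouteTableId": "rtb-private-before-EXAMPLE",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {   # private subnet after associating the S3 gateway endpoint
            "RouteTableId": "rtb-private-after-EXAMPLE",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                # Gateway endpoints add a route whose destination is a managed prefix list
                # for the service and whose target is the vpce- ID.
                {"DestinationPrefixListId": "pl-EXAMPLE", "GatewayId": "vpce-EXAMPLE", "State": "active"},
            ],
        },
    ]
})


def classify_route(route):
    """Label one route: local, internet (igw-), nat, endpoint (prefix list -> vpce-), blackhole, other."""
    if route.get("State") == "blackhole":
        return "blackhole"          # target no longer exists; carries no traffic
    gw = route.get("GatewayId", "")
    if gw == "local":
        return "local"
    if gw.startswith("igw-"):
        return "internet"
    if route.get("NatGatewayId", "").startswith("nat-"):
        return "nat"
    if gw.startswith("vpce-") and "DestinationPrefixListId" in route:
        return "endpoint"
    return "other"                  # peering, TGW, ENI targets etc.; out of scope here


def audit_route_tables(describe_output_json):
    """Return {RouteTableId: summary} where summary has three booleans.

    is_isolated: no active igw-/nat- route, so no path to the internet at all.
    has_gateway_endpoint_route: a prefix-list route targeting a gateway endpoint.
    s3_reachable_privately: both of the above, i.e. the demo's final state.
    """
    tables = json.loads(describe_output_json)["RouteTables"]
    result = {}
    for table in tables:
        kinds = {classify_route(r) for r in table.get("Routes", [])}
        isolated = not ({"internet", "nat"} & kinds)
        has_endpoint = "endpoint" in kinds
        result[table["RouteTableId"]] = {
            "is_isolated": isolated,
            "has_gateway_endpoint_route": has_endpoint,
            "s3_reachable_privately": isolated and has_endpoint,
        }
    return result


if __name__ == "__main__":
    for rtb_id, summary in audit_route_tables(SAMPLE_DESCRIBE_ROUTE_TABLES).items():
        print(rtb_id, summary)
```

Two caveats when running this against real output: a prefix-list route only tells you some gateway endpoint (S3 or DynamoDB) is attached, so resolve the pl- ID with aws ec2 describe-prefix-lists if you need to confirm it is the S3 one; and interface endpoints (PrivateLink) do not appear as routes at all, so this check is specific to the gateway-endpoint pattern shown in the demo.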
