Imagine the scale.
Amazon S3 stores objects and is optimized for very high-bandwidth data transfer.
Gateway Endpoints were specifically designed for these storage services.
Amazon Bedrock is an API-based service. Each request is a single HTTPS API call, such as InvokeModel.
API services fit naturally behind PrivateLink.
Why doesn't S3 use an Interface Endpoint?
It could, but it would be inefficient.
Suppose you're uploading a 10 TB dataset for model training.
If every byte flowed through an ENI, it would introduce unnecessary complexity and cost.
Gateway Endpoints are optimized for this kind of traffic.
Visual Comparison
Gateway Endpoint
EC2/Lambda
│
Route Table
│
Gateway Endpoint
│
Amazon S3
Notice there is no network interface.
Interface Endpoint
EC2/Lambda
│
Security Group
│
Private ENI
│
PrivateLink
│
Amazon Bedrock
Notice the ENI and security group.
Security Differences
Gateway Endpoint
Security is controlled using:
Route tables
IAM policies
S3 bucket policies
DynamoDB policies
Endpoint policies
There are no security groups because there is no ENI.
Interface Endpoint
Security is controlled using:
Security groups
IAM policies
Endpoint policies
Because an Interface Endpoint has an ENI, it behaves like a network interface attached to your VPC.
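The two Gateway Endpoint controls listed above, endpoint policies and S3 bucket policies, work best as a pair: the endpoint policy limits which buckets the VPC can reach through the endpoint, and the bucket policy (using the aws:SourceVpce condition key) limits which endpoint can reach the bucket. The following is an added example, not code from the original article, that builds both documents and runs requests through a deliberately small subset of IAM evaluation logic (explicit Deny wins, otherwise an Allow is required). The bucket ARN and endpoint ID are constructed sample values, and the caller's identity policy is assumed to allow the action.

```python
"""Added example (not from the original article): endpoint policy plus
bucket policy for an S3 Gateway Endpoint, with a toy evaluator.
Only StringEquals / StringNotEquals conditions and glob-style Action /
Resource matching are modelled, which is all these two policies need."""
import fnmatch

VPCE_ID = "vpce-0123456789abcdef0"                   # constructed sample endpoint ID
DATASET_BUCKET = "arn:aws:s3:::example-training-data"  # constructed sample bucket ARN

# Endpoint policy attached to the Gateway Endpoint: whatever the caller's IAM
# policy says, only the dataset bucket is reachable through this route, which
# blocks copying data out to any other bucket via the endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [DATASET_BUCKET, DATASET_BUCKET + "/*"],
    }],
}

# Bucket policy on the dataset bucket: deny every request that did not arrive
# through our endpoint, so the bucket is unreachable from the public S3 endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [DATASET_BUCKET, DATASET_BUCKET + "/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM Action/Resource wildcards behave like shell globs for our purposes.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            equal = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'NoMatch' for one policy; explicit Deny wins."""
    result = "NoMatch"
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def request_allowed(action, resource, source_vpce):
    """Decide one S3 request. source_vpce is the endpoint the request came
    through, or None for a request from outside the VPC (public endpoint)."""
    context = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    if evaluate(BUCKET_POLICY, action, resource, context) == "Deny":
        return False
    if source_vpce == VPCE_ID:
        # Traffic through our Gateway Endpoint is additionally filtered by
        # the endpoint policy and needs an explicit Allow there.
        return evaluate(ENDPOINT_POLICY, action, resource, context) == "Allow"
    # Not via our endpoint: only identity + bucket policies apply, and the
    # identity policy is assumed to allow in this toy model.
    return True


if __name__ == "__main__":
    print(request_allowed("s3:GetObject", DATASET_BUCKET + "/train.parquet", VPCE_ID))
    print(request_allowed("s3:GetObject", DATASET_BUCKET + "/train.parquet", None))
    print(request_allowed("s3:PutObject", "arn:aws:s3:::some-other-bucket/x", VPCE_ID))
```

Reading the three printed cases top to bottom: a read through the endpoint succeeds, the same read from the internet is denied by the bucket policy, and a write to an unrelated bucket through the endpoint is stopped by the endpoint policy. This is the Gateway Endpoint equivalent of the security group that an Interface Endpoint's ENI carries: the network-level and resource-level controls are different objects, so both need to be reviewed.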
Cost Comparison
Feature                 Gateway Endpoint   Interface Endpoint
Hourly charge           No                 Yes
Data processing charge  No                 Yes (typically)
ENI created             No                 Yes
Security groups         No                 Yes
Route table entry       Yes                No (DNS resolves to ENI)
AI Workload Example
Suppose you're building a document Q&A system.
Documents
↓
Amazon S3
↓
Lambda
↓
Amazon Bedrock
↓
Secrets Manager
Recommended endpoints:
Service                 Endpoint Type       Why
Amazon S3               Gateway Endpoint    Efficient access to large document storage
Amazon Bedrock          Interface Endpoint  Private API calls to foundation models
AWS Secrets Manager     Interface Endpoint  Secure retrieval of credentials
Amazon CloudWatch Logs  Interface Endpoint  Private logging
AWS KMS                 Interface Endpoint  Private encryption key operations
This minimizes internet exposure while using the most appropriate endpoint type for each service.
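To make the recommendation table concrete, here is an added example (not code from the original article) that emits a CloudFormation fragment for the five endpoints and lints it against the structural rules described above: a Gateway Endpoint is attached to route tables and carries no security group, while an Interface Endpoint is placed in subnets, gets a security group, and has private DNS enabled so SDK calls resolve to the ENI. The region, VPC, subnet, route-table IDs and CIDR are constructed sample values; the service names follow the standard com.amazonaws.<region>.<service> pattern, with Bedrock's InvokeModel served by the bedrock-runtime service.

```python
"""Added example (not from the original article): generate and lint the
VPC endpoint resources for the document Q&A workload."""

REGION = "us-east-1"                                   # constructed sample
VPC_ID = "vpc-0abc1234def567890"                       # constructed sample
VPC_CIDR = "10.0.0.0/16"                               # constructed sample
ROUTE_TABLE_IDS = ["rtb-0aaa1111", "rtb-0bbb2222"]     # constructed sample
SUBNET_IDS = ["subnet-0aaa1111", "subnet-0bbb2222"]    # constructed sample

# Service -> endpoint type, mirroring the recommendation table above.
RECOMMENDED = {
    "s3": "Gateway",
    "bedrock-runtime": "Interface",   # InvokeModel is served by bedrock-runtime
    "secretsmanager": "Interface",
    "logs": "Interface",              # CloudWatch Logs
    "kms": "Interface",
}


def endpoint_resource(service, endpoint_type):
    """Build one AWS::EC2::VPCEndpoint resource of the requested type."""
    props = {
        "VpcId": VPC_ID,
        "ServiceName": f"com.amazonaws.{REGION}.{service}",
        "VpcEndpointType": endpoint_type,
    }
    if endpoint_type == "Gateway":
        # No ENI: reachability is a route-table entry, nothing else.
        props["RouteTableIds"] = ROUTE_TABLE_IDS
    elif endpoint_type == "Interface":
        # ENI per subnet, guarded by a security group; private DNS makes the
        # public service hostname resolve to the ENI inside the VPC.
        props["SubnetIds"] = SUBNET_IDS
        props["SecurityGroupIds"] = [{"Ref": "EndpointSecurityGroup"}]
        props["PrivateDnsEnabled"] = True
    else:
        raise ValueError(f"unknown endpoint type: {endpoint_type}")
    return {"Type": "AWS::EC2::VPCEndpoint", "Properties": props}


def build_template(recommended=RECOMMENDED):
    """Return a CloudFormation template dict with all endpoints and their SG."""
    resources = {
        # Only HTTPS, only from inside the VPC, reaches the interface ENIs.
        "EndpointSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "HTTPS to interface endpoints from the VPC",
                "VpcId": VPC_ID,
                "SecurityGroupIngress": [{
                    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "CidrIp": VPC_CIDR,
                }],
            },
        }
    }
    for service, endpoint_type in recommended.items():
        logical_id = "".join(p.capitalize() for p in service.split("-")) + "Endpoint"
        resources[logical_id] = endpoint_resource(service, endpoint_type)
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def lint(template):
    """Return a list of findings; an empty list means every endpoint follows
    the Gateway-vs-Interface rules from the article."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::VPCEndpoint":
            continue
        p = res["Properties"]
        if p["VpcEndpointType"] == "Gateway":
            if "SecurityGroupIds" in p or "SubnetIds" in p:
                findings.append(f"{name}: Gateway Endpoint has no ENI, drop SGs/subnets")
            if not p.get("RouteTableIds"):
                findings.append(f"{name}: Gateway Endpoint needs RouteTableIds")
            if not p["ServiceName"].endswith((".s3", ".dynamodb")):
                findings.append(f"{name}: only S3 and DynamoDB support Gateway Endpoints")
        else:
            if not p.get("SubnetIds") or not p.get("SecurityGroupIds"):
                findings.append(f"{name}: Interface Endpoint needs subnets and a security group")
            if not p.get("PrivateDnsEnabled"):
                findings.append(f"{name}: enable private DNS so calls stay on the endpoint")
            if "RouteTableIds" in p:
                findings.append(f"{name}: Interface Endpoint is reached via DNS, not routes")
    return findings


if __name__ == "__main__":
    import json
    template = build_template()
    print(json.dumps(template, indent=2))
    print("findings:", lint(template))
```

The linter is the part worth keeping: dropping it into a CI check on your templates catches the two mistakes this article is about, a Gateway type requested for a service that only offers PrivateLink, and an Interface Endpoint deployed without a security group or private DNS, before the stack is ever created.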
Exam Memory Trick
Think of it this way:
Gateway Endpoint = "Route me directly to a regional storage service."
➜ Used only for Amazon S3 and Amazon DynamoDB.
Interface Endpoint (PrivateLink) = "Give me a private network interface so I can call an API privately."
➜ Used for most AWS managed services, including Amazon Bedrock, AWS Secrets Manager, Amazon CloudWatch, AWS KMS, and many others.
Quick exam shortcut
If an AWS exam question asks:
"Need private access to Amazon S3 or DynamoDB?" → Choose a Gateway Endpoint.
"Need private access to almost any other AWS managed service (including Bedrock)?" → Choose an Interface Endpoint (AWS PrivateLink).
Remember that both keep traffic on the AWS network; they differ in how they provide that private connectivity and which services they support.