Friday, July 3, 2026

Why doesn't Bedrock use a Gateway Endpoint?

Imagine the scale.

Amazon S3 stores objects and is optimized for very high-bandwidth data transfer.

Gateway Endpoints were specifically designed for this kind of regional storage service.

Amazon Bedrock is an API-based service. Each request is similar to making an HTTPS API call such as InvokeModel.

API services fit naturally behind PrivateLink.

Why doesn't S3 use an Interface Endpoint?

It could, but it would be inefficient.

Suppose you're uploading a 10 TB dataset for model training.

If every byte flowed through an ENI, it would introduce unnecessary complexity and cost.

Gateway Endpoints are optimized for this kind of traffic.

Visual Comparison

Gateway Endpoint

  EC2/Lambda
       │
  Route Table
       │
  Gateway Endpoint
       │
  Amazon S3

Notice there is no network interface.

Interface Endpoint

  EC2/Lambda
       │
  Security Group
       │
  Private ENI
       │
  PrivateLink
       │
  Amazon Bedrock

Notice the ENI and security group.

Security Differences

Gateway Endpoint

Security is controlled using:

  Route tables
  IAM policies
  S3 bucket policies
  DynamoDB policies
  Endpoint policies

There are no security groups because there is no ENI.

Interface Endpoint

Security is controlled using:

  Security groups
  IAM policies
  Endpoint policies

Because an Interface Endpoint has an ENI, it behaves like a network interface attached to your VPC.
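The two endpoint types need different checks, as the lists above show: a Gateway Endpoint has only its endpoint policy on the endpoint side, while an Interface Endpoint also has an ENI with a security group and DNS that must point at it. The following audit script is an added example, not code from the original post; it assumes records shaped like the output of EC2 DescribeVpcEndpoints, a hypothetical {security_group_id: [(port, source_cidr)]} map for security group rules, and constructed placeholder IDs.

```python
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def gateway_policy_is_full_access(policy_doc):
    """True if the endpoint policy still lets any principal do any action on any resource (the default policy)."""
    for st in json.loads(policy_doc).get("Statement", []):
        p = st.get("Principal")
        open_principal = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        if (st.get("Effect") == "Allow" and open_principal
                and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            return True
    return False

def audit_endpoints(endpoints, sg_rules):
    """endpoints: records shaped like ec2.describe_vpc_endpoints()["VpcEndpoints"];
    sg_rules: {sg_id: [(port, source_cidr), ...]} (hypothetical shape). Returns (endpoint_id, finding)."""
    findings = []
    for ep in endpoints:
        ep_id = ep["VpcEndpointId"]
        if ep["VpcEndpointType"] == "Gateway":
            # No ENI and no security group: the endpoint policy is the only endpoint-side control.
            if gateway_policy_is_full_access(ep.get("PolicyDocument", "{}")):
                findings.append((ep_id, "gateway endpoint uses the default full-access policy"))
        elif ep["VpcEndpointType"] == "Interface":
            # Has an ENI: the service hostname must resolve to it, and its security group should be scoped.
            if not ep.get("PrivateDnsEnabled", False):
                findings.append((ep_id, "private DNS disabled; default service hostnames do not resolve to the ENI"))
            for g in ep.get("Groups", []):
                for port, cidr in sg_rules.get(g["GroupId"], []):
                    if port == 443 and cidr == "0.0.0.0/0":
                        findings.append((ep_id, f"{g['GroupId']} allows 443 from any source"))
    return findings

# Constructed sample data with placeholder IDs, not output from a real account.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3",
     "PolicyDocument": json.dumps({"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.bedrock-runtime",
     "PrivateDnsEnabled": True, "Groups": [{"GroupId": "sg-0ccc"}]},
]
SAMPLE_SG_RULES = {"sg-0ccc": [(443, "0.0.0.0/0")]}
```

Against the sample data the S3 Gateway Endpoint is flagged for its default policy and the Bedrock Interface Endpoint for its over-broad security group; in practice feed it the real describe_vpc_endpoints output and the security group rules from your account.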

Cost Comparison

Feature                  Gateway Endpoint   Interface Endpoint
Hourly charge            No                 Yes
Data processing charge   No                 Yes (typically)
ENI created              No                 Yes
Security groups          No                 Yes
Route table entry        Yes                No (DNS resolves to ENI)

AI Workload Example

Suppose you're building a document Q&A system.

  Documents
       │
  Amazon S3
       │
  Lambda
       │
  Amazon Bedrock
       │
  Secrets Manager

Recommended endpoints:

Service                  Endpoint Type        Why
Amazon S3                Gateway Endpoint     Efficient access to large document storage
Amazon Bedrock           Interface Endpoint   Private API calls to foundation models
AWS Secrets Manager      Interface Endpoint   Secure retrieval of credentials
Amazon CloudWatch Logs   Interface Endpoint   Private logging
AWS KMS                  Interface Endpoint   Private encryption key operations

This minimizes internet exposure while using the most appropriate endpoint type for each service.


Exam Memory Trick

Think of it this way:

Gateway Endpoint = "Route me directly to a regional storage service."

➜ Used only for Amazon S3 and Amazon DynamoDB.

Interface Endpoint (PrivateLink) = "Give me a private network interface so I can call an API privately."

➜ Used for most AWS managed services, including Amazon Bedrock, AWS Secrets Manager, Amazon CloudWatch, AWS KMS, and many others.

Quick exam shortcut

If an AWS exam question asks:

"Need private access to Amazon S3 or DynamoDB?" → Choose a Gateway Endpoint.

"Need private access to almost any other AWS managed service (including Bedrock)?" → Choose an Interface Endpoint (AWS PrivateLink).
Remember that both keep traffic on the AWS network; they differ in how they provide that private connectivity and which services they support.
