
VPC Endpoint

What it is: A private connection between your VPC and supported AWS services without using the public internet.

What it’s for:

  • Access services like S3/DynamoDB privately (improved security).
  • Avoid NAT costs for S3/DynamoDB traffic (common optimization).

Types (exam-relevant):

  • Gateway Endpoint: for S3 and DynamoDB (adds routes to the route table).
  • Interface Endpoint (PrivateLink): ENIs in your subnets for many services.

Exam cues:

  • “private access to S3 without internet” → S3 VPC Endpoint (Gateway).
  • “reduce NAT gateway data processing costs for S3” → use VPC Endpoint.

Hard words:

  • *endpoint* /ˈendpɔɪnt/: connection point
  • *private* /ˈpraɪvət/: private, not public
  • *interface* /ˈɪntərfeɪs/: interface (here: interface endpoint)
  • *ENI* /ˌiː en ˈaɪ/: Elastic Network Interface (virtual network card)
aws/network/vpc-endpoint.txt · Last modified: by phong2018