Changes

**A '''NAT Gateway ''' is a managed service whereas a '''NAT Instance ''' is your own managed self-deployed instance. The managed is automatically scalable and offers some other advantages, but you'll pay for the privilege. A NAT instance can double as a bastion host (or "jump host" for SSH), but since you're managing it, you'll need to do the extra work for "features".** AWS example at https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html

*55. VPC Endpoints<br>[[File:Service Provider Model - VPC endpoint service.png|thumb|right|Service Provider Model]]VPC Endpoints<ref>[https://blog.awsfundamentals.com/vpc-endpoints AWS Fundamentals Blog]</ref> offer a highly secure and efficient method for connecting your AWS resources to specific AWS services, ensuring that your data remains within the AWS network, and minimizing exposure to the public internet. There are two types:**'''VPC Interface Endpoints''' create an '''Elastic Network Interface''' (ENI) in the private subnet of your EC2 instance, connecting to public services like AWS API Gateway, AWS CloudFormation, AWS CodeDeploy and AWS CloudWatch. ***As VPC interface endpoints utilize '''AWS PrivateLink''', you'll be [https://aws.amazon.com/privatelink/pricing/ charged for those endpoints by the hour] and by the introduced data transfer.***IAM policies can be applied to endpoints. So, Security can be provided by Security Groups***Bucket policies can limit access to endpoint source.**'''VPC Gateway Endpoint''' uses a route table entry to provide private network access to "public" AWS services with no added costs. However, only AWS S3 or AWS DynamoDB are supported.***Security is provided by VPC Endpoint Policies.