VPC endpoints and PrivateLink

By default, reaching a service like S3 from inside a VPC sends traffic out over the internet. VPC endpoints keep that traffic on the AWS network instead, never touching the internet. Gateway endpoints cover S3 and DynamoDB for free, and interface endpoints, powered by PrivateLink, cover most other services.