Avoiding Pitfalls When Using Amazon DynamoDB Interface VPC Endpoints

Amazon DynamoDB now supports AWS PrivateLink as of March 19, 2024. This feature allows you to securely access DynamoDB from your Amazon Virtual Private Cloud (VPC) without exposing your traffic to the public internet.

However, unlike VPC endpoints for other AWS managed services, the AWS PrivateLink for Amazon DynamoDB does not support the Private DNS feature. This means that if your subnets are configured with only a DynamoDB Interface VPC endpoint, the public DNS name of the DynamoDB service (e.g., dynamodb.us-east-1.amazonaws.com in the us-east-1 region) cannot be resolved in those subnets.

As a result, you cannot reuse the client-initialization code that works over the internet or through a Gateway VPC endpoint when you switch to an Interface VPC endpoint. Instead, when you create an interface endpoint, DynamoDB generates two types of endpoint-specific DNS names: Regional and zonal. You must pass one of these endpoint-specific names as the endpoint URL when creating the DynamoDB client.

```python
import boto3

# Replace the Region (us-east-1) and the endpoint-specific URL
# (https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com) with your own values.
session = boto3.session.Session()
ddb_client = session.client(
    service_name='dynamodb',
    region_name='us-east-1',
    endpoint_url='https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com'
)
```
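The following helpers are an added example, not code from the original post or from AWS. They wrap the client creation above so that an application refuses to start with the public service name (which does not resolve in a subnet served only by the interface endpoint) and fails early when the endpoint's Region does not match the client's Region. The shape of the Regional and zonal DNS names is an assumption derived from the endpoint URL shown in the post; compare it against the DNS names listed on your own endpoint.

```python
"""Helpers for pointing a boto3 DynamoDB client at an Interface VPC endpoint.

Added example, not from the original post. The DNS-name pattern is an assumption
based on the endpoint URL shown in the post.
"""
import re
import socket

# Assumed shape of the endpoint-specific DNS names for a DynamoDB interface endpoint:
#   Regional: vpce-<id>-<suffix>.dynamodb.<region>.vpce.amazonaws.com
#   Zonal:    vpce-<id>-<suffix>-<az>.dynamodb.<region>.vpce.amazonaws.com
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
_ENDPOINT_DNS = re.compile(
    r"^vpce-[0-9a-f]+-[0-9a-z]+(?:-(?P<az>" + _REGION + r"[a-z]))?"
    r"\.dynamodb\.(?P<region>" + _REGION + r")\.vpce\.amazonaws\.com$"
)


def _parse(endpoint_dns: str) -> "re.Match":
    """Match an endpoint-specific DNS name; reject anything else, including the
    public service name dynamodb.<region>.amazonaws.com."""
    m = _ENDPOINT_DNS.match(endpoint_dns.strip().lower())
    if not m:
        raise ValueError(
            f"{endpoint_dns!r} is not a DynamoDB interface-endpoint DNS name; "
            "use the Regional or zonal name listed on the endpoint, not the public name"
        )
    return m


def endpoint_scope(endpoint_dns: str) -> str:
    """Classify an endpoint-specific DNS name as 'regional' or 'zonal'."""
    return "zonal" if _parse(endpoint_dns).group("az") else "regional"


def endpoint_client_kwargs(endpoint_dns: str, region_name: str) -> dict:
    """Return the keyword arguments for session.client() that target the endpoint.

    The client's Region must match the Region embedded in the endpoint name so
    that requests are signed for the same Region the endpoint serves.
    """
    m = _parse(endpoint_dns)
    if m.group("region") != region_name:
        raise ValueError(
            f"endpoint is in {m.group('region')} but client region is {region_name}"
        )
    return {
        "service_name": "dynamodb",
        "region_name": region_name,
        "endpoint_url": "https://" + endpoint_dns.strip().lower(),
    }


def public_name_resolves(region_name: str) -> bool:
    """Preflight check: can this host resolve the public DynamoDB name at all?

    In a subnet that has only the interface endpoint the expected answer is
    False, which is exactly why endpoint_url must be set explicitly.
    """
    try:
        socket.getaddrinfo(f"dynamodb.{region_name}.amazonaws.com", 443)
        return True
    except socket.gaierror:
        return False


def make_client(endpoint_dns: str, region_name: str, session=None):
    """Create the boto3 client. boto3 is imported lazily so the validation
    helpers above can be used without it installed."""
    import boto3  # assumed available at runtime in the application
    session = session or boto3.session.Session()
    return session.client(**endpoint_client_kwargs(endpoint_dns, region_name))


if __name__ == "__main__":
    # Constructed sample values, matching the placeholder endpoint in the post.
    name = "vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com"
    print(endpoint_scope(name), endpoint_client_kwargs(name, "us-east-1"))
    print("public name resolvable:", public_name_resolves("us-east-1"))
```

Read the endpoint DNS name from configuration (an environment variable or parameter store) rather than hard-coding it, and run `public_name_resolves` only as a diagnostic; production code should not fall back to the public name when it happens to resolve, because that silently routes traffic outside the endpoint.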

As an experienced AWS developer, it's easy to assume that the newly launched DynamoDB Interface VPC endpoint behaves like the endpoints of other AWS managed services, so that existing code that initializes the DynamoDB client with the public service name keeps working in isolated subnets. That assumption is incorrect: without Private DNS, the public name does not resolve there, and the client fails to connect.😂😂😂

Make sure to update your application code to use the endpoint-specific DNS names or the endpoint URL when working with DynamoDB Interface VPC endpoints. You can find more examples in the AWS documentation.