diff --git a/.gitignore b/.gitignore
index 5b3ad8c..86b4f39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,5 @@
 .DS_Store
 *.iml
 .idea
-cred.txt
+.terraform.lock.hcl
+*.log
diff --git a/modules/networking/vpc-endpoints/main.tf b/modules/networking/vpc-endpoints/main.tf
new file mode 100644
index 0000000..a9582ed
--- /dev/null
+++ b/modules/networking/vpc-endpoints/main.tf
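Review bot: Removing `cred.txt` from .gitignore (the `-cred.txt` line) drops the only guard that kept a credentials file out of this repository; unless that file has genuinely been retired, keep the entry next to the new ones, and if a `cred.txt` ever existed in the working tree it is worth confirming it never reached history and rotating the secret if it did. Ignoring `.terraform.lock.hcl` also throws away provider checksum pinning, which HashiCorp recommends committing for root configurations so that `terraform init` verifies the provider archives it downloads. If the intent is only to keep lock files out of the reusable modules, scope the pattern instead, e.g. `modules/**/.terraform.lock.hcl`.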
@@ -0,0 +1,65 @@
+resource "aws_vpc_endpoint" "vpc-interface-ep" {
+ for_each = toset(var.interface-ep-services)
+ vpc_id = data.aws_vpc.this-vpc.id
+ service_name = "com.amazonaws.ap-east-1.${each.value}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = [
+ aws_security_group.generic-ep-sg.id,
+ ]
+
+ # deploy to all subnets
+ subnet_ids = data.aws_subnets.this-subnets.ids
+
+ private_dns_enabled = true
+ tags = merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)
+}
+
+resource "aws_security_group" "generic-ep-sg" {
+ name = "HttpsAccessToVpcEndpoints"
+ description = "HttpsAccessToVpcEndpoints"
+ vpc_id = data.aws_vpc.this-vpc.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = merge({"Name": "VpcEpAccess"},var.default-tags)
+}
+
+resource "aws_vpc_endpoint" "vpc-gateway-ep" {
+ for_each = toset(var.gateway-ep-services)
+ vpc_id = data.aws_vpc.this-vpc.id
+ service_name = "com.amazonaws.ap-east-1.${each.value}"
+ vpc_endpoint_type = "Gateway"
+
+ tags = merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)
+}
+
+data aws_vpc this-vpc {
+ id = var.vpc-id
+ lifecycle {
+ postcondition {
+ condition = self.enable_dns_support == true
+ error_message = "The selected VPC must have DNS support enabled."
+ }
+ }
+}
+
+data aws_subnets this-subnets {
+ filter {
+ name = "vpc-id"
+ values = [var.vpc-id]
+ }
+}
\ No newline at end of file
diff --git a/modules/networking/vpc-endpoints/provider.tf b/modules/networking/vpc-endpoints/provider.tf
new file mode 100644
index 0000000..e327cd6
--- /dev/null
+++ b/modules/networking/vpc-endpoints/provider.tf
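Review bot: Neither `aws_vpc_endpoint` resource sets a `policy`, so every endpoint gets AWS's default allow-all endpoint policy; for the S3 and DynamoDB gateway endpoints in `vpc-gateway-ep` that means any principal inside the VPC can reach any bucket or table in any AWS account through the endpoint, a well-known exfiltration path that bypasses NAT/egress controls. The gateway endpoints also set no `route_table_ids`, so unless they are associated elsewhere they are not wired into any route table and S3/DynamoDB traffic keeps leaving via NAT or the IGW. I would add `policy = var.endpoint-policy` (a JSON document scoping access with `aws:PrincipalAccount`/`aws:PrincipalOrgID`, `null` to keep the default) and `route_table_ids = var.route-table-ids` to `vpc-gateway-ep`, with matching variables. Separately, `service_name` hard-codes `ap-east-1` while everything else is derived from the VPC; `data "aws_region" "current" {}` plus `"com.amazonaws.${data.aws_region.current.name}.${each.value}"` keeps the endpoints in the VPC's region. Finally, `subnet_ids = data.aws_subnets.this-subnets.ids` hands every subnet in the VPC to each interface endpoint, which fails as soon as two subnets share an AZ, since an interface endpoint accepts only one subnet per AZ.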
@@ -0,0 +1,11 @@
+terraform {
+ # requires 1.3.0 for postcondition validation
+ # https://learn.hashicorp.com/tutorials/terraform/custom-conditions
+ required_version = "~> 1.3.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.75.2"
+ }
+ }
+}
diff --git a/modules/networking/vpc-endpoints/variables.tf b/modules/networking/vpc-endpoints/variables.tf
new file mode 100644
index 0000000..a6cb8c8
--- /dev/null
+++ b/modules/networking/vpc-endpoints/variables.tf
@@ -0,0 +1,11 @@
+variable vpc-id {}
+variable interface-ep-services {
+ type = list
+}
+variable gateway-ep-services {
+ type = list
+ default = ["s3","dynamodb"]
+ description = "Gateway endpoints are free, so deploy for all supported services by default."
+}
+variable default-tags {}
+variable resource-prefix {}
\ No newline at end of file
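Review bot: `required_version = "~> 1.3.0"` admits only 1.3.x, which is stricter than the comment's stated intent ("requires 1.3.0 for postcondition validation") and will refuse to run on 1.4+ and the fixes those releases carry; `required_version = ">= 1.3.0"` (or `"~> 1.3"`) matches the comment. In the other direction, `version = ">= 3.75.2"` for the AWS provider has no upper bound, and with `.terraform.lock.hcl` ignored in this same commit a fresh `terraform init` has no pinned checksums either, so it can silently resolve any future major version with breaking schema changes. Pinning to the major series the module is actually tested against (`"~> 3.75"` or `"~> 4.0"`) keeps provider upgrades a deliberate, reviewed change.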
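Review bot: `type = list` on `interface-ep-services` and `gateway-ep-services` is the legacy unconstrained form (equivalent to `list(any)`), so a caller can pass non-string elements that only surface later inside `toset()` or the `service_name` interpolation; `type = list(string)` rejects them at the variable boundary with a clear message. `vpc-id`, `default-tags` and `resource-prefix` declare no type or description at all — `type = string`, `type = map(string)` and `type = string` respectively, each with a one-line `description`, would make the module interface checkable at plan time and self-documenting. `interface-ep-services` deserves a `description` too, since only `gateway-ep-services` has one.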