I have a Java application which is deployed in EC2 and communicates with DynamoDB. I have enabled a VPC endpoint (Gateway endpoint) for DynamoDB. But I didn't notice any performance improvement with this change. Theoretically I should see less latency via the VPC endpoint compared to public access. Also, based on the tcpdump, I can see our application is still using the public IP of DynamoDB to communicate. Here 52.119.232.38 is the DynamoDB public IP.
How can I verify that our application in EC2 is using the VPC endpoint to communicate with DynamoDB?
You can use AWS CloudTrail to verify this. If you only connect to DynamoDB from the application hosted on the AWS network which has the associated VPC Gateway Endpoint, then you should only see private IPs in the Source IP field in the CloudTrail logs. If you see other public IPs, then it means DynamoDB is being accessed over the internet.

1. In CloudTrail, filter the events by EventSource = dynamodb.amazonaws.com.
2. From the EC2 instance run aws dynamodb list-tables and then wait for 10-15 mins for this new event to appear.
3. The Source IP address for the event should be from the CIDR range of your VPC (and in this case the private IP of the EC2 instance).
4. The event should carry a vpcEndpointId with the value same as the id of the VPC Endpoint.

If the source IP is not a private IP of the EC2 instance, ensure the applicable route tables are updated with the gateway endpoint entry by following the "To add or remove route tables used by a gateway endpoint" section of the link here.
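The check described in the answer above, as an added example that is not part of the original post: it applies the same two tests (source IP inside the VPC CIDR, and a vpcEndpointId on the record) to CloudTrail records. The records, the VPC CIDR 10.0.0.0/16 and the endpoint id vpce-EXAMPLE0001 are constructed placeholders; only the field names (eventSource, sourceIPAddress, vpcEndpointId) are CloudTrail's own.

```python
import ipaddress

# Constructed sample CloudTrail records (not real events). Real ones can be
# pulled with: aws cloudtrail lookup-events --lookup-attributes \
#   AttributeKey=EventSource,AttributeValue=dynamodb.amazonaws.com
# and each CloudTrailEvent JSON string parsed into a dict like these.
SAMPLE_EVENTS = [
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "ListTables",
     "sourceIPAddress": "10.0.1.23", "vpcEndpointId": "vpce-EXAMPLE0001"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "sourceIPAddress": "203.0.113.7"},             # public IP: left the VPC
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "Query",
     "sourceIPAddress": "10.0.1.23"},               # private IP, no endpoint id
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.23"},               # not DynamoDB: ignored
]


def classify_event(event, vpc_cidr, expected_vpce=None):
    """Classify one DynamoDB CloudTrail record by the path the call took."""
    network = ipaddress.ip_network(vpc_cidr)
    try:
        src = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return "non-ip-source"          # e.g. a service principal name
    if src not in network:
        return "over-internet"          # route table is missing the endpoint
    vpce = event.get("vpcEndpointId")
    if not vpce:
        return "private-ip-no-endpoint-id"
    if expected_vpce and vpce != expected_vpce:
        return "unexpected-endpoint-id"
    return "via-endpoint"


def audit_dynamodb_events(events, vpc_cidr, expected_vpce=None):
    """Return (eventName, sourceIPAddress, verdict) for each DynamoDB event."""
    return [
        (e.get("eventName"), e.get("sourceIPAddress"),
         classify_event(e, vpc_cidr, expected_vpce))
        for e in events if e.get("eventSource") == "dynamodb.amazonaws.com"
    ]


if __name__ == "__main__":
    for row in audit_dynamodb_events(SAMPLE_EVENTS, "10.0.0.0/16", "vpce-EXAMPLE0001"):
        print(row)
```

Any "over-internet" row is a call that bypassed the gateway endpoint, which is exactly what the tcpdump in the question shows.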