Which feature enables private connectivity to AWS services from a VPC without traversing the public Internet?

Sharpen your skills for the AWS Certified Solutions Architect Professional Exam. Dive into flashcards, multiple choice questions, each with detailed explanations and hints. Perfect your knowledge and get ready to ace the AWS exam!

Multiple Choice

Which feature enables private connectivity to AWS services from a VPC without traversing the public Internet?

Explanation:
Private connectivity to AWS services from a VPC without using the public Internet is achieved with VPC Endpoints. These endpoints create a private connection between your VPC and AWS services, so traffic stays on the AWS network instead of traversing the public Internet. There are two types: gateway endpoints for S3 and DynamoDB, which add a route to the endpoint in your route table, and interface endpoints (powered by PrivateLink) for many other services, which create elastic network interfaces in your subnets. Because traffic goes through the endpoint, you can rely on endpoint policies and VPC security groups to control access, and DNS can resolve service names to the private endpoint, making connectivity seamless. In contrast, Internet Gateways (public Internet access) and Route 53 Resolver (DNS resolution) by themselves do not provide private, Internet-free connectivity to AWS services.

