# Using VPC endpoints to keep sensitive data in known networks
<a name="vpc-endpoints"></a>

Secrets should never be accessible over the internet. AWS offers options for maintaining privacy when routing traffic through known and private network routes.

When you're configuring traffic between AWS Secrets Manager and on-premises clients and applications, you can use either of the following approaches:
+ An [AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html) connection
+ An [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) connection

If you want to secure traffic between Secrets Manager and API clients within the same AWS Region, use [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) to create interface VPC endpoints. With this option, all traffic for the secret stays within your private network and never traverses the public internet. For more information, see [Using an AWS Secrets Manager VPC endpoint](https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html).
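The following Terraform configuration is an added example and is not code from this guide or its sample project. It creates the interface VPC endpoint described above, restricts it to HTTPS from inside the VPC, and then attaches a resource policy to a secret so that the secret can only be read through that endpoint. The VPC ID, subnet IDs, VPC CIDR and the secret's name are placeholder assumptions supplied through variables.

```hcl
# Added example (not part of the guide): Secrets Manager interface endpoint
# plus a secret resource policy that only allows access through it.
# var.vpc_id, var.private_subnet_ids, var.vpc_cidr and var.secret_name are
# assumed inputs that you replace with values from your own environment.

variable "vpc_id"             { type = string }        # assumed
variable "private_subnet_ids" { type = list(string) }  # assumed
variable "vpc_cidr"           { type = string }        # assumed, e.g. "10.0.0.0/16"
variable "secret_name"        { type = string }        # assumed

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Security group for the endpoint network interfaces: only HTTPS from the VPC.
resource "aws_security_group" "secretsmanager_endpoint" {
  name        = "secretsmanager-endpoint-sg"
  description = "Allow HTTPS to the Secrets Manager interface endpoint from the VPC"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from workloads inside the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# Interface endpoint backed by AWS PrivateLink. private_dns_enabled makes
# secretsmanager.<region>.amazonaws.com resolve to the endpoint ENIs, so the
# SDK and CLI use the private path without any client-side changes.
resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.secretsmanager_endpoint.id]
  private_dns_enabled = true

  # Endpoint policy: only principals from this account may use the endpoint,
  # which stops the endpoint from being used to reach secrets in other accounts.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "secretsmanager:*"
      Resource  = "*"
      Condition = {
        StringEquals = { "aws:PrincipalAccount" = data.aws_caller_identity.current.account_id }
      }
    }]
  })
}

resource "aws_secretsmanager_secret" "app" {
  name = var.secret_name
}

# Resource policy on the secret: deny every request that did not arrive
# through the endpoint above. aws:sourceVpce is the endpoint ID of the request.
resource "aws_secretsmanager_secret_policy" "app_vpce_only" {
  secret_arn = aws_secretsmanager_secret.app.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyAccessOutsideVpcEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "secretsmanager:GetSecretValue"
      Resource  = "*"
      Condition = {
        StringNotEquals = { "aws:sourceVpce" = aws_vpc_endpoint.secretsmanager.id }
      }
    }]
  })
}

output "secretsmanager_endpoint_id" {
  value = aws_vpc_endpoint.secretsmanager.id
}
```

Two points to check before applying a policy like this in a real account. First, the `Deny` statement on the secret applies to every principal, including administrators working from the console or a CI runner outside the VPC; scope the `Action` list (here only `GetSecretValue`) so that rotation, management and break-glass access still work from where they actually run. Second, after `terraform apply`, confirm from an instance in the VPC that `secretsmanager.<region>.amazonaws.com` resolves to private addresses from the endpoint subnets; if it still resolves to public IPs, private DNS is not in effect and traffic is leaving the VPC.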

![Using Amazon VPC service endpoints to connect to AWS Secrets Manager.](http://docs.aws.amazon.com/prescriptive-guidance/latest/secure-sensitive-data-secrets-manager-terraform/images/vpc-endpoints-secrets-manager.png)
