diff --git a/infra/aws/terraform/kops-infra-ci/vpc.tf b/infra/aws/terraform/kops-infra-ci/vpc.tf
index 3c12d9344f5..c89e05f5ed6 100644
--- a/infra/aws/terraform/kops-infra-ci/vpc.tf
+++ b/infra/aws/terraform/kops-infra-ci/vpc.tf
@@ -101,3 +101,51 @@ module "vpc" {
     "region" = "${data.aws_region.current.name}"
   })
 }
+
+################################################################################
+# VPC Endpoints
+################################################################################
+
+module "vpc_endpoints" {
+  providers = {
+    aws = aws.kops-infra-ci
+  }
+
+  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version = "~> 5.2"
+
+  vpc_id = module.vpc.vpc_id
+
+  # Security group
+  create_security_group      = true
+  security_group_name_prefix = "${local.prefix}-vpc-endpoints-"
+  security_group_description = "VPC endpoint security group"
+  security_group_rules = {
+    ingress_https = {
+      description = "HTTPS from VPC"
+      cidr_blocks = [module.vpc.vpc_cidr_block]
+    }
+  }
+
+  endpoints = merge({
+    s3 = {
+      service         = "s3"
+      service_type    = "Gateway"
+      route_table_ids = module.vpc.private_route_table_ids
+      tags = {
+        Name = "${local.prefix}-s3"
+      }
+    }
+    },
+    { for service in toset(["autoscaling", "ecr.api", "ecr.dkr", "ec2", "ec2messages", "eks-auth", "elasticloadbalancing", "events", "sts", "kms", "logs", "sqs", "ssm", "ssmmessages"]) :
+      replace(service, ".", "_") =>
+      {
+        service             = service
+        subnet_ids          = module.vpc.private_subnets
+        private_dns_enabled = true
+        tags                = { Name = "${local.prefix}-${service}" }
+      }
+  })
+
+  tags = var.tags
+}