Accessing S3 using VPC endpoints

David Cheong
4 min read · Jun 7, 2020

A VPC endpoint creates a private connection between your VPC and supported AWS services, so traffic between them never needs an internet gateway, NAT device, VPN or Direct Connect link.

As an example, suppose an EC2 instance needs to read objects from an S3 bucket. Without an endpoint, the request leaves the VPC through an internet gateway (or a NAT gateway, for an instance in a private subnet), reaches S3 on its public endpoint, and the response comes back the same way. That round trip adds latency, and it means the instance has to be allowed out to the internet at all.

Since both EC2 and S3 live inside the AWS infrastructure, AWS provides a feature called VPC endpoints, which lets the instance reach S3 without the traffic ever touching the public internet. The one condition is that the VPC and the S3 bucket must be in the same region. Routing S3 traffic over the AWS internal network not only lowers latency, it also cuts cost, because nothing is sent through a NAT gateway or out of the VPC.

Another good case is a server in a private subnet with no internet access that still has to fetch content from an S3 bucket: an endpoint is the simplest and safest way to give it that access, because nothing else gets opened up.

There are two types of VPC endpoint:

An interface endpoint is an elastic network interface (ENI) with a private IP address from your subnet's address range that serves as the entry point for traffic destined to a supported service. It lets you reach the service privately, over that private IP address, rather than over the service's public endpoint.

A gateway endpoint is a gateway that you specify as the target of a route in your route table for traffic destined to a supported AWS service. At the time of writing, gateway endpoints support only S3 and DynamoDB, and an S3 gateway endpoint is what this post creates.

For the demo I reuse the stack created in the previous post. I log in to the private EC2 instance with SSH agent forwarding through my bastion host, and when I try to access S3 from it, the request fails.

That is expected: the instance sits in a private subnet with no route to the internet, so it cannot reach the public S3 endpoint, and therefore cannot reach any of my S3 buckets.

To create the VPC endpoint, log in to the VPC console, open the endpoint list, and click Create Endpoint. For an S3 endpoint, choose AWS services, filter the service name for S3, and select the VPC you want to attach the endpoint to.

I select the demo VPC created by the Terraform stack and the route table the new route should be added to. For the policy I grant full access to everyone, but you can restrict it with a custom policy, and outside a demo you should: an endpoint policy of "*" lets every host in the VPC talk to every S3 bucket in the region, including buckets in other accounts, which is a convenient exfiltration path for anything that gets onto those hosts. Scope it to the buckets and actions your workloads actually need.

Submit the form, and the VPC endpoint is created.

To confirm that the endpoint was created and wired up correctly, open the Route Tables console and check whether a new route has appeared. As the screenshot above shows, AWS added a route to my private route table: its destination is the S3 prefix list for the region (pl-...) and its target is the endpoint (vpce-...).

Now let's try to access S3 from the private EC2 instance again and see what happens.

Back on the private instance, I first ping google.com to check for internet access: it still fails, so nothing else has been opened up.

Then I access my S3 bucket again, and this time it succeeds and lists the contents of the bucket.

This shows that even though my private server has no public internet access, it can still reach an S3 bucket located in the same region as the server.

It is always recommended to use a VPC endpoint for S3 buckets in the same region: you reduce network latency and also cut your AWS bill. S3 gateway endpoints are free of charge, and because the traffic stays on the AWS network it no longer passes through a NAT gateway with its per-GB data processing fee. Data transfer between EC2 and S3 in the same region is free in any case; what the endpoint saves is the NAT hop.

As an addition to the previous post's stack, you can create another Terraform file called endpoint.tf with the following code to automate the creation of the VPC endpoint:

resource "aws_vpc_endpoint" "private-s3" {
  vpc_id          = aws_vpc.demovpc.id
  service_name    = "com.amazonaws.ap-southeast-1.s3"
  route_table_ids = [aws_route_table.PrivateRouteTable.id]

  # Full-access endpoint policy, the same as chosen in the console walkthrough above.
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
POLICY

  depends_on = [aws_vpc.demovpc, aws_subnet.private_subnet]
}
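The wide-open policy above is fine for a demo, but the restriction the console walkthrough mentions is worth writing down. The following is an added example, not part of the original post or its stack: it scopes the endpoint policy to a single bucket and adds a bucket policy that refuses requests which did not arrive through the endpoint, so the bucket stays unreachable from the internet even if the instance's credentials leak. It assumes the same `aws_vpc.demovpc` and `aws_route_table.PrivateRouteTable` resources as the stack above, plus two assumed variables: `bucket_name`, an existing bucket you own in ap-southeast-1, and `admin_role_arn`, a role (for example the one Terraform runs as) that must keep access from outside the VPC.

```hcl
# Assumed inputs; neither exists in the original stack.
variable "bucket_name" {
  description = "Existing bucket in ap-southeast-1 that the private instances need"
  type        = string
}

variable "admin_role_arn" {
  description = "Role that keeps access from outside the VPC (e.g. the Terraform/CI role), so the Deny below cannot lock everyone out"
  type        = string
}

resource "aws_vpc_endpoint" "private_s3_scoped" {
  vpc_id            = aws_vpc.demovpc.id
  service_name      = "com.amazonaws.ap-southeast-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.PrivateRouteTable.id]

  # Endpoint policy: only this bucket is reachable through the endpoint.
  # Any other bucket, including ones in other accounts, is denied, which
  # closes the exfiltration path a "*" policy leaves open.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "OnlyOurBucket"
        Effect    = "Allow"
        Principal = "*"
        Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
        Resource = [
          "arn:aws:s3:::${var.bucket_name}",
          "arn:aws:s3:::${var.bucket_name}/*",
        ]
      },
    ]
  })
}

# Bucket side: refuse every request that did not come through our endpoint,
# unless it is made by the admin role. An explicit Deny wins over any Allow,
# so stolen instance credentials are useless from outside the VPC.
resource "aws_s3_bucket_policy" "private_only" {
  bucket = var.bucket_name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyUnlessViaEndpoint"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          "arn:aws:s3:::${var.bucket_name}",
          "arn:aws:s3:::${var.bucket_name}/*",
        ]
        # Both conditions must hold for the Deny to apply:
        # the request did not use our endpoint AND the caller is not the admin role.
        Condition = {
          StringNotEquals = {
            "aws:sourceVpce" = aws_vpc_endpoint.private_s3_scoped.id
          }
          ArnNotEquals = {
            "aws:PrincipalArn" = var.admin_role_arn
          }
        }
      },
    ]
  })
}
```

Two caveats when you apply this. Amazon Linux package repositories are served from S3, so with a scoped endpoint policy `yum` on the private instances stops working until you also allow the repository buckets for your region. And the endpoint policy no longer permits `s3:ListAllMyBuckets`, so a bare `aws s3 ls` will fail from the instance; list the bucket explicitly (`aws s3 ls s3://<bucket_name>`) when you repeat the test from the walkthrough.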

Originally published at https://tech.david-cheong.com on June 7, 2020.
