
VPC Endpoints for AWS S3

By default, all communication between servers (whether on-premises or on AWS EC2 instances) and S3 is routed over the internet. Even though EC2 instances are also provided by AWS, every request from EC2 to S3 still travels across the public internet, so we are charged for that data transfer.

AWS S3

AWS S3 (Simple Storage Service) is one of the most well-known services offered by AWS. It provides reliable, globally available and inexpensive storage for large quantities of data. It can be used to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archiving, enterprise applications, IoT devices, and big data analytics.

Why do we need a VPC Endpoint for S3?

A VPC Endpoint for S3 gives us a private link for reaching resources stored in S3 without routing through the internet. AWS doesn’t charge anything for using this service.

VPC Endpoint

A VPC Endpoint enables us to connect privately to supported AWS services without requiring an internet gateway, NAT device, or VPN connection. Instances in our VPC do not need public IP addresses to communicate with those services.

Types of VPC Endpoints

  1. Interface Endpoint: an elastic network interface with a private IP address from the IP address range of your subnet, which serves as the entry point for traffic destined to a supported service.
  2. Gateway Endpoint: a gateway that you specify as the target of a route in your route table for traffic destined to a supported AWS service.

Here we will talk about S3 VPC endpoints, which are Gateway Endpoints.

Steps for creating an S3 VPC Endpoint

Let us create an S3 VPC endpoint from the AWS console:

  1. Open the VPC dashboard under the Services menu, locate the Endpoints item in the navigation bar and click on it. Choose the region in which you want to create the VPC endpoint.
  2. Click on Create Endpoint and search for S3. Choose the VPC to which you want to add the endpoint.
  3. Choose the route table(s) in which you want to allow use of the endpoint.
  4. Select a policy. The default, Full Access, allows any AWS user to reach any S3 resource through the endpoint. A VPC endpoint also lets us attach a policy that restricts access to selected S3 resources only; to write your own policy, choose the Custom option.

That’s it.

We can create multiple endpoints in a single VPC, to multiple services. We can also create multiple endpoints for a single service, and use different route tables to enforce different access policies from different subnets to the same service.
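The following is an added example, not part of the original post or of any AWS tooling, showing what the Custom option in step 4 means in practice. It builds a restrictive endpoint policy for a list of buckets, contrasts it with the console's default Full Access policy, and includes a simplified evaluator so the effect of the policy can be checked offline. All bucket names, VPC and route table ids are constructed placeholders; the `create_s3_gateway_endpoint` helper wraps the real boto3 `create_vpc_endpoint` call but is only invoked when you pass it a client.

```python
import json
from fnmatch import fnmatchcase

# Gateway endpoint policies use Principal "*": they control WHICH S3 resources
# are reachable through the endpoint, not WHO is calling. IAM policies and
# bucket policies are still evaluated on top of the endpoint policy.
def build_endpoint_policy(bucket_names, actions):
    """Custom endpoint policy allowing only the listed buckets (and their objects)."""
    resources = []
    for bucket in bucket_names:                      # constructed names, replace with yours
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyListedBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": resources,
        }],
    }

# Equivalent of the console's default "Full Access" choice in step 4.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def endpoint_policy_allows(policy, action, bucket, key=None):
    """Simplified evaluator: an explicit Deny wins, otherwise any matching Allow."""
    arn = f"arn:aws:s3:::{bucket}" + (f"/{key}" if key else "")
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(arn, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def create_s3_gateway_endpoint(ec2, vpc_id, region, route_table_ids, policy):
    """Create the gateway endpoint; `ec2` is a boto3 EC2 client (real API call)."""
    return ec2.create_vpc_endpoint(
        VpcEndpointType="Gateway",
        VpcId=vpc_id,                                 # e.g. "vpc-EXAMPLE" (placeholder)
        ServiceName=f"com.amazonaws.{region}.s3",
        RouteTableIds=list(route_table_ids),          # e.g. ["rtb-EXAMPLE"] (placeholder)
        PolicyDocument=json.dumps(policy),
    )

if __name__ == "__main__":
    policy = build_endpoint_policy(["app-data"], ["s3:GetObject", "s3:ListBucket"])
    print(json.dumps(policy, indent=2))
    print("GetObject on app-data:", endpoint_policy_allows(policy, "s3:GetObject", "app-data", "reports/q1.csv"))
    print("PutObject on app-data:", endpoint_policy_allows(policy, "s3:PutObject", "app-data", "reports/q1.csv"))
    print("GetObject on other-bucket:", endpoint_policy_allows(policy, "s3:GetObject", "other-bucket", "x"))
```

Because the same policy is enforced for every subnet whose route table points at the endpoint, creating a second endpoint with a tighter policy and attaching it to a different route table is how you give different subnets different access to the same service, as described above.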

Routing Rules for Gateway Endpoints

While creating the S3 endpoint, we specified the VPC route tables to which the endpoint is attached (step 3 & step 4). A route is automatically added to each of those route tables with a destination of the S3 service's prefix list ID, like pl-xxxxxx, and a target of the endpoint ID, which starts with vpce, like vpce-xxxxxx.

Example 1:

In this example we have a route to the internet gateway with a destination of 0.0.0.0/0, which means all traffic from instances is routed through the internet gateway. In this case all requests to other AWS services, including S3, also go through the internet gateway.

Example 2:

In this scenario, our instances don't have any access to the internet but can still reach the AWS service for which we created the VPC Endpoint, in our case S3.

Example 3:

In this example, we have an internet gateway attached to our VPC and an endpoint has also been created. All traffic from the subnet destined for S3 in the same region is routed through the S3 VPC endpoint and does not reach the internet gateway, because the prefix-list route is more specific than 0.0.0.0/0. All other traffic goes to the internet gateway, including traffic destined for other AWS services.

Before adding S3 VPC Endpoint:

After adding S3 VPC Endpoint:
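As an added example (not from the original post), the route-table behaviour of Examples 1 to 3 can be reproduced with a small longest-prefix-match resolver, which is the rule the VPC router applies: the prefix-list route expands to specific CIDRs, so it wins over the 0.0.0.0/0 default route. The prefix-list contents, gateway and endpoint ids and destination addresses below are all constructed placeholders; the real S3 prefix list is published by AWS and must be looked up in your region.

```python
import ipaddress

# Constructed stand-in for the S3 prefix list (pl-xxxxxx in the text).
# The real list contains many AWS-owned ranges; these are documentation CIDRs.
S3_PREFIX_LIST_ID = "pl-EXAMPLE"
PREFIX_LISTS = {S3_PREFIX_LIST_ID: ["203.0.113.0/24", "198.51.100.0/25"]}

def expand_routes(route_table):
    """Expand prefix-list destinations into per-CIDR routes so they can be matched."""
    expanded = []
    for destination, target in route_table:
        if destination.startswith("pl-"):
            for cidr in PREFIX_LISTS[destination]:
                expanded.append((ipaddress.ip_network(cidr), target))
        else:
            expanded.append((ipaddress.ip_network(destination), target))
    return expanded

def resolve_target(route_table, dest_ip):
    """Longest-prefix match, as the VPC router does. Returns None when no route matches."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for network, target in expand_routes(route_table):
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, target)
    return best[1] if best else None

# The three route tables from the examples above (constructed ids and VPC CIDR).
LOCAL = [("10.0.0.0/16", "local")]
EXAMPLE_1 = LOCAL + [("0.0.0.0/0", "igw-EXAMPLE")]                       # IGW only
EXAMPLE_2 = LOCAL + [(S3_PREFIX_LIST_ID, "vpce-EXAMPLE")]               # endpoint only
EXAMPLE_3 = LOCAL + [("0.0.0.0/0", "igw-EXAMPLE"),
                     (S3_PREFIX_LIST_ID, "vpce-EXAMPLE")]                # both

S3_IP = "203.0.113.10"    # an address inside the constructed S3 prefix list
OTHER_IP = "192.0.2.50"   # any other public address, e.g. a different AWS service

def audit(route_table):
    """Report which target S3 traffic and other internet traffic would use."""
    return {
        "s3": resolve_target(route_table, S3_IP),
        "other": resolve_target(route_table, OTHER_IP),
    }

if __name__ == "__main__":
    for name, table in [("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2), ("Example 3", EXAMPLE_3)]:
        print(name, audit(table))
```

Running the audit against a real route table (for instance the output of `describe-route-tables`, after substituting the region's actual prefix list) is a quick way to confirm that S3 traffic from a subnet really leaves through the endpoint rather than the internet gateway.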

Conclusion

AWS VPC Endpoints act as a logical link between our VPC and AWS services that is free to use and keeps traffic on the AWS network: it never leaves for the public internet but is routed over AWS's internal network. Instances with no internet access can still reach AWS services by using endpoints.


Wajahat Lateef