VPC Endpoints with S3

February 24, 2021 / Nirav Shah

Create VPC Endpoint For S3 Bucket In AWS

Generally speaking, we cannot connect to a public subnet through a private subnet. But with AWS we can do that by NAT gateway or NAT Instance, but this service also costs us some dollars.

But still, if we are required to work with private subnet to public subnet we can use VPC endpoint. So let’s start to understand what VPC endpoint is and how it works.

A VPC endpoint is a service by which you can connect to AWS service via Private Subnet.

• VPC Endpoint is a virtual device.
• VPC Endpoint is available for many services in AWS.

VPC Endpoints keynotes

• By VPC endpoint users can privately connect their VPC to supported AWS services
• VPC Endpoint connects with a private IP address, and access over the Internet, NAT device, a VPN connection to communicate with resources in the service.
• VPC Endpoints is a virtual device that is horizontally scaled and highly available
• Endpoint policies must be written in JSON format.
• Endpoint policy does not override or replace IAM user policy

S3 bucket connect to VPC endpoint step by step

Step-1 Create two EC2 instances: One in the public subnet and another one in a private subnet.

For this, you need to create another VPC and create one VPC in which create one public and one private subnet.

At the time of EC2 launch select one for Public Subnet and one for Private Subnet.

Public EC2 may communicate with the Internet, while Private EC2 instance may not able to communicate with the internet.

Step 2 Create one S3 bucket and provide it Public Access so we can access it from the Publicly.

Step 3 Configure ‘aws configure’ in your Public EC2 terminal asper the below snap. And try to access the S3 bucket. You will get the list of S3 because you are accessing it from the Public Instance.

#aws configure
        #aws s3 ls

Step 4 Now take the access of Private Subnet via Public subnet and configure ‘aws configure’. And try to access S3 bucket list, But you are not able to access it because you are in Private Subnet.

Step 5 Go to the VPC Console and click on the Endpoints.

Create Endpoints

Step 6 Select S3 service from the service name and select the private subnet from the earlier create VPC.

Step 7 VPC Endpoint created successfully.

Step 8 Now take the Private Instance access and try to list the AWS S3 bucket list. You will see that you are able to access the public bucket from the Private Subnet. This is because of VPC endpoints.

VPC Endpoints Limitations

• VPC endpoints support IPv4 traffic only.
• It’s only supported within the same Region. You cannot create an endpoint between a VPC and a service in a different Region.
• VPC Endpoints cannot transfer an endpoint from one VPC to another.

 

For more information, you can check our blog on how to create VPC Flow log and save it in AWS S3.

Also Read: How to recreate the deleted default VPC in AWS

FAQs: 

1. What are the benefits of using VPC endpoints for S3?

2. How do you check if S3 VPC endpoint is working?

3. How do I access S3 from VPC endpoint?