Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Private DNS name for S3 VPC endpoint

1

Good afternoon,

I have deployed an interface VPC endpoint for S3 and I would like to map it to my internal domain (e.g. s3.example.local). I have created a private PHZ and created an ALIAS record pointing to my VPC endpoint. This works; however I'm getting a TLS error because the certificate name doesn't match my internal name. I see the certificate assigned to the VPC endpoint is specific to the endpoint, so I was wondering if there was a way to somehow include a custom name into that certificate?

The other alternative I see would be to ignore SSL verification checks, but obviously I would like to avoid this.

Thanks! Fred.

Themen
SpeicherVernetzung & Bereitstellung von Inhalten
Tags
Amazon Simple Storage ServiceAmazon VPC
Sprache
English
fmereu
gefragt vor 2 Jahren3533 Aufrufe
2 Antworten
1

You're correct, you can't assign a Private DNS name to the S3 interface endpoint. It's called out in the documentation. You have to either use the name or (as you suggest) disable SSL verification but that's not recommended.

Update: We've now released a feature that provides private DNS support for PrivateLink: https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/

profile pictureAWS
EXPERTE
Brettski-AWS
beantwortet vor 2 Jahren
0

Hi,

I was trying to access S3 from a VPC located in a different region (this because we don't want to go the public Internet for security reasons) and I believe there is a bit of lack of documentation on how to achieve this. We are already using the same approach for the other AWS services, but S3 is different, when you create then interface endpoint it returns you a wildcard and this does not allow to just create a standard Alias (A) record to the service. After a few tries I figure you can do a name redirection specifying a CNAME for *s3.<REGION>.amazonaws.com to <S3_INTERFACE_ENDPOINT_WILDCARD>, this allows you to access S3 Service over the VPC peering without the need to specify the --endpoint-url for all the commands.

In your case changing domain to something that is not native from AWS might still be a problem for the SSL cert, but as long as you link you DNS Resolver to this private DNS entry on AWS, you can use native naming convention without having to actually use AWS public endpoints to access the service.

Hope this helps!

BR, Michele

faccomichele
beantwortet vor 3 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt