You are correct, connectivity to an S3 Gateway endpoint would not work, but connectivity to an S3 Interface endpoint should work. Suggest following the troubleshooting steps mentioned here. Before trying the connectivity remotely from the ClientVPN client, I suggest testing the connectivity locally from within the VPC where your ClientVPN endpoint is spun up. Also note that ClientVPN does an SNAT, so traffic to the destination will be sourced by the ENI of the CVPN endpoint, so you need to make sure those IPs are whitelisted as necessary.
You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints (using AWS PrivateLink).
A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3.
Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on premises, or from a VPC in another AWS Region using VPC peering or AWS Transit Gateway.
Looks like a VPC endpoint does not support static websites; it will need a proxy, which does not fit our requirement.
Thank you for your answer. Now I'm using the VPC endpoint interface type and I'm still receiving 403 Forbidden. I tried the Vpc and Vpce conditions to allow access via the S3 bucket policy, but still not managing to get the static website working via AWS Client VPN (auth rules allow public S3 IPs, and the security group of the VPN endpoint as well). Additionally, I allowed the private IPs of the VPC endpoint on the security group; those are from the same VPC where the VPN endpoint is created. Thanks again for the support. My IAM/S3 policy might not be the best; here is my IAM policy:
```hcl
{
  Statement = [
    {
      Sid       = ""
      Effect    = "Allow"
      # An AWS account/role ARN must be given in the map form; only "*" is valid as a bare string.
      Principal = { AWS = "arn:aws:iam::yyyyprodyyy:root" }
      Action    = "s3:GetObject"
      # Trailing "*" (lost to extraction) restored so the statement covers objects in the bucket.
      Resource  = "arn:aws:s3:::bucket.com/*"
      Condition = {
        StringEquals = {
          # Keys containing ":" must be quoted in HCL.
          "aws:SourceVpc" = "vpc-819"
        }
      }
    },
    {
      Sid       = ""
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::xxxnetworkxx:root" }
      # "s3:*" (leading "*" lost to extraction) restored.
      Action    = "s3:*"
      Resource  = "arn:aws:s3:::bucket.com/*"
      Condition = {
        StringEquals = {
          "aws:SourceVpce" = "vpce-ab"
        }
      }
    },
  ]
}
```
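As an added illustration (not code from this thread or from AWS), a toy evaluator for the two statements above. It models IAM's implicit deny and StringEquals semantics: a request whose context carries no aws:SourceVpce key, which is the case for any request that did not traverse the endpoint (for example one that reached the public S3 IPs the Client VPN authorization rules allow rather than vpce-ab), matches neither statement and is denied, which S3 surfaces as 403. Account and endpoint IDs are the placeholders from the posted policy; identity policies, SCPs and ACLs are outside the model.

```python
import fnmatch

# Constructed JSON rendering of the two statements in the policy above (placeholder IDs kept).
BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::yyyyprodyyy:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket.com/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-819"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::xxxnetworkxx:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::bucket.com/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-ab"}}},
    ]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value):
    # IAM wildcards "*" and "?" behave like shell globs for Action/Resource/Principal.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _conditions_met(condition, ctx):
    # Only StringEquals is modelled. A key absent from the request context
    # (e.g. no aws:SourceVpce because the request never crossed the endpoint)
    # makes StringEquals evaluate to false, exactly as IAM does.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator {operator} not modelled")
        for key, wanted in pairs.items():
            if ctx.get(key) not in _as_list(wanted):
                return False
    return True

def evaluate(policy, principal, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against the bucket policy only."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for st in policy["Statement"]:
        p = st.get("Principal", {})
        principals = _as_list(p if isinstance(p, str) else p.get("AWS", []))
        if not (_match(principals, principal) and _match(st["Action"], action)
                and _match(st["Resource"], resource)
                and _conditions_met(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision
```

Calling evaluate for the network account's root with {"aws:SourceVpce": "vpce-ab"} in the context returns "Allow"; the same call with an empty context returns "Deny".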