Pricing for traffic within a region EC2 <-> S3

0

Hello, I need to connect multiple S3 buckets to my EC2 instance. The buckets and the ec2-instance are in the same region (eu-central-1).

According to the price list, internal data traffic between EC2 and S3 in the same region is free. Correct?

Which address is required internally? Also, s3.eu-central-1.amazonaws.com?

Hacky
asked 5 months ago 247 views
3 Answers
0

Ok, thanks for the detailed answer.

I don't have much experience with VPC endpoints yet.

I create an endpoint to com.amazonaws.eu-central-1.s3 as gateway and what happens next?

How can I then access S3 from my EC2-instance via the endpoint?

Hacky
answered 5 months ago
  • Lots of detail in here, but it's worth persevering with https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

    Without endpoints, EC2's access to the bucket goes out to the internet gateway (possibly via NAT Gateway), and from there across the public internet to the bucket. All uploads and downloads have to take that path.

    With an endpoint, it's as if the bucket is another resource in your VPC. Everything remains within AWS and never touches the public internet.

0

Ok, I read the article and that's how I understand it:

  1. I create an endpoint in my VPC, type: gateway s3.eu-central-1
  2. I change my routing table with the CIDRs of the S3-service in eu-central-1.
  3. Any S3 data traffic from my ec2-instance is routed directly internally via the VPC and the S3 gateway.

From my instance, I make a "ping" to s3.eu-central-1.amazonaws.com. Now, ping gives me an IP address. The IP address is contained in the routing table.

How can I still check whether the traffic is really routed internally and not via the Internet gateway?

And, configuration ok?

Hacky
answered 5 months ago
  • Hello Hacky,

    To check whether the traffic is flowing through VPC Endpoint or not, please refer to: https://repost.aws/knowledge-center/vpc-check-traffic-flow.

    Also if you have followed the steps provided by Steve, then your configuration will be OK. Without reviewing the config it is hard to say if it is correct or not.
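The route-table check discussed in this thread, as an added example that is not part of any post above: given the JSON from `aws ec2 describe-route-tables` and `aws ec2 describe-prefix-lists`, it reports which target the VPC would pick for an S3 IP address resolved from the instance. It assumes longest-prefix-match route selection; every ID and CIDR in the sample data is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the shape of the "Routes" list returned by
# `aws ec2 describe-route-tables`. IDs and CIDRs are made up.
ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
    {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example", "State": "active"},
]

# Constructed stand-in for `aws ec2 describe-prefix-lists`: prefix list ID -> Cidrs.
PREFIX_LISTS = {"pl-0example": ["198.51.100.0/24", "203.0.113.0/25"]}


def expand_routes(routes, prefix_lists):
    """Yield (network, target) pairs; prefix-list routes become one pair per CIDR.

    Only IPv4 CIDR and prefix-list destinations are handled in this example.
    """
    for route in routes:
        if route.get("State") != "active":
            continue  # blackhole routes carry no traffic
        target = route.get("GatewayId") or route.get("NatGatewayId") or "other"
        if "DestinationCidrBlock" in route:
            yield ipaddress.ip_network(route["DestinationCidrBlock"]), target
        elif "DestinationPrefixListId" in route:
            for cidr in prefix_lists.get(route["DestinationPrefixListId"], []):
                yield ipaddress.ip_network(cidr), target


def next_hop(ip, routes, prefix_lists):
    """Return the target of the most specific route that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, tgt) for net, tgt in expand_routes(routes, prefix_lists)
               if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def uses_gateway_endpoint(ip, routes, prefix_lists):
    """True when the selected route points at a VPC endpoint (vpce-...)."""
    hop = next_hop(ip, routes, prefix_lists)
    return hop is not None and hop.startswith("vpce-")


if __name__ == "__main__":
    for ip in ("198.51.100.10", "192.0.2.5", "10.0.1.4"):
        print(ip, "->", next_hop(ip, ROUTES, PREFIX_LISTS))
```

This checks configuration only. An address that falls outside the prefix list's CIDRs is sent to the default route even when the endpoint exists.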

0

Hello Hacky,

If you are transferring the data to the S3 bucket directly using the DNS address, then regardless of the location of the bucket, you will be charged for data transfer, as EC2 has data transfer out charges and the data transfer will be considered as transfer out to the internet. The pricing details are here.

However to eliminate the data transfer out charges, you can set up a VPC endpoint for your S3 bucket. That will ensure that the traffic flows over AWS network and remains secure.

AWS
mukul
answered 5 months ago
Expert
reviewed 5 months ago
