How can I access my Amazon S3 bucket over Direct Connect?


I want to access my Amazon Simple Storage Service (Amazon S3) bucket over AWS Direct Connect. How can I do that?

Short description

You can establish access to Amazon S3 in the following ways:

  • Use a public IP address over Direct Connect
  • Use a private IP address over Direct Connect (with an interface VPC endpoint)

Resolution

Use a public IP address over Direct Connect

To connect to Amazon S3 using a public IP address over Direct Connect, perform the following steps:

Note: This configuration doesn't require an Amazon Virtual Private Cloud (Amazon VPC) endpoint for Amazon S3. A VPC endpoint isn't required because on-premises traffic can't traverse the Gateway VPC endpoint.

  1. Create a connection. You can request a dedicated connection or hosted connection.
  2. Establish a cross-network connection with the help of your network provider.
  3. Create a public virtual interface for your connection.
  4. Configure an end router to use with the public virtual interface. For more information on configuring your router, see How do I connect my private network to AWS public services using an AWS Direct Connect public VIF?

After the BGP session is up and established, the Direct Connect router advertises all global public IP prefixes, including the Amazon S3 prefixes. Traffic heading to Amazon S3 is routed through the Direct Connect public virtual interface. The public virtual interface itself runs over the private network connection between AWS and your data center or corporate network.

Use a private IP address over Direct Connect (with an interface VPC endpoint)

To access Amazon S3 using a private IP address over Direct Connect, perform the following steps:

  1. Create a connection. You can request a dedicated connection or hosted connection.
  2. Establish a cross-network connection with the help of your network provider.
  3. Create a private virtual interface for your connection.
    Note: Users can also access Amazon S3 endpoints using a transit virtual interface. For more information, see Transit gateway associations across accounts.
  4. Configure an end router to use with the private virtual interface. For more information about configuring your router, see How do I configure routing for my Direct Connect private virtual interface?
    Note: You can use this setup with a Direct Connect gateway between a private virtual interface (private VIF) and a virtual private gateway (VGW).
  5. Create an interface VPC endpoint for Amazon S3 in a VPC that is associated with the virtual private gateway. The VGW must connect to a Direct Connect private virtual interface. The DNS name of this interface VPC endpoint resolves to a private IP address even if a gateway VPC endpoint for S3 is also turned on in the VPC.
  6. When you access Amazon S3, use the same DNS name provided under the details of the VPC endpoint. For more information on AWS PrivateLink and DNS considerations, see Secure hybrid access to Amazon S3 using AWS PrivateLink. For more examples, see AWS Command Line Interface (AWS CLI) examples or AWS SDK example.
    Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
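The check a practitioner wants after step 6 is confirmation that the endpoint-specific DNS name really resolves to an address inside the VPC before relying on it, because if the on-premises resolver returns the public Amazon S3 addresses instead, the traffic is not using the private VIF path at all. The following added example (not code from the AWS article) builds the endpoint-specific URL from the DNS label shown under the endpoint's details, checks every resolved address against the VPC CIDR, and assembles the matching AWS CLI `--endpoint-url` call. The endpoint label `vpce-1a2b3c4d-5e6f`, the VPC CIDR `10.0.0.0/16`, the bucket name and the resolver results in `main()` are constructed placeholders, not values from the page.

```python
"""Added example, not from the AWS Knowledge Center article.

Verifies that an S3 interface VPC endpoint's DNS name resolves to addresses
inside the VPC (so traffic stays on the Direct Connect private VIF) and
builds the AWS CLI command that targets that endpoint.

Constructed placeholders: vpce-1a2b3c4d-5e6f, 10.0.0.0/16, example-bucket.
"""
import ipaddress
import socket
from typing import Callable, Dict, List


def vpce_bucket_url(vpce_dns_label: str, region: str) -> str:
    """Build the bucket-style URL for an S3 interface endpoint.

    The label must be copied from the DNS names listed under the endpoint's
    details; the 'bucket.' prefix selects the name used for bucket operations.
    """
    return f"https://bucket.{vpce_dns_label}.s3.{region}.vpce.amazonaws.com"


def hostname(url: str) -> str:
    """Strip scheme and path, leaving only the host part of a URL."""
    return url.split("://", 1)[1].split("/", 1)[0]


def resolve_ipv4(host: str) -> List[str]:
    """Default resolver: every IPv4 address the local resolver returns."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def addresses_within_vpc(addresses: List[str], vpc_cidr: str) -> bool:
    """True only if at least one address was returned and all lie in the VPC CIDR."""
    net = ipaddress.ip_network(vpc_cidr)
    return bool(addresses) and all(ipaddress.ip_address(a) in net for a in addresses)


def check_endpoint(url: str, vpc_cidr: str,
                   resolver: Callable[[str], List[str]] = resolve_ipv4) -> Dict:
    """Resolve the endpoint host and report whether it stays inside the VPC.

    A False result means the name resolved to public S3 addresses (or nothing),
    so requests would not use the private VIF path this endpoint was built for.
    """
    host = hostname(url)
    addrs = resolver(host)
    return {"host": host, "addresses": addrs,
            "within_vpc": addresses_within_vpc(addrs, vpc_cidr)}


def aws_cli_command(url: str, region: str, bucket: str) -> List[str]:
    """The CLI invocation that sends the request to the interface endpoint."""
    return ["aws", "s3", "ls", f"s3://{bucket}/",
            "--region", region, "--endpoint-url", url]


def main() -> None:
    url = vpce_bucket_url("vpce-1a2b3c4d-5e6f", "us-east-1")

    # Constructed resolver results stand in for a real DNS lookup so the
    # example runs offline; replace with the default resolver for a live check.
    private_answer = lambda host: ["10.0.1.25", "10.0.2.40"]
    public_answer = lambda host: ["52.216.8.1"]  # constructed public-looking address

    print(check_endpoint(url, "10.0.0.0/16", resolver=private_answer))
    print(check_endpoint(url, "10.0.0.0/16", resolver=public_answer))
    print(" ".join(aws_cli_command(url, "us-east-1", "example-bucket")))


if __name__ == "__main__":
    main()
```

Run `main()` with the default `resolve_ipv4` resolver from an on-premises host to test the live path; a `within_vpc` value of `False` there is the signal to fix DNS forwarding (see the PrivateLink DNS considerations linked above) before treating the connection as private.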

Related information

AWS PrivateLink for Amazon S3

AWS OFFICIAL
Updated 2 years ago
3 Comments

Why can't a Gateway VPC Endpoint be used instead of an Interface VPC Endpoint?

C
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 months ago

Why can't a Gateway VPC Endpoint be used instead of an Interface VPC Endpoint?

I'm guessing because you don't need to? With a Gateway Endpoint, the S3 public DNS name is resolved to a public address in the AWS prefix lists. When resolving from inside the VPC, the VPC resolver does this, and the route table entry you add pointing the prefix list range to the GW Endpoint takes care of routing that traffic through private connectivity. For the hybrid networking scenario, you don't really need your S3 traffic to go through the VPC router, because with a public VIF, DX advertises the AWS service public prefixes to the client-side router [1]. Traffic gets routed directly through the public VIF.

With an interface EP for S3, the endpoint URL resolves to a VPC private IP address (because that's the ENI that is created in the subnet when you create the EP). You need a private VIF in DX to route to that range.

Someone let me know if my thinking is wrong here?

1 - https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html#advertise-prefixes

cd
replied 9 days ago