
How can I access my Amazon S3 bucket over Direct Connect?


I want to access my Amazon Simple Storage Service (Amazon S3) bucket over AWS Direct Connect.

Resolution

Use a public IP address to access your bucket

Note: This configuration doesn't require an Amazon Virtual Private Cloud (Amazon VPC) endpoint for Amazon S3 because on-premises traffic can't cross the gateway VPC endpoint.

Complete the following steps:

  1. Request a Direct Connect dedicated connection.
    Note: For a hosted connection instead, you must request it from your AWS Direct Connect Partner and then accept the hosted connection.
  2. Download a Letter of Authorization and Connecting Facility Assignment (LOA-CFA) to establish a cross-network connection.
  3. Create a public virtual interface for your connection.
  4. Configure an end router to use with the public virtual interface.
    Note: For more information, see How do I connect my private network to AWS public services using an AWS Direct Connect public VIF?

After you establish the Border Gateway Protocol (BGP) session for your public virtual interface, the Direct Connect router advertises all global public IP prefixes, including S3 prefixes. Traffic to Amazon S3 routes through the Direct Connect public virtual interface. The public virtual interface routes through a private network connection between AWS and your data center or corporate network.

Use a private IP address with an interface VPC endpoint to access your bucket

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Complete the following steps:

  1. Request a Direct Connect dedicated connection.
    Note: For a hosted connection instead, you must request it from your AWS Direct Connect Partner and then accept the hosted connection.
  2. Download an LOA-CFA to establish a cross-network connection.
  3. Create a private virtual interface for your connection.
    Note: You can also access S3 endpoints when you use a transit virtual interface. For information, see Transit gateway associations across AWS accounts.
  4. Configure an end router to use with your private virtual interface.
    Note: You can use this configuration with a Direct Connect gateway between a private virtual interface and a virtual private gateway. For more information, see How do I configure routing for my Direct Connect private virtual interface?
  5. Create an interface VPC endpoint for Amazon S3 in a VPC that's associated with your virtual private gateway.
    Note: The virtual private gateway must connect to a Direct Connect private virtual interface. The interface VPC endpoint resolves to a private IP address even when you turn on a VPC endpoint for Amazon S3. You can't use a gateway VPC endpoint because your on-premises network can't access it. For more information, see Gateway endpoints for Amazon S3.
  6. When you access Amazon S3, use the same DNS name that's in your VPC endpoint.
    Note: For more information about AWS PrivateLink and DNS options, see Secure hybrid access to Amazon S3 using AWS PrivateLink. For examples, see AWS CLI examples or AWS SDK examples.
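The point of steps 5 and 6 is that S3 traffic only stays on the private virtual interface if the endpoint DNS name you use resolves to addresses inside your VPC. The following added check (not code from the Knowledge Center article or from AWS) parses an S3 interface-endpoint name, assumed to follow the `bucket.vpce-<id>.s3.<region>.vpce.amazonaws.com` shape shown in the PrivateLink for S3 documentation, resolves it, and confirms every address falls inside the VPC CIDR before you pass it as `--endpoint-url`. The resolver is injectable so the sample run below uses constructed addresses instead of real DNS.

```python
import ipaddress
import re
import socket

# Assumed shape of an S3 interface endpoint DNS name, optionally prefixed
# by a bucket name for virtual-hosted style access:
#   [my-bucket.]bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com
_VPCE_DNS = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?bucket\."
    r"(?P<vpce>vpce-[0-9a-f]+-[0-9a-z]+)\.s3\.(?P<region>[a-z0-9-]+)"
    r"\.vpce\.amazonaws\.com$"
)


def parse_endpoint_dns(name: str) -> dict:
    """Split an interface-endpoint DNS name; reject public S3 hostnames."""
    m = _VPCE_DNS.match(name.lower())
    if not m:
        raise ValueError(f"not an S3 interface endpoint DNS name: {name}")
    return m.groupdict()


def default_resolver(host: str) -> list:
    """Resolve a hostname to its A records with the system resolver."""
    return socket.gethostbyname_ex(host)[2]


def check_endpoint(name: str, vpc_cidr: str, resolver=default_resolver) -> dict:
    """Report whether every resolved address lies inside vpc_cidr.

    private_path is True only when the name parsed as an interface endpoint
    and no resolved address is outside the VPC (so it is reachable over the
    private VIF rather than the public internet).
    """
    parts = parse_endpoint_dns(name)
    vpc = ipaddress.ip_network(vpc_cidr)
    addrs = [ipaddress.ip_address(a) for a in resolver(name)]
    outside = [str(a) for a in addrs if a not in vpc]
    return {
        "vpce_id": parts["vpce"],
        "region": parts["region"],
        "endpoint_url": f"https://{name}",  # value for --endpoint-url
        "addresses": [str(a) for a in addrs],
        "outside_vpc": outside,
        "private_path": bool(addrs) and not outside,
    }


if __name__ == "__main__":
    # Constructed sample values; replace with your endpoint name and VPC CIDR.
    sample = "bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com"
    print(check_endpoint(sample, "10.0.0.0/16", resolver=lambda h: ["10.0.1.25"]))
```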

Related information

How do I set up a Direct Connect public VIF?

4 Comments

Why can't a Gateway VPC Endpoint be used instead of an Interface VPC Endpoint?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

Why can't a Gateway VPC Endpoint be used instead of an Interface VPC Endpoint?

I'm guessing because you don't need to? With a Gateway Endpoint, the S3 public DNS name is resolved to a public address in the AWS prefix lists. When resolving from inside the VPC, the VPC resolver does this, and the route table entry you add pointing the prefix list range to the GW Endpoint takes care of routing that traffic through private connectivity. For the hybrid networking scenario, you don't really need your S3 traffic to go through the VPC router, because with a public VIF, DX advertises the AWS service public prefixes to the client-side router [1]. Traffic gets routed directly through the public VIF.

With an interface EP for S3, the endpoint URL resolves to a VPC private IP address (because that's the ENI that is created in the subnet when you create the EP). You need a private VIF in DX to route to that range.

Someone let me know if my thinking is wrong here?

1 - https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html#advertise-prefixes

replied a year ago

Routing to the gateway endpoint depends on the route tables of the VPC, and route tables do not support the use of DNS endpoints for on-prem. (in response to the comment above)

replied a year ago