I want to check whether my Amazon Simple Storage Service (Amazon S3) traffic goes through a gateway Amazon Virtual Private Cloud (Amazon VPC) endpoint or an interface Amazon VPC endpoint.
Resolution
Check traffic flow over a gateway VPC endpoint
To check traffic flow over a gateway VPC endpoint, either use a TCP-based traceroute or configure Amazon S3 server access logging.
Use a TCP-based traceroute
Note: In the following commands, replace example-region-code with your AWS Region.
Run the following commands:
For HTTP
sudo traceroute -T -p 80 s3.example-region-code.amazonaws.com
For HTTPS
sudo traceroute -T -p 443 s3.example-region-code.amazonaws.com
Example output for traffic flow without a gateway endpoint:
traceroute to s3.us-east-1.amazonaws.com (16.182.42.160), 30 hops max, 60 byte packets
1 * * *
2 240.4.88.37 (240.4.88.37) 0.645 ms 240.4.88.43 (240.4.88.43) 0.529 ms 240.4.88.36 (240.4.88.36) 0.521 ms
3 240.4.88.49 (240.4.88.49) 0.513 ms 240.4.88.48 (240.4.88.48) 0.505 ms 240.4.88.51 (240.4.88.51) 0.496 ms
4 240.4.88.90 (240.4.88.90) 0.488 ms 240.4.88.85 (240.4.88.85) 0.588 ms 240.4.88.92 (240.4.88.92) 0.580 ms
5 * * *
6 s3-1.amazonaws.com (16.182.42.160) 0.504 ms 0.444 ms 0.675 ms
Note: Traffic that goes to Amazon S3 over the internet produces traceroute results similar to those shown above for traffic without a gateway endpoint, so this output alone does not distinguish the two paths.
Example output for traffic flow with a gateway endpoint:
traceroute to s3.us-east-1.amazonaws.com (52.217.224.112), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 s3-1.amazonaws.com (52.217.224.112) 0.610 ms 0.692 ms 0.640 ms
Note: For traceroute outputs that have a gateway endpoint, only the last hop is visible. Traceroute results are similar for ports 80 and 443.
Configure Amazon S3 server access logging
To identify the source of each request, turn on Amazon S3 server access logging. Each log record includes the remote IP address of the requester, so you can see which resource made the request.
Check traffic flow over an interface VPC endpoint
To confirm the traffic flow through the Amazon S3 endpoint, check the IP address of the source resource that connects to Amazon S3. When you set up an interface Amazon VPC endpoint, AWS deploys an elastic network interface with a private IP address in the subnet. This deployment allows communication with Amazon S3 buckets from resources within the Amazon VPC and on-premises resources that connect to the Amazon VPC through AWS Direct Connect or AWS Site-to-Site VPN. It also allows communication with resources in other Amazon VPCs when you use centralized Amazon VPC endpoint architecture patterns.
Check whether you turned on private DNS for the S3 endpoint. If you turn on private DNS, then S3 endpoints resolve to the private endpoint IP addresses.
You can also turn on private DNS only for the inbound endpoint. If you turn on this option, then DNS queries for Amazon S3 that originate on-premises resolve to the private IP addresses of S3 interface endpoints. Amazon S3 DNS queries that originate within the VPC continue to use the gateway Amazon VPC endpoint and resolve to public IP addresses of Amazon S3.
Note: When you select the Enable DNS name option for an S3 interface endpoint, AWS turns on the Enable private DNS only for inbound endpoints option by default.
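The following shell helpers, added here and not part of this article, combine the two checks above: classify_ip reports whether the address that s3.REGION.amazonaws.com resolves to is private (what private DNS on an S3 interface endpoint returns), and classify_trace reads TCP traceroute output and reports whether any intermediate hop answered, which is the gateway endpoint pattern shown earlier. The live wrapper check_s3_path assumes sudo, traceroute and getent are available; the sample outputs are constructed from the article's examples.

```shell
#!/bin/sh
# Added example, not AWS code. Interprets the article's checks offline.

# classify_ip ADDRESS -> "private" for RFC 1918 space, otherwise "public".
# An interface endpoint with private DNS resolves S3 to a private address;
# a gateway endpoint (or the internet) resolves it to a public one.
classify_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
    *) echo public ;;
  esac
}

# classify_trace < traceroute-output
# "gateway-endpoint": only the final hop answered (article's gateway pattern).
# "intermediate-hops:N": N hops before the destination replied, so traffic
# took another path (for example a NAT gateway or internet gateway).
classify_trace() {
  awk '
    /^ *[0-9]+ / { hops++; if (index($0, "(") > 0) answered[hops] = 1 }
    END {
      if (hops == 0) { print "no-hops"; exit }
      n = 0
      for (h = 1; h < hops; h++) if (answered[h]) n++
      if (n == 0) print "gateway-endpoint"; else print "intermediate-hops:" n
    }'
}

# check_s3_path REGION [PORT]: live check. Assumes sudo, traceroute (-T)
# and getent exist on the host; needs network access, so it is not tested here.
check_s3_path() {
  host="s3.$1.amazonaws.com"; port="${2:-443}"
  addr=$(getent hosts "$host" | awk 'NR==1 {print $1}')
  echo "$host resolves to $addr ($(classify_ip "$addr"))"
  sudo traceroute -T -p "$port" "$host" | classify_trace
}

# Constructed samples modelled on the article's outputs (abridged).
SAMPLE_NO_ENDPOINT='traceroute to s3.us-east-1.amazonaws.com (16.182.42.160), 30 hops max, 60 byte packets
 1  * * *
 2  240.4.88.37 (240.4.88.37)  0.645 ms  240.4.88.43 (240.4.88.43)  0.529 ms
 3  * * *
 4  s3-1.amazonaws.com (16.182.42.160)  0.504 ms  0.444 ms  0.675 ms'
SAMPLE_GATEWAY='traceroute to s3.us-east-1.amazonaws.com (52.217.224.112), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  s3-1.amazonaws.com (52.217.224.112)  0.610 ms  0.692 ms  0.640 ms'
```

Run check_s3_path us-east-1 from an instance in the VPC; a private address plus "gateway-endpoint" or "intermediate-hops:0" style output confirms the traffic never leaves the AWS network through a NAT or internet gateway.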
Use the Amazon CloudWatch ActiveConnections and BytesProcessed metrics to monitor your Amazon VPC endpoint usage. For more information, see Endpoint metrics and dimensions.
Related information
How do I troubleshoot connectivity issues when I use interface VPC endpoints to connect to my Amazon S3 bucket?
How do I troubleshoot connectivity issues with my gateway Amazon VPC endpoints?
Access an AWS service using an interface VPC endpoint
Choosing Your VPC Endpoint Strategy for Amazon S3