How can I configure cross-Region VPC interface endpoints for AWS services?


I want to configure cross-Region Amazon Virtual Private Cloud (Amazon VPC) endpoints to access AWS resources using a private link.

Short description

You can deploy resources such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon VPC, and Amazon Relational Database Service (Amazon RDS) in different AWS Regions. This deployment aids in high availability of the resources and provides faster data access to users. You can also deploy VPC gateway endpoints to access AWS public resources, such as Amazon Simple Storage Service (Amazon S3), through a private link. However, you can access these VPC gateway endpoints only from the same Region.

The following is an example scenario. You deploy an Amazon S3 gateway endpoint in the us-west-2 Region. You then have access to S3 buckets in us-west-2 through the gateway endpoint. Traffic to buckets in other Regions travels over the internet gateway of the VPC. If your source AWS resource is in a private subnet with a NAT gateway, then the traffic flows through the NAT gateway. Because of this traffic flow, the NAT gateway incurs higher charges than a VPC endpoint. Because there are no processing or hourly charges for using gateway VPC endpoints, Amazon S3 gateway endpoints are cost efficient by default.

Note: The following example uses Amazon S3 interface endpoints for cross-Region traffic because gateway endpoints don't support cross-Region access. Use the same setup for any VPC interface endpoint.

Resolution

Use the following steps to create VPC peering between VPCs to access endpoints in a different Region.

Note: For this example resolution, the following variables are used:

  • VPC1 (10.100.10.0/24) is in the us-east-1 Region.
  • VPC1 has an Amazon S3 interface endpoint.
  • VPC2 (172.16.20.0/24) is in the us-east-2 Region.
  • Users from the us-east-2 Region want to access the S3 bucket in us-east-1. They want to use the Amazon S3 interface endpoint in us-east-1.

Configure VPC peering between VPC1 and VPC2

1.    Open the Amazon VPC console. Make sure that you are in the us-east-1 Region.

2.    Choose VPC peering connections.

3.    Choose Create peering connection.

4.    Enter a Name for the peering connection.

5.    For Select a local VPC to peer with, enter the VPC ID (in this example, the VPC ID for VPC1).

6.    In Select another VPC to peer with, for Account, select the relevant option depending on the following:

If the remote VPC belongs to the same AWS account, then choose My account.

If the remote VPC belongs to a different AWS account, then choose Another account, and then enter the Account ID.

7.    In Select another VPC to peer with, for Region, select Another Region. Then, enter the remote VPC ID that you want (in this example, the VPC ID for VPC2).

8.    Choose Create peering connection. The peering connection status changes to pending acceptance.

9.    Change the Region to us-east-2.

10.   Open the Amazon VPC console, and then choose VPC peering connections.

11.   Choose Actions, Accept request.

Update the subnet route table and route table target

1.    In us-east-1, add a route to the route table of the subnet that hosts the interface endpoint for 172.16.20.0/24 (VPC2) that targets the peering connection (pcx-xxxxxxxxxxxxxx).

2.    In us-east-2, add a route to the route table of the users' subnet for 10.100.10.0/24 (VPC1) that targets the same peering connection (pcx-xxxxxxxxxxxxxx).

Access the S3 bucket

Access the S3 bucket using VPC endpoint FQDN from the remote VPC:

aws s3 --region us-east-1 --endpoint-url https://bucket.vpce-xxxxxxxxxxx.s3.us-east-1.vpce.amazonaws.com ls s3://my-bucket/

Troubleshooting

  • Make sure that local and remote VPC subnets' route tables have routes that target each other as peer connections.
  • The VPC endpoint permission policy must allow the remote VPC ID.
  • Security groups applied to VPC endpoints must allow the remote VPC subnets.
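The following script is an added example and not AWS's own code. It runs the route-table steps and the troubleshooting checklist above as an offline pre-flight check: it takes data in the JSON shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` (the samples embedded here are constructed, and every ID is a placeholder) and reports which of the peering, route, and security-group requirements are still missing for the VPC1/VPC2 scenario. The endpoint-policy check from the list is not modelled here because it depends on the policy you attach.

```python
"""Pre-flight check for cross-Region peering to an interface endpoint.

Added example, not AWS code. Inputs mirror the JSON returned by
`aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`;
all sample data and IDs below are constructed placeholders.
"""
import ipaddress

# Constructed to match the article's scenario (IDs are placeholders).
VPC1 = {"id": "vpc-1111", "cidr": "10.100.10.0/24", "region": "us-east-1"}
VPC2 = {"id": "vpc-2222", "cidr": "172.16.20.0/24", "region": "us-east-2"}
PEERING_ID = "pcx-0000example"
ENDPOINT_PORT = 443  # the S3 interface endpoint is reached over HTTPS

# Constructed sample in the shape of describe-route-tables output, per Region.
# VPC1's endpoint subnet already routes to VPC2 via the peering; VPC2's
# route table still lacks the return route (step 2 not yet done).
ROUTE_TABLES = {
    "us-east-1": [{"RouteTableId": "rtb-aaaa", "VpcId": "vpc-1111", "Routes": [
        {"DestinationCidrBlock": "10.100.10.0/24", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "172.16.20.0/24", "VpcPeeringConnectionId": "pcx-0000example",
         "State": "active"}]}],
    "us-east-2": [{"RouteTableId": "rtb-bbbb", "VpcId": "vpc-2222", "Routes": [
        {"DestinationCidrBlock": "172.16.20.0/24", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000example", "State": "active"}]}],
}

# Constructed sample in the shape of describe-security-groups output: the
# security group attached to the interface endpoint in VPC1 only allows VPC1.
ENDPOINT_SG = {"GroupId": "sg-cccc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.100.10.0/24"}]}]}


def cidrs_overlap(a, b):
    """VPC peering requires non-overlapping CIDR blocks on both sides."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def has_peering_route(route_tables, vpc_id, dest_cidr, pcx_id):
    """True if a route table of vpc_id has an active route for dest_cidr
    whose target is pcx_id. Routes to a deleted peering show State=blackhole
    and are not accepted."""
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for r in rt["Routes"]:
            if (r.get("DestinationCidrBlock") == dest_cidr
                    and r.get("VpcPeeringConnectionId") == pcx_id
                    and r.get("State", "active") == "active"):
                return True
    return False


def sg_allows(sg, cidr, port, proto="tcp"):
    """True if the security group has an inbound rule whose CIDR range
    contains `cidr` and whose port range covers `port` (or allows all)."""
    net = ipaddress.ip_network(cidr)
    for p in sg["IpPermissions"]:
        if p["IpProtocol"] not in (proto, "-1"):
            continue
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
        if p["IpProtocol"] == "-1" or lo <= port <= hi:
            for rng in p.get("IpRanges", []):
                if net.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                    return True
    return False


def check_setup(vpc1, vpc2, pcx_id, route_tables, endpoint_sg, port=ENDPOINT_PORT):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cidrs_overlap(vpc1["cidr"], vpc2["cidr"]):
        findings.append("CIDRs overlap: peering requires non-overlapping ranges")
    if not has_peering_route(route_tables[vpc1["region"]], vpc1["id"], vpc2["cidr"], pcx_id):
        findings.append(f"{vpc1['id']}: no active route for {vpc2['cidr']} via {pcx_id}")
    if not has_peering_route(route_tables[vpc2["region"]], vpc2["id"], vpc1["cidr"], pcx_id):
        findings.append(f"{vpc2['id']}: no active route for {vpc1['cidr']} via {pcx_id}")
    if not sg_allows(endpoint_sg, vpc2["cidr"], port):
        findings.append(f"endpoint SG {endpoint_sg['GroupId']}: no inbound tcp/{port} "
                        f"rule covering {vpc2['cidr']}")
    return findings


if __name__ == "__main__":
    # With the constructed sample this reports the missing VPC2 return route
    # and the endpoint security group that does not yet allow VPC2.
    for finding in check_setup(VPC1, VPC2, PEERING_ID, ROUTE_TABLES, ENDPOINT_SG):
        print("FAIL:", finding)
```

To use it against a real account, replace the constructed dictionaries with the `RouteTables` list from `aws ec2 describe-route-tables` in each Region and the endpoint's security group from `aws ec2 describe-security-groups`; each finding maps directly to one of the troubleshooting bullets above.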

AWS OFFICIAL