No, even if your AWS resources communicate with each other in the same AWS Region, the network traffic doesn't go over the internet. However, you do need to use resources such as a NAT Gateway (which incurs additional costs) and an internet gateway (IGW) to make VPC traffic go over the internet. Even traffic between two AWS Regions (such as from your Amazon EC2 instance with a public IP address to an S3 bucket in another commercial Region) will go over the AWS Global Backbone. From the Building a Scalable and Secure Multi-VPC AWS Network Infrastructure whitepaper:
All network traffic between regions is encrypted, stays on the AWS global network backbone, and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.
To avoid using an IGW, consider using a VPC endpoint.
See also the Amazon VPC FAQ, which states:
Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?
No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.
In addition, all data flowing across the AWS global network that interconnects our data centers and Regions is automatically encrypted at the physical layer before it leaves our secured facilities. Additional encryption layers exist as well; for example, all VPC cross-region peering traffic, and customer or service-to-service Transport Layer Security (TLS) connections.
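A defender's check for the VPC-endpoint-versus-IGW point above, added here as an example and not part of the original answer: given the JSON that `aws ec2 describe-route-tables` returns, classify where each subnet's S3-bound traffic exits. The S3 prefix list ID (`pl-0example` below) is a placeholder; in a real account it comes from `aws ec2 describe-prefix-lists`, and every other ID in the sample is constructed.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output;
# every ID here is a placeholder, not a real resource.
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
         {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example", "State": "active"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]}


def s3_egress_path(route_table, s3_prefix_list_id):
    """Return 'vpc-endpoint', 'internet-gateway', 'nat-gateway', 'other' or 'none'.

    A gateway endpoint installs a route to the S3 managed prefix list (pl-...)
    targeting a vpce-... ID; those CIDRs are more specific than 0.0.0.0/0, so the
    endpoint wins whenever its route is active. Otherwise the default route decides.
    """
    default = None
    for route in route_table["Routes"]:
        if route.get("State") != "active":
            continue  # blackhole routes (e.g. a deleted NAT gateway) carry no traffic
        if (route.get("DestinationPrefixListId") == s3_prefix_list_id
                and route.get("GatewayId", "").startswith("vpce-")):
            return "vpc-endpoint"
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            default = route
    if default is None:
        return "none"  # no path to S3 at all
    if default.get("GatewayId", "").startswith("igw-"):
        return "internet-gateway"
    if "NatGatewayId" in default:
        return "nat-gateway"
    return "other"


def audit(describe_output, s3_prefix_list_id):
    """Map each explicitly associated subnet to its S3 egress path."""
    return {assoc["SubnetId"]: s3_egress_path(rtb, s3_prefix_list_id)
            for rtb in describe_output["RouteTables"]
            for assoc in rtb.get("Associations", []) if "SubnetId" in assoc}
```

Subnets that come back as `internet-gateway` or `nat-gateway` are the ones where adding a gateway endpoint removes the IGW/NAT hop (and the NAT charges) for S3 traffic.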