If you want the instances in the public subnet to use the S3 Gateway Endpoint, add the same rule that exists in the private route table, the one that routes the S3 public endpoint IPs to the gateway endpoint. If you add this rule, it will take precedence over the rule that routes all traffic to the internet gateway.
Hi,
Based on your architecture: if you deploy your EC2 instance in a public subnet and transfer data to S3, it will use the IGW for data transfer to S3. It looks like you have deployed your S3 endpoint in the private subnet. When you do so, a route is automatically added to the private route table pointing to the S3 endpoint, which traverses the Amazon backbone to reach your S3 bucket. This traffic is all private and won't be traversing the internet.
Please be advised that the Interface Endpoint for S3, also known as AWS PrivateLink for S3, allows you to establish a private connection between your VPC and S3 by using Elastic Network Interfaces (ENIs). Unlike the VPC S3 Gateway Endpoint [1], which relies on VPC route tables, the S3 Interface Endpoint [2] leverages AWS PrivateLink technology.
References:
[1] https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
[2] https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html
An EC2 instance, in either a public or a private subnet, will attempt to route to the internet to reach S3.
If you want to keep the data transfer away from the internet, you should set up an S3 VPC gateway endpoint. This provisions an S3 gateway route in your VPC route table, allowing instances to access S3 via the gateway rather than over the internet.
When you create an S3 Gateway Endpoint in your VPC, it will be added to the route tables of the subnets you select. For those subnets, the route table is updated with a route to the S3 PrivateLink connection. This route in the route table will have a prefix list ID, which is essentially an IP list of all the S3 public interfaces in the region. Since this route is more specific than the 0.0.0.0/0 route to the internet, all traffic intended for an S3 bucket in the region will go over the private link.
If you want to verify the traffic routing, you can do a tracert to the bucket from the EC2 instance with and without the Gateway Endpoint. Another option is to use the S3 VPC Endpoint. It does incur a small charge but then you have the ability to restrict access to an S3 bucket to the specific S3 VPC Endpoint.
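The route-precedence behaviour these answers describe (the S3 prefix-list route being more specific than 0.0.0.0/0, and adding the same route to the public subnet's route table so it wins over the IGW route), modelled as an added Python example that is not part of this thread. The route tables, the prefix-list CIDRs and every resource ID below are constructed placeholders shaped like `aws ec2 describe-route-tables` and `aws ec2 get-managed-prefix-list-entries` output.

```python
"""Model longest-prefix-match route selection for an S3 gateway endpoint.

Added example, not from the re:Post thread. All data below is constructed;
IDs are placeholders, and the S3 CIDRs are illustrative, not the real ranges.
"""
import ipaddress

# Constructed: an S3 managed prefix list expanded to its CIDR entries, as
# returned by `aws ec2 get-managed-prefix-list-entries --prefix-list-id ...`.
PREFIX_LISTS = {
    "pl-00000000": ["52.216.0.0/15", "3.5.0.0/19"],  # placeholder S3 ranges
}

# Constructed route tables, shaped like the "Routes" entries of DescribeRouteTables.
PRIVATE_RT = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationPrefixListId": "pl-00000000", "GatewayId": "vpce-0000000000000000"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000000000000000"},
]
PUBLIC_RT = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0000000000000000"},
]


def expand_routes(routes):
    """Yield (network, target) pairs, expanding prefix-list routes into their CIDRs."""
    for r in routes:
        target = r.get("GatewayId") or r.get("NatGatewayId") or r.get("NetworkInterfaceId")
        if "DestinationPrefixListId" in r:
            for cidr in PREFIX_LISTS[r["DestinationPrefixListId"]]:
                yield ipaddress.ip_network(cidr), target
        else:
            yield ipaddress.ip_network(r["DestinationCidrBlock"]), target


def next_hop(routes, dst_ip):
    """Return the target of the most specific matching route (longest prefix wins)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, tgt) for net, tgt in expand_routes(routes) if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def with_gateway_route(routes, prefix_list_id, vpce_id):
    """Copy of a route table with the S3 prefix-list route added (the fix for a public subnet)."""
    return routes + [{"DestinationPrefixListId": prefix_list_id, "GatewayId": vpce_id}]
```

Running `next_hop` for an S3 address against the private table returns the `vpce-` target, against the untouched public table the `igw-` target, and against the public table after `with_gateway_route` the `vpce-` target again, while non-S3 destinations still leave through the IGW.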
Hi All,
Thanks a lot for taking your time and replying to my query.
Hi @kentrad,
Thanks for your comment. I made the changes as per the guide provided. I have a few observations; please clarify if possible. I did a ping and a traceroute from EC2 to S3.
https://repost.aws/questions/QU5morJc1MRRS5dr332Avm_g/data-transfer-from-ec2-to-s3-privately#ANOuBii508RzaOH3a_LPmAUA