Hi, I see you mentioned that you allowed outbound on the security group, but for connecting from on-premises to S3 using S3 PrivateLink, you would also need to ensure that the VPC interface endpoint security group's inbound rules allow your on-premises CIDR range on 443. I would suggest verifying this in the inbound rules of the VPC endpoint security group.
Were you able to access bucket.vpce-def345-abc123.region.vpce.amazonaws.com from on-prem as you did from the EC2?
We can resolve the DNS name, and when I ping that address it shows up in the flow logs for the endpoint with ACCEPT, but I cannot instantiate an S3 client and put an object in the bucket.
I would suggest using the AWS CLI on the on-prem machine with an S3 list/describe command and the --debug option to see if it's a permission error, a connectivity error, etc. That may give some insight?
Also, what is in the S3 policy? Any VPC CIDR or VPC ID level policy that might be blocking access?
Hi, thank you for your reply. The --debug option only tells me that the connection attempt timed out, which makes me think it's a connectivity error?
The S3 policy should be OK - we're able to place objects in the bucket from an EC2 instance in the same subnet, so I think it must be the connection from on-premises.
From your syntax, it looks like you are missing s3 in endpoint_url
https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#privatelink-aws-cli-examples

```python
import boto3

# The bucket-style interface endpoint name carries an "s3" label
# between the endpoint id and the region.
session = boto3.Session()
s3_client = session.client(
    service_name='s3',
    region_name='us-east-1',
    endpoint_url='https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com',
)
```
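As an added example (not code from this thread or from AWS), the following pure-Python check splits an endpoint_url into its DNS labels and reports whether it follows the bucket-style layout quoted above, bucket.vpce-&lt;id&gt;.s3.&lt;region&gt;.vpce.amazonaws.com, flagging specifically the dropped "s3" label. The two sample URLs are the ones that appear in this thread; the tcp_reachable helper is an assumed diagnostic that only opens a TCP connection to port 443, which is the same connectivity question the --debug timeout raised.

```python
import socket
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class EndpointCheck:
    ok: bool
    reason: str
    vpce_id: Optional[str] = None
    region: Optional[str] = None


def check_s3_vpce_endpoint_url(url: str) -> EndpointCheck:
    """Validate the label layout of a bucket-style S3 interface-endpoint URL.

    Expected host labels: bucket . vpce-<id> . s3 . <region> . vpce . amazonaws . com
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return EndpointCheck(False, "scheme must be https; the interface endpoint listens on 443")
    labels = (parts.hostname or "").lower().split(".")
    if labels[-3:] != ["vpce", "amazonaws", "com"]:
        return EndpointCheck(False, "host does not end in .vpce.amazonaws.com")
    if labels[0] != "bucket":
        return EndpointCheck(False, "host must start with the 'bucket.' label")
    if len(labels) < 5 or not labels[1].startswith("vpce-"):
        return EndpointCheck(False, "second label must be the endpoint id (vpce-...)")
    middle = labels[2:-3]  # should be ["s3", "<region>"]
    if len(middle) == 1:
        # This is the mistake discussed in the thread: region present, service label missing.
        return EndpointCheck(False, f"missing the 's3' service label before region '{middle[0]}'")
    if len(middle) != 2 or middle[0] != "s3":
        return EndpointCheck(False, "expected '<vpce-id>.s3.<region>' before vpce.amazonaws.com")
    return EndpointCheck(True, "well-formed", vpce_id=labels[1], region=middle[1])


def tcp_reachable(url: str, timeout: float = 5.0) -> bool:
    """Assumed helper: can this host open a TCP connection to the endpoint on 443?

    A False here (timeout / refused) points at routing, NACLs or the endpoint
    security group rather than at the bucket policy or IAM.
    """
    host = urlsplit(url).hostname or ""
    try:
        with socket.create_connection((host, 443), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Sample URLs taken from the thread (sanitised placeholders, not live endpoints).
    for sample in (
        "https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com",
        "https://bucket.vpce-def345-abc123.region.vpce.amazonaws.com",
    ):
        result = check_s3_vpce_endpoint_url(sample)
        print(f"{sample}\n  ok={result.ok} reason={result.reason}")
```

Run the name check first; only when it passes is a TCP probe to 443 meaningful, and only when the probe succeeds does a 403 from the CLI point at the bucket policy or IAM rather than the network path.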
Good spot - I made a mistake sanitising my endpoint URL. I'm using something like https://bucket.vpce-abc234-def567.s3.region.vpce.amazonaws.com
The same syntax works when I used it from an EC2 instance in the same subnet as the interface endpoint.
Hi, thanks for taking a look! The interface endpoint's security group allows all traffic on all ports from my on-premise CIDR.
I should mention we're using a private VIF, I believe this should work but I've seen some contradictory information about this.