How to access S3 interface endpoint from on-premises using Direct Connect?

0

Hello, we've set up a hosted Direct Connect connection that we want to use to upload files to an S3 bucket using an S3 interface endpoint which has private DNS enabled. However, we cannot seem to access the bucket from on-premises. We can reach the interface endpoint with ping (see below) but cannot establish a connection to place objects in the bucket.

We've taken a few steps to troubleshoot:

  • The S3 interface endpoint's DNS name resolves to a private IP address in our subnet using dig *.vpce-def345-abc123.region.vpce.amazonaws.com +short
  • We can ping an EC2 instance which is in the same subnet as the interface endpoint using its private IP address
  • We can upload an object to the bucket from this EC2 instance using boto3 with a client like private_client = boto3.client(service_name="s3", region_name="region", endpoint_url="http://bucket.vpce-def345-abc123.region.vpce.amazonaws.com"). This implies there isn't an issue with the endpoint or bucket policy.
  • When we ping the interface endpoint from on-premises, it is recorded in the flow logs associated with the interface endpoint's ENI, like 2 <my-aws-account-id> eni-123 <my-ip> <my-eni-private-ip> 0 0 1 5 420 1709659481 1709659541 ACCEPT OK
  • The security group on the interface endpoint allows all outbound traffic (for debugging)
  • The network ACL on the subnet in which we've placed the interface endpoint allows all outbound traffic (for debugging)
  • The route table associated with the subnet has a route to send traffic destined for our on-premises network CIDR to the virtual private gateway
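The flow log record in the list above is an ICMP flow (protocol 1, ports 0/0) that was accepted, which proves the packets are routed over Direct Connect to the endpoint ENI but says nothing about whether TCP/443 is allowed in. As an added example that is not part of the original question, the script below parses default-format VPC Flow Log records (version 2, 14 fields) for the endpoint ENI and reports what happened to TCP/443 flows from the on-premises CIDR. The account id, ENI id, IP addresses, the on-premises CIDR 10.20.30.0/24 and the REJECT record are constructed sample values.

```python
"""Added example (not from the original post): classify VPC Flow Log records
for an interface endpoint ENI so that an ICMP ACCEPT is not mistaken for
proof that TCP/443 from on-premises is reaching the endpoint.

Record layout is the default flow-log format (version 2, 14 fields):
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
All IPs, account ids, ENI ids and CIDRs below are constructed sample values.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class Flow:
    src: str
    dst: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text):
    """Parse default-format records. NODATA/SKIPDATA lines carry '-' in the
    address and port fields and are dropped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["status"] != "OK" or rec["src"] == "-":
            continue
        flows.append(Flow(rec["src"], rec["dst"], int(rec["srcport"]),
                          int(rec["dstport"]), int(rec["protocol"]), rec["action"]))
    return flows


def summarize_from_cidr(flows, onprem_cidr):
    """Count flows whose source is inside the on-prem CIDR, keyed by
    (protocol name, destination port, action)."""
    net = ipaddress.ip_network(onprem_cidr)
    counts = Counter()
    for f in flows:
        if ipaddress.ip_address(f.src) in net:
            proto = PROTO_NAMES.get(f.protocol, str(f.protocol))
            counts[(proto, f.dstport, f.action)] += 1
    return counts


def https_verdict(flows, onprem_cidr):
    """Return 'accepted', 'rejected' or 'absent' for TCP/443 from the on-prem
    CIDR. 'absent' means no such packet reached the ENI at all (look at
    routing / the Direct Connect side); 'rejected' points at the endpoint
    security group or the subnet NACL. ICMP records are ignored on purpose."""
    counts = summarize_from_cidr(flows, onprem_cidr)
    actions = {action for (proto, port, action) in counts
               if proto == "TCP" and port == 443}
    if "ACCEPT" in actions:
        return "accepted"
    if "REJECT" in actions:
        return "rejected"
    return "absent"


# Constructed sample: the ICMP ACCEPT the question describes, a TCP/443 attempt
# from the same on-prem host that the endpoint security group rejected, and a
# NODATA record that the parser must skip.
SAMPLE_LOG = """\
2 123456789012 eni-0abc123 10.20.30.40 10.0.1.25 0 0 1 5 420 1709659481 1709659541 ACCEPT OK
2 123456789012 eni-0abc123 10.20.30.40 10.0.1.25 51234 443 6 3 180 1709659490 1709659550 REJECT OK
2 123456789012 eni-0abc123 - - - - - - - 1709659560 1709659620 - NODATA
"""

if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    for key, n in sorted(summarize_from_cidr(flows, "10.20.30.0/24").items()):
        print(key, n)
    print("TCP/443 from on-prem:", https_verdict(flows, "10.20.30.0/24"))
```

Run against the real flow log export for the endpoint ENI, an "absent" verdict while the ICMP records are present means the TCP packets are not arriving (for example an on-premises firewall or a route that only covers part of the traffic), whereas "rejected" records confirm the packets arrive and are stopped by the security group or NACL.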
4 Answers
0

Hi, I see you mentioned that you allowed outbound on the security group, but for connecting from on-premises to S3 using S3 PrivateLink, you would also need to ensure that the VPC interface endpoint security group's inbound rules allow your on-premises CIDR range on 443. I would suggest verifying this in the inbound rules of the VPC endpoint security group.

psp
answered a month ago
0

Were you able to access bucket.vpce-def345-abc123.region.vpce.amazonaws.com from on-prem as you did from the EC2?

AWS
EXPERT
answered 2 months ago
  • We can resolve the DNS name, and when I ping that address it shows up in the flow logs for the endpoint with ACCEPT, but I cannot instantiate an S3 client and put an object in the bucket.

0

I would suggest using the AWS CLI on the on-prem machine with an S3 list/describe command and the --debug option to see if it's a permission error, a connectivity error, etc. That may give some insight?

Also, what is in the S3 policy? Any VPC CIDR or VPC ID level policy that might be blocking access?

answered 2 months ago
  • Hi, thank you for your reply. The --debug option only tells me that the connection attempt timed out, which makes me think it's a connectivity error?

    The S3 policy should be OK - we're able to place objects in the bucket from an EC2 instance in the same subnet, so I think it must be the connection from on-premises.

0

From your syntax, it looks like you are missing s3 in endpoint_url.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#privatelink-aws-cli-examples

s3_client = session.client( service_name='s3', region_name='us-east-1', endpoint_url='https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com' )

psp
answered a month ago
EXPERT
reviewed a month ago
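A small check for the point made in this answer, added here and not taken from the thread or from AWS: it compares an endpoint_url against the documented bucket.vpce-<id>.s3.<region>.vpce.amazonaws.com shape and rewrites the URL quoted in the question into that form. The accepted first labels (bucket, accesspoint, control) are the endpoint-name styles in the AWS S3 PrivateLink documentation; the function names are my own and only the standard library is used.

```python
"""Added example (not from the thread or from AWS): validate the shape of an
S3 interface-endpoint URL before handing it to boto3's endpoint_url.

Expected hostname layout (AWS S3 PrivateLink docs):
    bucket.vpce-<id>.s3.<region>.vpce.amazonaws.com
The question's URL lacks the 's3' service label and uses http; both are
reported as findings and fixed by suggest_url()."""
from urllib.parse import urlsplit, urlunsplit

ENDPOINT_SUFFIX = ["vpce", "amazonaws", "com"]
ENDPOINT_KINDS = ("bucket", "accesspoint", "control")


def check_endpoint_url(url):
    """Return a list of findings; an empty list means the URL has the expected
    shape (it says nothing about reachability or the security group)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}; the docs example uses https "
                        "(TCP/443, the port the security-group rule must allow)")
    labels = (parts.hostname or "").lower().split(".")
    if labels[-3:] != ENDPOINT_SUFFIX:
        findings.append("hostname does not end in .vpce.amazonaws.com")
        return findings
    if labels[0] not in ENDPOINT_KINDS:
        findings.append(f"first label {labels[0]!r} should be 'bucket' "
                        "(or accesspoint/control)")
    if len(labels) < 2 or not labels[1].startswith("vpce-"):
        findings.append("second label should be the endpoint id (vpce-...)")
    # Labels between the endpoint id and .vpce.amazonaws.com: expect [s3, region].
    middle = labels[2:-3]
    if len(middle) == 1:
        findings.append(f"service label missing: expected '.s3.{middle[0]}.' "
                        "before vpce.amazonaws.com")
    elif len(middle) == 2 and middle[0] != "s3":
        findings.append(f"service label is {middle[0]!r}, expected 's3'")
    elif len(middle) != 2:
        findings.append("unexpected hostname layout")
    return findings


def suggest_url(url):
    """Rewrite the URL into the documented shape: https scheme, and the 's3'
    service label inserted when it is the only thing missing. Other findings
    are left for the caller to handle."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    middle = labels[2:-3]
    if len(labels) >= 5 and labels[-3:] == ENDPOINT_SUFFIX and len(middle) == 1:
        labels.insert(2, "s3")
    host = ".".join(labels)
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


# The two URLs quoted in the thread: the question's and the docs example.
QUESTION_URL = "http://bucket.vpce-def345-abc123.region.vpce.amazonaws.com"
DOCS_URL = "https://bucket.vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com"

if __name__ == "__main__":
    for url in (QUESTION_URL, DOCS_URL):
        print(url)
        for finding in check_endpoint_url(url) or ["ok"]:
            print("  -", finding)
    print("suggested:", suggest_url(QUESTION_URL))
```

Running check_endpoint_url on the question's URL yields two findings (http scheme and the missing s3 label), and suggest_url returns https://bucket.vpce-def345-abc123.s3.region.vpce.amazonaws.com, which is the form the answer above asks for.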
