By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

access S3 through public vif

0

Dear Team - i have setup public VIF on London region. I am restricting aws ip range advertisement through aws community so only London region s3 Bucket is accessible. However, i am still able to access Virgina location S3 bucket from on-prem test machine running behind the router in UK. How do i make sure that when i access london S3 bucket, it is using public VIF and Virgina region s3 bucket not using Public VIF ?

Topics
Networking & Content Delivery
Tags
AWS Direct Connect
Language
English
JD
asked 3 months ago212 views
1 Answer
1
Accepted Answer

Hello.

Please use the traceroute command to check the route to the S3 endpoint.
https://repost.aws/knowledge-center/direct-connect-connectivity-issues

3. Perform a traceroute from on-premises to AWS to check if the traffic is being forwarded over the Direct Connect public VIF.

  • If traffic is being forwarded over the public VIF, then the traceroute should have the local (on-premises) and remote(AWS) peer IPs associated.
  • If you need to check the network path used within AWS, then launch a public Amazon Elastic Compute Cloud (Amazon EC2) instance. The instance must have the same Region as your AWS service. After launching the instance, perform a traceroute to on-premises. If the traceroute indicates traffic is being forwarded over the internet or through a different VIF, then there could be a specific route being advertised.
profile picture
EXPERT
Riku_Kobayashi
answered 3 months ago
profile picture
EXPERT
Oleksii Bebych
reviewed a month ago
  • JD
    3 months ago

    i did use traceroute. it is completed for London S3 but not completed for us-east S3. However, upload completes for both the buckets. both uses amazon side public VIF in first hop

  • Riku_Kobayashi EXPERT
    3 months ago

    I'm not sure what settings you have on your on-premises router etc., but is it possible that S3 in the Virginia region is also configured to connect via DirectConnect?

  • JD
    3 months ago

    i am using sample config provided on aws public vif page for cisco router.... ip bgp-community new-format ip community-list standard FROM-AWS permit 7224:8100 route-map FROM-AWS permit 100 match community FROM-AWS router bgp XXXXX address-family ipv4 neighbor X.X.X.X route-map FROM-AWS in

  • Riku_Kobayashi EXPERT
    3 months ago

    Can you check the routing table with something like "show ip route"? Check the route in BGP in the routing table. It may be possible that your BGP route includes a Virginia region prefix.

  • JD
    3 months ago

    it does include Virginia region S3 prefix. dont know why. because as per above config, it should only advertized london region. However Tracer route does not complete for virginia region S3 prefix but upload is getting successful through aws s3 cp command

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content