Using presigned URLs to privately exchange files


Hi everyone,

I have a private-only VPC that contains an S3 bucket, to allow the Salesforce SaaS to upload/download files to/from my bucket.

The Salesforce SaaS uses a pre-signed URL, generated by a Lambda function running in my VPC, to PUT/GET files in my S3 bucket.

I would like to know whether files transmitted between my VPC and the Salesforce SaaS client (via the pre-signed URL) traverse the public internet or use AWS's private network infrastructure.

In general, when using pre-signed URLs to GET/PUT objects, does the traffic go over the public internet?

Thank you for clarifications!

1 Answer

Whether it's a pre-signed URL or not isn't relevant here. A pre-signed URL is still a web address of the form https://[bucketname].s3.[region].amazonaws.com/ and anything trying to access it will route to that in the normal way, which will more than likely be over the public internet (at least to start with; if you are using something like Global Accelerator then the traffic will get off the public internet and onto the AWS network sooner).

You mention that you have a private-only VPC that contains an S3 bucket - buckets are not contained within a VPC. You may have set up an endpoint in a VPC and configured a route that allows resources in that VPC to access the bucket without going across the public internet. But this by itself doesn't prevent the public internet being a source of inbound access to the bucket; this is access that can be limited using bucket policies, e.g.:

Restrict bucket access to a specific IP range https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-IP

Restrict bucket access to a specific VPC https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-access-vpc

If the Salesforce SaaS client is running within a subnet of a VPC that has a route to a VPC endpoint that allows access to the S3 bucket then these GETs and PUTs are not going over the public internet. If the client is running elsewhere (e.g. on-prem, or in another cloud somewhere else) then the access will be over the public internet. The only exception to this would be some specific networking config that would force the (e.g.) on-prem client to go across a VPN or DX link to the VPC, and then use the endpoint to get to the bucket privately. But I think if there was something like that in place then you probably wouldn't be asking this question.

EXPERT
Steve_M
answered 8 months ago
  • Thank you for your answer,

    We have chosen to use a pre-signed URL to 1 - avoid transiting thousands of files over PrivateLink and thus avoid potential bottlenecks, 2 - PrivateLink seems to be a bit expensive if we transit thousands of files/second over the AWS private link.

    Are those correct assumptions?

    Thank you!

  • Whether pre-signed URLs are used or not isn't going to make a difference to #1 - if routing/endpoints/etc. are setup for the client to be able to access the bucket over PrivateLink then PrivateLink will be used.

    #2 depends on the number of files, and the size of each file, and the cumulative size of all the data.
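As an added illustration of the second bucket-policy link in the answer above (this is example configuration, not text from the answer or a verbatim copy of the AWS documentation), here is the shape of a policy that denies object GET/PUT unless the request arrives through a specific VPC endpoint. A pre-signed URL presented from outside that endpoint (for instance from the Salesforce side) is then refused, regardless of the signature being valid. The bucket name, endpoint ID, account ID and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyObjectAccessOutsideVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLEID"
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/EXAMPLE-ADMIN-ROLE"
        }
      }
    }
  ]
}
```

Because the statement is a Deny with Principal "*", it also blocks your own users and roles (including the Lambda that signs the URLs) whenever they reach the bucket from outside the endpoint; the aws:PrincipalArn exception is there so one named role can still manage the bucket from elsewhere.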
