Whether it's a pre-signed URL or not isn't relevant here: a pre-signed URL is still a web address of the form https://[bucketname].s3.[region].amazonaws.com/ and anything trying to access it will try to route to that in the normal way, which will more than likely be over the public internet (at least to start with; if you are using something like Global Accelerator then the traffic will get off the public internet and onto the AWS network sooner).
You mention that you have a private-only VPC that contains an S3 bucket. Buckets are not contained within a VPC. You may have set up an endpoint in a VPC and configured a route that allows resources in that VPC to access the bucket without going across the public internet. But this by itself doesn't prevent the public internet from being a source of inbound access to the bucket; this is access that can be limited using bucket policies, e.g.:
- Restrict bucket access to a specific IP range: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-IP
- Restrict bucket access to a specific VPC: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html#example-bucket-policies-restrict-access-vpc
If the Salesforce SaaS client is running within a subnet of a VPC that has a route to a VPC endpoint that allows access to the S3 bucket then these GETs and PUTs are not going over the public internet. If the client is running elsewhere (e.g. on-prem, or in another cloud somewhere else) then the access will be over the public internet. The only exception to this would be some specific networking config that would force the (e.g.) on-prem client to go across a VPN or DX link to the VPC, and then use the endpoint to get to the bucket privately. But I think if there was something like that in place then you probably wouldn't be asking this question.
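As an added illustration of the bucket-policy point above (this is example code, not part of the re:Post thread or an AWS-provided script), the following Python builds the "restrict access to a specific VPC endpoint" policy from the linked documentation and then runs a minimal evaluator over three constructed request contexts for the same pre-signed GET: one arriving through the endpoint, one from the public internet, and one through a different endpoint. The bucket name and endpoint id are placeholders. The evaluator models one IAM rule that matters for this policy: for a negated operator such as StringNotEquals, a condition key that is missing from the request context makes the condition evaluate to true, which is exactly why a request from the public internet (which carries no aws:SourceVpce key) is denied even though the pre-signed URL itself is valid.

```python
"""Added example (not from the re:Post thread): a bucket policy that denies
any S3 request not arriving through one VPC endpoint, plus a tiny evaluator
showing how a pre-signed URL fetched from the public internet is rejected
while the same URL fetched through the endpoint is allowed.

Bucket name and endpoint id are placeholders chosen for the example."""
import json

BUCKET = "example-private-bucket"      # placeholder, not a real bucket
VPCE_ID = "vpce-0123456789abcdef0"     # placeholder endpoint id


def build_vpce_only_policy(bucket: str, vpce_id: str) -> dict:
    """Return a bucket policy (as a dict) modelled on the AWS documentation
    example "Restricting access to a specific VPC endpoint".
    An explicit Deny wins over any Allow, including the Allow that a
    pre-signed URL carries from the signer's credentials."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAllUnlessFromVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id}
                },
            }
        ],
    }


def deny_statement_applies(statement: dict, context: dict) -> bool:
    """Evaluate only the subset of policy language the example policy uses:
    one Deny statement with a StringNotEquals condition.

    IAM rule modelled here: for a negated operator such as StringNotEquals,
    a condition key that is absent from the request context makes the
    condition evaluate to true. A request arriving from the public internet
    carries no aws:SourceVpce key at all, so the Deny matches it."""
    if statement["Effect"] != "Deny":
        return False
    for key, expected in statement["Condition"]["StringNotEquals"].items():
        actual = context.get(key)
        if actual is None or actual != expected:
            return True   # condition satisfied, so the Deny applies
    return False


def request_allowed(policy: dict, context: dict) -> bool:
    """True if no Deny statement in the policy matches the request context.
    The pre-signed URL supplies the Allow; this evaluator only asks whether
    the bucket policy overrides it."""
    return not any(deny_statement_applies(s, context)
                   for s in policy["Statement"])


POLICY = build_vpce_only_policy(BUCKET, VPCE_ID)

# Constructed request contexts for the same pre-signed GET.
FROM_ENDPOINT = {"aws:SourceVpce": VPCE_ID, "aws:SourceIp": "10.0.12.34"}
FROM_INTERNET = {"aws:SourceIp": "203.0.113.10"}            # no aws:SourceVpce
FROM_OTHER_VPCE = {"aws:SourceVpce": "vpce-0fedcba9876543210"}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, ctx in [("via VPC endpoint", FROM_ENDPOINT),
                      ("from public internet", FROM_INTERNET),
                      ("via a different endpoint", FROM_OTHER_VPCE)]:
        verdict = "allowed" if request_allowed(POLICY, ctx) else "DENIED"
        print(f"{name:26s} -> {verdict}")
```

One caveat worth keeping in mind when applying such a policy for real: the Deny applies to every principal, including the account's own administrators and the console, so any request that does not traverse the named endpoint (including the one that would later edit the policy) is refused; the AWS documentation page linked above calls this out, and in practice the policy is usually tested on a non-critical bucket first or combined with an exception for an administrative principal.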
Thank you for your answer,
we have chosen to use a pre-signed URL to (1) avoid transiting thousands of files over the PrivateLink and thus avoid potential bottlenecks, and (2) because PrivateLink seems to be a bit expensive if we transit thousands of files/second over the AWS private link.
Are those correct assumptions?
Thank you!
Whether pre-signed URLs are used or not isn't going to make a difference to #1: if routing/endpoints/etc. are set up for the client to be able to access the bucket over PrivateLink, then PrivateLink will be used.
#2 depends on the number of files, and the size of each file, and the cumulative size of all the data.