- Newest
- Most votes
- Most comments
Hello, based on the notes in the question, I am assuming that outside your AWS Organization as in your on-premises or other AWS accounts.
If its on-premises, S3 bucket endpoint URLs are internet accesible, and you would be able to directly access S3 buckets without needing NAT Gateway.
If its other AWS accounts, I would suggest using S3 Gateway VPC endpoint in the respective accounts and update the route table to point to S3 prefix list of that region as destination.
Yes, it is possible to configure your setup so that the VPC endpoint is used only for S3 buckets within your AWS organization, while a NAT gateway is used for external S3 buckets.
The key is to configure the route tables properly. The route table for the subnet(s) containing the VPC endpoint should have a route pointing to the VPC endpoint for the S3 prefix. The main route table (used by subnets without a custom route table) should point to the NAT gateway for the S3 prefix.
With this setup:
-
Requests to internal S3 buckets will route to the VPC endpoint and succeed if allowed by the endpoint policy
-
Requests to external S3 buckets will route to the NAT gateway and get translated to the Internet
-
Requests to internal buckets that are denied by the endpoint policy will fail/timeout rather than falling back to the NAT gateway
Please configure as per below steps:
-
Configure VPC endpoint route table to route S3 traffic to the endpoint
-
Configure main route table to route S3 traffic to the NAT gateway
-
Lock down endpoint policy to allow only internal S3
This will force internal vs external bucket traffic to take the desired paths.
Here is a good AWS doc that provide more details:
AWS Blog - Controlling access to VPC endpoints with VPC endpoint policies: https://aws.amazon.com/blogs/networking-and-content-delivery/controlling-access-to-vpc-endpoints-with-vpc-endpoint-policies/
I am afraid, but I cannot see this working.
- A route table can only be assigned to one subnet.
- When I have a separate subnet for VPCE with separate routing, then I will not have a route table entry for my NAT gateway. On the other hand, when the requester sits within a subnet with your called Default route table, then there will be no route table entry for VPCE.
Relevant content
- Accepted Answerasked 2 years ago
- Accepted Answerasked a year ago
AWS OFFICIALUpdated 7 months ago- How can I configure my Amazon VPC to privately connect to my S3 bucket without using authentication?AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 2 years ago
Hi, Thanks. I indeed mean in other AWS accounts. The S3 gateway endpoint unfortunately is no option, because it uses the Public Endpoint of the AWS service, means the traffic is routed via Public Internet. In addition, AWS S3 Gateway endpoints cannot be shared cross Accounts. "Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3."
Regarding first observation, I don't know if it meets your requirement. However, please note that traffic remains in AWS network in both Gateway/Interface S3 endpoints, with Gateway VPCe using S3 public IP addresses.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
Regarding second observation, I think it meant you cannot extend out of a VPC where the other side is a VPN, VPC peering, transit gateway, or AWS Direct Connect connection. The reason I think this works is below article.
https://repost.aws/knowledge-center/ec2-al1-al2-update-yum-without-internet
The repo buckets are owned by Amazon, but customer AWS accounts would be able to access them with S3 Gateway VPCe.
Your comment really made me think about it again: Both, S3 Gateway Endpoint AND S3 Interface Endpoint stay on AWS internal network. Awesome.
Looking at S3 gateway endpoint: This can be used from a private subnet, that means, you do not assign a Public IP nor do you need an Internet Gateway in order to connect to S3 buckets. In fact, you CANNOT connect to S3 buckets outside of your AWS account / AWS organization - I just tested it via simple curl from a test-VM. You will get a timeout.
For all S3 buckets outside of your AWS account / AWS organization one can use a NAT gateway. One need to deploy an S3 gateway endpoint in each AWS account (instead of a centralized solution) with a central NAT gateway connected via TGW. This way the traffic between internal buckets and external are split.
As the traffic for S3 gateway endpoint stays within AWS network, this is exactly the solution which will work for us. Thanks for the input, psp!