Bear in mind that using public IP addressing does not necessarily mean "public internet". Indeed, looking at the VPC FAQ we state: "When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network."
In reality, because S3 uses TLS the security benefit here comes down to the endpoint policies allowing you to restrict access to specific S3 buckets rather than anything else.
And because the traffic between regions goes over the same backbone network whether you are using public IP addresses or private IP addresses (via VPC or Transit Gateway peering), the latency difference will be negligible.
S3 Gateway Endpoints are zero cost but can only be accessed from within the VPC that they are created in. S3 PrivateLink endpoints can be accessed from other peered VPCs but they do come with a cost to do that.
In summary: Choose the architecture which is lowest cost and meets your requirements.
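An endpoint policy of the kind the answer above refers to, added here as an example and not taken from the original answer: it limits what can traverse an S3 gateway endpoint to a named bucket. The bucket name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyApprovedBucketThroughEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER",
        "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*"
      ]
    }
  ]
}
```

Requests sent through the endpoint to any bucket not listed here are denied, while the bucket policy and the caller's IAM permissions are still evaluated as usual; the endpoint policy narrows access, it does not grant any on its own.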
I would go with the VPC peering and interface endpoint.
Have you considered using S3 replication to each region? Then have a Gateway endpoint on each VPC.