The AWS blog below is in Japanese, but I think it matches what you want to do.
I am using a VPN to access an S3 static hosting site from on-premises by creating an interface VPC endpoint and using it as a target for an NLB.
https://aws.amazon.com/jp/blogs/news/internal-static-web-hosting/
Gateway endpoints are not transitive and can only be used by resources running in the same VPC as the endpoint. From the documentation:
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3.
So you need to use an S3 interface endpoint instead of a gateway endpoint.
You can create a Route 53 inbound Resolver endpoint in the same VPC and set your company's DNS server to forward the DNS queries for your domain (URL) to that endpoint. This way, when your on-prem clients want to reach the bucket, they will be routed through the endpoint in order to reach the bucket. I suggest you read this blog post to help you understand it better: https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/
Ok, I can try this approach, but I believe I would also need to modify the URL on which I am trying to access the website by incorporating the endpoint details? Maybe you have any examples?
In this blog, an ALB is used instead of an NLB. Is there a difference in this scenario? Also, is ACM mandatory? My website is going to be accessed by multiple people, so would all of them need to install certificates on their machines? We are using Tailscale VPN; what if I added its IPs to the bucket policy? Sorry if my questions don't make sense, I'm not an expert on this matter.
Since the access is via HTTP, I think you should use an ALB.
ACM is not required. It is required if you want to perform HTTPS communication using a custom domain. It is possible to create an ACM SSL certificate for a public domain and link it to a private ALB.
In order to apply IP restrictions to the bucket policy, I think the following policy would be used. The following policy is a policy that only allows access via VPC endpoints. This will make it impossible to access S3 via communication that does not go through the VPC.
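As an added illustration of the kind of bucket policy described in the answer above (this is not the answer's own policy, which is not shown on the page), the document below allows object reads only when the request arrives through one specific S3 interface endpoint, identified by the global condition key `aws:SourceVpce`. The bucket name `my-internal-site` and the endpoint ID `vpce-0000000000example` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadsFromInterfaceEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-internal-site/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-0000000000example"
        }
      }
    },
    {
      "Sid": "DenyAnythingNotFromInterfaceEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-internal-site",
        "arn:aws:s3:::my-internal-site/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0000000000example"
        }
      }
    }
  ]
}
```

The explicit Deny is what gives the "impossible to access S3 outside the VPC" property: an IAM identity-based Allow elsewhere cannot override it. That also means administrative access from the console or CLI outside the endpoint is blocked, so before attaching a policy like this, either exclude an administrative role in the Deny condition (for example with an additional `ArnNotEquals` on `aws:PrincipalArn`) or be prepared to edit the policy from inside the VPC.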