How can I access VPC Endpoints from On-Prem?


Hey folks,

I'd like for our on-prem uses of the AWS APIs to use the internal VPC Endpoints.

I kinda of assumed that it would be as simple as establish a tunnel from on-prem >> VPC then point at a Resolver and BAM, it would work. But having some trouble on the side provisioning the endpoints themselves.

From there I was working off this, but it is based on "SAM" and not really something I can reproduce myself easily

I setup a S3 endpoint and and it resolves on-prem to the VPC's IP. But even when specifying the internal endpoint in a aws s3 ls --endpoint-url ... the command times out. I am guessing there are some additional permission I need to set or routing that I don't have my head around.

I am out of ideas right now, any recipes (terraform preferred) you can point me to? Or reading on the subject?

thanks in advance,


  • Hi, You would need two things. you could create them manually without using the SAM template.

    1. DNS forwarding from on-premises to AWS
    2. A site-to-site VPN and security groups to allow the connectivity

    S3 endpoints are a bit different compared to VPC endpoints.

    S3 endpoint is a Gateway endpoint, which serves as a target for a route in your route table for traffic destined for the service where as VPC endpoint is a private Interface endpoint, which is powered by PrivateLink, and uses an elastic network interface (ENI) as an entry point for traffic destined to the service.

    PS: S3 can also have an interface endpoint.

  • So just for an update here. I have a tunnel working using Wireguard using a Linux EC2 instance, which is our company standard for such things. Would I be better off using some sort of Amazon service? Should it matter if the traffic terminates here? Not really having connectivity issues, my on-prem machines can resolve DNS.

    I went to create S3 Interface Endpoint and am stuck in some sort of error loop. Started a second thread on that ( ) specific issue.

    I CAN create an S3 Gateway endpoint but my undertanding is that will only work for services in the VPC and won't support my link from back on-prem.

asked 2 years ago3618 views
1 Answer

You're correct (from the comments) that a S3 Gateway Endpoint isn't the right thing to use because it only allows access from IP addresses within the VPC. That said, if you were using Wireguard to "get" to the VPC; then NAT on the instance terminating the Wireguard session so that the traffic appears to originate on that EC2 instance then that would work.

So let's assume you're using an Interface Endpoint (powered by PrivateLink). As long as the VPC has a route back to your on-premises machine (via your Wireguard instance) then you should be fine. Ensure that you have the EC2 source/destination check disabled on the instance terminating the Wireguard session otherwise that will get dropped.

profile pictureAWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions