1 Answer
You're correct (from the comments) that an S3 Gateway Endpoint isn't the right thing to use because it only allows access from IP addresses within the VPC. That said, if you were using Wireguard to "get" to the VPC and then NAT on the instance terminating the Wireguard session so that the traffic appears to originate from that EC2 instance, that would work.
So let's assume you're using an Interface Endpoint (powered by PrivateLink). As long as the VPC has a route back to your on-premises machine (via your Wireguard instance), you should be fine. Ensure that you have the EC2 source/destination check disabled on the instance terminating the Wireguard session; otherwise that traffic will get dropped.
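The answer above boils down to three preconditions (interface endpoint present, a return route for the on-prem prefix via the tunnel instance, source/destination check off) plus the observation that a gateway endpoint only serves VPC-sourced traffic. The following is an added example, not code from the thread or from AWS: a preflight checker for those conditions. The EC2 client is injected so the same functions run against `boto3.client("ec2")` or, as here, against a constructed fake returning the documented response shapes. All instance, route table, VPC and CIDR values are placeholders.

```python
"""Preflight checks for reaching S3 from on-prem over a WireGuard tunnel
terminated on an EC2 instance (added example; ids and CIDRs are placeholders)."""
import ipaddress


def source_dest_check_disabled(ec2, instance_id):
    """The tunnel instance forwards packets that are neither from nor to its own
    address, so EC2 source/destination checking must be off or they are dropped."""
    attr = ec2.describe_instance_attribute(InstanceId=instance_id,
                                           Attribute="sourceDestCheck")
    return attr["SourceDestCheck"]["Value"] is False


def return_route_present(ec2, route_table_id, onprem_cidr, tunnel_instance_id):
    """Replies from the endpoint ENI need an active route for the on-prem prefix
    (or a covering prefix) that points at the WireGuard instance."""
    want = ipaddress.ip_network(onprem_cidr)
    for rt in ec2.describe_route_tables(RouteTableIds=[route_table_id])["RouteTables"]:
        for route in rt.get("Routes", []):
            cidr = route.get("DestinationCidrBlock")
            if not cidr or route.get("State") != "active":
                continue
            if want.subnet_of(ipaddress.ip_network(cidr)) and \
                    route.get("InstanceId") == tunnel_instance_id:
                return True
    return False


def s3_interface_endpoint_available(ec2, vpc_id, region):
    """An Interface (PrivateLink) endpoint for S3 in this VPC, in state available.
    Filters are passed to the API; the match is re-checked client-side."""
    service = f"com.amazonaws.{region}.s3"
    resp = ec2.describe_vpc_endpoints(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": "service-name", "Values": [service]},
    ])
    return any(e.get("VpcId") == vpc_id and e.get("ServiceName") == service
               and e.get("VpcEndpointType") == "Interface"
               and e.get("State") == "available"
               for e in resp.get("VpcEndpoints", []))


def gateway_endpoint_suits_source(src_ip, vpc_cidr):
    """A Gateway endpoint only accepts traffic sourced from a VPC address, so an
    on-prem source would first have to be NATed on the tunnel instance."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(vpc_cidr)


def preflight(ec2, cfg):
    """Run all checks; every False is something to fix before blaming the tunnel."""
    return {
        "source_dest_check_disabled": source_dest_check_disabled(
            ec2, cfg["tunnel_instance_id"]),
        "return_route_present": return_route_present(
            ec2, cfg["route_table_id"], cfg["onprem_cidr"], cfg["tunnel_instance_id"]),
        "s3_interface_endpoint_available": s3_interface_endpoint_available(
            ec2, cfg["vpc_id"], cfg["region"]),
    }


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client with the documented response
    shapes. It models a VPC where the return route and endpoint exist but
    source/destination checking was never turned off on the tunnel instance."""

    def describe_instance_attribute(self, InstanceId, Attribute):
        return {"InstanceId": InstanceId, "SourceDestCheck": {"Value": True}}

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": RouteTableIds[0], "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
             "State": "active"},
            {"DestinationCidrBlock": "192.168.50.0/24", "InstanceId": "i-0wireguard0000000",
             "NetworkInterfaceId": "eni-0wg00000000000000", "State": "active"},
        ]}]}

    def describe_vpc_endpoints(self, Filters):
        return {"VpcEndpoints": [{"VpcId": "vpc-0example00000000",
                                  "ServiceName": "com.amazonaws.us-east-1.s3",
                                  "VpcEndpointType": "Interface",
                                  "State": "available"}]}


SAMPLE_CFG = {  # constructed placeholder values
    "tunnel_instance_id": "i-0wireguard0000000",
    "route_table_id": "rtb-0example00000000",
    "onprem_cidr": "192.168.50.0/24",
    "vpc_id": "vpc-0example00000000",
    "region": "us-east-1",
}

if __name__ == "__main__":
    for check, ok in preflight(FakeEc2(), SAMPLE_CFG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
```

With a real client the only change is `preflight(boto3.client("ec2"), cfg)`; the sample fake deliberately fails the source/destination check, which is the silent drop the answer warns about.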
Hi, you would need two things. You could create them manually without using the SAM template.
S3 endpoints are a bit different compared to VPC endpoints.
An S3 endpoint is a Gateway endpoint, which serves as a target for a route in your route table for traffic destined for the service, whereas a VPC endpoint is a private Interface endpoint, which is powered by PrivateLink and uses an elastic network interface (ENI) as an entry point for traffic destined to the service.
PS: S3 can also have an interface endpoint.
So just for an update here. I have a tunnel working using Wireguard using a Linux EC2 instance, which is our company standard for such things. Would I be better off using some sort of Amazon service? Should it matter if the traffic terminates here? Not really having connectivity issues, my on-prem machines can resolve DNS.
I went to create S3 Interface Endpoint and am stuck in some sort of error loop. Started a second thread on that ( https://repost.aws/questions/QUeJsY_nepTvmJeBc_iZUPdw/how-do-i-create-a-vpc-endpoint-for-s-3-interface ) specific issue.
I CAN create an S3 Gateway endpoint but my understanding is that will only work for services in the VPC and won't support my link from back on-prem.