Enable private DNS only for inbound endpoint


Dear Team - As per https://aws.amazon.com/blogs/storage/introducing-private-dns-support-for-amazon-s3-with-aws-privatelink/ and https://aws.amazon.com/about-aws/whats-new/2023/03/amazon-s3-private-connectivity-on-premises-networks/:

"These options allow you to take advantage of the lowest-cost private network path without having to make code or configuration changes to your clients."

Before this too, we could create the interface S3 endpoint and were able to connect from on-prem through the resolver endpoint. At the same time, as per my understanding, we were able to connect to S3 internally from the VPC through the Gateway endpoint, as per the older blog https://aws.amazon.com/blogs/networking-and-content-delivery/secure-hybrid-access-to-amazon-s3-using-aws-privatelink/.

**So the question is: how is the new "Enable private DNS only for inbound endpoint" feature cost effective compared to not using this feature?**

1 Answer
Accepted Answer

This is because you don't pay for S3 gateways, and I believe if you had S3 endpoints and a gateway, the endpoints would override the gateway.

With this new feature, you can run both endpoints and gateways, where hosts in a VPC use a gateway and your on-prem uses the endpoints.

You pay for transfer over endpoints, whereas you do not over the gateway. This is where the costs differ. By using a gateway in the VPC you do not need to pay for transfers.

answered 8 months ago
  • Thanks a lot for the answer. Do you have a reference document which states the below?

    "if you had S3 endpoints and a gateway, the endpoints would override the gateway."

  • Yes, it's in the 2nd link of your question. Technically it would override the gateway. You'd have to target the S3 buckets using the custom DNS names assigned to your endpoints, and access to buckets would be via these endpoints. If you do not use custom names, then the gateway would route public IP addresses for S3 buckets via the S3 gateway. I never included this in my answer, apologies.

    The enablement of DNS names allows on-prem to resolve all S3 buckets to the endpoint. Because you can't route transitively to an S3 gateway, you have to use endpoints.

  • Thank you for the reply.
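The split the accepted answer describes, written out as an added Terraform sketch (not from the thread, AWS, or either blog post): a gateway endpoint for in-VPC hosts, an interface endpoint whose private DNS only answers queries arriving through the Route 53 Resolver inbound endpoint, and security groups that limit who can reach each. The `dns_options` attribute name, the variable names, and the assumption that the on-prem DNS forwards the S3 zone to the inbound endpoint are mine, not the page's.

```hcl
# Assumed inputs (not from the thread): fill with your own IDs/CIDRs.
variable "region"                  { default = "us-east-1" }
variable "vpc_id"                  {}
variable "private_route_table_ids" { type = list(string) }
variable "endpoint_subnet_ids"     { type = list(string) }   # two AZs
variable "onprem_cidr"             { default = "10.200.0.0/16" }  # constructed

# Gateway endpoint: VPC hosts keep resolving public S3 IPs and are routed
# here by the route-table prefix-list entry. No per-GB endpoint charge.
resource "aws_vpc_endpoint" "s3_gateway" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

# Only on-prem should hit the interface endpoint, and only over HTTPS.
resource "aws_security_group" "s3_iface" {
  vpc_id = var.vpc_id
  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    cidr_blocks = [var.onprem_cidr]
  }
}

# Interface endpoint for on-prem. private_dns_enabled plus the inbound-only
# option means the private zone for *.s3.<region>.amazonaws.com is served
# only to queries entering via the Resolver inbound endpoint, so VPC hosts
# are not silently moved onto the billed interface path.
resource "aws_vpc_endpoint" "s3_interface" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.endpoint_subnet_ids
  security_group_ids  = [aws_security_group.s3_iface.id]
  private_dns_enabled = true
  dns_options {
    private_dns_only_for_inbound_resolver_endpoint = true  # assumed attr name
  }
}

# Inbound Resolver endpoint that on-prem DNS conditionally forwards to.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "s3-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.s3_iface.id]  # add UDP/TCP 53 from on-prem
  ip_address { subnet_id = var.endpoint_subnet_ids[0] }
  ip_address { subnet_id = var.endpoint_subnet_ids[1] }
}
```

To confirm the split after applying, resolve a bucket name from an on-prem host and from a VPC host: the former should return the endpoint ENIs' private IPs, the latter public S3 IPs.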
