
S3 Interface Endpoint

0

Right now there are two types of VPC Endpoint for S3, the Gateway and Interface Endpoints. Regarding the Interface endpoints, there are two kinds of endpoints, global (com.amazonaws.s3-global.accesspoint) and regional (com.amazonaws.us-east-1.s3). Here are my questions:

  1. What are the differences between the two?
  2. In what particular scenario(s) can we use those endpoints?
  3. And when accessing the S3 interface endpoints via java SDK, there are also two kinds of endpoints, "accesspoint.vpce......vpce.amazonaws.com" and "bucket.vpce......vpce.amazonaws.com", which should I use to access a bucket and download the objects keys of that bucket?
  4. And what are the differences between the two, "accesspoint.vpce..." and "bucket.vpce...."

Thanks in advance,

3 Answers
0
Accepted Answer

What are the differences between the two?

Those two S3 interface endpoints have different purposes. The global S3 interface endpoint is for S3 Multi-Region Access Points and the other one is for normal use cases.

In what particular scenario(s) can we use those endpoints?

As I said, the global S3 interface endpoint is for Multi-Region Access Points, so if you plan to use Multi-Region Access Points and you want to access the bucket privately, you should use the global S3 interface endpoint. If you don't plan to use Multi-Region Access Points, you don't need to use it, but you can use the S3 interface endpoint to access an S3 bucket or a single-region access point privately.

And when accessing the S3 interface endpoints via java SDK, there are also two kinds of endpoints, "accesspoint.vpce......vpce.amazonaws.com" and "bucket.vpce......vpce.amazonaws.com", which should I use to access a bucket and download the objects keys of that bucket?

If you use a Multi-Region Access Point, you should use the S3 interface endpoint that starts with "access.vpce..". If not, you should use the S3 interface endpoint that starts with "bucket.vpce".

And what are the differences between the two, "accesspoint.vpce..." and "bucket.vpce...."

I explained the difference between the two different S3 interface endpoints. If there is no difference except the subdomain name between two DNS names, they should be the same type of S3 interface endpoint.

Please refer to below.

The S3 interface endpoint for Multi-Region Access Points should look like ".vpce-randomvalue.accesspoint.s3-global.region-code.vpce.amazonaws.com". The S3 interface endpoint for all other use cases should look like ".vpce-randomvalue.region-code.vpce.amazonaws.com".

Here is some explanation about "Configuring a Multi-Region Access Point for use with AWS PrivateLink" use case.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointsPrivateLink.html

answered 8 months ago
  • Thank you. It is clear now. Though, I have another question.

    For S3 Multi-Region Access Points, I need to create an S3 Access Point to the bucket that I want to access, right? Without an S3 Access Point on the bucket, I can't use the "Global S3 interface endpoint", right?

  • There are two types of S3 Access Points. If you want to have a Multi-Region Access Point, you must create a Multi-Region Access Point. In this case, you can use the S3 global interface endpoint if you want to access it privately. Without the S3 global interface endpoint, you can access the Multi-Region Access Point with the public endpoint.

    If you want to use just a single-region access point to the bucket, you can use a normal S3 Access Point. In this case, you can use the S3 interface endpoint (not the global one) if you want to access the AP privately.

    Thanks Eunsu
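Here is an added example (not code from the question, the answers, or AWS) of the "bucket.vpce..." case described in the accepted answer: listing the keys of a bucket and downloading one object through a regional S3 interface endpoint with the AWS SDK for Java v2. The endpoint DNS name, region, bucket name, object key and download path are placeholders that you must replace with your own values.

```java
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;
import software.amazon.awssdk.services.s3.model.ListObjectsV2Request;
import software.amazon.awssdk.services.s3.model.S3Object;

public class S3ViaInterfaceEndpoint {

    // Placeholder values (assumptions for this example). The endpoint DNS name is the
    // "bucket.vpce-..." name shown on the VPC endpoint in the console or in
    // `aws ec2 describe-vpc-endpoints`; the region must match the endpoint's region.
    static final String ENDPOINT_URL =
            "https://bucket.vpce-0123456789abcdef0-abcdefgh.s3.us-east-1.vpce.amazonaws.com";
    static final Region REGION = Region.US_EAST_1;
    static final String BUCKET = "my-private-bucket";
    static final String KEY = "reports/2024/q1.csv";
    static final Path DOWNLOAD_TO = Paths.get("/tmp/q1.csv");

    public static void main(String[] args) {
        // endpointOverride sends every request to the interface endpoint instead of the
        // public S3 endpoint, so the traffic never leaves the VPC (or the network that
        // reaches it over VPN/Direct Connect). The SDK still adds the bucket name as a
        // virtual-hosted prefix, i.e. https://my-private-bucket.bucket.vpce-...
        try (S3Client s3 = S3Client.builder()
                .region(REGION)
                .endpointOverride(URI.create(ENDPOINT_URL))
                .build()) {

            // List all keys. The paginator follows continuation tokens, so buckets with
            // more than 1000 objects are listed completely rather than truncated.
            ListObjectsV2Request listReq = ListObjectsV2Request.builder()
                    .bucket(BUCKET)
                    .build();
            for (S3Object obj : s3.listObjectsV2Paginator(listReq).contents()) {
                System.out.printf("%s\t%d bytes%n", obj.key(), obj.size());
            }

            // Download one object to a local file through the same private endpoint.
            GetObjectRequest getReq = GetObjectRequest.builder()
                    .bucket(BUCKET)
                    .key(KEY)
                    .build();
            GetObjectResponse resp = s3.getObject(getReq, DOWNLOAD_TO);
            System.out.println("Downloaded " + KEY + " (ETag " + resp.eTag() + ")");
        }
    }
}
```

A check worth doing once this works: because the client is pinned to the endpoint, you can enforce the private path from the bucket side with a bucket policy condition on `aws:SourceVpce` matching your endpoint ID (for example in a Deny statement with `StringNotEquals`), so a request that accidentally goes out the public endpoint is rejected rather than silently succeeding. For a Multi-Region Access Point you would instead point `endpointOverride` at the "accesspoint.vpce..." name of the global endpoint, as the accepted answer describes, and follow the PrivateLink page linked above for the request details.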

0

Interface endpoints work the same way that all other AWS service interface endpoints work; they appear as a local IP in your VPC (probably multiple - one per AZ) and can be reached by resources in that VPC; by resources in other VPCs that are peered or accessible via Transit Gateway; and by resources on premises connected by VPN or Direct Connect. Gateway endpoints are only accessible by resources within the VPC they are created in (there is an edge case here - create a proxy in that VPC - but even then the traffic appears to come from the proxy, so it still holds).

Interface endpoints have a charge associated with them; Gateway endpoints do not. In general, using Gateway endpoints is the better choice because of cost, but it does depend on your use case.

Most endpoints can be used for pretty much any purpose you like, with a couple of exceptions. Access points (for example) can be used to further restrict access to specific buckets, so calls outside that scope will fail. VPC endpoints can only be used to access S3 resources in the same region as the VPC itself. Website endpoints are a little different again, and website access isn't supported via Interface endpoints.

Hope this answers your questions.

EXPERT
answered 8 months ago
  • Thank you. This answer is for VPC endpoints in general. I'm looking for particular information about the two different VPC Endpoints for S3, which was explained by Eunsu_Shin.

0

To add to the answers above:

S3 Interface Endpoint and Gateway Endpoints - when to use which type https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3

Examples for S3 Interface Endpoint and Gateway Endpoint for Single VPC and Multi-VPC https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

answered 8 months ago
