VPC Endpoint for Amazon S3: simple connectivity from AWS


Let's discuss VPC Endpoint's value, common use cases, and how to get it up and running with the AWS CLI.

Last month Amazon Web Services introduced VPC Endpoint for Amazon S3. In this article I am going to explain exactly what this means, how it will change – and improve – the way AWS resources communicate with each other, and how you can get it running with the AWS CLI.
Not that it’s quite complete yet, mind you:

Currently, we support endpoints for connections with Amazon S3 within the same region only. We’ll add support for other AWS services later.

Accessing S3 the old way (without VPC Endpoint)

Traditionally, when creating a VPC with a private subnet you would set up security groups and access control lists (ACLs) to control inbound and outbound traffic. Because this is a private subnet, by default it has no access to any outside public resources. Consequently, should you need access to an outside resource, you would need to set up an Internet Gateway and route traffic through a NAT instance.
So, for example, if your EC2 instance runs an application that needs access to a file stored in an S3 bucket, this is how it had to be done before VPC Endpoint:

[Figure: A private subnet with the main route table set up]

Accessing S3 with VPC Endpoint 

Now, however, accessing S3 resources from within a private VPC subnet is much simpler. There’s no longer any need to configure a gateway or NAT instances. And as an added bonus, these endpoints are easy to set up, highly reliable, and provide a secure connection to S3.

[Figure: With VPC Endpoint for Amazon S3, accessing buckets is a much simpler process]

If you'd prefer to work with the console to create a VPC Endpoint, you can follow the clear directions from the official AWS Blog. However, I am going to show you how to do it using the AWS CLI. (By the way, Cloud Academy has a great course guiding you through the AWS CLI if you could use some help.)

Creating and Using VPC Endpoints with the AWS CLI

When we create our VPC endpoint we will use the following commands:

  1. describe-route-tables (Get our VPC Id and route table for the endpoint)
  2. create-vpc-endpoint (Create your VPC endpoint)
  3. describe-vpc-endpoints (List your VPC endpoint)
  4. delete-vpc-endpoints (Delete a VPC endpoint)

So first, get our VPC ID and route table ID to use for the endpoint:

$ aws ec2 describe-route-tables

Your output should look something like this:

--------------------------------------------------------------------------------------------------------
|                                          DescribeRouteTables                                         |
+------------------------------------------------------------------------------------------------------+
||                                             RouteTables                                            ||
|+-------------------------------------------------+--------------------------------------------------+|
||  RouteTableId                                   |  rtb-0404a561                                    ||
||  VpcId                                          |  vpc-731e0711                                    ||
|+-------------------------------------------------+--------------------------------------------------+|
|||                                           Associations                                           |||
||+------------------------------------------------------+-------------------------------------------+||
|||  Main                                                |  False                                    |||
|||  RouteTableAssociationId                             |  rtbassoc-a4339dc1                        |||
|||  RouteTableId                                        |  rtb-0404a561                             |||
|||  SubnetId                                            |  subnet-fcbb5b99                          |||
||+------------------------------------------------------+-------------------------------------------+||
|||                                              Routes                                              |||
||+-----------------------------------------------------+--------------------------------------------+||
|||  DestinationCidrBlock                               |  172.31.0.0/16                             |||
|||  GatewayId                                          |  local                                     |||
|||  Origin                                             |  CreateRouteTable                          |||
|||  State                                              |  active                                    |||
||+-----------------------------------------------------+--------------------------------------------+||
|||                                               Tags                                               |||
||+---------------------------------+----------------------------------------------------------------+||
|||  Key                            |  Name                                                          |||
|||  Value                          |  endpointroute                                                 |||
||+---------------------------------+----------------------------------------------------------------+||
||                                             RouteTables                                            ||
|+-------------------------------------------------+--------------------------------------------------+|
||  RouteTableId                                   |  rtb-b1849cd3                                    ||
||  VpcId                                          |  vpc-731e0711                                    ||
|+-------------------------------------------------+--------------------------------------------------+|
|||                                           Associations                                           |||
||+------------------------------------------------------+-------------------------------------------+||
|||  Main                                                |  True                                     |||
|||  RouteTableAssociationId                             |  rtbassoc-9f0f14fd                        |||
|||  RouteTableId                                        |  rtb-b1849cd3                             |||
||+------------------------------------------------------+-------------------------------------------+||
|||                                              Routes                                              |||
||+----------------------+---------------------------+----------------+-------------------+----------+||
||| DestinationCidrBlock |  DestinationPrefixListId  |   GatewayId    |      Origin       |  State   |||
||+----------------------+---------------------------+----------------+-------------------+----------+||
|||  172.31.0.0/16       |                           |  local         |  CreateRouteTable |  active  |||
|||  0.0.0.0/0           |                           |  igw-1b312779  |  CreateRoute      |  active  |||
|||                      |  pl-6ca54005              |  vpce-d7b652be |  CreateRoute      |  active  |||
||+----------------------+---------------------------+----------------+-------------------+----------+||

This tells me that my VPC ID is vpc-731e0711, and my Route Table ID (the one associated with a subnet) is rtb-0404a561.
Now let's create a VPC endpoint. Remember that AWS currently supports endpoints within a single region only, so note that my default region is ap-southeast-2, which is also the region named in the S3 service name below.

$ aws ec2 create-vpc-endpoint --vpc-id vpc-731e0711 --service-name com.amazonaws.ap-southeast-2.s3 --route-table-ids rtb-0404a561

Here’s my output:

-------------------------------------------------------------------------------------------------------------------------------------------
|                                                            CreateVpcEndpoint                                                            |
+-----------------------------------------------------------------------------------------------------------------------------------------+
||                                                              VpcEndpoint                                                              ||
|+-------------------+-------------------------------------------------------------------------------------------------------------------+|
||  CreationTimestamp|  2015-06-04T02:45:52Z                                                                                             ||
||  PolicyDocument   |  {"Version":"2008-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}   ||
||  ServiceName      |  com.amazonaws.ap-southeast-2.s3                                                                                  ||
||  State            |  available                                                                                                        ||
||  VpcEndpointId    |  vpce-97b652fe                                                                                                    ||
||  VpcId            |  vpc-731e0711                                                                                                     ||
|+-------------------+-------------------------------------------------------------------------------------------------------------------+|
|||                                                            RouteTableIds                                                            |||
||+-------------------------------------------------------------------------------------------------------------------------------------+||
|||  rtb-0404a561                                                                                                                       |||
||+-------------------------------------------------------------------------------------------------------------------------------------+||

You should now have a VpcEndpoint connecting your VPC to the Amazon S3 service in the region you chose. You can now list your VpcEndpoints, and the output should be similar to what you got above, unless you created more than one VpcEndpoint:

$ aws ec2 describe-vpc-endpoints

Finally, if you don’t plan on using this again, you can delete the VpcEndpoint using the following:

$ aws ec2 delete-vpc-endpoints --vpc-endpoint-ids vpce-97b652fe

What does all this now mean?
Even once you create a VPC Endpoint, the S3 public endpoints and DNS names will continue to work as they always have. All that the endpoint does is add a new way by which requests are routed from your private subnet to S3. Remember also that endpoints are virtual devices: they are horizontally scaled, redundant, and highly available VPC components that allow low-risk communication between instances in your VPC and AWS services.
What an endpoint effectively does is enable instances in your VPC to use their private IP addresses to communicate with resources in other services. Consequently, your instances do not require public IP addresses, and you do not need an Internet Gateway, a NAT instance, or a virtual private gateway in your VPC. Instead, you use endpoint policies to control access to resources in other services; note that the PolicyDocument returned above is the default, which allows any principal any action on any resource through the endpoint. Traffic between your VPC and the AWS service does not leave the Amazon network.
Best of all, there is no additional charge for using endpoints. You will, of course, be charged the standard rates for data transfer and resource use.
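As an added example (not code from the article or from AWS), here are the two checks the walkthrough above does by eye, in Python: picking the subnet-associated route table IDs out of describe-route-tables JSON output for --route-table-ids, and flagging the wide-open default PolicyDocument that create-vpc-endpoint returned. The sample inputs are constructed from the IDs shown in the article, not captured from a live account.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`,
# reusing the IDs from the article's table output; not captured from AWS.
ROUTE_TABLES_JSON = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0404a561", "VpcId": "vpc-731e0711",
     "Associations": [{"Main": False, "SubnetId": "subnet-fcbb5b99"}]},
    {"RouteTableId": "rtb-b1849cd3", "VpcId": "vpc-731e0711",
     "Associations": [{"Main": True}]},
]})

# The PolicyDocument create-vpc-endpoint returned in the article: the
# wide-open default AWS attaches when no policy is supplied.
DEFAULT_POLICY = ('{"Version":"2008-10-17","Statement":[{"Sid":"","Effect":"Allow",'
                  '"Principal":"*","Action":"*","Resource":"*"}]}')


def subnet_route_tables(describe_output, vpc_id):
    """IDs of route tables in vpc_id explicitly associated with a subnet,
    i.e. the candidates for --route-table-ids. A main table with only an
    implicit (Main=True) association is skipped."""
    tables = json.loads(describe_output)["RouteTables"]
    return [rt["RouteTableId"] for rt in tables
            if rt["VpcId"] == vpc_id
            and any(a.get("SubnetId") for a in rt.get("Associations", []))]


def _is_wildcard(value):
    """True if an IAM policy element is '*' in any of its shapes:
    a bare string, a list containing '*', or {"AWS": "*"}."""
    if isinstance(value, dict):
        return any(_is_wildcard(v) for v in value.values())
    if isinstance(value, list):
        return any(_is_wildcard(v) for v in value)
    return value == "*"


def wildcard_allow_statements(policy_document):
    """Indices of Allow statements whose Principal, Action and Resource are
    all '*': any IAM identity may reach any bucket through the endpoint."""
    statements = json.loads(policy_document)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    return [i for i, s in enumerate(statements)
            if s.get("Effect") == "Allow"
            and all(_is_wildcard(s.get(k)) for k in ("Principal", "Action", "Resource"))]


if __name__ == "__main__":
    print("route tables for --route-table-ids:",
          subnet_route_tables(ROUTE_TABLES_JSON, "vpc-731e0711"))
    print("wildcard Allow statements in the default policy:",
          wildcard_allow_statements(DEFAULT_POLICY))
```

Feed the real output of `aws ec2 describe-route-tables --output json` and the PolicyDocument from `aws ec2 describe-vpc-endpoints` into these functions to repeat the checks on your own VPC.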

Written by

I have been UNIX/Linux System Administrator for the past 15 years and am slowly moving those skills into the AWS Cloud arena. I am passionate about AWS and Cloud Technologies and the exciting future that it promises to bring.
