VPC Endpoint for Amazon S3: Simple Connectivity From AWS

Let’s discuss VPC Endpoint’s value, common use cases, and how to get it up and running with the AWS CLI.

Last month Amazon Web Services introduced VPC Endpoint for Amazon S3. In this article, I am going to explain exactly what this means, how it will change – and improve – the way AWS resources communicate with each other, and how you can get it running with the AWS CLI.

Not that it’s quite complete yet, mind you:

Currently, we support endpoints for connections with Amazon S3 within the same region only. We’ll add support for other AWS services later.

Accessing S3 the old way (without VPC Endpoint)

Traditionally, when creating a VPC with a private subnet you would set up security groups and access control lists (ACLs) to control inbound and outbound traffic. Because this is a private subnet, by default it has no access to any outside public resources. Consequently, should you need access to an outside resource, you would need to set up an Internet Gateway and route traffic through a NAT instance.

So, for example, if your EC2 instance runs an application that needs access to a file stored in an S3 bucket, before VPC Endpoint, this illustrates the only way it could be done:

VPC Endpoint: A private subnet with the main route table set up
A private subnet with the main route table set up

Accessing S3 with VPC Endpoint

Now, however, accessing S3 resources from within a private VPC subnet is much simpler. There’s no longer any need to configure a gateway or NAT instances. And as an added bonus, these endpoints are easy to set up, highly reliable, and provide a secure connection to S3.

VPC Endpoint for Amazon S3
With VPC Endpoint for Amazon S3, accessing buckets is a much simpler process

If you’d prefer to work with the console to create a VPC Endpoint, you can easily follow the clear directions from the official AWS Blog. However, I am going to show you how to do it using the AWS CLI.  (By the way, Cloud Academy has a great course guiding you through the AWS CLI if you could use some help).

Creating and Using VPC Endpoints with the AWS CLI

When we create our VPC endpoint we will use the following commands

  1. describe-route-tables (Get our VPC Id and route table for the endpoint)
  2. create-vpc-endpoint (Create your VPC endpoint)
  3. describe-vpc-endpoints (List your VPC endpoint)
  4. delete-vpc-endpoints (Delete a VPC endpoint)

So first, get our VPC ID and route table ID to use for the endpoint

$ aws ec2 describe-route-tables

Your output should look something like this:

--------------------------------------------------------------------------------------------------------
|                                          DescribeRouteTables                                         |
+------------------------------------------------------------------------------------------------------+
||                                             RouteTables                                            ||
|+-------------------------------------------------+--------------------------------------------------+|
||  RouteTableId                                   |  rtb-0404a561                                    ||
||  VpcId                                          |  vpc-731e0711                                    ||
|+-------------------------------------------------+--------------------------------------------------+|
|||                                           Associations                                           |||
||+------------------------------------------------------+-------------------------------------------+||
|||  Main                                                |  False                                    |||
|||  RouteTableAssociationId                             |  rtbassoc-a4339dc1                        |||
|||  RouteTableId                                        |  rtb-0404a561                             |||
|||  SubnetId                                            |  subnet-fcbb5b99                          |||
||+------------------------------------------------------+-------------------------------------------+||
|||                                              Routes                                              |||
||+-----------------------------------------------------+--------------------------------------------+||
|||  DestinationCidrBlock                               |  172.31.0.0/16                             |||
|||  GatewayId                                          |  local                                     |||
|||  Origin                                             |  CreateRouteTable                          |||
|||  State                                              |  active                                    |||
||+-----------------------------------------------------+--------------------------------------------+||
|||                                               Tags                                               |||
||+---------------------------------+----------------------------------------------------------------+||
|||  Key                            |  Name                                                          |||
|||  Value                          |  endpointroute                                                 |||
||+---------------------------------+----------------------------------------------------------------+||
||                                             RouteTables                                            ||
|+-------------------------------------------------+--------------------------------------------------+|
||  RouteTableId                                   |  rtb-b1849cd3                                    ||
||  VpcId                                          |  vpc-731e0711                                    ||
|+-------------------------------------------------+--------------------------------------------------+|
|||                                           Associations                                           |||
||+------------------------------------------------------+-------------------------------------------+||
|||  Main                                                |  True                                     |||
|||  RouteTableAssociationId                             |  rtbassoc-9f0f14fd                        |||
|||  RouteTableId                                        |  rtb-b1849cd3                             |||
||+------------------------------------------------------+-------------------------------------------+||
|||                                              Routes                                              |||
||+----------------------+---------------------------+----------------+-------------------+----------+||
||| DestinationCidrBlock |  DestinationPrefixListId  |   GatewayId    |      Origin       |  State   |||
||+----------------------+---------------------------+----------------+-------------------+----------+||
|||  172.31.0.0/16       |                           |  local         |  CreateRouteTable |  active  |||
|||  0.0.0.0/0           |                           |  igw-1b312779  |  CreateRoute      |  active  |||
|||                      |  pl-6ca54005              |  vpce-d7b652be |  CreateRoute      |  active  |||
||+----------------------+---------------------------+----------------+-------------------+----------+||

This tells me that my VPC ID is vpc-731e0711, and my Route Table Id  (the one connected to a subnet) is rtb-0404a561.
Now let’s create a VPC endpoint. Remember that AWS currently supports endpoints within a single region, so we should note that my default region is ap-southeast-2.

$ aws ec2 create-vpc-endpoint --vpc-id vpc-731e0711 --service-name com.amazonaws.ap-southeast-2.s3 --route-table-ids rtb-0404a561

Here’s my output:

-------------------------------------------------------------------------------------------------------------------------------------------
|                                                            CreateVpcEndpoint                                                            |
+-----------------------------------------------------------------------------------------------------------------------------------------+
||                                                              VpcEndpoint                                                              ||
|+-------------------+-------------------------------------------------------------------------------------------------------------------+|
||  CreationTimestamp|  2015-06-04T02:45:52Z                                                                                             ||
||  PolicyDocument   |  {"Version":"2008-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}   ||
||  ServiceName      |  com.amazonaws.ap-southeast-2.s3                                                                                  ||
||  State            |  available                                                                                                        ||
||  VpcEndpointId    |  vpce-97b652fe                                                                                                    ||
||  VpcId            |  vpc-731e0711                                                                                                     ||
|+-------------------+-------------------------------------------------------------------------------------------------------------------+|
|||                                                            RouteTableIds                                                            |||
||+-------------------------------------------------------------------------------------------------------------------------------------+||
|||  rtb-0404a561                                                                                                                       |||
||+-------------------------------------------------------------------------------------------------------------------------------------+||

You should now have a VpcEndpoint connecting your VPC to an Amazon S3 service in the region you chose. You can now list your VpcEndpoint and the output should be similar to what you got above – unless you created more than one VpcEndpoint:

$ aws ec2 describe-vpc-endpoints

Finally, if you don’t plan on using this again, you can delete the VpcEndpoint using the following:

$ aws ec2 delete-vpc-endpoints --vpc-endpoint-ids vpce-97b652fe

What does all this now mean?

Even once you create a VPC Endpoint, the S3 public endpoints and DNS names will continue to work as they always have. All that the EndPoint does is add a new way by which the requests are routed from your private subnet to S3. Remember also that endpoints are virtual devices: they are horizontally scaled, redundant, and highly available VPC components that allow low-risk communication between instances in your VPC and AWS services.

What an endpoint effectively does is enable instances in your VPC to use their private IP addresses to communicate with resources in other services. Consequently, your instances do not require public IP addresses, and you do not need an Internet Gateway, a NAT instance, or a virtual private gateway in your VPC. This is because you use endpoint policies to control access to resources in other services. Traffic between your VPC and the AWS service does not leave the Amazon network.

Best of all, there is no additional charge for using endpoints. You will, of course, be charged standard charges for data transfer and resource use.

Avatar

Written by

Michael Sheehy

I have been UNIX/Linux System Administrator for the past 15 years and am slowly moving those skills into the AWS Cloud arena. I am passionate about AWS and Cloud Technologies and the exciting future that it promises to bring.


Related Posts

Alisha Reyes
Alisha Reyes
— July 2, 2020

New Content: AWS, Azure, Typescript, Java, Docker, 13 New Labs, and Much More

This month, our Content Team released a whopping 13 new labs in real cloud environments! If you haven't tried out our labs, you might not understand why we think that number is so impressive. Our labs are not “simulated” experiences — they are real cloud environments using accounts on A...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Joe Nemer
Joe Nemer
— June 19, 2020

Kickstart Your Tech Training With a Free Week on Cloud Academy

Are you looking to make a jump in your technical career? Want to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Kubernetes, Python, or another in-demand skill?Then you'll want to mark your calendar. Starting Monday, June 22 at 12:00 a.m. PDT (3:00 a.m. EDT), ...

Read more
  • AWS
  • Azure
  • cloud academy content
  • complimentary access
  • GCP
  • on the house
Alisha Reyes
Alisha Reyes
— June 11, 2020

New Content: AZ-500 and AZ-400 Updates, 3 Google Professional Exam Preps, Practical ML Learning Path, C# Programming, and More

This month, our Content Team released tons of new content and labs in real cloud environments. Not only that, but we introduced our very first highly interactive "Office Hours" webinar. This webinar, Acing the AWS Solutions Architect Associate Certification, started with a quick overvie...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Rebecca Willis
Rebecca Willis
— June 3, 2020

Azure vs. AWS: Which Certification Provides the Brighter Future?

More and more companies are using cloud services, prompting more and more people to switch their current IT position to something cloud-related. The problem is most people only have that much time after work to learn new technologies, and there are plenty of cloud services that you can ...

Read more
  • AWS
  • Azure
  • certification
Alisha Reyes
Alisha Reyes
— June 2, 2020

Blog Digest: 5 Reasons to Get AWS Certified, OWASP Top 10, Getting Started with VPCs, Top 10 Soft Skills, and More

Thank you for being a valued member of our community! We recently sent out a short survey to understand what type of content you would like us to add to Cloud Academy, and we want to thank everyone who gave us their input. If you would like to complete the survey, it's not too late. It ...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • OWASP
  • OWASP Top 10
  • Security
  • VPCs
Alisha Reyes
Alisha Reyes
— May 11, 2020

New Content: Alibaba, Azure Cert Prep: AI-100, AZ-104, AZ-204 & AZ-400, Amazon Athena Playground, Google Cloud Developer Challenge, and much more

This month, our Content Team released 8 new learning paths, 4 courses, 7 labs in real cloud environments, and 4 new knowledge check assessments. Not only that, but we introduced our very first course on Alibaba Cloud, and our expert instructors are working 'round the clock to create 6 n...

Read more
  • alibaba
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Avatar
Rhonda Martinez
— May 4, 2020

Top 5 Reasons to Get AWS Certified Right Now

Cloud computing trends are on the rise and have been for some time already. Fortunately, it’s never too late to start learning cloud computing. Skills like AWS and others associated with cloud computing are in high demand because cloud technologies have become crucial for many businesse...

Read more
  • Amazon Elastic Book Store
  • Amazon Elastic Compute Cloud (EC2)
  • AWS
  • AWS Certifications
  • Glacier
Alisha Reyes
Alisha Reyes
— May 1, 2020

Introducing Our Newest Lab Environments: Lab Playgrounds

Want to train in a real cloud environment, but feel slowed down by spinning up your own deployments? When you consider security or pricing costs, it can be costly and challenging to get up to speed quickly for self-training. To solve this problem, Cloud Academy created a new suite of la...

Read more
  • AWS
  • Azure
  • Docker
  • Google Cloud Platform
  • Java
  • lab playgrounds
  • Python
Alisha Reyes
Alisha Reyes
— April 30, 2020

Blog Digest: AWS Breaking News, Azure DevOps, AWS Study Guide, 8 Ways to Prevent a Ransomware Attack, and More

  New articles by topicAWS Azure Data Science Google Cloud  Cloud Adoption Platform Updates & New Content Security Women in TechAWSBreaking News: All AWS Certification Exams Now Available Online As an Advanced AWS Technology Partner, C...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Avatar
Stuart Scott
— April 27, 2020

AWS Certified Solutions Architect Associate: A Study Guide

Want to take a really impactful step in your technical career? Explore the AWS Solutions Architect Associate certificate. Its new version (SAA-C02) was released on March 23, 2020, though you can still take SAA-C01 through July 1, 2020. This post will focus on version SAA-C02.The AWS...

Read more
  • AWS
  • AWS Certifications
  • AWS Certified Solutions Architect Associate
Alisha Reyes
Alisha Reyes
— April 9, 2020

New on Cloud Academy: AWS Solutions Architect Exam Prep, Azure Courses, GCP Engineer Exam Prep, Programming, and More

Free content on Cloud Academy More and more customers are relying on our technology and content to keep upskilling their people in these months, and we are doing our best to keep supporting them. While the world fights the COVID-19 pandemic, we wanted to make a small contribution to he...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
  • programming
Joe Nemer
Joe Nemer
— April 3, 2020

Breaking News: All AWS Certification Exams Now Available Online

Remote proctoring for all AWS certifications Cloud Academy is an Advanced AWS Technology Partner, and we are happy to announce all AWS certification exams are available online!  What does this mean for you? You can stay focused on your certification goal. Or you can start a certifica...

Read more
  • AWS
  • AWS certification
  • AWS Certifications