Enhancing S3 Access with Interface VPC Endpoint and Route 53 Private Hosted Zone
Introduction
Amazon S3 provides not only the gateway VPC endpoint but also the interface VPC endpoint to enhance private connectivity. This post explains how to set up and use the interface VPC endpoint alongside Route 53 private hosted zones to access S3 from a private subnet.
The S3 interface VPC endpoint requires specifying the --endpoint-url option when accessing S3. However, to simplify access and avoid specifying this option repeatedly, Route 53 private hosted zones can be used. This guide outlines the step-by-step process.
S3 VPC Endpoint
Accessing S3 Without a VPC Endpoint
Attempting to access S3 from a private subnet without a VPC endpoint results in connectivity errors:
$ aws s3 ls --region $YOUR_REGION --cli-read-timeout 1 --cli-connect-timeout 1
Connect timeout on endpoint URL: "https://s3.ap-northeast-1.amazonaws.com/"
Creating an S3 Interface VPC Endpoint
To enable S3 access, create an interface VPC endpoint with the following command:
aws ec2 create-vpc-endpoint \
--vpc-id $YOUR_VPC_ID \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.$YOUR_REGION.s3 \
--subnet-ids $YOUR_PRIVATE_SUBNET_IDS \
--security-group-ids $YOUR_SECURITY_GROUP_IDS
Verify the creation of the endpoint and retrieve its DNS entries:
aws ec2 describe-vpc-endpoints \
--filters Name=service-name,Values=com.amazonaws.$YOUR_REGION.s3 \
--query "VpcEndpoints[*].DnsEntries"
[
    [
        {
            "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com",
            "HostedZoneId": "xxxxxxxxxxxxxx"
        },
        {
            "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx-ap-northeast-1a.s3.ap-northeast-1.vpce.amazonaws.com",
            "HostedZoneId": "xxxxxxxxxxxxxx"
        }
    ]
]
Accessing S3 With a VPC Endpoint
Confirm S3 access using the VPC endpoint’s URL:
aws s3 ls \
--region <YOUR_REGION> \
--endpoint-url http://vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com
Note: the --region option must be specified. The endpoint also accepts https:// in --endpoint-url, which keeps the traffic encrypted in transit and is the form to use outside of a quick connectivity test.
Route 53 Private Hosted Zone
Creating a Route 53 Private Hosted Zone
To simplify S3 access, create a Route 53 private hosted zone with the following command:
aws route53 create-hosted-zone \
--name s3.$YOUR_REGION.amazonaws.com \
--vpc VPCRegion=$YOUR_REGION,VPCId=$YOUR_VPC_ID \
--caller-reference "$(date)"
Adding a DNS Record
Add an A (ALIAS) record pointing to the VPC endpoint using the Route 53 console:
- Click Create record.
- Select A as the record type and choose Alias to VPC endpoint as the routing target.
Accessing S3 Without the --endpoint-url Option
After configuring the hosted zone, you can access S3 without specifying the --endpoint-url option:
aws s3 ls --region ap-northeast-1
Note: the --region option must still be specified.
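Once the private hosted zone is in place, the thing worth confirming from inside the VPC is that the regional S3 name now resolves to the interface endpoint's private addresses rather than to public S3 (which, from the private subnet, is exactly what timed out at the start of this post). The script below is an added example, not part of the original post or of AWS tooling: it checks that every address a name resolves to falls inside the VPC CIDR. The environment variables YOUR_REGION, YOUR_VPC_CIDR and the optional YOUR_BUCKET are hypothetical inputs; the bucket-style check assumes you also added a wildcard (*.s3.<region>.amazonaws.com) alias record, which this post does not cover.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that S3 names resolve to
# the interface endpoint's private IPs inside the VPC, i.e. that the private
# hosted zone is answering instead of the public S3 zone.
# Hypothetical inputs: YOUR_REGION, YOUR_VPC_CIDR (e.g. 10.0.0.0/16), YOUR_BUCKET.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer (no external tools).
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) if IPv4 address $1 lies inside CIDR $2, fail otherwise.
ip_in_cidr() {
  local ip="$1" cidr="$2"
  local net="${cidr%/*}" bits="${cidr#*/}"
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Given a whitespace/newline-separated list of resolved addresses, succeed only
# if the list is non-empty and every address is inside the VPC CIDR.
# An empty list (NXDOMAIN / resolver failure) or any public address fails.
all_in_vpc() {
  local addrs="$1" cidr="$2" count=0 ip
  for ip in $addrs; do
    count=$((count + 1))
    ip_in_cidr "$ip" "$cidr" || return 1
  done
  [ "$count" -gt 0 ]
}

# Resolve a name through the system resolver (the VPC resolver, so the private
# hosted zone applies) and print the unique IPv4 answers, one per line.
resolve_v4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Live check: run "check" as the first argument from an instance in the VPC.
# Without arguments the script only defines the functions above.
if [ "${1:-}" = "check" ]; then
  : "${YOUR_REGION:?set YOUR_REGION}" "${YOUR_VPC_CIDR:?set YOUR_VPC_CIDR, e.g. 10.0.0.0/16}"
  names="s3.$YOUR_REGION.amazonaws.com"
  # Bucket-style name only makes sense if a wildcard alias record exists (assumption).
  [ -n "${YOUR_BUCKET:-}" ] && names="$names $YOUR_BUCKET.s3.$YOUR_REGION.amazonaws.com"
  for name in $names; do
    if all_in_vpc "$(resolve_v4 "$name")" "$YOUR_VPC_CIDR"; then
      echo "OK   $name resolves inside $YOUR_VPC_CIDR (interface endpoint)"
    else
      echo "FAIL $name resolves outside the VPC or not at all; check the private zone records" >&2
      exit 1
    fi
  done
fi
```

Run it as `YOUR_REGION=ap-northeast-1 YOUR_VPC_CIDR=10.0.0.0/16 ./check-s3-endpoint.sh check` from an instance in one of the endpoint's subnets. A private hosted zone named s3.<region>.amazonaws.com overrides public resolution of that name for every resolver in the associated VPC, so it is worth running this check from each subnet that is expected to reach S3, and again after any change to the zone's records.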
Conclusion
Using the interface VPC endpoint is beneficial in scenarios where an on-premises environment is connected to your VPC. This configuration enables secure S3 access directly from on-premises networks.
By combining the S3 interface VPC endpoint with Route 53 private hosted zones, you can simplify and secure S3 access in private environments. This setup is especially valuable for hybrid cloud architectures.
Happy Coding! 🚀