Accessing S3 using S3 Interface VPC Endpoint and Route 53 Private Hosted Zone

Takahiro Iwasa

S3 offers not only the gateway VPC endpoint but also the interface VPC endpoint.

With the S3 interface VPC endpoint you have to pass the endpoint's own DNS name with the --endpoint-url option; the default regional S3 endpoint (s3.your-region.amazonaws.com) does not resolve to the endpoint. To keep using the default endpoint name, you can create a Route 53 private hosted zone for that name and point it at the endpoint.

Overview

This post walks through accessing S3 from an EC2 instance in a private subnet (no route to the internet): first through the interface endpoint's own DNS name, then through the default S3 endpoint name.

S3 VPC Endpoint

Accessing S3 without VPC Endpoint

Run the following command on the instance to confirm that, without an S3 VPC endpoint, the default S3 endpoint is unreachable from the private subnet (the short timeouts only make the failure show up quickly).

$ aws s3 ls --region $YOUR_REGION --cli-read-timeout 1 --cli-connect-timeout 1

Connect timeout on endpoint URL: "https://s3.ap-northeast-1.amazonaws.com/"

Creating S3 Interface VPC Endpoint

Run the following commands to create an S3 interface VPC endpoint and read back its DNS names. The security group attached to the endpoint must allow inbound TCP 443 from the instances that will use it. In the output, the first DnsName is the regional name and the second is the zonal name for the subnet's Availability Zone; both are wildcards, so any prefix (such as a bucket name) resolves to the endpoint.

$ aws ec2 create-vpc-endpoint \
  --vpc-id $YOUR_VPC_ID \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.$YOUR_REGION.s3 \
  --subnet-ids $YOUR_PRIVATE_SUBNET_IDS \
  --security-group-ids $YOUR_SECURITY_GROUP_IDS

$ aws ec2 describe-vpc-endpoints \
  --filters Name=service-name,Values=com.amazonaws.$YOUR_REGION.s3 \
  --query "VpcEndpoints[*].DnsEntries"
[
    [
        {
            "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com",
            "HostedZoneId": "xxxxxxxxxxxxxx"
        },
        {
            "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx-ap-northeast-1a.s3.ap-northeast-1.vpce.amazonaws.com",
            "HostedZoneId": "xxxxxxxxxxxxxx"
        }
    ]
]

Accessing S3 with VPC Endpoint

Run the following command to confirm that S3 is reachable through the endpoint's DNS name. Use https so that credentials and data stay encrypted in transit.

$ aws s3 ls \
  --region $YOUR_REGION \
  --endpoint-url https://vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com
2022-11-26 06:28:36 sample-bucket-of-s3-through-private-network

Route 53 Private Hosted Zone

Creating Route 53 Private Hosted Zone

Run the following command to create a Route 53 private hosted zone named after the default S3 endpoint and associate it with the VPC. Inside the associated VPC this zone takes precedence over the public name; --caller-reference only has to be unique per request.

$ aws route53 create-hosted-zone \
  --name s3.$YOUR_REGION.amazonaws.com \
  --vpc VPCRegion=$YOUR_REGION,VPCId=$YOUR_VPC_ID \
  --caller-reference "$(date)"

Adding DNS Record

Add an A (alias) record that points the zone apex at the endpoint:

Click Create record.

Leave Record name empty so the record sits at the apex (s3.your-region.amazonaws.com), choose A as the Record type, set Route traffic to: Alias to VPC endpoint, and select the endpoint created above.
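The same record can be created from the CLI. The script below is an added example, not code from the original post: it reads the endpoint's regional DNS entry with describe-vpc-endpoints, strips the wildcard prefix to get an alias target, and upserts the records with change-resource-record-sets. The variable names YOUR_VPCE_ID and YOUR_ZONE_ID are assumptions (the post uses the console here), and the second, wildcard record (*.s3.region.amazonaws.com) is an addition beyond the post so that virtual-hosted-style requests to bucket.s3.region.amazonaws.com also resolve to the endpoint.

```shell
# Added example: create the Route 53 alias records for an S3 interface
# endpoint from the CLI. Not from the original post.
# Assumed (not in the post): YOUR_REGION, YOUR_VPCE_ID (the endpoint id) and
# YOUR_ZONE_ID (the private hosted zone id) are exported by the operator.
set -eu

# The regional DNS entry from describe-vpc-endpoints is a wildcard
# ("*.vpce-....s3.<region>.vpce.amazonaws.com"); an alias target needs the
# bare name, so strip the leading "*." if present.
alias_target_name() {
  dns_name="$1"
  printf '%s\n' "${dns_name#"*."}"
}

# Build the change batch: an apex record for the default endpoint name
# (s3.<region>.amazonaws.com, used by ListBuckets and path-style requests)
# and a wildcard for virtual-hosted-style bucket names
# (bucket.s3.<region>.amazonaws.com). The wildcard is my addition.
build_change_batch() {
  region="$1"; target_dns="$2"; target_zone="$3"
  cat <<EOF
{
  "Comment": "Route default S3 names to the S3 interface endpoint",
  "Changes": [
    {"Action": "UPSERT", "ResourceRecordSet": {
      "Name": "s3.${region}.amazonaws.com", "Type": "A",
      "AliasTarget": {"HostedZoneId": "${target_zone}",
                      "DNSName": "${target_dns}", "EvaluateTargetHealth": false}}},
    {"Action": "UPSERT", "ResourceRecordSet": {
      "Name": "*.s3.${region}.amazonaws.com", "Type": "A",
      "AliasTarget": {"HostedZoneId": "${target_zone}",
                      "DNSName": "${target_dns}", "EvaluateTargetHealth": false}}}
  ]
}
EOF
}

# Look up the endpoint's regional DNS entry (the first DnsEntries element,
# as in the describe output above) and apply the records.
apply_records() {
  region="$1"; vpce_id="$2"; zone_id="$3"
  dns_name=$(aws ec2 describe-vpc-endpoints --region "$region" \
    --vpc-endpoint-ids "$vpce_id" \
    --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text)
  hosted_zone=$(aws ec2 describe-vpc-endpoints --region "$region" \
    --vpc-endpoint-ids "$vpce_id" \
    --query 'VpcEndpoints[0].DnsEntries[0].HostedZoneId' --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_change_batch "$region" \
                      "$(alias_target_name "$dns_name")" "$hosted_zone")"
}

# Only talk to AWS when explicitly asked ("./script.sh apply"), so the
# functions above can be sourced and checked without credentials.
if [ "${1:-}" = "apply" ]; then
  apply_records "$YOUR_REGION" "$YOUR_VPCE_ID" "$YOUR_ZONE_ID"
fi
```

Alias records, unlike plain A records with the endpoint's IP addresses, follow the endpoint's ENIs if they change, and they answer only inside the VPCs associated with the private hosted zone, so the public S3 name is unaffected elsewhere.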

Accessing S3 without --endpoint-url

Run the following command to confirm that you can access S3 without the --endpoint-url option.

$ aws s3 ls --region $YOUR_REGION
2022-11-26 06:28:36 sample-bucket-of-s3-through-private-network
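A successful listing shows that S3 answered, not that the request stayed inside the VPC. The check below is an added example, not part of the original post: it resolves the default S3 name from the instance and verifies that every returned address falls inside the VPC CIDR, which is only true when the private hosted zone's alias to the endpoint is in effect. The VPC CIDR is an assumed operator input, and name resolution uses getent (glibc), which goes through the instance's normal resolver.

```shell
# Added example (not from the original post): confirm that the default S3
# name now resolves to the endpoint's private ENI addresses rather than to
# public S3 addresses. Assumed (mine, not the post's): the VPC CIDR is passed
# in by the operator; getent ahostsv4 is available (glibc systems).
set -eu

# Dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when $1 (an IPv4 address) lies inside $2 (an IPv4 CIDR).
ip_in_cidr() {
  ip="$1"; cidr="$2"
  net="${cidr%/*}"; bits="${cidr#*/}"
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 only when at least one address was given and every address in
# $2.. is inside the CIDR $1; a single public (non-VPC) address fails.
all_in_cidr() {
  cidr="$1"; shift
  [ "$#" -gt 0 ] || return 1
  for ip in "$@"; do
    ip_in_cidr "$ip" "$cidr" || return 1
  done
  return 0
}

# Resolve s3.<region>.amazonaws.com and verify that every answer is a VPC
# address. Usage: check_s3_resolution ap-northeast-1 10.0.0.0/16
check_s3_resolution() {
  region="$1"; vpc_cidr="$2"
  name="s3.${region}.amazonaws.com"
  addrs=$(getent ahostsv4 "$name" | awk '{print $1}' | sort -u)
  if all_in_cidr "$vpc_cidr" $addrs; then
    echo "OK: $name resolves only to VPC addresses: $(echo $addrs | tr '\n' ' ')"
  else
    echo "FAIL: $name resolves outside $vpc_cidr (private hosted zone not in effect?)"
    return 1
  fi
}

# Run the live check only when a region and CIDR are given on the command line.
if [ "$#" -eq 2 ]; then
  check_s3_resolution "$1" "$2"
fi
```

If the check fails right after creating the zone, confirm that the hosted zone is associated with the instance's VPC and that the VPC has DNS resolution and DNS hostnames enabled; both are required for a private hosted zone to take effect.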

Conclusion

A typical reason to use the interface type instead of the gateway type is an on-premises environment connected to your VPC that needs to reach S3: a gateway endpoint is a route-table target usable only from inside the VPC, whereas an interface endpoint has ENIs with private IP addresses that are reachable over Direct Connect or a VPN, and the private hosted zone lets on-premises clients keep using the default S3 endpoint name.

I hope you will find this post useful.

Software Developer at KAKEHASHI Inc.
Involved in the requirements definition, design, and development of cloud-native applications using AWS. Now, building a new prescription data collection platform at KAKEHASHI Inc. Japan AWS Top Engineers 2020-2023.