Accessing S3 using S3 Interface VPC Endpoint and Route 53 Private Hosted Zone

Takahiro Iwasa (岩佐 孝浩)
Route 53 VPC Endpoints

S3 offers not only the gateway VPC endpoint but also the interface VPC endpoint.

Unlike the gateway endpoint, the S3 interface VPC endpoint is not reachable through the default regional endpoint name (s3.your-region.amazonaws.com): clients have to pass the endpoint-specific DNS name with the --endpoint-url option. To keep using the default endpoint name, you can create a Route 53 private hosted zone for it and point it at the interface endpoint.

Overview

This post provides instructions for accessing S3 from an EC2 instance placed within a private subnet.

S3 VPC Endpoint

Accessing S3 without VPC Endpoint

Run the following command to confirm that you cannot access S3 without the S3 VPC endpoint.

$ aws s3 ls --region $YOUR_REGION --cli-read-timeout 1 --cli-connect-timeout 1

Connect timeout on endpoint URL: "https://s3.ap-northeast-1.amazonaws.com/"

Creating S3 Interface VPC Endpoint

Run the following command to create an S3 interface VPC endpoint. The security groups you attach are applied to the endpoint's network interfaces, so they must allow inbound TCP 443 from the instances that will use it (and TCP 80 if you intend to use plain http); an endpoint policy (--policy-document) can additionally restrict which buckets and principals are reachable through the endpoint.

$ aws ec2 create-vpc-endpoint \
  --vpc-id $YOUR_VPC_ID \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.$YOUR_REGION.s3 \
  --subnet-ids $YOUR_PRIVATE_SUBNET_IDS \
  --security-group-ids $YOUR_SECURITY_GROUP_IDS

$ aws ec2 describe-vpc-endpoints \
  --filters Name=service-name,Values=com.amazonaws.$YOUR_REGION.s3 \
  --query "VpcEndpoints[*].DnsEntries"
[
    [
        {
            "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com",
            "HostedZoneId": "xxxxxxxxxxxxxx"
        },
        {
            "DnsName": "*.vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx-ap-northeast-1a.s3.ap-northeast-1.vpce.amazonaws.com",
            "HostedZoneId": "xxxxxxxxxxxxxx"
        }
    ]
]

Accessing S3 with VPC Endpoint

Run the following command to confirm that you can access S3 with the S3 VPC endpoint. Use https so the connection to the endpoint is encrypted; the endpoint's security group must allow TCP 443 from the instance.

$ aws s3 ls \
  --region $YOUR_REGION \
  --endpoint-url https://vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.s3.ap-northeast-1.vpce.amazonaws.com
2022-11-26 06:28:36 sample-bucket-of-s3-through-private-network

Route 53 Private Hosted Zone

Creating Route 53 Private Hosted Zone

Run the following command to create a Route 53 private hosted zone.

$ aws route53 create-hosted-zone \
  --name s3.$YOUR_REGION.amazonaws.com \
  --vpc VPCRegion=$YOUR_REGION,VPCId=$YOUR_VPC_ID \
  --caller-reference "$(date)"

Adding DNS Record

Add an A (ALIAS) record according to the following instructions.

In the Route 53 console, open the private hosted zone and click Create record.

Choose A at Record type, enable Alias, and choose Alias to VPC endpoint at Route traffic to; then select the endpoint's regional DNS name (the vpce-...s3.$YOUR_REGION.vpce.amazonaws.com entry without an Availability Zone suffix).

Create the record for the zone apex (s3.$YOUR_REGION.amazonaws.com), and a second one for the wildcard *.s3.$YOUR_REGION.amazonaws.com. Once the private hosted zone exists it answers for every name under s3.$YOUR_REGION.amazonaws.com, so without the wildcard virtual-hosted-style bucket names (your-bucket.s3.$YOUR_REGION.amazonaws.com) would fail to resolve; the apex alone is enough only for ListBuckets (aws s3 ls with no bucket).
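The same record creation done from the CLI, followed by a resolution check, as an added example that is not part of the original post. It assumes the YOUR_REGION and YOUR_VPC_ID variables from the post, that the first element of the endpoint's DnsEntries is the regional (non-AZ) name as in the output above, that the alias target is that name with the leading "*." removed (the host name the post passes to --endpoint-url), and that getent is available on the instance. The AWS calls only run when APPLY_RECORDS=1, so the helper functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: create the alias records for the private hosted zone from the
# CLI and verify that the default S3 endpoint name resolves to private addresses.
# Assumed inputs: YOUR_REGION and YOUR_VPC_ID (as in the post). The functions
# that talk to AWS only run when APPLY_RECORDS=1.
set -euo pipefail

# Alias target: the endpoint's regional DNS entry minus the leading "*.",
# i.e. the host name passed to --endpoint-url earlier in the post.
regional_dns_name() {
  printf '%s\n' "${1#\*.}"
}

# Build a Route 53 change batch that UPSERTs one alias A record.
# $1 record name, $2 endpoint DNS name, $3 endpoint hosted zone id (from DnsEntries).
build_alias_change() {
  local name="$1" target="$2" target_zone="$3"
  printf '{"Comment":"Alias to S3 interface endpoint","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"A","AliasTarget":{"HostedZoneId":"%s","DNSName":"%s","EvaluateTargetHealth":false}}}]}\n' \
    "$name" "$target_zone" "$target"
}

# True for RFC 1918 addresses: the only thing the S3 name should resolve to
# from inside the VPC once the private hosted zone is in place.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

apply_records() {
  local zone_name="s3.${YOUR_REGION}.amazonaws.com"
  local entry_name entry_zone zone_id target
  # First DnsEntries element is the regional (non-AZ) name, as in the post's output.
  entry_name=$(aws ec2 describe-vpc-endpoints \
    --filters "Name=service-name,Values=com.amazonaws.${YOUR_REGION}.s3" "Name=vpc-id,Values=${YOUR_VPC_ID}" \
    --query "VpcEndpoints[0].DnsEntries[0].DnsName" --output text)
  entry_zone=$(aws ec2 describe-vpc-endpoints \
    --filters "Name=service-name,Values=com.amazonaws.${YOUR_REGION}.s3" "Name=vpc-id,Values=${YOUR_VPC_ID}" \
    --query "VpcEndpoints[0].DnsEntries[0].HostedZoneId" --output text)
  # The private hosted zone created by the post's create-hosted-zone command.
  zone_id=$(aws route53 list-hosted-zones-by-name --dns-name "$zone_name" \
    --query "HostedZones[?Config.PrivateZone==\`true\`]|[0].Id" --output text)
  target=$(regional_dns_name "$entry_name")
  # Apex record for ListBuckets and path-style requests ...
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_alias_change "$zone_name" "$target" "$entry_zone")"
  # ... and a wildcard for virtual-hosted-style bucket names.
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_alias_change "*.${zone_name}" "$target" "$entry_zone")"
}

# Resolve the default endpoint name from the instance; every address must be a
# private one (an endpoint ENI). A public address means the zone is not
# associated with this VPC or the record is missing.
verify_resolution() {
  local name="s3.${YOUR_REGION}.amazonaws.com" ip
  for ip in $(getent ahostsv4 "$name" | awk '{print $1}' | sort -u); do
    if is_private_ipv4 "$ip"; then
      echo "$name -> $ip (private, endpoint ENI)"
    else
      echo "$name -> $ip is public: zone not associated with the VPC or record missing" >&2
      return 1
    fi
  done
}

if [ "${APPLY_RECORDS:-0}" = "1" ]; then
  apply_records
  verify_resolution
fi
```

Run it on the instance as APPLY_RECORDS=1 YOUR_REGION=... YOUR_VPC_ID=... ./s3-private-dns.sh after creating the hosted zone; the hosted zone id is returned in /hostedzone/ID form, which change-resource-record-sets accepts as-is.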

Accessing S3 without --endpoint-url

Run the following command to confirm that you can access S3 without the --endpoint-url option.

$ aws s3 ls --region $YOUR_REGION
2022-11-26 06:28:36 sample-bucket-of-s3-through-private-network
Takahiro Iwasa (岩佐 孝浩)

Software Developer at iret, Inc.
Architecting and developing cloud native applications mainly with AWS. Japan AWS Top Engineers 2020-2023