AWS VPC Gateway Endpoints

Girish V P
ADIBI Technologies, Basavanagudi, Blore.
Dec 21, 2018

A VPC Endpoint allows you to connect your VPC to supported AWS services without an Internet Gateway, NAT device, VPN connection or AWS Direct Connect connection. Instances in your VPC do not need public IP addresses to communicate with the AWS service; they use the VPC Endpoint instead. Let us look at one scenario where a VPC Endpoint is useful. Assume you have decided that some of your EC2 instances should sit in a private subnet. This removes all connectivity from those instances to the internet and to AWS services. That is not ideal, because you still expect the private instances to download security patches and updates. So you set up a NAT device, and the whole channel for internet-bound communication (including traffic to AWS services) goes through it. A private EC2 instance accessing an S3 bucket therefore incurs NAT device charges. This is where VPC Endpoints come into the picture: they ensure that traffic between your VPC and the particular AWS service goes via the VPC Endpoint and does not leave the Amazon network. A VPC Endpoint is also cheaper than a NAT Gateway.

Gateway Endpoints

There are two types of VPC endpoints: Interface Endpoints and Gateway Endpoints. Here we focus on Gateway Endpoints. A Gateway Endpoint is a gateway that you specify as the target of a route in your route table for traffic destined to the supported AWS service. The following AWS services are supported:

  • Amazon S3
  • DynamoDB

VPC Endpoint Experiment

It is assumed that the S3 buckets are already created. The names of the various AWS resources, network/IP addresses etc. are arbitrary and you are free to choose your own. The experiment involves the following steps.

  • Create VPC and Public/ Private subnets
  • Create Instances in Private Subnet
  • IAM Role S3Read access from EC2
  • Create VPC Endpoints
  • Test the Configuration

Create VPC and Public/Private Subnets: I have created a VPC with CIDR 10.0.0.0/6. Two subnets (10.0.1.0/24 and 10.0.2.0/24) are created as shown below. 10.0.1.0/24 is public and attached to an Internet Gateway. 10.0.2.0/24 is private and doesn't have a route to the internet.

Create Instances in Private Subnet: Create two EC2 instances, one in the public subnet and the other in the private subnet. SSH to both instances and make sure that you can access both.

IAM Role S3Read access from EC2: Open the IAM service and create an IAM Role that grants S3 read access to the EC2 service. Attach this IAM Role to the private EC2 instance.

Create VPC Endpoint: Search for the VPC service in the AWS web console. In the left pane select Endpoints. Click Create Endpoint.

When the window opens, fill in the options as shown below. Select your VPC. Make sure that you have selected the private subnet in the list below.

Once the Endpoint is created, it looks like this:

Wait a few seconds and verify that the route table has been updated automatically and points traffic for S3 to this Endpoint. Your setup is now ready.
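The route-table check above can also be done from the CLI output rather than by eye. The following Python script is an added example (not part of the original post): it inspects JSON shaped like `aws ec2 describe-route-tables --output json`, finds the route table of a given subnet, and confirms that S3 traffic is routed to a gateway endpoint and that the private subnet has no Internet Gateway route. The sample JSON and every ID in it are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`.
# Every ID below is a placeholder, not a value from a real account.
SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-private0001", "VpcId": "vpc-0001",
   "Associations": [{"SubnetId": "subnet-private0002"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-s3example", "State": "active"}]},
  {"RouteTableId": "rtb-public0001", "VpcId": "vpc-0001",
   "Associations": [{"SubnetId": "subnet-public0001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]}
]}
""")

def route_table_for_subnet(data, subnet_id):
    """Return the route table explicitly associated with subnet_id, or None."""
    for rtb in data["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in rtb.get("Associations", [])):
            return rtb
    return None

def s3_endpoint_route(data, subnet_id, s3_prefix_list_id):
    """Return the active route sending S3 traffic to a gateway endpoint.
    A gateway endpoint appears as a route whose destination is the S3 prefix
    list (pl-...) and whose target is the endpoint (vpce-...). None means the
    subnet's S3 traffic would still need a NAT device or Internet Gateway."""
    rtb = route_table_for_subnet(data, subnet_id)
    if rtb is None:
        return None
    for route in rtb["Routes"]:
        if (route.get("DestinationPrefixListId") == s3_prefix_list_id
                and route.get("GatewayId", "").startswith("vpce-")
                and route.get("State") == "active"):
            return route
    return None

def has_internet_route(data, subnet_id):
    """True if the subnet's route table sends 0.0.0.0/0 to an Internet Gateway."""
    rtb = route_table_for_subnet(data, subnet_id)
    if rtb is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in rtb["Routes"])
```

A subnet with no explicit association uses the VPC's main route table, which this check does not follow; on a real account, feed it the JSON from `aws ec2 describe-route-tables` and the S3 prefix list ID from `aws ec2 describe-prefix-lists`.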

Testing the Configuration:

Do the AWS CLI client configuration as shown below, if required. Log in to the private EC2 instance and try to access the S3 bucket as shown below. You can access the S3 bucket even though communication to the internet is not possible from the private EC2 instance.

Disclaimer: This experiment was carried out in a test environment. You are requested to verify your setup thoroughly before you implement it in a production environment.
