This is a simple hands-on task to understand VPC endpoints.
So, let’s begin with why a VPC endpoint is needed and what it is exactly.
A VPC endpoint is an AWS resource that lets us reach public AWS services like S3, DynamoDB etc. privately over the AWS network, instead of going over the internet. As for why we would need that: there may be resources in AWS that are not exposed to the internet, like an EC2 instance in a private subnet with no internet access. In such cases, reaching those public services is not possible. And thus was born the ‘VPC endpoint’!!! =)
Now that we know what a VPC endpoint is, let’s quickly get started with a hands-on activity.
Please set up a VPC with a public and a private subnet and launch an EC2 instance in each. You can refer to this lab for steps on creating the VPC, subnets, internet gateway and route tables: https://amazon.qwiklabs.com/focuses/15788?catalog_rank=%7B%22rank%22%3A2%2C%22num_filters%22%3A0%2C%22has_search%22%3Atrue%7D&parent=catalog&search_id=8612122
Our setup should look like this:
Now, attach an IAM role to both EC2 instances that grants read-only access to S3.
SSH into the public EC2 instance and observe that we are able to access S3:
It works for the public EC2. Now let’s SSH into the private EC2 from the public EC2 and try accessing S3 again.
As seen above, neither S3 nor google.com (the internet) is accessible.
Let’s create a VPC endpoint for S3.
Choose your VPC and the private subnet.
Now let’s try accessing S3 from the EC2 instance in the private subnet.
Observe that we are now able to list the S3 buckets, but still not able to ping google.com.
This is because S3 is now reachable through the VPC endpoint,
whereas we still have no route defined to the internet.
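To make the “S3 works, internet doesn’t” outcome checkable without screenshots, here is an added Python example (not part of the original post) that evaluates the JSON shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints`. A gateway endpoint shows up in the private route table as a route whose destination is the S3 managed prefix list and whose target is the `vpce-…` ID; the checks below look for exactly that, for the absence of an internet gateway default route, and for the wide-open default endpoint policy. The two sample documents and every ID in them (`vpc-0example`, `subnet-0private`, `pl-0example`, …) are constructed for illustration; on a real account you would feed the functions the output of those two CLI commands.

```python
"""Check that a private subnet reaches S3 only through a VPC gateway endpoint.

Added example, not from the original post. All IDs and sample JSON below are
constructed; the shapes match `aws ec2 describe-vpc-endpoints` and
`aws ec2 describe-route-tables` output.
"""
import json

# Constructed sample: the S3 gateway endpoint as the console wizard creates it,
# attached to the private route table and carrying the default full-access policy.
SAMPLE_ENDPOINTS = {
    "VpcEndpoints": [{
        "VpcEndpointId": "vpce-0example1",
        "VpcEndpointType": "Gateway",
        "VpcId": "vpc-0example",
        "ServiceName": "com.amazonaws.us-east-1.s3",
        "State": "available",
        "RouteTableIds": ["rtb-0private"],
        "PolicyDocument": json.dumps({
            "Version": "2008-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "*", "Resource": "*"}],
        }),
    }]
}

# Constructed sample: private and public route tables after the endpoint was added.
# The endpoint appears as a prefix-list route; only the public table has an IGW route.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-0private", "VpcId": "vpc-0example",
         "Associations": [{"SubnetId": "subnet-0private", "RouteTableId": "rtb-0private"}],
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example1", "State": "active"},
         ]},
        {"RouteTableId": "rtb-0public", "VpcId": "vpc-0example",
         "Associations": [{"SubnetId": "subnet-0public", "RouteTableId": "rtb-0public"}],
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
         ]},
    ]
}


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with subnet_id, or None."""
    for rt in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def s3_gateway_endpoint_ids(endpoints):
    """IDs of available gateway endpoints whose service is S3."""
    return {
        ep["VpcEndpointId"] for ep in endpoints["VpcEndpoints"]
        if ep["VpcEndpointType"] == "Gateway"
        and ep["ServiceName"].endswith(".s3")
        and ep["State"] == "available"
    }


def subnet_reaches_s3_via_endpoint(route_tables, endpoints, subnet_id):
    """True if the subnet's route table has an active prefix-list route to an S3 endpoint.

    This is the condition behind 'aws s3 ls works': S3 traffic matches the
    prefix-list route even though there is no route to the internet.
    """
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return False
    vpce_ids = s3_gateway_endpoint_ids(endpoints)
    return any("DestinationPrefixListId" in r and r.get("GatewayId") in vpce_ids
               and r.get("State") == "active" for r in rt["Routes"])


def subnet_has_internet_route(route_tables, subnet_id):
    """True if the subnet's route table has a 0.0.0.0/0 route to an internet gateway."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return False
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-") for r in rt["Routes"])


def endpoint_policy_is_open(endpoint):
    """True if the endpoint policy still allows any action on any resource.

    Scoping Resource to the buckets the instance actually needs is the usual
    hardening step after the console creates the endpoint with this default.
    """
    policy = json.loads(endpoint["PolicyDocument"])
    return any(s.get("Effect") == "Allow" and s.get("Action") == "*"
               and s.get("Resource") == "*" for s in policy["Statement"])


if __name__ == "__main__":
    print("private -> S3 via endpoint:",
          subnet_reaches_s3_via_endpoint(SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, "subnet-0private"))
    print("private -> internet:", subnet_has_internet_route(SAMPLE_ROUTE_TABLES, "subnet-0private"))
    for ep in SAMPLE_ENDPOINTS["VpcEndpoints"]:
        print(ep["VpcEndpointId"], "policy open:", endpoint_policy_is_open(ep))
```

Run against real output by replacing the two sample dicts with `json.load` of the CLI responses. Note that the check uses the `GatewayId` field because that is where a gateway endpoint's `vpce-` ID appears in a route; an interface endpoint would not show up in the route table at all, so this test is specific to the gateway type used for S3 in this exercise.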
That’s it guys! A simple exercise on VPC endpoints! :)
Hope you liked it.