“Challenges faced to find the solution of how to access the s3 bucket in a private server”. I have found the way by creating the vpc gateway endpoint for s3. In terms of cost and security perspective, it is free of charge and also can be secured using policy.
A VPC endpoint enables connections between a virtual private cloud (VPC) and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Therefore, you control the specific API endpoints, sites, and services that are reachable from your VPC.
VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. The following are the different types of VPC endpoints. You create the type of VPC endpoint that’s required by the supported service - Interface endpoints, Gateway Load Balancer endpoints and Gateway endpoints.
In this post, you will get to know how to access the s3 bucket in a private server using vpc gateway endpoint. Here I have used two ec2 servers, a s3 bucket and IAM user with required permissions.
Prerequisites
You’ll need an Amazon EC2 Server for this post. Getting started with amazon EC2 provides instructions on how to launch an EC2 Server.
You’ll need an Amazon Simple Storage Service for this post. Getting started with Amazon Simple Storage Service provides instructions on how to create a bucket in simple storage service. For this blog, I assume that I have created a s3 bucket and have two ec2 servers.
Architecture Overview
The architecture diagram shows the overall deployment architecture with data flow, vpc gateway endpoints, ec2 server and s3 bucket.
Solution overview
The blog post consists of the following phases:
- Create IAM User with required Permission. Check S3 bucket access from public server and private server
- Create VPC Endpoint Gateway for S3. Check of S3 access from a private server
I have one public server and one private server. Also have a s3 bucket created as below →
Phase 1: Create IAM User with required Permission. Check S3 bucket access from public server and private server
- Open the IAM console, create a user named test with programmatic access. Also having full s3 access permission in user. In the bucket, created a folder and uploaded a file. Checked the s3 bucket access from the public server using aws cli. And getting the s3 bucket data from it using aws s3 ls command. Also checked with a private server for access of s3 bucket data but unable to do it and having errors.
Phase 2: Create VPC Endpoint Gateway for S3. Check of S3 access from a private server
- Open the VPC console, choose the endpoints option and create an endpoint. In endpoint settings, give name as ec2-to-s3-access-endpoint and choose aws service as s3 gateway type and route table. After creation of the endpoint, check the route table configuration where you can find the endpoint route propagating automatically. Also now I am able to access the s3 bucket from a private server.
Clean-up
Delete EC2 server, IAM, S3 bucket, VPC Endpoint.
Pricing
I review the pricing and estimated cost of this example.
Cost of VPC Gateway Endpoint = $0.0
Cost of Simple Storage Service = $1.35
Cost of EC2 = $0.0124 per On Demand Linux t2.micro Instance Hour = 1.884 Hrs = $0.02
Total Cost = $(0.0+1.35+0.02) = $1.37
Summary
In this post, I showed “how to access the s3 bucket in a private server using vpc gateway endpoint”.
For more details on VPC Gateway Endpoint, Checkout Get started VPC Endpoints, open the VPC console. To learn more, read the VPC documentation.
Thanks for reading!
Connect with me: Linkedin
Top comments (3)
Great work @bhatnagargargee 🙌 🙌
ThankYou Soo Much 😀
Thanks for sharing. Just one note though, that if your VPC has a NAT and internet gateway (eg to allow your EC2 instance to query github, etc), then the test you used does not prove the endpoint is being used. You would have to use traceroute or other strategy (see eg serverfault.com/a/989663).