Introducing Today's Project!
What is Amazon VPC?
Amazon VPC is a secure, customizable network within AWS that lets you control how resources like EC2 and S3 communicate. Itʼs useful because it enables private, direct connections like using VPC endpoints to avoid the public internet and reduce cost.
How I used Amazon VPC in this project
I used Amazon VPC in today's project to create a secure network that connects my EC2 instance directly to S3 using a VPC endpoint, avoiding the public internet.
One thing I didn't expect in this project
One thing I didnʼt expect in this project was that even with the VPC endpoint set up, my EC2 instance couldnʼt access S3 until I updated the route table correctly.
This project took me about an hour to complete. I spent that time setting up a custom VPC, launching an EC2 instance, creating a VPC endpoint, and securing access to S3 using policies.
In the first part of my project
Step 1 - Architecture set up
I'm creating a VPC, launching an EC2 instance, and setting up an S3 bucket to build a secure network that avoids public internet exposure.
Step 2 - Connect to EC2 instance
I'm connecting directly to my EC2 instance to enable terminal access for AWS CLI testing.
Step 3 - Set up access keys
I'm giving my EC2 instance access to AWS by creating access keys, so it can securely run CLI commands and use S3 services.
Step 4 - Interact with S3 bucket
Iʼm heading back to my EC2 instance to test if it can access my S3 bucket using AWS CLI. This confirms that the credentials are working correctly.
Architecture set up
I started my project by launching a custom VPC and also set up an EC2 instance inside my VPC to set up a secure, private AWS network environment.
I also set up an S3 bucket to enable secure object storage and prepare for testing connectivity within my AWS network architecture.
Access keys
Credentials
To set up my EC2 instance to interact with my AWS environment, I configured a custom VPC, launched an EC2 instance, created an S3 bucket for storage, and applied access keys to enable CLI-based interaction between the instance and S3.
Access keys are credentials (Access Key ID + Secret Key) that let EC2 or apps securely access AWS services like S3 without user login.
Secret access keys are like passwords used with access key IDs to securely connect apps like EC2 to AWS services such as S3 via CLI or SDK.
Best practice
Although I'm using access keys in this project, a best practice alternative is to use IAM roles for secure, automated access without stored credentials.
Connecting to my S3 bucket
The command I ran was 'aws s3 ls'. This command lists the S3 buckets that the EC2 instance's credentials can access.
The terminal responded with a list of my S3 buckets, showing that the access keys were successfully configured and my EC2 instance could securely connect using AWS CLI.
I also tested the command 'aws s3 ls s3://maven-vpc-endpoints-s3', which returned the files in my bucket. This confirmed my EC2 instance could access S3 before private networking.
Uploading objects to S3
To upload a new file to my bucket, I first ran the command 'sudo touch /tmp/newdoc.txt'. This command creates an empty text file for upload.
The second command I ran was 'aws s3 cp /tmp/newdoc.txt s3://maven-vpc-endpoints-s3'. This command uploads the file to my S3 bucket.
The third command I ran was 'aws s3 ls s3://maven-vpc-endpoints-s3', which validated that the EC2 instance could list files in the S3 bucket.
In the second part of my project
Step 5 - Set up a Gateway
I'm setting up a VPC endpoint so my VPC can talk to S3 directly. This boosts security by avoiding the public internet and makes my network faster and cheaper.
Step 6 - Bucket policies
I'm about to restrict my S3 bucket so only traffic from my VPC endpoint can access it, blocking all public access and securing my data.
Step 7 - Update route tables
In this step, I'm testing my VPC endpoint setup by accessing my S3 bucket from my EC2 instance. If access is denied, Iʼll troubleshoot the route table.
Step 8 - Validate endpoint connection
In this step, Iʼm testing my VPC endpoint setup to confirm private S3 access, then applying a bucket policy to restrict access so only my VPC can reach the bucket securely.
Setting up a Gateway
I set up an S3 Gateway, which is a VPC endpoint that lets my VPC access S3 privately, boosting security by avoiding the public internet.
What are endpoints?
An endpoint is a private gateway that lets your VPC connect securely to AWS services like S3, no public internet needed.
Bucket policies
A bucket policy is an S3 resource policy that restricts access to your bucket, allowing only the traffic you explicitly permit, for safer, private connections.
My bucket policy will block all access to my S3 bucket except traffic coming through my VPC endpoint, ensuring ultra-secure, private communication.
After saving my bucket policy, my S3 bucket page showed 'denied access' warnings.
This was because the policy blocks all public access unless traffic comes through my VPC endpoint. The AWS Console uses the internet, so it gets denied.
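The bucket policy described above, written out as an added example (this is not the original project's policy text). It denies every request that does not arrive through the S3 gateway endpoint; the endpoint id and the exempted admin role ARN are placeholders, and the bucket name is the one used in this project.

```shell
#!/bin/sh
# Added example, not from the original project. Builds the "deny everything
# except traffic from my VPC endpoint" bucket policy and applies it with the CLI.
BUCKET="${BUCKET:-maven-vpc-endpoints-s3}"                 # bucket used on this page
VPCE_ID="${VPCE_ID:-vpce-PLACEHOLDER}"                     # assumed: your S3 gateway endpoint id
ADMIN_ROLE_ARN="${ADMIN_ROLE_ARN:-arn:aws:iam::111122223333:role/AdminPlaceholder}"  # assumed

# Print the policy document. An explicit Deny wins over any IAM Allow, so
# requests that do not come through the endpoint are refused regardless of the
# caller's own permissions. Both conditions must be true for the Deny to apply,
# so the admin role stays exempt and the bucket remains manageable from the
# console (which is where the "access denied" warnings above came from).
bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptFromVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${BUCKET}",
        "arn:aws:s3:::${BUCKET}/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "${VPCE_ID}" },
        "ArnNotEquals": { "aws:PrincipalArn": "${ADMIN_ROLE_ARN}" }
      }
    }
  ]
}
EOF
}

# Apply the policy, then re-run the page's listing command from the EC2 instance.
# The listing only succeeds once the subnet's route table sends S3 traffic to the endpoint.
apply_bucket_policy() {
  bucket_policy > /tmp/bucket-policy.json
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy file:///tmp/bucket-policy.json
  aws s3 ls "s3://${BUCKET}"
}
```

Run `bucket_policy` on its own first to review the JSON before calling `apply_bucket_policy`; an explicit Deny with the wrong endpoint id locks every caller except the exempted role out of the bucket.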
I also had to update my route table because my EC2 instance was still routing S3 traffic through the public internet instead of the VPC endpoint.
Route table updates
To update my route table, I added a route that directs S3 traffic from my subnet to the VPC endpoint, ensuring private access and avoiding the public internet.
After updating my public subnet's route table, my terminal could return the list of S3 bucket objects via 'aws s3 ls s3://maven-vpc-endpoints-s3', confirming private access through the VPC endpoint.
Endpoint policies
An endpoint policy is a set of rules that controls which AWS services and resources your VPC can access through a VPC endpoint.
I updated my endpoint's policy by changing the "Effect" from "Allow" to "Deny" in the JSON. I could see the effect of this right away, because my EC2 instance was blocked from accessing the S3 bucket.
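As an added example (not part of the original project), a least-privilege endpoint policy for the same gateway endpoint. Rather than flipping the default "Allow" to "Deny", which cuts the whole VPC off from S3, it allows only the project bucket, so the endpoint cannot be used to reach any other bucket. The endpoint id is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original project. Scopes the S3 gateway endpoint
# so only the project bucket is reachable through it.
BUCKET="${BUCKET:-maven-vpc-endpoints-s3}"   # bucket used on this page
VPCE_ID="${VPCE_ID:-vpce-PLACEHOLDER}"       # assumed: your S3 gateway endpoint id

# Print the endpoint policy. Only the actions the project actually uses
# (listing the bucket, uploading and downloading objects) are allowed, and only
# on the project bucket. Everything else through the endpoint is implicitly denied.
endpoint_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyProjectBucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::${BUCKET}",
        "arn:aws:s3:::${BUCKET}/*"
      ]
    }
  ]
}
EOF
}

# Replace the endpoint's default full-access policy, then verify from the EC2
# instance that the project bucket still lists.
apply_endpoint_policy() {
  endpoint_policy > /tmp/endpoint-policy.json
  aws ec2 modify-vpc-endpoint --vpc-endpoint-id "$VPCE_ID" \
    --policy-document file:///tmp/endpoint-policy.json
  aws s3 ls "s3://${BUCKET}"
}
```

With this policy in place, a plain `aws s3 ls` (no bucket name) from the instance fails, because listing all buckets is not one of the allowed actions; `aws s3 ls s3://maven-vpc-endpoints-s3` keeps working.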
🤝 This is the final project in this networking series. Watch out for the 7 Day DevOps Challenge!