As I continue learning AWS networking, I've realized that some of the most interesting lessons come from asking simple questions.
This project started with one of those questions.
Imagine you're designing a backup solution for a company. The backup server runs on an EC2 instance inside a private subnet because security policies don't allow direct internet access. The server still needs to store backup files in Amazon S3.
How would you make that happen?
The first answer many people think of is a NAT Gateway. After all, the instance needs to communicate with Amazon S3 somehow.
But I wanted to know whether there was a more secure and cost-effective approach.
So I decided to build the solution myself using Terraform.
The infrastructure was fairly simple. I created a VPC, a private subnet, a route table, an Amazon S3 bucket, an IAM Role, and an EC2 instance running entirely in a private subnet. The instance had no public IP address and no direct path to the internet.
For permissions, I attached an IAM Role to the EC2 instance through an Instance Profile instead of storing AWS access keys on the server. The role's temporary credentials are served to the instance by the Instance Metadata Service and rotated automatically by AWS, so there is no long-lived secret on disk to leak or to rotate by hand.
At this point, I had a private EC2 instance that needed to upload files to Amazon S3. The problem was obvious.
Without internet access, how could it reach S3?
That question led me to Amazon S3 Gateway VPC Endpoints.
A Gateway VPC Endpoint creates a private connection between resources inside a VPC and the two AWS services that support this endpoint type, Amazon S3 and DynamoDB. It is not a network interface in your subnet; it is a target in your route table for the service's managed prefix list, and it carries no hourly or data-processing charge. Instead of routing traffic through the public internet, AWS keeps the communication within its own network.
This was exactly what I needed.
After creating the Gateway VPC Endpoint and associating it with the private route table, AWS added a route to that table for the regional S3 prefix list with the endpoint as its target. From then on, any request from the private subnet to S3 in the same region matched that route and was delivered through the endpoint; requests to S3 in another region would not match it and still have no path at all.
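Here is how those pieces fit together in Terraform. This is an added example, not the code from the author's repository; it assumes a VPC `aws_vpc.main`, a private route table `aws_route_table.private`, a bucket `aws_s3_bucket.backups`, and the variables `var.region` and `var.admin_principal_arn` are defined elsewhere in the configuration. It also goes one step past the post: besides the endpoint and the least-privilege role, it adds an endpoint policy and a bucket policy so the endpoint is the only path that can reach the bucket, not merely the path this instance happens to use.

```hcl
# Added example (not the project's code): S3 gateway endpoint plus the IAM,
# endpoint and bucket policies that make it the ONLY path to the backup bucket.
# Assumes aws_vpc.main, aws_route_table.private, aws_s3_bucket.backups,
# var.region and var.admin_principal_arn are defined elsewhere.

# Least-privilege role for the backup server: object read/write on one bucket only.
data "aws_iam_policy_document" "assume_ec2" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "backup" {
  name               = "backup-server-role"
  assume_role_policy = data.aws_iam_policy_document.assume_ec2.json
}

data "aws_iam_policy_document" "backup_s3" {
  statement {
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["${aws_s3_bucket.backups.arn}/*"]
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.backups.arn]
  }
}

resource "aws_iam_role_policy" "backup_s3" {
  role   = aws_iam_role.backup.id
  policy = data.aws_iam_policy_document.backup_s3.json
}

resource "aws_iam_instance_profile" "backup" {
  name = "backup-server-profile"
  role = aws_iam_role.backup.name
}

# Gateway endpoint: a route-table target, not an ENI. Listing the private
# route table here inserts a route for the regional S3 prefix list into it.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]
  policy            = data.aws_iam_policy_document.endpoint.json
}

# Endpoint policy: whoever uses this endpoint can only reach the backup bucket.
data "aws_iam_policy_document" "endpoint" {
  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.backups.arn, "${aws_s3_bucket.backups.arn}/*"]
  }
}

# Bucket policy: deny object access that did not arrive through the endpoint.
# The administrator principal is exempted so operators are not locked out.
data "aws_iam_policy_document" "bucket" {
  statement {
    sid    = "DenyAccessNotViaEndpoint"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [aws_s3_bucket.backups.arn, "${aws_s3_bucket.backups.arn}/*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.s3.id]
    }
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = [var.admin_principal_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "backups" {
  bucket = aws_s3_bucket.backups.id
  policy = data.aws_iam_policy_document.bucket.json
}
```

Two cautions before applying something like this to a bucket that already has consumers. The Deny statement matches any request without an `aws:SourceVpce` value, which includes the console, CI pipelines and any other VPC, so keep the administrator exemption and test with a scratch bucket first. And the endpoint only covers S3 in its own region; a bucket in another region is neither routed through it nor recognised by the `aws:SourceVpce` condition.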
Of course, creating infrastructure is one thing. Proving that it works is another.
To test the solution, I added a User Data script to the EC2 instance. When the instance launched, it automatically created a small text file and attempted to upload it to the S3 bucket.
The idea was simple. If the file appeared in the bucket, then the connection was working.
After Terraform finished deploying the environment, I checked the outputs to verify that the resources had been created successfully.
Next, I verified that the EC2 instance was running inside the private subnet and, more importantly, that it did not have a public IP address.
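The instance and the proof, as an added example that is not the repository's code. It assumes `aws_vpc.main`, `aws_subnet.private`, `aws_iam_instance_profile.backup`, `aws_s3_bucket.backups`, `aws_vpc_endpoint.s3` and `var.region` exist elsewhere in the configuration. Two of the manual checks above are turned into code: a postcondition fails the apply if the instance is ever given a public IP, and the security group allows egress only to the S3 prefix list, so the endpoint is not just the only route but the only permitted destination. It also requires IMDSv2, which the post does not mention.

```hcl
# Added example (not the project's code): the backup instance, its test
# upload, and checks that prove the private path. Assumes aws_vpc.main,
# aws_subnet.private, aws_iam_instance_profile.backup, aws_s3_bucket.backups,
# aws_vpc_endpoint.s3 and var.region are defined elsewhere.

# No ingress at all; egress only to the S3 prefix list behind the endpoint.
resource "aws_security_group" "backup" {
  name   = "backup-server-sg"
  vpc_id = aws_vpc.main.id

  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
  }
}

# Amazon Linux 2023 ships with AWS CLI v2, so the test needs no package install.
data "aws_ami" "al2023" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

resource "aws_instance" "backup" {
  ami                         = data.aws_ami.al2023.id
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.private.id
  vpc_security_group_ids      = [aws_security_group.backup.id]
  associate_public_ip_address = false
  iam_instance_profile        = aws_iam_instance_profile.backup.name

  # Require IMDSv2 so the role's temporary credentials cannot be read with a
  # plain GET to 169.254.169.254 (the classic SSRF-to-credentials path).
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Test script: write a small file and upload it. --region is explicit so
  # the CLI talks to the regional S3 endpoint that the gateway endpoint covers.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    echo "backup test $(date -u +%FT%TZ) from $(hostname)" > /tmp/backup-test.txt
    aws s3 cp /tmp/backup-test.txt \
      "s3://${aws_s3_bucket.backups.bucket}/backup-test.txt" \
      --region ${var.region}
  EOF

  # Fail the apply, not just a later review, if a public address ever appears.
  lifecycle {
    postcondition {
      condition     = self.public_ip == ""
      error_message = "Backup instance must not have a public IP address."
    }
  }
}

output "backup_instance_private_ip" {
  value = aws_instance.backup.private_ip
}

output "backup_instance_public_ip" {
  value = aws_instance.backup.public_ip # expected to be empty
}
```

After `terraform apply`, the public-IP output should be empty and the object should appear in the bucket within a minute or so of the instance booting. If the upload fails, the first things to check are that the private route table really carries the prefix-list route and that the AWS CLI is using the same region as the endpoint; the security group above blocks every other destination, so a wrong region fails fast rather than silently falling back to another path.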
Then came the moment of truth.
I opened the S3 bucket and checked its contents.
There it was.
The file had been uploaded successfully.
What made this result interesting was not the file itself. It was how the file got there.
The EC2 instance had no public IP address.
There was no Internet Gateway.
There was no NAT Gateway.
The only available path to Amazon S3 was through the Gateway VPC Endpoint associated with the route table.
In other words, the traffic never needed to leave the AWS network.
That was the key lesson from this project.
Before building it, I understood VPC Endpoints as a concept. After building it, I finally understood the problem they solve.
They're not just another AWS networking feature. They're a practical way to improve security, reduce cost (a gateway endpoint has no hourly or data-processing charge, unlike a NAT Gateway), and simplify architectures whenever private workloads need access to services like Amazon S3.
This project also reinforced several AWS concepts for me, including private subnet design, route table associations, IAM Roles, Instance Profiles, and Infrastructure as Code with Terraform.
Most importantly, it reminded me that good cloud architecture is often about finding the simplest secure path rather than adding more infrastructure.
If you're learning AWS networking, I highly recommend building this yourself. Reading about Gateway VPC Endpoints is helpful, but watching a private EC2 instance successfully upload a file to Amazon S3 without internet access makes the concept stick in a completely different way.
If you'd like to explore the Terraform code, architecture diagram, or reproduce the project yourself, you can find everything in my GitHub repository:
GitHub Repository: https://github.com/Naomiansah/secure-s3-vpc-endpoint-project
Have you used Gateway VPC Endpoints in production, or would you choose a different approach for this scenario? I'd love to hear your thoughts.