DEV Community

Steve Pe

Private Access to S3 Data from two AWS regions

What is AWS PrivateLink?

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.

  • Network traffic that uses AWS PrivateLink does not traverse the public internet

  • Reduced exposure to attacks

  • Regulatory compliance

  • Hybrid cloud

  • Cost savings

In this post I set up two VPCs in two AWS regions (Ohio, US and Tokyo, Japan) with two different CIDR ranges and use a VPC endpoint for Amazon S3 to access the data.

VPC endpoints for Amazon S3 simplify access to S3 from within a VPC by providing configurable and highly reliable private connections to S3 that do not require an Internet Gateway (IGW) or a Network Address Translation (NAT) device. When you create an S3 VPC endpoint, you can attach an endpoint policy to it that controls which access to Amazon S3 is allowed through that endpoint.

Step 1: Create a VPC in the Ohio Region:

  • In the AWS console go to VPC, select the Ohio region and create a VPC named Ohio-VPC with a CIDR of 10.10.0.0/16

  • Create 4 subnets in the Ohio-VPC: 2 public subnets and 2 private subnets.

  • Neither an Internet Gateway (IGW) nor a NAT Gateway is created in this Ohio-VPC.

Step 2: Create a VPC in the Tokyo Region:

  • Go to the Tokyo region and create a VPC named Tokyo-VPC with a CIDR of 10.20.0.0/16.

  • Create 4 subnets in the Tokyo-VPC: 2 public subnets and 2 private subnets.

  • Neither an Internet Gateway (IGW) nor a NAT Gateway is created in this Tokyo-VPC.

Step 3: Create an S3 bucket in the Ohio Region:

In the AWS Console, go to the S3 service and create a bucket in the Ohio region.

Step 4: Create an Interface endpoint in the Ohio region:

  • In the VPC console, click Endpoints under Virtual Private Cloud in the left panel to open the Endpoints console.

  • In the Endpoints console, click Create Endpoint. The new screen asks for a name and for the AWS service for which we want to create the endpoint. Because we are creating one for S3, filter by the S3 service; the available S3 endpoints include gateway and interface endpoints, and interface endpoints for S3 Outposts and access points are listed as well. Choose the S3 interface endpoint.

  • Choose the right VPC and the private subnets you created earlier. Create a new security group with no inbound rules and the default outbound rule.

  • The S3 interface endpoint is created and available. Grab its DNS name; we replace the leading * with the appropriate value, as in the example below:

  • Example for bucket access: bucket.vpce-xxxxxxxxxx1a295b3-zshjrg35.s3.us-east-2.vpce.amazonaws.com

Step 5: VPC Peering between Ohio-VPC and Tokyo-VPC

  • Create a VPC peering connection between the Ohio and Tokyo VPCs, accept the peering connection in the accepter VPC, and add routes for the other VPC's CIDR to the route tables.

  • Then accept the peering connection in the Tokyo VPC.

  • Add a route to each route table with the peered VPC's CIDR as the destination and the peering connection as the target.

Step 6: Create an EC2 instance in the Ohio Region:

  • Create an EC2 instance in a private subnet in the Ohio region and attach the necessary IAM role (SSM and S3 permissions)

  • Connect to the private EC2 instance in the Ohio region using SSM and list the S3 bucket

  • Use the S3 interface endpoint created earlier and run the command below
    (Sample: aws s3 --region us-east-2 --endpoint-url https://bucket.vpce-xxxxxxxxxxxxxxxxx-zshjrg35.s3.us-east-2.vpce.amazonaws.com ls s3://{Your Bucket at Ohio}/)

Step 7: Create an EC2 instance in the Tokyo Region:

  • Create an EC2 instance in a private subnet in the Tokyo region and attach the necessary IAM role (SSM and S3 permissions)

  • Connect to the private EC2 instance in the Tokyo region using SSM and list the S3 bucket in the Ohio region

  • Use the S3 interface endpoint created earlier and run the command below
    (Sample: aws s3 --region us-east-2 --endpoint-url https://bucket.vpce-xxxxxxxxxxxxxxxxx-zshjrg35.s3.us-east-2.vpce.amazonaws.com ls s3://{Your Bucket at Ohio}/)
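The URL construction from Step 4, the listing command from Steps 6 and 7, and the endpoint policy mentioned at the start of the post, as an added shell example that is not part of the original post. The endpoint id vpce-0123456789abcdef0, the zshjrg35 suffix and the bucket name my-ohio-bucket are constructed placeholders; substitute the DNS name and bucket your own endpoint shows.

```shell
#!/bin/sh
# Added example (not from the original post). It derives the bucket-style
# endpoint URL from the "*.vpce-..." DNS name the console shows, builds a
# least-privilege endpoint policy for one bucket, and wraps the listing
# command from the post. Endpoint id, suffix and bucket name are constructed
# placeholders, not real values.

VPCE_DNS='*.vpce-0123456789abcdef0-zshjrg35.s3.us-east-2.vpce.amazonaws.com'

# s3_vpce_url WILDCARD_DNS [STYLE]
# Replace the leading "*" with the access style: bucket (default),
# accesspoint, or control. Rejects names that are not S3 interface
# endpoint DNS names, so a typo cannot silently send traffic elsewhere.
s3_vpce_url() {
  style="${2:-bucket}"
  case "$1" in
    '*.'*.s3.*.vpce.amazonaws.com)
      # "${1#*.}" strips everything up to the first dot, i.e. the leading "*"
      printf 'https://%s.%s\n' "$style" "${1#*.}"
      ;;
    *)
      printf 'not an S3 interface endpoint DNS name: %s\n' "$1" >&2
      return 1
      ;;
  esac
}

# s3_vpce_policy BUCKET
# Endpoint policy that only permits listing and reading the given bucket.
# Everything else sent through the endpoint falls under the implicit deny,
# which is the control the post refers to when it mentions endpoint policies.
s3_vpce_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyToOneBucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": [
        "arn:aws:s3:::$1",
        "arn:aws:s3:::$1/*"
      ]
    }
  ]
}
EOF
}

# list_bucket_via_vpce BUCKET [REGION]
# The command from Steps 6 and 7 with the URL derived instead of typed by hand.
# Needs the AWS CLI and an instance role allowed to list the bucket; the
# region must be the bucket's (and endpoint's) region so request signing
# matches, which is why the Tokyo instance also passes us-east-2.
list_bucket_via_vpce() {
  region="${2:-us-east-2}"
  aws s3 --region "$region" \
    --endpoint-url "$(s3_vpce_url "$VPCE_DNS")" \
    ls "s3://$1/"
}
```

Apply the policy from the endpoint's Policy tab (or with aws ec2 modify-vpc-endpoint --policy-document). Two things to check when the listing hangs: the endpoint's security group must allow inbound HTTPS (TCP 443) from the client ranges, here 10.10.0.0/16 and 10.20.0.0/16, and the Tokyo route table must carry the 10.10.0.0/16 route to the peering connection from Step 5.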

Conclusion:
The S3 interface endpoint lets us access S3 buckets privately, and we can also access S3 buckets in another region privately when VPC peering is enabled between the VPCs.
