VPC Interface Endpoint vs VPC Gateway Endpoint: Understanding the Key Differences — Part 3

What is the real benefit of using an Amazon VPC endpoint?
Can you save money and improve security with a VPC endpoint?
Part 1 of this series covered the differences between Interface endpoints and Gateway endpoints, and how to reach public AWS services securely over a private connection.
VPC Gateway Endpoint Use-Case
AWS Gateway endpoints provide reliable connectivity to S3 and DynamoDB without requiring an internet gateway or a NAT device in your VPC.
Unlike Interface endpoints, Gateway endpoints do not use AWS PrivateLink.
Instead, they add entries to the route tables you choose, directing traffic for S3 or DynamoDB to the VPC endpoint.
This lets you keep instances in private subnets while they still reach the S3 API.
When you route traffic to S3 through a NAT Gateway, by contrast, you pay for every byte the NAT Gateway processes.
That traffic also leaves your VPC over the public path and re-enters at the S3 public endpoint, which adds latency.
This post shows how to access an S3 bucket from a private EC2 instance. In other words, the VPC has no Internet Gateway and no NAT device.
How You Will Do It
In this demo you will connect to a private EC2 instance in a VPC that has no public internet connectivity.
You will connect to this EC2 instance through an EC2 Instance Connect Endpoint.
If you don't know how to connect to an EC2 instance through an Instance Connect Endpoint, see part 2 of this VPC Endpoint series, which shows how to set up an interface endpoint to reach a private EC2 instance.
One common use of S3 is to store data written by an EC2 instance or by a container running in ECS.
This lets you access your data from anywhere in the world, and S3 holds a variety of data types, such as images, videos, and documents.
Now it will be demonstrated how to read a file from an S3 bucket on an EC2 instance that has no internet access at all.
When you create a Gateway endpoint you specify one or more route tables. AWS adds a route to each of them whose destination is the managed prefix list for the service (the set of public IP ranges S3 uses in that region) and whose target is the endpoint.
AWS maintains the prefix list itself; you never edit those IP ranges, and they are kept current as S3 adds or retires ranges.
This is how the VPC router knows to send traffic for S3 from instances in this private-only VPC to the gateway endpoint rather than dropping it for lack of a default route.

Pre Requisites
To run this demo, I will use the setup below:
- A VPC with NO Internet Gateway attached.
- An S3 bucket already created.
- An EC2 instance in a private subnet with no public IP address.
- An EC2 Instance Connect Endpoint (an interface endpoint) already set up to reach that private instance.
- An IAM role (instance profile) on the instance that allows s3:ListAllMyBuckets, s3:ListBucket and s3:GetObject. The gateway endpoint only provides the network path; it does not supply credentials, and without them the AWS CLI fails with a credentials error rather than a connectivity one.
Let’s See How It Works
Open the S3 console and click the bucket you're going to use for this demo.
I created a bucket with a random name; it is called test-bucket-lne9jwfrk2zt.
You're going to upload a file to your bucket. It can be any file.
Click Upload.

Click Add files, to attach your file. Then click Upload.

When the upload’s finished, click Close.

Now, open the EC2 console.
You can see the EC2 instance I’m using for this demo has no public IP address.

Right-click the private EC2 instance you will use for this demo, and click Connect.
Select Connect using EC2 Instance Connect Endpoint, click the EC2 Instance Connect Endpoint search box, and select the endpoint you created.
Then click Connect.
As I mentioned previously, part 2 of this VPC Endpoint series shows how to set up the Interface Endpoint used to connect to a private EC2 instance.

You can verify that this EC2 instance has no internet connectivity by pinging the IP address 1.1.1.1; the requests time out. (Ping uses ICMP, so a security group that blocks outbound ICMP makes it fail regardless of routing; the S3 test below is the more reliable check.)

You can also test connectivity to AWS services by running aws s3 ls to list the S3 buckets.
Note that when you run it, it just hangs: the CLI keeps retrying the connection to the public S3 endpoint until it gives up.
There is no connectivity to AWS public services because the VPC has no route to any of the public endpoint address ranges.

Press Ctrl + C to cancel out of that.
You’re going to create a Gateway endpoint that will allow you to access the S3 buckets.
Go back to the VPC console. On the left menu, click Endpoints.
Click Create endpoint.

Give it a name. I chose the name tag PrivateVPCS3.
In the Service category, keep AWS services.
In the Services filter box, type S3, then click com.amazonaws.us-west-1.s3.
I set up my environment in the us-west-1 region. Depending on the region you're working in, it will show you the service name for that region instead.

Check the box next to Gateway (the same service name is also offered with the Interface type, which is the PrivateLink-based option and is billed per hour and per GB). Then select your VPC.

Select the route table associated with the subnet you're using for this demo.
Scroll down and click Create endpoint.

When the gateway endpoint shows as created, refresh the page and make sure its state is Available.

Now click Route tables on the left menu.
Select the route table you attached to the gateway endpoint you just created, then click the Routes tab.
You will see a new route whose destination is the S3 prefix list for the current region (an id starting with pl-) and whose target is the endpoint (an id starting with vpce-).
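The route-table check above, done against the JSON that `aws ec2 describe-route-tables` returns, as an added example for this article (not code from the original post or from AWS). It verifies the two properties the demo relies on: a prefix-list route to the gateway endpoint, and no route to an internet gateway or NAT device. The sample document below is constructed by hand to mirror the demo; the rtb-, vpc-, pl- and vpce- ids are placeholders, not real resources.

```python
"""Check a VPC route table for the S3 gateway-endpoint route.

Added example for this article, not code from the original post. It parses
the JSON shape returned by `aws ec2 describe-route-tables`. The sample below
is constructed by hand to mirror the demo: one private route table whose
only non-local route points at the S3 prefix list through the gateway
endpoint. Run it with the real output of
`aws ec2 describe-route-tables --route-table-ids <rtb-id>` to confirm the
same thing against your own VPC.
"""
import json

# Constructed sample of `aws ec2 describe-route-tables` output after the
# gateway endpoint was associated with this route table. Placeholder ids.
SAMPLE_DESCRIBE_ROUTE_TABLES = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-0123456789abcdef0",
            "VpcId": "vpc-0123456789abcdef0",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationPrefixListId": "pl-0123456789abcdef0",
                 "GatewayId": "vpce-0123456789abcdef0", "State": "active"},
            ],
        }
    ]
})


def summarize_route_table(rt: dict) -> dict:
    """Classify the routes of one route table.

    Returns which gateway endpoints (vpce-...) are reachable via prefix-list
    routes, and which routes would give the subnet a path to the public
    internet (an igw-... or nat-... target, or a 0.0.0.0/0 default route).
    """
    endpoint_routes = []
    internet_routes = []
    for route in rt.get("Routes", []):
        if route.get("State") != "active":
            continue
        # IGW and gateway-endpoint targets appear under GatewayId; NAT gateways
        # under NatGatewayId; NAT instances under NetworkInterfaceId.
        target = (route.get("GatewayId") or route.get("NatGatewayId")
                  or route.get("NetworkInterfaceId") or "")
        dest = route.get("DestinationPrefixListId") or route.get("DestinationCidrBlock") or ""
        if target.startswith("vpce-") and dest.startswith("pl-"):
            endpoint_routes.append((dest, target))
        elif target.startswith(("igw-", "nat-")) or dest == "0.0.0.0/0":
            internet_routes.append((dest, target))
    return {
        "route_table_id": rt.get("RouteTableId"),
        "endpoint_routes": endpoint_routes,
        "internet_routes": internet_routes,
    }


def verify_private_s3_access(describe_output: str, endpoint_id: str) -> list:
    """For every route table in the describe output, require a prefix-list
    route to endpoint_id and no internet-bound route.

    Returns a list of problem strings; an empty list means all tables are as
    the demo expects.
    """
    problems = []
    for rt in json.loads(describe_output)["RouteTables"]:
        summary = summarize_route_table(rt)
        rtb = summary["route_table_id"]
        if not any(target == endpoint_id for _, target in summary["endpoint_routes"]):
            problems.append(f"{rtb}: no prefix-list route to {endpoint_id}")
        for dest, target in summary["internet_routes"]:
            problems.append(f"{rtb}: internet-bound route {dest} -> {target}")
    return problems


if __name__ == "__main__":
    issues = verify_private_s3_access(SAMPLE_DESCRIBE_ROUTE_TABLES, "vpce-0123456789abcdef0")
    print("OK: private S3 route in place" if not issues else "\n".join(issues))
```

The same function run over the route tables of every private subnet is a cheap way to catch a NAT route that someone added later, which would silently reintroduce the per-byte NAT cost and the public path the gateway endpoint was meant to remove.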

Open the EC2 console and go back to the terminal connected to your EC2 instance.
Now that the gateway endpoint exists, try the S3 service again.
The command below lists all buckets in your AWS account. I add "| grep test-bucket" at the end because I want to show only the bucket used for this demo.
aws s3 ls | grep test-bucket
Now copy the file you uploaded to the bucket earlier down to this EC2 instance with the command below.
Make sure you replace the bucket and file name.
aws s3 cp s3://<your_bucket_name>/<file_attached_to_your_bucket> .
Then list the file with ls -l.
You have just implemented a Gateway Endpoint and, in doing so, allowed this private VPC to reach a public service endpoint, S3, and specifically this bucket.
One caveat before calling the VPC locked down: the Full access policy the console attaches to the endpoint by default allows any principal to reach any S3 bucket through it, in any AWS account, so a private VPC with a gateway endpoint is not by itself a barrier against data leaving through S3. Restrict the endpoint policy to the buckets you need, and on the bucket side add a bucket policy that denies requests whose aws:SourceVpce is not this endpoint.
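The two policies that close down the default, as an added example for this article (not code from the original post or from AWS). The bucket name is the one from the demo; the vpce- id is a placeholder. endpoint_policy() is what you would attach with `aws ec2 modify-vpc-endpoint --policy-document`, bucket_policy() with `aws s3api put-bucket-policy`, and audit_endpoint_policy() flags the wide-open shape the console creates.

```python
"""Least-privilege policies for an S3 gateway endpoint.

Added example for this article, not code from the original post or any AWS
tool. A gateway endpoint is created with a Full access policy that lets any
principal reach any S3 resource through it; the documents below narrow that
to the demo bucket. Bucket name is from the article; the endpoint id is a
placeholder.
"""
import json

DEMO_BUCKET = "test-bucket-lne9jwfrk2zt"      # bucket from the article
DEMO_ENDPOINT_ID = "vpce-0123456789abcdef0"   # placeholder, not a real endpoint

# The policy AWS attaches when "Full access" is left selected at creation.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def endpoint_policy(bucket: str, actions=("s3:GetObject", "s3:ListBucket")) -> dict:
    """Endpoint policy: only the listed actions, only against this bucket.

    Anything else, including a PutObject to a bucket in another account,
    is refused at the endpoint before it reaches S3. ListBucket applies to
    the bucket ARN, GetObject to the object ARNs, so both are listed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyDemoBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": list(actions),
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def bucket_policy(bucket: str, endpoint_id: str) -> dict:
    """Bucket policy: deny every request that did not arrive via the endpoint.

    An explicit Deny wins over any Allow, so this holds even for principals
    whose identity policies would otherwise allow access from the internet.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": endpoint_id}},
            }
        ],
    }


def audit_endpoint_policy(policy: dict) -> list:
    """Return findings for Allow statements that keep the default open shape."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' reaches any S3 bucket, in any account")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: Action {actions} allows writes and deletes, not just reads")
    return findings


if __name__ == "__main__":
    print("default endpoint policy:", audit_endpoint_policy(DEFAULT_ENDPOINT_POLICY))
    print(json.dumps(endpoint_policy(DEMO_BUCKET), indent=2))
    print(json.dumps(bucket_policy(DEMO_BUCKET, DEMO_ENDPOINT_ID), indent=2))
```

Two things to watch when applying these. The Deny keyed on aws:SourceVpce also locks out your own console and CLI users who are not inside the VPC, so in practice you add an exception for an administrative role (for example an aws:PrincipalArn condition) before putting it on a bucket you cannot afford to lose access to. And the endpoint policy only governs what passes through the endpoint; the instance role still needs its own Allow for the same actions.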
Hope it helped you!
