How do I check if my Amazon S3 traffic is going through a gateway VPC endpoint or an interface VPC endpoint?

4 minutos de lectura
2

I want to check if my Amazon Simple Storage Service (Amazon S3) traffic is going through a gateway Amazon Virtual Private Cloud (Amazon VPC) endpoint or an interface Amazon VPC endpoint.

Resolution

To check if your Amazon S3 traffic is going through a gateway endpoint or an interface endpoint, complete the following steps.

Check traffic flow over a gateway Amazon VPC endpoint

To check traffic flow over a gateway Amazon VPC endpoint, take the following actions:

  • Use a TCP-based traceroute
  • Configure Amazon S3 server access logging

Use a TCP-based traceroute

Note: In the following commands, replace example-region-code with your AWS Region.

To use a TCP-based traceroute, run the following commands:

For HTTP:

sudo traceroute -T -p 80 <s3.example-region-code.amazonaws.com>

For HTTPS:

sudo traceroute -T -p 443 <s3.example-region-code.amazonaws.com>

Example output without gateway endpoint:

traceroute -T -p 443 s3.us-west-2.amazonaws.com 
traceroute to s3.us-west-2.amazonaws.com (52.218.205.128), 30 hops max, 60 byte packets
1 * * ec2-52-15-0-55.us-east-2.compute.amazonaws.com (52.15.0.55) 0.720 ms
2 100.65.27.64 (100.65.27.64) 3.904 ms * 100.65.26.160 (100.65.26.160) 2.538 ms
3 100.66.12.238 (100.66.12.238) 5.841 ms 100.66.12.244 (100.66.12.244) 1.624 ms 100.66.13.84 (100.66.13.84) 1.618 ms
4 100.66.14.132 (100.66.14.132) 12.056 ms 100.66.15.198 (100.66.15.198) 22.155 ms 100.66.15.72 (100.66.15.72) 36.160 ms
5 241.0.12.73 (241.0.12.73) 0.333 ms 241.0.12.70 (241.0.12.70) 0.318 ms 241.0.12.77 (241.0.12.77) 0.298 ms
6 108.166.252.46 (108.166.252.46) 1.244 ms 108.166.248.33 (108.166.248.33) 0.909 ms 108.166.252.46 (108.166.252.46) 1.153 ms
7 52.95.2.153 (52.95.2.153) 1.616 ms 52.95.2.151 (52.95.2.151) 1.175 ms 52.93.239.48 (52.93.239.48) 0.899 ms
8 100.92.37.93 (100.92.37.93) 53.817 ms 100.92.31.89 (100.92.31.89) 50.767 ms 100.92.37.43 (100.92.37.43) 54.258 ms
9 100.100.2.87 (100.100.2.87) 49.736 ms 100.100.2.57 (100.100.2.57) 48.820 ms 100.100.2.73 (100.100.2.73) 51.058 ms
10 100.100.88.66 (100.100.88.66) 49.888 ms 100.100.88.194 (100.100.88.194) 48.951 ms 100.100.85.66 (100.100.85.66) 49.416 ms
11 100.100.77.71 (100.100.77.71) 48.986 ms 100.100.68.7 (100.100.68.7) 50.073 ms 100.100.82.7 (100.100.82.7) 95.565 ms
12 100.100.6.110 (100.100.6.110) 55.784 ms 100.100.6.88 (100.100.6.88) 51.155 ms 100.100.6.52 (100.100.6.52) 62.262 ms
13 100.95.1.132 (100.95.1.132) 48.900 ms 100.95.1.140 (100.95.1.140) 50.982 ms 100.95.1.130 (100.95.1.130) 50.822 ms
14 242.0.30.128 (242.0.30.128) 50.907 ms 108.166.232.46 (108.166.232.46) 50.847 ms 100.95.17.134 (100.95.17.134) 50.577 ms
15 108.166.232.54 (108.166.232.54) 50.321 ms 108.166.232.50 (108.166.232.50) 49.407 ms 108.166.232.59 (108.166.232.59) 50.893 ms
16 108.166.232.63 (108.166.232.63) 48.257 ms 108.166.232.49 (108.166.232.49) 50.261 ms 50.365 ms
17 241.0.1.142 (241.0.1.142) 49.940 ms 49.451 ms 241.0.1.140 (241.0.1.140) 51.448 ms
18 100.66.3.145 (100.66.3.145) 65.740 ms * 100.66.3.137 (100.66.3.137) 68.843 ms
19 100.66.1.143 (100.66.1.143) 67.227 ms 100.66.1.131 (100.66.1.131) 67.074 ms 100.66.1.253 (100.66.1.253) 73.648 ms
20 100.65.7.33 (100.65.7.33) 67.465 ms 68.900 ms 100.65.7.161 (100.65.7.161) 67.558 ms
21 s3-us-west-2.amazonaws.com (52.218.205.128) 49.616 ms 51.496 ms 50.240 ms

Note: Traffic flow over the internet has similar traceroute results as traffic flow without a gateway endpoint.

Example output with gateway endpoint:

traceroute to -T -p 443 s3.us-east-2.amazonaws.com, 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 s3.us-east-2.amazonaws.com 0.432 ms 0.449 ms *

Note: For traceroute outputs that have a gateway endpoint, only the last hop is visible. Also, traceroute results are similar for port 80 and port 443.

Configure Amazon S3 server access logging

To identify the source of the request, turn on Amazon S3 server access logging.

Check traffic flow over an interface Amazon VPC endpoint

To check traffic flow over an interface Amazon VPC endpoint, take the following actions:

  • Check the IP address of the source resource that connects to Amazon S3 to confirm the traffic flow through the Amazon S3 endpoint. When you set up an interface Amazon VPC endpoint, an elastic network interface with a private IP address is deployed in the subnet. This allows resources within the Amazon VPC to communicate with an Amazon S3 bucket.
  • Use Amazon CloudWatch to monitor your Amazon VPC endpoint use. Metrics such as ActiveConnections and BytesProcessed provide information on endpoint usage. For more information, see Endpoint metrics and dimensions.
  • Check if Private DNS is turned on for the Amazon S3 endpoint. If PrivateDNS is turned on, then Amazon S3 endpoints handle traffic to the Amazon S3 Regional endpoint.

Related information

How do I troubleshoot connectivity issues when I use interface VPC endpoints to connect to my Amazon S3 bucket?

Why can't I connect to an S3 bucket using a gateway VPC endpoint?

Access an AWS service using an interface VPC endpoint

OFICIAL DE AWS
OFICIAL DE AWSActualizada hace 6 meses