Does traffic between Amazon EC2 and Amazon S3 really go over the internet?


A VPC endpoint is often recommended to avoid traffic going over the internet. However, if resources such as Amazon EC2 and Amazon S3 communicate with each other in the same AWS Region, does the traffic really go across the internet? Or does it stay within AWS Global Backbone or an Edge networking location? If the latter, is there any supporting documentation available?

asked 4 years ago, 4596 views
2 Answers
Accepted Answer

No, even if your AWS resources communicate with each other in the same AWS Region, the network traffic doesn't go over the internet. However, you do need to use resources such as a NAT Gateway (which incurs additional costs) and an internet gateway (IGW) to make VPC traffic go over the internet. Even traffic between two AWS Regions (such as from your Amazon EC2 instance with a public IP address to an S3 bucket in another commercial Region) will go over the AWS Global Backbone. From the Building a Scalable and Secure Multi-VPC AWS Network Infrastructure whitepaper:

All network traffic between regions is encrypted, stays on the AWS global network backbone, and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.

To avoid using an IGW, consider using a VPC endpoint.

AWS EXPERT, answered 4 years ago; reviewed 2 years ago
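As an added example (not part of either answer), here is a small Python check for the recommendation above: given the JSON that `aws ec2 describe-route-tables` returns, it reports per subnet whether S3 traffic resolves to a gateway VPC endpoint or falls through to the IGW/NAT default route. The route tables, resource IDs and prefix-list ID are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` JSON output;
# every ID here is a placeholder, not a real resource.
SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-private-1",
   "Associations": [{"SubnetId": "subnet-app-a"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
  {"RouteTableId": "rtb-public-1",
   "Associations": [{"SubnetId": "subnet-web-a"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]}
]}
""")

# Placeholder; in a real account take the S3 entry from `aws ec2 describe-prefix-lists`.
S3_PREFIX_LIST = "pl-s3-example"

# Route-target prefix -> how S3 traffic leaves the subnet.
KINDS = {"vpce-": "endpoint", "igw-": "igw", "nat-": "nat"}


def s3_target(route_table, s3_prefix_list):
    """Return the target ID that S3 traffic resolves to in this route table.

    A gateway endpoint appears as a route to the S3 managed prefix list with a
    vpce-* GatewayId; it is more specific than 0.0.0.0/0 and so wins over the
    default route. Tables without it fall through to the IGW or NAT gateway.
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationPrefixListId") == s3_prefix_list:
            return route.get("GatewayId", "")
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId", "")
    return ""  # no matching route: S3 is unreachable from here


def audit(describe_output, s3_prefix_list):
    """Map each explicitly associated subnet to endpoint / igw / nat / none."""
    result = {}
    for rt in describe_output["RouteTables"]:
        target = s3_target(rt, s3_prefix_list)
        kind = next((k for p, k in KINDS.items() if target.startswith(p)), "none")
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:  # skip the implicit "main" association
                result[assoc["SubnetId"]] = kind
    return result
```

Any subnet reported as `igw` or `nat` is one whose S3 requests leave through the internet gateway path the answer describes, so it is a candidate for a gateway endpoint route.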

See also the Amazon VPC FAQ, which states:

Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?

No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.

In addition, all data flowing across the AWS global network that interconnects our data centers and Regions is automatically encrypted at the physical layer before it leaves our secured facilities. Additional encryption layers exist as well; for example, all VPC cross-region peering traffic, and customer or service-to-service Transport Layer Security (TLS) connections.

AWS EXPERT, answered 2 years ago; reviewed 2 years ago
