CFN - Advice for adding an S3 endpoint to private subnets for fargate task access

0

Hi, I have been banging my head trying to get this working and cannot figure it out.

I have an ECS fargate cluster in 2 private subnets. There are 2 public subnets with NatGWs (needed for the tasks running in Fargate). Currently I have S3 traffic going through the NatGWs and I would like to implement an S3 endpoint as "best practice". I have created CFN scripts to create the endpoint and associated security group. All resources are created and appear to be working. However I can see from the logs that traffic for s3 is still going through the NatGWs. Is there something basic that I have missed? Is there a way to force the traffic from the tasks to the S3 endpoints?

The fargate task security group has the following egress:

      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 0.0.0.0/0

Here is the script that creates the endpoint and SG:

  endpointS3SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for S3 endpoint"
      GroupName: "S3-endpoint-sg"
      Tags:
        - Key: "Name"
          Value: "S3-endpoint-sg"
      VpcId: !Ref vpc
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref fargateContainerSecurityGroup

  # S3 endpoint
  endpointS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 's3:*'
            Resource: '*'
      SubnetIds:
        - !Ref privateSubnet1
        - !Ref privateSubnet2
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref endpointS3SecurityGroup
      ServiceName:
        Fn::Sub: "com.amazonaws.${AWS::Region}.s3"
      VpcId: !Ref vpc

Thanks in advance.

Regards, Don.

3 Answers
1
Accepted Answer

Interesting! I didn't know about that S3 limitation but I see it's mentioned in https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html: "To create an interface endpoint for Amazon S3, you must clear Additional settings, Enable DNS name. This is because Amazon S3 does not support private DNS for interface VPC endpoints."

I've used Interface endpoints for lots of services but not S3, as I've always stuck with the free Gateway endpoints for that as you've now done.

EXPERT
answered a year ago
  • Thanks skinsman. I think I got confused with the documentation and should have started with the Gateway rather than Application endpoint.

0

In AWS::EC2::VPCEndpoint you need to set PrivateDnsEnabled: true to enable the default AWS-managed Private Hosted Zone (PHZ) that will cause DNS resolution of the S3 service endpoint to go to your private IP address (for the VPCEndpoint) instead of the service's standard public IP address.

The other alternative is to manage your own PHZ (AWS::Route53::HostedZone) which is what you need to do if you're sharing the interface endpoint across VPCs. See https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/ for example.

EXPERT
answered a year ago
  • Hi skinsman, thanks for the quick response. Unfortunately PrivateDnsEnabled is not available for S3 interface endpoints. I get the following error from CFN when building the stack with it set to true:

    Private DNS can't be enabled because the service com.amazonaws.eu-west-1.s3 does not provide a private DNS name.

  Regards, Don.

0

I converted the endpoint to Gateway and now it all works as expected. Thanks to skinsman for giving me the strength to go back into the documentation.

Here is the updated CFN script for those of you who come across the same issue:

  # S3 endpoint security group
  # Note: a Gateway endpoint has no ENI and takes no SecurityGroupIds, so this
  # group is not attached to the endpoint below; it is kept here as posted.
  endpointS3SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for S3 endpoint"
      GroupName: "inclus-s3-endpoint-sg"
      Tags:
        - Key: "Name"
          Value: "inclus-s3-endpoint-sg"
      VpcId: !Ref vpc
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref fargateContainerSecurityGroup

  # S3 endpoint
  endpointS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 's3:*'
            Resource: '*'
      RouteTableIds:
        - !Ref privateRouteTable1
        - !Ref privateRouteTable2
      VpcEndpointType: Gateway
      ServiceName:
        !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcId: !Ref vpc
Don
answered a year ago
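As an added example (not part of Don's answer or any code in this thread), a small offline check for the mistake the thread walks through: it lints the S3 VPC endpoint resources of a CloudFormation template in JSON form, flags an Interface-type S3 endpoint (no private DNS, so tasks resolving the public S3 hostname keep going through NAT), verifies that a Gateway endpoint carries RouteTableIds, and notes the full-access endpoint policy. The two embedded templates are constructed transcriptions of the question's and the final answer's endpoint resources, not the original files.

```python
"""Offline lint for the S3 VPC endpoint pattern in this thread (CloudFormation
templates in JSON form: `!Sub x` is {"Fn::Sub": x}, `!Ref x` is {"Ref": x})."""
import json

# Hypothetical transcriptions of the question's (Interface) and the final
# answer's (Gateway) endpoint resources; not the original template files.
QUESTION_TEMPLATE = json.loads("""{"Resources": {"endpointS3": {
  "Type": "AWS::EC2::VPCEndpoint", "Properties": {"VpcEndpointType": "Interface",
  "SubnetIds": [{"Ref": "privateSubnet1"}], "SecurityGroupIds": [{"Ref": "endpointS3SecurityGroup"}],
  "ServiceName": {"Fn::Sub": "com.amazonaws.${AWS::Region}.s3"}, "VpcId": {"Ref": "vpc"}}}}}""")
FIXED_TEMPLATE = json.loads("""{"Resources": {"endpointS3": {
  "Type": "AWS::EC2::VPCEndpoint", "Properties": {"VpcEndpointType": "Gateway",
  "RouteTableIds": [{"Ref": "privateRouteTable1"}, {"Ref": "privateRouteTable2"}],
  "PolicyDocument": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]},
  "ServiceName": {"Fn::Sub": "com.amazonaws.${AWS::Region}.s3"}, "VpcId": {"Ref": "vpc"}}}}}""")


def service_name(props):
    """ServiceName may be a literal or an Fn::Sub (string, or [string, variable map])."""
    name = props.get("ServiceName", "")
    if isinstance(name, dict):
        name = name.get("Fn::Sub", "")
        name = name[0] if isinstance(name, list) else name
    return str(name)


def lint_s3_endpoints(template):
    """Return (resource_id, message) findings for every S3 VPC endpoint."""
    findings = []
    for rid, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::EC2::VPCEndpoint" or not service_name(props).endswith(".s3"):
            continue
        if props.get("VpcEndpointType", "Gateway") == "Interface":  # Gateway is CFN's default
            # S3 offers no private DNS for interface endpoints, so clients resolving the
            # public S3 hostname never reach the endpoint ENI and keep egressing via NAT.
            findings.append((rid, "Interface endpoint for S3 has no private DNS; use Gateway"))
        else:
            if not props.get("RouteTableIds"):
                findings.append((rid, "Gateway endpoint lacks RouteTableIds; no subnet routes to it"))
            for key in ("SubnetIds", "SecurityGroupIds", "PrivateDnsEnabled"):
                if key in props:
                    findings.append((rid, f"{key} is ignored by a Gateway endpoint"))
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            if (stmt.get("Effect"), stmt.get("Action"), stmt.get("Resource")) == ("Allow", "s3:*", "*"):
                findings.append((rid, "endpoint policy allows s3:* on *; scope it to the task's buckets"))
    return findings
```

Run against the question's template it reports the Interface finding; against the corrected template only the policy note remains, which is the one thing the working answer still leaves at its permissive default.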
