Interesting! I didn't know about that S3 limitation but I see it's mentioned in https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html: "To create an interface endpoint for Amazon S3, you must clear Additional settings, Enable DNS name. This is because Amazon S3 does not support private DNS for interface VPC endpoints."
I've used Interface endpoints for lots of services but not S3, as I've always stuck with the free Gateway endpoints for that as you've now done.
In AWS::EC2::VPCEndpoint you need to set PrivateDnsEnabled: true to enable the default AWS-managed Private Hosted Zone (PHZ) that will cause DNS resolution of the S3 service endpoint to go to your private IP address (for the VPCEndpoint) instead of the service's standard public IP address.
The other alternative is to manage your own PHZ (AWS::Route53::HostedZone) which is what you need to do if you're sharing the interface endpoint across VPCs. See https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/ for example.
Hi skinsman, thanks for the quick response. Unfortunately PrivateDNSEnabled is not available for S3 interface endpoints. I get the following error from CFN when building the stack with it set to true: "Private DNS can't be enabled because the service com.amazonaws.eu-west-1.s3 does not provide a private DNS name."
Regards, Don.
I converted the endpoint to Gateway and now it all works as expected. Thanks to skinsman for giving me the strength to go back into the documentation.
Here is the updated CFN script for those of you who come across the same issue:
```yaml
  # S3 endpoint security group
  endpointS3SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "Security group for S3 endpoint"
      GroupName: !Sub "inclus-s3-endpoint-sg"
      Tags:
        - Key: "Name"
          Value: !Sub "inclus-s3-endpoint-sg"
      VpcId: !Ref vpc
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref fargateContainerSecurityGroup

  # S3 endpoint
  endpointS3:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: 's3:*'
            Resource: '*'
      RouteTableIds:
        - !Ref privateRouteTable1
        - !Ref privateRouteTable2
      VpcEndpointType: Gateway
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"
      VpcId: !Ref vpc
```
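An added example, not code from the thread or from AWS: a small audit of the endpoint policy pattern in the template above. A Gateway endpoint attaches to route tables rather than to a security group, so the endpoint policy is the only place to limit which principals and buckets are reachable through it, and the posted `Principal: '*'` / `Action: 's3:*'` / `Resource: '*'` policy grants everything. The account id, bucket name and endpoint ids below are constructed placeholders, and the records mirror the shape of `ec2:DescribeVpcEndpoints` output.

```python
import json
# Added audit helper, not from the thread; account id and bucket are placeholders.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # IAM accepts Principal as the string '*' or a map such as {"AWS": "*"}.
    return principal == "*" or (isinstance(principal, dict) and any(
        p == "*" for v in principal.values() for p in _as_list(v)))

def audit_endpoint_policy(policy):
    """Findings for Allow statements granting any principal, any action
    (including service-wide wildcards such as 's3:*'), or any resource."""
    if isinstance(policy, str):  # DescribeVpcEndpoints returns a JSON string
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _wildcard_principal(stmt.get("Principal")):
            findings.append(f"statement {i}: Principal is '*'")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: Action is a wildcard")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource is '*'")
    return findings

def audit_endpoints(endpoints):
    """Map VpcEndpointId -> findings over DescribeVpcEndpoints-shaped records."""
    return {e["VpcEndpointId"]: audit_endpoint_policy(e["PolicyDocument"])
            for e in endpoints}

# Policy exactly as in the template above: any S3 API on any bucket, for anyone.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]}

# Scoped variant: one account's principals, read/write on one bucket only.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-bucket",
                 "arn:aws:s3:::example-app-bucket/*"]}]}

SAMPLE_ENDPOINTS = [  # constructed records with placeholder ids
    {"VpcEndpointId": "vpce-placeholder-open", "VpcEndpointType": "Gateway",
     "PolicyDocument": json.dumps(OPEN_POLICY)},
    {"VpcEndpointId": "vpce-placeholder-scoped", "VpcEndpointType": "Gateway",
     "PolicyDocument": json.dumps(SCOPED_POLICY)},
]
```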
Thanks skinsman. I think I got confused with the documentation and should have started with the Gateway rather than the Application endpoint.