How to use a VPC interface endpoint (for service S3) only for S3 buckets from *my* AWS Organization, and a NAT gateway for s3 buckets *outside* of my AWS organization


Is it possible to use a VPC interface endpoint (for service S3) only for S3 buckets from my AWS Organization, and a NAT gateway for s3 buckets outside of my AWS organization?

Current thoughts about setup:


  • While creating the VPC endpoint, I could specify a policy to restrict access to only the S3 buckets within my AWS organization
  • S3 buckets outside my AWS organization would be denied from the endpoint's policy

Assumed Issue:
How will this work for s3 buckets outside my AWS organization?

  • Would the requester first try to establish a connection via the VPC interface endpoint, get a deny from the restricted policy, and then connect to the s3 bucket via the NAT gateway? From network point of view, my understanding is that the requester would get the VPC endpoint IPs resolved via PHZ, try to connect and get a deny from the policy. Then the requester will get a timeout / error, but no NAT gatway will be used.

Request for help:
How can I enhance above setup that the NAT gateway will be used for s3 buckets *outside *my AWS organization?

2 Answers
Accepted Answer

Hello, based on the notes in the question, I am assuming that outside your AWS Organization as in your on-premises or other AWS accounts.

If its on-premises, S3 bucket endpoint URLs are internet accesible, and you would be able to directly access S3 buckets without needing NAT Gateway.

If its other AWS accounts, I would suggest using S3 Gateway VPC endpoint in the respective accounts and update the route table to point to S3 prefix list of that region as destination.

answered a month ago
profile picture
reviewed a month ago
  • Hi, Thanks. I indeed mean in other AWS accounts. The S3 gateway endpoint unfortunately is no option, because it uses the Public Endpoint of the AWS service, means the traffic is routed via Public Internet. In addition, AWS S3 Gateway endpoints cannot be shared cross Accounts. "Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3."

  • Regarding first observation, I don't know if it meets your requirement. However, please note that traffic remains in AWS network in both Gateway/Interface S3 endpoints, with Gateway VPCe using S3 public IP addresses.

    Regarding second observation, I think it meant you cannot extend out of a VPC where the other side is a VPN, VPC peering, transit gateway, or AWS Direct Connect connection. The reason I think this works is below article.

    The repo buckets are owned by Amazon, but customer AWS accounts would be able to access them with S3 Gateway VPCe.

  • Your comment really made me think about it again: Both, S3 Gateway Endpoint AND S3 Interface Endpoint stay on AWS internal network. Awesome.

    Looking at S3 gateway endpoint: This can be used from a private subnet, that means, you do not assign a Public IP nor do you need an Internet Gateway in order to connect to S3 buckets. In fact, you CANNOT connect to S3 buckets outside of your AWS account / AWS organization - I just tested it via simple curl from a test-VM. You will get a timeout.

    For all S3 buckets outside of your AWS account / AWS organization one can use a NAT gateway. One need to deploy an S3 gateway endpoint in each AWS account (instead of a centralized solution) with a central NAT gateway connected via TGW. This way the traffic between internal buckets and external are split.

    As the traffic for S3 gateway endpoint stays within AWS network, this is exactly the solution which will work for us. Thanks for the input, psp!


Yes, it is possible to configure your setup so that the VPC endpoint is used only for S3 buckets within your AWS organization, while a NAT gateway is used for external S3 buckets.

The key is to configure the route tables properly. The route table for the subnet(s) containing the VPC endpoint should have a route pointing to the VPC endpoint for the S3 prefix. The main route table (used by subnets without a custom route table) should point to the NAT gateway for the S3 prefix.

With this setup:

  • Requests to internal S3 buckets will route to the VPC endpoint and succeed if allowed by the endpoint policy

  • Requests to external S3 buckets will route to the NAT gateway and get translated to the Internet

  • Requests to internal buckets that are denied by the endpoint policy will fail/timeout rather than falling back to the NAT gateway

Please configure as per below steps:

  • Configure VPC endpoint route table to route S3 traffic to the endpoint

  • Configure main route table to route S3 traffic to the NAT gateway

  • Lock down endpoint policy to allow only internal S3

This will force internal vs external bucket traffic to take the desired paths.

Here is a good AWS doc that provide more details:

AWS Blog - Controlling access to VPC endpoints with VPC endpoint policies:

answered a month ago
profile picture
reviewed a month ago
  • I am afraid, but I cannot see this working.

    1. A route table can only be assigned to one subnet.
    2. When I have a separate subnet for VPCE with separate routing, then I will not have a route table entry for my NAT gateway. On the other hand, when the requester sits within a subnet with your called Default route table, then there will be no route table entry for VPCE.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions