
Assign a private IP to S3 bucket

0

Hello, what I'm trying to achieve is to access S3 from on-prem over our DX. I've created a virtual gateway in the remote AWS account (not the owner of the DX), but neither the VPC interface endpoint nor the gateway endpoint had an option for me to set an IP for S3. Am I on the right track? On-prem applications need to access S3 and not over the public internet.

Thanks!

2 Answers
6

Access over Direct Connect to S3 can be done in a few ways: 1/ using a public IP address; or 2/ via a private IP address using a VPC interface endpoint. However, use of a gateway endpoint isn't supported and won't work. This is because of how the traffic is routed to S3, which uses the public IP addresses of S3.

  1. Use S3 Public IP addresses but route the traffic over Direct Connect by following these instructions to: Create an AWS Direct Connect public virtual interface
  2. Use (RFC1918) Private IP addresses to reach S3 by following these instructions to: Create an AWS Direct Connect private virtual interface

In your question you mention cross-account access ("not the owner of DX"). This isn't a significant factor, but keep in mind that you need to ensure IP connectivity.

The first option is the lowest cost. It requires being able to receive Amazon public prefixes advertised via BGP over the public VIF to your devices. This means that S3 transfers need to be NATed on-premises as they egress to your DX service. This also means that the S3 IP addresses are public. The traffic wouldn't traverse the internet, but some companies have compliance requirements that don't allow this. It introduces some complexity that needs to be considered in relation to connecting to the AWS public network. When connecting your network to other networks it is best practice to use a firewall to inspect and block unwanted traffic, just like you would with an internet connection. You can configure routing policies for prefixes that are advertised over both the public VIF and the internet, and use BGP communities to control how far your prefixes are propagated into the AWS network. You can request a public IPv4 block to use for the on-prem side of the BGP peering for the public VIF. You can use a private BGP ASN for your side of the BGP session. You can also use a public ASN if you already have one, but you must be able to provide documentation proving ownership. There are other caveats to be aware of, such as: autonomous system (AS) prepend does not work if you use a private ASN for a public virtual interface.

The second option provides the ability to connect to S3 using private (RFC1918) IP addresses, which can satisfy some compliance requirements that option one does not. A benefit here is that network sessions use IP addresses from your (private) subnets in AWS. With the second option you're paying for the Virtual Private Gateway (VGW) and the VPC interface endpoint, but do not need to NAT the traffic. When using this option you need to ensure DNS is set up in a hybrid mode such that resources on-premises resolve S3 via Route 53 Resolver endpoints. This is needed in order for on-prem systems to use the private addresses of your VPC interface endpoint ENIs.

There is a third option, but it's the highest cost. In this scenario, you also use a VPC interface endpoint but route traffic via a Transit VIF and Transit Gateway (TGW). This is the simplest because the routing is the most consistent with the fewest entries, but I wouldn't recommend it unless you have a very specific need that can't be satisfied by the other two options.

I hope this helps!

AWS
answered 10 months ago
EXPERT
reviewed 10 months ago
  • First, I'd like to thank you for sparing some of your time to write this answer for me.

    Secondly, I know the approach that I'd need to apply, which is option #2 in your proposed solutions, but I don't know how to do it and the documentation isn't helping that much. Let me explain more, please:

      1. The app on-prem should reach out to S3 buckets over our DX via private IPs.
      2. Account A, the owner of the DX, has the DX gateway.
      3. Account B, where the buckets reside, has a virtual private gateway associated with the DX gateway in account A.
      4. Both A and B are under the same organization.
      5. A VPC has been linked to the VPGW.
      6. Now, neither the gateway endpoint nor the interface endpoint allows me to select a specific S3 bucket, or even to know what IP is assigned to a bucket after creation. I've tried creating both types, which is useless for me. Where is the private IP of the bucket? In other words, how do I reach a bucket from my private network on-prem? Via a private IP or another URL (which requires DNS)?

    I hope this has been informative and awaiting your kind response. Thanks,

1

To enable your on-premises applications to access Amazon S3 without going over the public internet, you'll need to use AWS PrivateLink for Amazon S3 by creating interface endpoints.

Interface endpoints for S3 allow you to access S3 using private IP addresses from within your VPC, on-premises, or from a VPC in another AWS Region. These interface endpoints are represented by elastic network interfaces (ENIs) with private IP addresses in your VPC subnets.

Here's how to set this up:

  1. Create an S3 interface endpoint in your VPC:
  • Open the Amazon VPC console
  • Navigate to Endpoints
  • Choose Create Endpoint
  • Select AWS services as the Service category
  • Search for S3 and select the interface endpoint option (not the gateway endpoint)
  • Choose the VPC that connects to your Direct Connect
  2. For on-premises access to S3 through Direct Connect:
  • Your on-premises applications can use AWS PrivateLink with the help of an inbound Route 53 Resolver endpoint
  • This forwards DNS queries from your on-premises network to the Route 53 Resolver

If you have both in-VPC and on-premises applications needing S3 access, you can optimize costs by:

  • Using gateway endpoints (which are free) for your in-VPC traffic
  • Using interface endpoints for your on-premises traffic over Direct Connect

This approach allows your on-premises applications to access S3 privately through your Direct Connect connection without traversing the public internet, while maintaining the most cost-effective solution for your architecture.
Sources
AWS PrivateLink for Amazon S3 - Amazon Simple Storage Service

answered 10 months ago
EXPERT
reviewed 10 months ago
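The two answers above and the follow-up comment all turn on the same point: an S3 bucket never gets a private IP address; the interface endpoint's ENIs do, and clients reach the bucket either through the endpoint-specific DNS name or through the normal S3 hostname once on-prem DNS is forwarded to a Route 53 Resolver inbound endpoint. The following is an added example, not code from the re:Post answers or from AWS. It builds the documented endpoint-specific names from a VPC endpoint ID and region, produces the matching `aws s3 --endpoint-url` invocation, and gives an on-prem check that every address a resolver hands back for the S3 name is RFC1918 (endpoint ENI) rather than public, which is what "not over the public internet" has to mean in practice. The endpoint ID, region, bucket name and resolver answers are constructed placeholders.

```python
"""Endpoint-specific S3 names and a private-path check for the Direct Connect
plus S3 interface-endpoint design discussed above.

Added example (not code from the answers or from AWS). The VPC endpoint ID,
region, bucket name and resolved addresses are constructed placeholders.
"""
import ipaddress
import socket

# RFC 1918 space: the ranges the first answer means by "private" addresses.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def endpoint_dns_names(vpce_id: str, region: str) -> dict:
    """Endpoint-specific DNS names of an S3 interface endpoint.

    They follow the documented pattern <type>.<vpce-id>.s3.<region>.vpce.amazonaws.com.
    The bucket itself has no address; these names resolve to the endpoint ENIs.
    """
    suffix = f"{vpce_id}.s3.{region}.vpce.amazonaws.com"
    return {
        "bucket": f"bucket.{suffix}",            # data plane: bucket operations
        "accesspoint": f"accesspoint.{suffix}",  # data plane via S3 Access Points
        "control": f"control.{suffix}",          # control plane (e.g. ListBuckets)
    }


def endpoint_url(vpce_id: str, region: str, kind: str = "bucket") -> str:
    return "https://" + endpoint_dns_names(vpce_id, region)[kind]


def s3_cli_args(vpce_id: str, region: str, bucket: str) -> list:
    """Argument vector that lists a bucket through the endpoint with the AWS CLI,
    i.e. the documented --endpoint-url form for S3 interface endpoints."""
    return ["aws", "s3", "--region", region, "--endpoint-url",
            endpoint_url(vpce_id, region), "ls", f"s3://{bucket}/"]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def path_is_private(addresses) -> bool:
    """True only if every resolved address is RFC 1918.

    A mix of private and public answers means some sessions could still take
    the public path, so the check is all-or-nothing; an empty answer set is
    treated as not private (the name did not resolve at all).
    """
    addrs = list(addresses)
    return bool(addrs) and all(is_rfc1918(a) for a in addrs)


def resolve_ipv4(host: str) -> list:
    """IPv4 answers from the host's configured resolver (on-prem, one that
    forwards the S3 names to the Route 53 Resolver inbound endpoint).
    This makes a network call and is not used by the offline demo below."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})


if __name__ == "__main__":
    vpce, region, bucket = "vpce-1a2b3c4d-5e6f", "us-east-1", "example-bucket"  # constructed
    print(" ".join(s3_cli_args(vpce, region, bucket)))
    # Constructed resolver answers: two endpoint ENIs in two subnets, then a public address.
    print(path_is_private(["10.20.1.15", "10.20.2.27"]))    # True: endpoint ENIs only
    print(path_is_private(["10.20.1.15", "203.0.113.10"]))  # False: one public answer
```

In practice the check is run from the on-prem host with `resolve_ipv4("bucket.<vpce-id>.s3.<region>.vpce.amazonaws.com")`, or with the plain `s3.<region>.amazonaws.com` name if you have enabled private DNS on the interface endpoint and forward that zone to the inbound resolver endpoint; either way the expected result is a list of your VPC subnet addresses and `path_is_private(...)` returning `True`.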

