How do I check if my Amazon S3 traffic is going through a gateway Amazon VPC endpoint or an interface Amazon VPC endpoint?

4 minute read

I want to check if my Amazon Simple Storage Service (Amazon S3) traffic is going through a gateway Amazon Virtual Private Cloud (Amazon VPC) endpoint or an interface Amazon VPC endpoint.

Resolution

To check if your Amazon S3 traffic is going through a gateway endpoint or an interface endpoint, take the following actions.

Check traffic flow over a gateway Amazon VPC endpoint

Take the following actions:

  • Use a TCP-based traceroute
  • Configure Amazon S3 server access logging

Use a TCP-based traceroute

Note: In the following commands, replace example-region-code with your AWS Region.

To use a TCP-based traceroute, run the following commands.

For HTTP:

sudo traceroute -T -p 80 <s3.example-region-code.amazonaws.com>

For HTTPS:

sudo traceroute -T -p 443 <s3.example-region-code.amazonaws.com>

Example output without gateway endpoint:

traceroute -T -p 443 s3.us-west-2.amazonaws.com   
traceroute to s3.us-west-2.amazonaws.com (52.218.205.128), 30 hops max, 60 byte packets  
1 * * ec2-52-15-0-55.us-east-2.compute.amazonaws.com (52.15.0.55) 0.720 ms  
2 100.65.27.64 (100.65.27.64) 3.904 ms * 100.65.26.160 (100.65.26.160) 2.538 ms  
3 100.66.12.238 (100.66.12.238) 5.841 ms 100.66.12.244 (100.66.12.244) 1.624 ms 100.66.13.84 (100.66.13.84) 1.618 ms  
4 100.66.14.132 (100.66.14.132) 12.056 ms 100.66.15.198 (100.66.15.198) 22.155 ms 100.66.15.72 (100.66.15.72) 36.160 ms  
5 241.0.12.73 (241.0.12.73) 0.333 ms 241.0.12.70 (241.0.12.70) 0.318 ms 241.0.12.77 (241.0.12.77) 0.298 ms  
6 108.166.252.46 (108.166.252.46) 1.244 ms 108.166.248.33 (108.166.248.33) 0.909 ms 108.166.252.46 (108.166.252.46) 1.153 ms  
7 52.95.2.153 (52.95.2.153) 1.616 ms 52.95.2.151 (52.95.2.151) 1.175 ms 52.93.239.48 (52.93.239.48) 0.899 ms  
8 100.92.37.93 (100.92.37.93) 53.817 ms 100.92.31.89 (100.92.31.89) 50.767 ms 100.92.37.43 (100.92.37.43) 54.258 ms  
9 100.100.2.87 (100.100.2.87) 49.736 ms 100.100.2.57 (100.100.2.57) 48.820 ms 100.100.2.73 (100.100.2.73) 51.058 ms  
10 100.100.88.66 (100.100.88.66) 49.888 ms 100.100.88.194 (100.100.88.194) 48.951 ms 100.100.85.66 (100.100.85.66) 49.416 ms  
11 100.100.77.71 (100.100.77.71) 48.986 ms 100.100.68.7 (100.100.68.7) 50.073 ms 100.100.82.7 (100.100.82.7) 95.565 ms  
12 100.100.6.110 (100.100.6.110) 55.784 ms 100.100.6.88 (100.100.6.88) 51.155 ms 100.100.6.52 (100.100.6.52) 62.262 ms  
13 100.95.1.132 (100.95.1.132) 48.900 ms 100.95.1.140 (100.95.1.140) 50.982 ms 100.95.1.130 (100.95.1.130) 50.822 ms  
14 242.0.30.128 (242.0.30.128) 50.907 ms 108.166.232.46 (108.166.232.46) 50.847 ms 100.95.17.134 (100.95.17.134) 50.577 ms  
15 108.166.232.54 (108.166.232.54) 50.321 ms 108.166.232.50 (108.166.232.50) 49.407 ms 108.166.232.59 (108.166.232.59) 50.893 ms  
16 108.166.232.63 (108.166.232.63) 48.257 ms 108.166.232.49 (108.166.232.49) 50.261 ms 50.365 ms  
17 241.0.1.142 (241.0.1.142) 49.940 ms 49.451 ms 241.0.1.140 (241.0.1.140) 51.448 ms  
18 100.66.3.145 (100.66.3.145) 65.740 ms * 100.66.3.137 (100.66.3.137) 68.843 ms  
19 100.66.1.143 (100.66.1.143) 67.227 ms 100.66.1.131 (100.66.1.131) 67.074 ms 100.66.1.253 (100.66.1.253) 73.648 ms  
20 100.65.7.33 (100.65.7.33) 67.465 ms 68.900 ms 100.65.7.161 (100.65.7.161) 67.558 ms  
21 s3-us-west-2.amazonaws.com (52.218.205.128) 49.616 ms 51.496 ms 50.240 ms

Note: Traffic that reaches Amazon S3 over the internet produces traceroute results similar to the preceding example, which has no gateway endpoint.

Example output with gateway endpoint:

traceroute to -T -p 443 s3.us-east-2.amazonaws.com, 30 hops max, 60 byte packets  
1 * * *  
2 * * *  
3 * * *  
4 * * *  
5 * * *  
6 * * *  
7 s3.us-east-2.amazonaws.com 0.432 ms 0.449 ms *

Note: For traceroute outputs that have a gateway endpoint, only the last hop is visible. Also, traceroute results are similar for ports 80 and 443.
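As an added check (not part of the article), the following Python turns the rule in the note above into a function: it parses traceroute output and reports whether only the final hop answered. It is fed the two outputs shown above; the long run without a gateway endpoint is abbreviated to three of its hops.

```python
import re

# Sample traceroute outputs reproduced from the article above (the "without gateway
# endpoint" run is abbreviated to 3 of its 21 hops); both are TCP traceroutes to port 443.
WITHOUT_GATEWAY = """\
traceroute to s3.us-west-2.amazonaws.com (52.218.205.128), 30 hops max, 60 byte packets
1 * * ec2-52-15-0-55.us-east-2.compute.amazonaws.com (52.15.0.55) 0.720 ms
2 100.65.27.64 (100.65.27.64) 3.904 ms * 100.65.26.160 (100.65.26.160) 2.538 ms
21 s3-us-west-2.amazonaws.com (52.218.205.128) 49.616 ms 51.496 ms 50.240 ms
"""
WITH_GATEWAY = """\
traceroute to -T -p 443 s3.us-east-2.amazonaws.com, 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
7 s3.us-east-2.amazonaws.com 0.432 ms 0.449 ms *
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

def parse_hops(output):
    """Return [(hop_number, responded, first_host_or_None), ...], one entry per hop line.
    A hop 'responded' if at least one of its probes printed something other than '*'."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header line or blank line
        tokens = m.group(2).split()
        replied = [t for t in tokens if t != "*"]
        host = replied[0] if replied else None
        hops.append((int(m.group(1)), bool(replied), host))
    return hops

def looks_like_gateway_endpoint(output):
    """Apply the article's rule: with a gateway endpoint only the final hop (S3 itself)
    answers and every intermediate hop shows '* * *'. An output with no hop lines, or
    whose last hop did not answer, is not classified as a gateway-endpoint path."""
    hops = parse_hops(output)
    if not hops or not hops[-1][1]:
        return False
    intermediate_silent = all(not responded for _, responded, _ in hops[:-1])
    return intermediate_silent and "amazonaws.com" in (hops[-1][2] or "")

def visible_hop_count(output):
    """Number of hops that answered; a gateway-endpoint path shows exactly one."""
    return sum(1 for _, responded, _ in parse_hops(output) if responded)
```

Silent intermediate hops can also be caused by filtering of the ICMP replies that traceroute relies on, so treat a positive result as one signal and confirm it with the server access logs described below.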

Configure Amazon S3 server access logging

To identify the source of the request, turn on Amazon S3 server access logging.

Check traffic flow over an interface Amazon VPC endpoint

Take the following actions:

  • To confirm the traffic flow through the Amazon S3 endpoint, check the IP address of the source resource that connects to Amazon S3. When you set up an interface Amazon VPC endpoint, an elastic network interface that has a private IP address is deployed in the subnet. This deployment allows resources within the Amazon VPC to communicate with an Amazon S3 bucket.
    Note: For the traceroute to work, you must allow Internet Control Message Protocol (ICMP) traffic. After you finish testing, you can block ICMP traffic again on the network access control list (network ACL).
  • Use Amazon CloudWatch to monitor your Amazon VPC endpoint use. Metrics, such as ActiveConnections and BytesProcessed, provide information on endpoint usage. For more information, see Endpoint metrics and dimensions.
  • Check if private DNS is turned on for the Amazon S3 endpoint. If private DNS is turned on, then the Amazon S3 interface endpoint handles traffic sent to the Amazon S3 Regional endpoint.
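An added example (not from the article) that serves both the server access logging step above and the source-IP check for interface endpoints: it parses constructed Amazon S3 server access log lines, reads the remote IP field, and classifies each request by the path it took. It assumes a VPC CIDR of 10.0.0.0/16 and interface endpoint network interface addresses 10.0.2.200 and 10.0.3.200; all of these are constructed values to replace with your own.

```python
import ipaddress
import re
from collections import Counter

# Constructed S3 server access log lines (not real traffic). The leading fields follow the
# documented format: bucket_owner bucket [time] remote_ip requester request_id operation ...
SAMPLE_LOG = """\
79a59df900b949e5 amzn-s3-demo-bucket [06/Feb/2024:00:00:38 +0000] 10.0.1.25 arn:aws:iam::111122223333:user/alice 3E57427F33A59F07 REST.GET.OBJECT photos/a.jpg "GET /photos/a.jpg HTTP/1.1" 200 - 2662 2662 70 28 "-" "aws-cli/2.15.0" -
79a59df900b949e5 amzn-s3-demo-bucket [06/Feb/2024:00:01:02 +0000] 10.0.2.200 arn:aws:iam::111122223333:user/bob 7B2C6E1A9D0F4C33 REST.PUT.OBJECT logs/b.gz "PUT /logs/b.gz HTTP/1.1" 200 - - 1024 45 30 "-" "aws-sdk-java/2.20" -
79a59df900b949e5 amzn-s3-demo-bucket [06/Feb/2024:00:01:30 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/carol A1B2C3D4E5F60718 REST.GET.OBJECT photos/c.jpg "GET /photos/c.jpg HTTP/1.1" 200 - 512 512 60 20 "-" "curl/8.4.0" -
"""

# Assumed network facts for the VPC under test (constructed; replace with your own).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
INTERFACE_ENDPOINT_ENI_IPS = {ipaddress.ip_address(a) for a in ("10.0.2.200", "10.0.3.200")}

# bucket_owner, bucket, [time, which contains a space], remote_ip
LOG_PREFIX = re.compile(r"^(\S+) (\S+) \[([^\]]+)\] (\S+) ")

def classify_remote_ip(ip_str):
    """Map the log's remote IP to the path the request took.
    - Interface endpoint: the connection is terminated on the endpoint's network
      interface, so S3 records one of the ENI private addresses.
    - Gateway endpoint: no address translation takes place, so S3 records the caller's
      own private IP inside the VPC CIDR.
    - Anything else (a public address) reached S3 over the internet."""
    ip = ipaddress.ip_address(ip_str)
    if ip in INTERFACE_ENDPOINT_ENI_IPS:
        return "interface endpoint"
    if ip in VPC_CIDR:
        return "gateway endpoint"
    return "internet"

def classify_log(text):
    """Return [(remote_ip, path), ...] for every well-formed log line."""
    out = []
    for line in text.splitlines():
        m = LOG_PREFIX.match(line)
        if m:
            out.append((m.group(4), classify_remote_ip(m.group(4))))
    return out

def summarize(text):
    """Count requests per path, which makes traffic that bypasses the endpoints stand out."""
    return Counter(path for _, path in classify_log(text))
```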

Related information

How do I troubleshoot connectivity issues when I use interface VPC endpoints to connect to my Amazon S3 bucket?

How do I troubleshoot connectivity issues with my gateway Amazon VPC endpoints?

Access an AWS service using an interface VPC endpoint

AWS OFFICIAL
Updated by AWS OFFICIAL 2 months ago
4 comments

One of my customers is following this article and trying a TCP-based traceroute and seeing the output below:

traceroute to -T -p 443 s3.us-east-2.amazonaws.com, 30 hops max, 60 byte packets 1 * * * 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 s3.us-east-2.amazonaws.com 0.432 ms 0.449 ms *

It means the traffic is going through the gateway endpoint. However, they do not have any gateway endpoint in their account or shared with the account. Any insights on this behaviour?

AWS
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 months ago

Hi, we have an S3 endpoint set up as an interface in our account. This automatically creates the needful subnets with the right security groups for the interfaces. We can resolve the endpoint from within our networks, as we have the DX setup to allow private traffic from the office network to our VPCs. We have then added 1 x bucket with a policy to allow a specific VPC endpoint with aws:sourceVpce.

The issue is when we try to run the traceroute to this bucket, for example: sudo traceroute -n -T -p 443 bucket_name.region.amazonaws.com. This does not go through our DX tunnels but via the internet.

When we try accessing the S3 interface ENIs, the routes reach via the tunnels. What are we doing wrong or missing here?

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 months ago