
Our setup:

  • we have a server on-premise, from which we want to send data to S3 (using AWS Java SDK)
  • our on-premise data center is connected to AWS using Direct Connect
  • on the AWS side, there is a VPC which does have a VPC Endpoint to S3


Our assumption is that everything is routed properly (on-premise can see the VPC in AWS). Let's assume VPC CIDR range is 10.10.10.0/24.

When we call the "PutObject" (but can be any S3 method) in the SDK and give the name of our bucket, the resulting request from SDK is targeting a public S3 IP address (52.xxx). However, this won't be routed as: Direct Connect -> VPC -> VPC Endpoint -> S3, instead, our routers will route the traffic to the internet proxy (as a default 0.0.0.0/0 route) - because the VPC CIDR range is 10.10.10.0/24.

My question is (obviously): is there a right way to route the traffic through the AWS Direct Connect and not through the internet?

I am hoping for something like:

  • there is an option in the SDK command to include an additional IP to which the request should be sent first
  • there is some S3 on-premise service which we can spin-up
  • there is a simple button in some of the involved services which can be pressed.

Disclaimer: I am not really a networking or AWS infra master, so excuse some of my vagueness.

mLC

2 Answers


You cannot access a VPC Endpoint through Direct Connect private VIF without using proxies.

You can instead allocate a public VIF. When you enable route propagation in your VGW, AWS advertises all public routes to the customer's router, so all traffic towards AWS services in that region goes over Direct Connect.

A public virtual interface can access all AWS public services using public IP addresses. A public virtual interface allows you to connect to all AWS public IP spaces globally. Direct Connect customers in any Direct Connect location can create public virtual interfaces to receive Amazon's global IP routes.

Vikyol
  • Thanks for the answer. Understood. I have two super vague questions: first, how difficult/impactful is this to set up? Second, is it OK from the security standpoint - are there any possible grayspots? – mLC Nov 07 '19 at 00:11
  • Similar to setting up a private VIF, but you should just be aware of routing policies and BGP communities: https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/ – Vikyol Nov 07 '19 at 10:03
  • Correct answer, this is also described here: https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-direct-connect/ – Dennis Kieselhorst May 06 '20 at 06:54

AWS now supports PrivateLink for S3, which lets you send traffic directly over Direct Connect/VPN using an endpoint-specific DNS name. https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/

user3170122
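Tying the PrivateLink answer back to the AWS Java SDK question: this is an added example (not from the answerer or from AWS), showing how to point the SDK v2 S3 client at the interface endpoint's DNS name so the request never targets the public 52.x address, plus a guard that refuses to send until that name resolves into the VPC CIDR from the question (10.10.10.0/24). The endpoint ID, region and bucket name are placeholders; the real endpoint-specific name is shown in the VPC console once the S3 interface endpoint exists.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;

public class PrivateLinkS3Put {
    // PLACEHOLDER: endpoint-specific DNS name of your S3 interface endpoint (from the VPC console).
    static final String VPCE_HOST =
        "bucket.vpce-<ENDPOINT-ID>-<ZONE-ID>.s3.eu-central-1.vpce.amazonaws.com";
    static final Region REGION = Region.EU_CENTRAL_1;  // assumed region
    static final String BUCKET = "my-bucket";          // assumed bucket name

    // VPC CIDR from the question: 10.10.10.0/24 (network and mask as packed IPv4 ints).
    static final int VPC_NET = (10 << 24) | (10 << 16) | (10 << 8);
    static final int VPC_MASK = 0xFFFFFF00;

    static int packIpv4(byte[] b) {
        return ((b[0] & 0xFF) << 24) | ((b[1] & 0xFF) << 16) | ((b[2] & 0xFF) << 8) | (b[3] & 0xFF);
    }

    /** True only if every address the endpoint name resolves to lies inside the VPC CIDR. */
    static boolean resolvesInsideVpc(String host) throws UnknownHostException {
        for (InetAddress a : InetAddress.getAllByName(host)) {
            byte[] raw = a.getAddress();
            if (raw.length != 4) return false;                 // IPv4-only check
            if ((packIpv4(raw) & VPC_MASK) != VPC_NET) return false; // e.g. a public 52.x answer
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // If DNS hands back anything outside 10.10.10.0/24, the request would follow the
        // default 0.0.0.0/0 route to the internet proxy, which is exactly what we want to avoid.
        if (!resolvesInsideVpc(VPCE_HOST)) {
            throw new IllegalStateException(VPCE_HOST + " does not resolve into 10.10.10.0/24");
        }
        try (S3Client s3 = S3Client.builder()
                .region(REGION)
                .endpointOverride(URI.create("https://" + VPCE_HOST)) // SDK prefixes the bucket name
                .build()) {
            s3.putObject(PutObjectRequest.builder().bucket(BUCKET).key("hello.txt").build(),
                         RequestBody.fromString("sent over Direct Connect via the S3 interface endpoint"));
        }
    }
}
```

The resolve check assumes the on-premise resolver can answer the endpoint's private DNS name (Route 53 Resolver inbound endpoint or a forwarder), otherwise it fails closed before any data leaves the server.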