
I have an EC2 instance in a public subnet and would be uploading data to an S3 bucket. I understand that while this traffic traverses the internet gateway, it does not leave the AWS network. Reference: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html

Now I am creating an S3 gateway endpoint (modifying the route table to send traffic through it). I also tried creating an S3 interface endpoint. I measured that the time it takes to upload a 250MB file is the same in both cases (gateway endpoint and interface endpoint).

I am unable to understand two points:

  1. If traffic does NOT leave the AWS network even though an Internet gateway is used, is there any security benefit in this case?

  2. When using PrivateLink, I understand that the traffic goes through Hyperplane, which is why I get increased upload speed (https://www.youtube.com/watch?v=8gc2DgBqo9U&t=2010s), and AWS charges for the interface endpoint.

     However, I don't understand why S3 gateway endpoints are free. Do they not use Hyperplane? Are they less performant or resilient?

VenVig

2 Answers


You have three options for uploading data from EC2 to S3:

  1. Internet gateway: in this case, traffic DOES leave your VPC and goes over the AWS network. It's less secure and slower.
  2. Interface endpoint: traffic DOES NOT leave your VPC and goes directly to the service. It's secure and fast, but it isn't free.
  3. Gateway endpoint: traffic DOES NOT leave your VPC and goes directly to the service. It's secure, fast and free, though you are limited to the DynamoDB and S3 services.

Both interface endpoint and gateway endpoint use AWS PrivateLink (Hyperplane) technology.

I think the difference in pricing is related to a difference in the nature of the services' deployment:

  • An interface endpoint is basically a separate ENI in a subnet, whereas
  • a gateway endpoint is an attachment at the VPC level which is used for accepting S3/DynamoDB traffic.

Interface endpoints, as ENIs, get an IP address allocated and are under your (customer) control. Hence, you are consuming AWS network resources.

At the same time, the underlying network resources for gateway endpoints are not exposed to you (the customer); hence you, as a customer, do not reserve any AWS resources and there is nothing to be charged for.

ChildishGirl
  • They're all secure. Data in each of these scenarios is encrypted end-to-end. – jarmod Jan 04 '23 at 21:04
  • Thank you so much for your response and time. However, for #1, traffic does NOT leave the AWS network. Please refer to the AWS documentation here: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html – VenVig Jan 04 '23 at 21:10
  • @VenVig I checked the link you provided and cannot see any information there that proves your statement. Could you please elaborate more? – ChildishGirl Jan 04 '23 at 21:25
  • @jarmod when traffic traverses over the public internet, it's by default considered to be insecure despite being encrypted. – ChildishGirl Jan 04 '23 at 21:27
  • A scenario where traffic is routed over the public internet (which is not the case here btw) might be a non-compliant solution given some specific compliance requirement disallowing public infrastructure, but it's secure, in at least the most common definition of secure. – jarmod Jan 04 '23 at 21:33
  • So what is the answer to OP's question - why are gateways free, and interface endpoints not free? – Marcin Jan 04 '23 at 23:15
  • @ChildishGirl Please see this statement from the link I provided. – VenVig Jan 05 '23 at 01:46
  • "Access through public service endpoints. The following diagram shows how instances access AWS services through the public service endpoints. Traffic to an AWS service from an instance in a public subnet is routed to the internet gateway for the VPC and then to the AWS service. Traffic to an AWS service from an instance in a private subnet is routed to a NAT gateway, then to the internet gateway for the VPC, and then to the AWS service. While this traffic traverses the internet gateway, it does not leave the AWS network." – VenVig Jan 05 '23 at 01:46
  • The last sentence – VenVig Jan 05 '23 at 01:47
  • @VenVig thanks for the reference, I added more details to the answer. To be on the same page, I consider traffic to be private in case it doesn't leave your VPC. While running the `traceroute` command, I noticed several hops to IPs outside of my VPC. When I used a gateway endpoint there was a direct connection to the S3 IP. – ChildishGirl Jan 05 '23 at 14:13
  • @Marcin the answer starts from 'I think the difference in pricing is related to' phrase. – ChildishGirl Jan 05 '23 at 14:14
  • Thanks @ChildishGirl for your detailed analysis. I am still trying to get a better answer on the reason for the gateway endpoint being free. Will update once I have an answer. – VenVig Jan 19 '23 at 14:19

In none of your designs does traffic from your EC2 instance leave the AWS network, not even when it goes via an internet gateway, as depicted in the following diagram from Access AWS services through AWS PrivateLink:

[Diagram: EC2 instances in public and private subnets reaching AWS services through the internet gateway / NAT gateway]

There is a good discussion on this topic also at Does traffic between Amazon EC2 and Amazon S3 really go over the internet?.

When an EC2 instance in a public subnet needs to connect to S3, it does not require AWS PrivateLink (Gateway endpoint or Interface endpoint); you use an Internet gateway for this connection.

When an EC2 instance in a private subnet needs to connect to S3, there can be two ways:

  1. Via a NAT Gateway situated in a public subnet (as depicted in the above diagram).
  2. By using AWS PrivateLink (Gateway endpoint or Interface endpoint).

Here is an excerpt from a very good article, How can I grant my Amazon EC2 instance access to an Amazon S3 bucket?:

For your EC2 instance to connect to S3 endpoints, the instance must be one of the following:

  • EC2 instance with a public IP address and a route table entry with the default route pointing to an Internet Gateway
  • Private EC2 instance with a default route through a NAT gateway
  • Private EC2 instance with connectivity to Amazon S3 using a gateway VPC endpoint

Gateway endpoint and Interface endpoint

As already mentioned above, both of them belong to AWS PrivateLink. However, the Interface endpoint is newer and more powerful, as described in the following table at AWS PrivateLink for Amazon S3:

[Table: Gateway endpoints for Amazon S3 vs. Interface endpoints for Amazon S3 (table body not reproduced here)]

This power comes with billable resources and therefore the use of an Interface endpoint for S3 is billed.

You may also like to check Choosing Your VPC Endpoint Strategy for Amazon S3.

Arvind Kumar Avinash
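As an added check (my own example, not code from either answer), the following script decides which of the three paths listed in the excerpt above (Internet gateway, NAT gateway, or gateway endpoint) a subnet's route table gives to S3 traffic. It works on a constructed sample in the shape of `aws ec2 describe-route-tables` output; every id, including the prefix-list id, is a placeholder. Interface endpoints do not show up here because they are reached through DNS, not through routes.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# All ids are placeholders; a real S3 gateway endpoint route shows the region's
# S3 prefix list (pl-...) as destination and the vpce-... id as target.
SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-public-example",
   "Associations": [{"SubnetId": "subnet-public-example"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
  {"RouteTableId": "rtb-private-example",
   "Associations": [{"SubnetId": "subnet-private-example"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
              {"DestinationPrefixListId": "pl-placeholder", "GatewayId": "vpce-example", "State": "active"}]}]}
""")

def s3_path(route_table):
    """Return how S3 traffic leaves this route table:
    'gateway-endpoint', 'internet-gateway', 'nat-gateway' or 'none'."""
    routes = [r for r in route_table["Routes"] if r.get("State") == "active"]
    # Longest prefix match: the S3 prefix-list route to a vpce- target is more
    # specific than 0.0.0.0/0, so it wins whenever a gateway endpoint exists.
    for r in routes:
        if r.get("DestinationPrefixListId") and r.get("GatewayId", "").startswith("vpce-"):
            return "gateway-endpoint"
    # Otherwise the default route decides: IGW (public subnet) or NAT (private).
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if r.get("GatewayId", "").startswith("igw-"):
                return "internet-gateway"
            if r.get("NatGatewayId", "").startswith("nat-"):
                return "nat-gateway"
    return "none"  # no usable path; a DNS-based interface endpoint would not appear here

def classify_subnets(describe_output):
    """Map each associated subnet id to the S3 path its route table provides."""
    result = {}
    for rt in describe_output["RouteTables"]:
        path = s3_path(rt)
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = path
    return result

if __name__ == "__main__":
    for subnet, path in classify_subnets(SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet}: S3 traffic via {path}")
```

Feed it the real `describe-route-tables` JSON to confirm that the subnet you modified actually prefers the gateway endpoint route over the default route.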