7.9 VPC End Points
A VPC endpoint allows you to securely connect your VPC to another AWS service. The functionality is similar to a NAT Gateway, but a NAT Gateway lets you connect to the whole outside Internet.
If an instance in the private subnet wants to send a message to an S3 bucket, it has to use a NAT Gateway. The issue is that when the NAT Gateway sends the files, they traverse the Internet to reach the public API endpoint of S3.
With a VPC endpoint, the files are not sent to the NAT Gateway. They are sent to an internal gateway and then directly to S3.
Go to IAM (Identity and Access Management) and create a role for EC2. The use case is allowing EC2 instances to call AWS services on your behalf. Search for AmazonS3FullAccess, give the role a name (S3Admin), and click Create.
You can attach a role to a running EC2 instance on the fly. Select the instance called "myMysql", click Actions -> Instance Settings -> Attach/Replace IAM Role, select the "S3Admin" IAM role and click Apply.
Go to VPC, then to NACL. Select the default NACL of your customized VPC instead of "MyWebNACL". Go to the Subnet Associations tab and associate the public subnet with this NACL as well. (Putting both subnets into one NACL is only to keep this lab simple.)
SSH to your public instance, and from there SSH to your private instance. Run "aws s3 ls" in the private instance; it works. If you shut down the NAT Gateway, or remove the route to the NAT Gateway, it will stop working. So go to the VPC dashboard, go to Route Tables, and select the default route table of your customized VPC. On the Routes tab, remove the rule whose target is the NAT Gateway.
Back in the shell of the private instance, run "aws s3 ls" again; it no longer works. So let's create a VPC endpoint.
Go to Endpoints and click Create Endpoint. A VPC endpoint allows you to securely connect your VPC to another AWS service. There are two kinds of VPC endpoints. An interface endpoint is an elastic network interface (ENI) that serves as an entry point for traffic destined to the service. A gateway endpoint serves as a target for a route in your route table for traffic destined for the service. A gateway endpoint is much more like what we got with the NAT Gateway: it is not a single device or ENI; it is highly available and it is available to all the AWS services. So select the gateway endpoint for S3.
For the VPC, select your customized VPC, and select the route table of the private subnet. Policy should be Full Access. Bear in mind that when you use an endpoint, the source IP addresses of your instances in the affected subnets, as seen by the AWS service in the same region, will be private IP addresses, not public IP addresses. Create the endpoint.
When you look at the route table, you can see the VPC endpoint route is there. Back in the private instance, run "aws s3 ls"; it works. This traffic does not go through the NAT Gateway but through the VPC gateway endpoint, so it only travels over the private network, not the public network.
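As an added check (not part of the original lab), the following Python audits a route table the way the last step does by eye: it confirms the S3 gateway-endpoint route is present and flags any NAT Gateway or Internet Gateway route that still leads to the public Internet. The input is a constructed JSON document in the shape of `aws ec2 describe-route-tables` output, with placeholder IDs rather than values from the lab.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`;
# every ID is a placeholder, not a value from the lab. The first table has the
# S3 gateway-endpoint route and no NAT route; the second still keeps a NAT
# default route alongside the endpoint route.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-private-example",
     "Associations": [{"SubnetId": "subnet-private-example", "Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-example",
          "State": "active"}]},
    {"RouteTableId": "rtb-nat-example",
     "Associations": [{"SubnetId": "subnet-other-example", "Main": False}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
         {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-example",
          "State": "active"}]}]})


def audit_route_table(table):
    """Report whether a route table keeps S3 traffic private.

    A gateway endpoint appears as a route whose destination is a prefix list
    (the service's IP ranges) and whose target is a vpce- ID; NAT Gateway and
    Internet Gateway routes are the paths that reach the public Internet.
    """
    endpoint_route = False
    public_routes = []
    for route in table.get("Routes", []):
        if route.get("State") != "active":
            continue  # blackhole routes carry no traffic
        gateway = route.get("GatewayId", "")
        if gateway.startswith("vpce-") and "DestinationPrefixListId" in route:
            endpoint_route = True
        elif route.get("NatGatewayId") or gateway.startswith("igw-"):
            public_routes.append(route.get("DestinationCidrBlock", "?"))
    return {
        "route_table": table["RouteTableId"],
        "subnets": [a["SubnetId"] for a in table.get("Associations", []) if "SubnetId" in a],
        "s3_endpoint_route": endpoint_route,
        "public_routes": public_routes,
    }


def audit(describe_output):
    """Audit every route table in a describe-route-tables JSON document."""
    return [audit_route_table(t) for t in json.loads(describe_output)["RouteTables"]]
```

Run `audit()` over the real output of `aws ec2 describe-route-tables --output json` to confirm that the private subnet's table reports the endpoint route and an empty list of public routes, which is the state the lab ends in.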