Create a VPC endpoint gateway
Welcome to CloudAffaire and this is Debjeet
In the last blog post, we created an egress-only internet gateway to allow only outbound internet access from our IPv6 subnet.
In this blog post we are going to create a VPC endpoint gateway. For this demo we need one VPC with a public subnet and a private subnet, two EC2 instances hosted in the public and private subnets, and an IAM role with access to the S3 service and bucket. Below is the configuration diagram for this demo.
We have already created the VPC, subnets, an IAM user with S3 access, an S3 bucket with a bucket policy granting access to that IAM user, and two EC2 instances with the AWS CLI pre-configured. The scope of this demo is only the VPC endpoint gateway, so we are not discussing IAM user creation, S3 bucket creation or the AWS CLI here. S3 buckets are already covered in the S3 series. We will cover IAM users and the AWS CLI in a future blog post.
If we query S3 using the AWS CLI from the public subnet, it returns output because the instance can reach the S3 bucket over the internet. The same is not true for the instance hosted in the private subnet: if you query S3 from there, no result is returned because the instance has no path to S3. To communicate with S3 from a private subnet, AWS now provides the VPC endpoint gateway. Using a VPC endpoint gateway you can communicate with the S3 service using private IP addresses, without any route to the internet. Currently, VPC endpoint gateways only support S3 and DynamoDB.
Next, we are going to create a VPC endpoint gateway and then try to reach S3 from the private subnet again.
Create a VPC endpoint gateway:
Step 1: Login to AWS console and navigate to ‘VPC’.
Step 2: Navigate to ‘Endpoints’ and click ‘Create Endpoint’.
Step 3: You can choose the service from the list or provide the service name directly. If you are providing the service name directly, click ‘Verify’ once the service name has been entered.
Step 4: Select your VPC.
Step 5: Select the route table for your private subnet and click ‘Create endpoint’.
A success message will be displayed; click ‘Close’.
Our new VPC endpoint gateway has been created successfully.
Step 6: Navigate to the route table used by your private subnet and check that a route entry has been created for your VPC endpoint gateway.
Note: You will not be able to add or edit the route for your VPC endpoint gateway manually; it is managed by the endpoint itself.
Our VPC endpoint gateway is now configured. If you now query S3 using the AWS CLI from the instance hosted in the private subnet, the request travels through the VPC endpoint gateway and output is returned.
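The console steps above can be checked and reproduced from the command line. The following is an added example (not code from the original post or from CloudAffaire): it builds the equivalent `aws ec2 create-vpc-endpoint` command, checks a `describe-route-tables` result for the automatically added endpoint route from Step 6, and generates two policies a practitioner usually wants alongside the gateway: an endpoint policy that limits what the endpoint can reach to one bucket, and a bucket policy that only accepts requests arriving through the endpoint. The route table, IDs, region and bucket name are constructed placeholders, not values from the post.

```python
import json

# Constructed sample, shaped like one entry of `aws ec2 describe-route-tables`
# output. All IDs below are placeholders, not values from the post.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example0private",
    "VpcId": "vpc-0example0",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # The endpoint adds this route itself: the S3 prefix list -> vpce-* gateway.
        {"DestinationPrefixListId": "pl-0example0s3", "GatewayId": "vpce-0example0s3", "State": "active"},
    ],
}


def create_endpoint_command(vpc_id, region, route_table_ids, policy_file=None):
    """argv for the CLI equivalent of Steps 2-5 (gateway endpoint for S3).

    The service name for S3 follows the com.amazonaws.<region>.s3 pattern.
    """
    cmd = [
        "aws", "ec2", "create-vpc-endpoint",
        "--vpc-endpoint-type", "Gateway",
        "--vpc-id", vpc_id,
        "--service-name", f"com.amazonaws.{region}.s3",
        "--route-table-ids", *route_table_ids,
    ]
    if policy_file:
        cmd += ["--policy-document", f"file://{policy_file}"]
    return cmd


def endpoint_routes(route_table):
    """Routes that point at a gateway endpoint (prefix list destination, vpce-* target)."""
    return [
        r for r in route_table.get("Routes", [])
        if r.get("GatewayId", "").startswith("vpce-") and "DestinationPrefixListId" in r
    ]


def has_gateway_endpoint_route(route_table, endpoint_id):
    """Step 6 check: is there an active route for this endpoint in the private route table?"""
    return any(
        r["GatewayId"] == endpoint_id and r.get("State") == "active"
        for r in endpoint_routes(route_table)
    )


def s3_endpoint_policy(bucket_name):
    """Endpoint policy restricting the endpoint to a single bucket.

    The default endpoint policy allows full access to S3; tightening it keeps an
    instance in the private subnet from reaching arbitrary buckets via the endpoint.
    """
    arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [arn, f"{arn}/*"],
        }],
    }


def bucket_policy_require_endpoint(bucket_name, endpoint_id):
    """Bucket policy denying any request that did not arrive through the endpoint.

    Uses the aws:SourceVpce condition key. Caveat: this also blocks the instance in
    the public subnet and console access, so apply it only where that is intended.
    """
    arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromGatewayEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": endpoint_id}},
        }],
    }


if __name__ == "__main__":
    print(" ".join(create_endpoint_command("vpc-0example0", "us-east-1",
                                           ["rtb-0example0private"], "endpoint-policy.json")))
    print("endpoint route present:",
          has_gateway_endpoint_route(SAMPLE_ROUTE_TABLE, "vpce-0example0s3"))
    print(json.dumps(s3_endpoint_policy("my-demo-bucket"), indent=2))
    print(json.dumps(bucket_policy_require_endpoint("my-demo-bucket", "vpce-0example0s3"), indent=2))
```

Run it as a script to see the generated command and policies; write `s3_endpoint_policy(...)` to a file and pass it as `policy_file` to apply the restriction at creation time. Feeding the real `describe-route-tables` JSON into `has_gateway_endpoint_route` gives a scriptable version of the Step 6 check.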
Hope you have enjoyed this article. In the next blog post, we will cover the VPC interface endpoint.
To get more details on VPC, please refer to the AWS documentation below.