A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network. A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks.

There are three types of VPC endpoints:

  • Interface endpoints
  • Gateway Load Balancer endpoints
  • Gateway endpoints

In this lab we are going to use a gateway endpoint to connect a single EC2 instance in a private subnet to S3.

Architecture

For this lab, I created a VPC with a 10.0.0.0/16 CIDR block in us-east-2 (Ohio) and two subnets, 10.0.0.0/24 and 10.0.1.0/24, then created an Internet Gateway (IGW) and routed the 10.0.0.0/24 subnet through it. That makes 10.0.0.0/24 the public subnet and 10.0.1.0/24, which has no route to the IGW, the private one.

If you don't know how to create this VPC configuration, you can see my other post Creating Virtual Private Cloud (VPC) with public and private sub-networks in AWS

We are going to create the other elements in the diagram in this lab.

Requirements

Steps

  • Create an S3 bucket
  • Create a VPC endpoint (gateway endpoint for S3)
  • Associate the endpoint with the route table of the private 10.0.1.0/24 subnet
  • Restrict the endpoint with a policy so that only the bucket we create can be reached through it
  • Create an IAM role with access to list S3
  • Test the configuration by launching one instance in the private subnet and one in the public subnet

Hands-On

  1. In the AWS Management Console, go to S3

2. Click on Create bucket

3. Give it a name and click on Create bucket (the name needs to be unique across all of AWS, not just your account)

4. Click on the bucket name

5. Click on Upload

6. Click on the Properties tab and copy the bucket ARN; paste it somewhere to use later

7. Go back to the Objects tab, click on Add files and upload any file; it will be used later when we test the configuration. In my case I'm uploading an image. Then click on Upload

8. If everything is ok, you will see a success message

9. Go to VPC

10. Click on Endpoints

11. Click on Create Endpoint

12. Select AWS services as the Service category, search for S3 and select the entry whose Type is Gateway (service name com.amazonaws.us-east-2.s3), then select the VPC you created for this lab

13. Under Configure route tables, select the route table associated with the private subnet (a gateway endpoint is attached to route tables, not directly to subnets; the console adds the S3 prefix-list route to the selected table for you)

14. Select Custom under Policy and paste this policy, replacing (ARN) with your bucket ARN (remove the parentheses as well)

{
	"Version": "2008-10-17",
	"Statement":[
		{
			"Sid": "Access-to-specific-bucket",
			"Principal": "*",
			"Action": [
				"s3:GetObject",
				"s3:ListBucket",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"(ARN)",
				"(ARN)/*"
			]
		}
	]
}

For example, my final policy is

{
	"Version": "2008-10-17",
	"Statement":[
		{
			"Sid": "Access-to-specific-bucket",
			"Principal": "*",
			"Action": [
				"s3:GetObject",
				"s3:ListBucket",
				"s3:PutObject"
			],
			"Effect": "Allow",
			"Resource": [
				"arn:aws:s3:::vpc-endpointtest",
				"arn:aws:s3:::vpc-endpointtest/*"
			]
		}
	]
}

15. Click on Create endpoint

16. If everything is ok you will see a success message, click on Close

Great! Now you have access to S3 through the endpoint, so let's test it.

Test

  1. First, let's make sure the endpoint has modified the private subnet's route table. Go to Subnets

2. Select the private subnet and open the Route table tab. You will see a new route whose destination is the S3 prefix list (pl-xxxx) and whose target is the endpoint (vpce-xxxx); this is what sends S3 traffic from the private subnet through the endpoint

3. Go to IAM

4. Click on Roles

5. Click on Create role

6. Select EC2 and click Next: Permissions

7. Search for s3 and, for this lab, use AmazonS3FullAccess, then click Next. (This managed policy is far broader than the lab needs; a production role should grant only the actions on the bucket that the workload requires.)

8. In the Tags, leave at defaults and click on Next

9. Give it a name, and click on Create role

10. Now let's try to connect to S3 from the private subnet. Go to EC2

11. Go to Instances

12. Click on Launch instances

13. Select Amazon Linux 2 AMI 64-bit

14. Select t2.micro and click on Next

15. Start with the instance in the private subnet: set Number of instances to 1, select the right VPC under Network, choose the private subnet, set Auto-assign Public IP to Disable, select the role with the S3 permissions under IAM role, and click on Review and Launch

16. Review the configuration and click on Launch

17. In the next window, select Create a new key pair, give it a name, download and click on Launch Instances

18. If everything is ok, you will see the success message, click on View Instances

19. Now let's launch the instance in the public subnet: click on Launch instances

20. Select Amazon Linux 2 AMI 64-bit

21. Select t2.micro and click on Next

22. Select 1 instance, the right VPC and the public subnet, make sure Auto-assign Public IP is set to Enable, and click on Review and Launch

23. Review the configuration and click on Launch

24. In the next window, select the key pair we created earlier, tick the acknowledgement check box and click on Launch Instances

25. If everything is ok, you will see the success message, click on View Instances

26. Select the private and the public instance and copy their private addresses and the public address (the private instance will not have a public address)

In my case the private instance has the internal IP 10.0.1.253, and the public instance has the internal IP 10.0.0.194 and the public IP 3.135.214.6

27. Now let's open a terminal and go to the directory where the key pair was downloaded

cd ~/Downloads

28. Restrict the permissions on the key pair so only you can read it

chmod 400 endpoint-test.pem

29. Copy the pem file to your public instance (use your own IP and pem file name). Copying a private key onto a bastion host is a shortcut for this lab only; outside a lab, use SSH agent forwarding (ssh -A) or a jump host (ssh -J) so the key never leaves your workstation

scp -i endpoint-test.pem endpoint-test.pem ec2-user@3.135.214.6:/tmp

30. Connect to your public instance

ssh -i "endpoint-test.pem" ec2-user@3.135.214.6

31. Become root, go to the directory with the pem file and restrict its permissions

sudo su -
cd /tmp
chmod 400 endpoint-test.pem

32. Connect to the private instance using its private IP (replace it with the one you copied)

ssh -i "endpoint-test.pem" ec2-user@10.0.1.60

33. Now let's test the connectivity. We shouldn't have a connection to the internet: the name still resolves, because the VPC's DNS resolver is reachable from inside the VPC, but there is no route out of the private subnet, so every packet is lost

ping www.google.com
PING www.google.com (172.217.1.36) 56(84) bytes of data.
^C
--- www.google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3065ms

34. Try to list the objects in the bucket. The AWS CLI is preinstalled on Amazon Linux 2 and picks up the instance role's credentials automatically, and the request reaches S3 through the endpoint

aws s3 ls s3://vpc-endpointtest/ --region us-east-2
2021-01-08 01:55:01      27130 efs.png

35. And if you try to list all the buckets you will get an error. s3:ListAllMyBuckets is not one of the actions the endpoint policy allows, and its resource (arn:aws:s3:::*) is not the bucket's ARN, so the endpoint denies the call even though the instance role (AmazonS3FullAccess) would permit it; both the role and the endpoint policy have to allow a request

aws s3 ls --region us-east-2

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
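The different outcomes of the two commands above are decided entirely by the endpoint policy from step 14, and the lab as built has one gap that policy cannot close: nothing prevents the same bucket from being reached from the public subnet through the IGW. The Python below is an added example, not code from the original post. It fills the step 14 policy in for a bucket, evaluates it the way the endpoint does for the calls in the test section (plus a second bucket, to show the scope), and emits the complementary bucket policy that denies every request not arriving through the endpoint. The bucket name vpc-endpointtest is the one used in the lab; the endpoint ID vpce-0a1b2c3d4e5f67890 and the bucket some-other-bucket are made-up placeholders, and the evaluator only handles Effect, Action and Resource (no Condition keys), which is all the lab policy uses.

```python
import json
import re

# Bucket name used throughout the lab; the endpoint ID and the second bucket
# below are made-up placeholders constructed for this example.
LAB_BUCKET = "vpc-endpointtest"
EXAMPLE_VPCE = "vpce-0a1b2c3d4e5f67890"


def endpoint_policy(bucket):
    """Step 14 endpoint policy with the (ARN) placeholders filled in for `bucket`.
    Version 2012-10-17 is the current policy-language version; the post's
    2008-10-17 is still accepted by AWS."""
    arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Access-to-specific-bucket",
                "Principal": "*",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
                "Resource": [arn, arn + "/*"],
            }
        ],
    }


def vpce_only_bucket_policy(bucket, vpce_id):
    """Bucket policy (not in the post) that denies every request on `bucket`
    unless it arrived through the gateway endpoint `vpce_id`. The endpoint
    policy only limits what the endpoint can reach; this closes the other
    direction: reaching the bucket from anywhere else (public subnet, internet)."""
    arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessThroughEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, arn + "/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def _matches(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names are case-insensitive; S3 ARNs are compared exactly."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(x):
    return [x] if isinstance(x, str) else list(x)


def endpoint_allows(policy, action, resource):
    """Evaluate `policy` for one call the way the endpoint does: a matching
    Deny wins, otherwise any matching Allow permits, otherwise implicit deny.
    Principal is not evaluated (it is '*' in an endpoint policy) and Condition
    keys are ignored, which is enough for the lab policy. The instance role is
    checked separately by IAM; both must allow the call for it to succeed."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a, action, ignore_case=True) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The CLI commands from the test section, mapped to the S3 action and resource
# the request is authorised against (plus a download and a second, made-up
# bucket to show that the endpoint policy scopes access to the one bucket).
LAB_CALLS = {
    "aws s3 ls s3://vpc-endpointtest/ --region us-east-2": ("s3:ListBucket", "arn:aws:s3:::vpc-endpointtest"),
    "aws s3 cp s3://vpc-endpointtest/efs.png . --region us-east-2": ("s3:GetObject", "arn:aws:s3:::vpc-endpointtest/efs.png"),
    "aws s3 ls --region us-east-2": ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
    "aws s3 ls s3://some-other-bucket/ --region us-east-2": ("s3:ListBucket", "arn:aws:s3:::some-other-bucket"),
}


def lab_results(bucket=LAB_BUCKET):
    """Map each lab command to True (the endpoint lets it through) or False."""
    policy = endpoint_policy(bucket)
    return {cmd: endpoint_allows(policy, act, res) for cmd, (act, res) in LAB_CALLS.items()}


if __name__ == "__main__":
    for cmd, ok in lab_results().items():
        print(("ALLOW  " if ok else "DENY   ") + cmd)
    # Save this output to a file and apply it with:
    #   aws s3api put-bucket-policy --bucket vpc-endpointtest --policy file://bucket-policy.json
    print(json.dumps(vpce_only_bucket_policy(LAB_BUCKET, EXAMPLE_VPCE), indent=2))
```

Apply the bucket policy only after the endpoint exists and you have confirmed the private instance can reach the bucket through it. Note that a Deny with Principal "*" also refuses the S3 console and any administrator working from outside the VPC; in practice add an exception for an administrative role before turning it on, because once it is in place only the account's root user can still remove the policy.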

Great, you now know how to create an endpoint. Remember that this is not the best configuration for production; it only demonstrates the steps to create an endpoint. In particular, the endpoint policy only limits what can be reached through the endpoint: nothing here stops the same bucket from being reached from the public subnet or the internet, and the instance role is far broader than the workload needs.

Clean-Up

  1. Go to EC2

2. Click on Instances

3. Select the instances we created in this lab, click on Instance state, then select Terminate instance

4. Confirm

5. Go to Key Pairs

6. Select the key pair we created in this lab, click on Actions, then Delete

7. Confirm

8. Click on Security Groups

9. Select the security groups created for the instances in this lab (the launch wizard creates one per launch), click on Actions, then Delete security group

10. Confirm

11. Go to IAM

12. Click on Roles

13. Search for the role we created for this lab and click on Delete role

14. Confirm

15. Go to VPC


16. Select Endpoints

17. Select the Endpoint we create in this lab and click on Actions, then Delete Endpoint

18. Confirm

19. Remove all the resources you created for the VPC: IGW, subnets, route tables, etc.