lorena

Reputation: 404

If private S3 endpoints have a route to the Transit Gateway (TGW), can they communicate with other VPCs?

Interface endpoints stay within their own VPC, and typically gateway endpoints (e.g., S3) would as well. However, we have two accounts connected to the same Transit Gateway (TGW), which essentially serves as a hub. In this case, can an S3 gateway endpoint potentially transfer S3 data outside of its own VPC if there is a route to the TGW in the route table that the endpoint is associated with?

Upvotes: 0

Views: 1665

Answers (2)

Michael - sqlbot

Reputation: 179244

No, a gateway endpoint cannot be used outside of a VPC.

The route tables of a VPC are used only to make routing decisions for packets sourced by instances on the subnets associated with the route table. No other traffic, such as traffic from the gateway endpoint or packets entering the VPC from the transit gateway, uses the VPC route tables. VPC never does edge-to-edge routing.

Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-limitations

Upvotes: 1
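As an added illustration of the rule in the answer above (this is example code written for this page, not part of the original post or of any AWS tool), the script below audits `describe-route-tables`-shaped output to show which subnets can reach S3 through a gateway endpoint and which tables also carry a transit gateway route, and it applies the answer's routing rule: a VPC route table is consulted only for traffic sourced by instances in its associated subnets, so a packet entering from the TGW is never matched against the endpoint's prefix-list route. All IDs, CIDRs and the stand-in prefix-list entries are constructed; on a real account you would feed it the output of `aws ec2 describe-route-tables` and `aws ec2 get-managed-prefix-list-entries`.

```python
"""Audit VPC route tables for S3 gateway-endpoint reach (example code)."""
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables` output,
# trimmed to the fields used below. Every ID and CIDR here is made up.
ROUTE_TABLES_JSON = """
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-0private",
      "VpcId": "vpc-0a",
      "Associations": [{"SubnetId": "subnet-0app1"}, {"SubnetId": "subnet-0app2"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-0s3example", "GatewayId": "vpce-0s3gw", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": "tgw-0hub", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-0public",
      "VpcId": "vpc-0a",
      "Associations": [{"SubnetId": "subnet-0web1"}],
      "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}
      ]
    }
  ]
}
"""

# Constructed CIDRs standing in for the managed S3 prefix list; real entries
# come from `aws ec2 get-managed-prefix-list-entries`.
PREFIX_LISTS = {"pl-0s3example": ["198.51.100.0/24"]}


def load_route_tables(text=ROUTE_TABLES_JSON):
    """Parse describe-route-tables JSON into the list of route table dicts."""
    return json.loads(text)["RouteTables"]


def route_target(route):
    """Return the next-hop identifier of a route, whichever target field it uses."""
    for key in ("GatewayId", "TransitGatewayId", "NatGatewayId",
                "VpcPeeringConnectionId", "NetworkInterfaceId"):
        if key in route:
            return route[key]
    return None


def audit(tables):
    """Per route table: associated subnets, S3 gateway endpoint (if any), TGW routes."""
    report = {}
    for rt in tables:
        s3_endpoint = None
        tgw_routes = []
        for r in rt["Routes"]:
            if r.get("State") != "active":
                continue
            target = route_target(r)
            # A gateway endpoint shows up as a prefix-list route targeting a vpce-.
            if target and target.startswith("vpce-") and "DestinationPrefixListId" in r:
                s3_endpoint = target
            if "TransitGatewayId" in r:
                tgw_routes.append((r["DestinationCidrBlock"], r["TransitGatewayId"]))
        report[rt["RouteTableId"]] = {
            "subnets": sorted(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a),
            "s3_endpoint": s3_endpoint,
            "tgw_routes": tgw_routes,
        }
    return report


def subnets_reaching_s3(report):
    """Subnets whose route table carries a gateway-endpoint route to S3."""
    return sorted(s for entry in report.values() if entry["s3_endpoint"] for s in entry["subnets"])


def next_hop(rt, dst_ip, prefix_lists=PREFIX_LISTS, ingress_from_tgw=False):
    """Longest-prefix-match lookup for traffic sourced by an instance in a subnet
    associated with `rt`. Following the answer's rule, traffic entering the VPC
    from the transit gateway is not routed by the VPC route table, so that case
    returns None no matter which routes (endpoint included) are present."""
    if ingress_from_tgw:
        return None
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in rt["Routes"]:
        if r.get("State") != "active":
            continue
        if "DestinationCidrBlock" in r:
            cidrs = [r["DestinationCidrBlock"]]
        else:
            cidrs = prefix_lists.get(r.get("DestinationPrefixListId"), [])
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route_target(r))
    return best[1] if best else None


if __name__ == "__main__":
    tables = load_route_tables()
    for rtb, entry in audit(tables).items():
        print(rtb, entry)
    print("subnets using the S3 endpoint:", subnets_reaching_s3(audit(tables)))
```

Running it on the constructed data reports that only the two subnets attached to `rtb-0private` can use the endpoint, that the same table also has a route to the TGW, and that a lookup marked `ingress_from_tgw=True` returns no next hop even for an S3 destination, which is exactly the non-extension property the answer describes.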

Nagarjuna

Reputation: 11

Yes, it is possible. But check: if you want to route the traffic to and from another availability zone, you have to enable that availability zone to be used by the transit gateway to route traffic to resources in the VPC subnets after attaching the VPC/VPN/Direct Connect gateways.

Upvotes: 0
