mLC

Reputation: 693

Accessing the AWS S3 from on-premise world through Direct Connect, VPC and VPC Endpoint using AWS SDK

Our setup:

[setup diagram: on-premises network, Direct Connect, VPC, VPC endpoint, S3]

Our assumption is that everything is routed properly (on-premises can see the VPC in AWS). Let's assume the VPC CIDR range is 10.10.10.0/24.

When we call "PutObject" (but it can be any S3 method) in the SDK and give the name of our bucket, the resulting request from the SDK targets a public S3 IP address (52.xxx). However, this won't be routed as Direct Connect -> VPC -> VPC Endpoint -> S3; instead, our routers will route the traffic to the internet proxy (via the default 0.0.0.0/0 route), because the VPC CIDR range is only 10.10.10.0/24.

My question is (obviously): is there a right way to route the traffic through AWS Direct Connect and not through the internet?

I am hoping for something like:

Disclaimer: I am not really a networking or AWS infra master, so excuse some of my vagueness.

Upvotes: 5

Views: 10082

Answers (2)

user3170122

Reputation: 717

AWS now supports PrivateLink for S3, which lets you send traffic directly over Direct Connect/VPN using an endpoint-specific DNS name. https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/

Upvotes: 1

Vikyol

Reputation: 5615

You cannot access a VPC Endpoint through Direct Connect private VIF without using proxies.

You can instead allocate a public VIF. When you enable route propagation on your VGW, AWS advertises all of its public routes to the customer's router, so all traffic towards AWS services in that region goes over Direct Connect.

A public virtual interface can access all AWS public services using public IP addresses. A public virtual interface allows you to connect to all AWS public IP spaces globally. Direct Connect customers in any Direct Connect location can create public virtual interfaces to receive Amazon's global IP routes.

Upvotes: 3
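The two answers above describe two different paths out of the on-premises network: the PrivateLink answer makes the SDK connect to an address inside the VPC CIDR (so the existing route to the VPC over the private VIF carries it), while the public VIF answer makes the public S3 prefixes themselves reachable over Direct Connect. The following is an added example, not code from the question or from either answer, that checks which path a given S3 hostname would take before you trust the SDK with it. It builds the bucket-style `endpoint_url` for an S3 interface endpoint (the `bucket.` + endpoint DNS name form from the AWS announcement; the endpoint ID `vpce-0123456789abcdef0-abcd1234` and region are placeholders), then resolves a hostname and classifies each address against the VPC CIDR from the question and against the S3 prefixes of a document in the shape of `https://ip-ranges.amazonaws.com/ip-ranges.json`. The DNS answers and the prefix excerpt are constructed (RFC 5737 documentation ranges, not real AWS ranges) so the example runs offline; swap in the real resolver and the real file to check your own setup. `boto3.client(..., endpoint_url=...)` is the real SDK parameter that takes the URL.

```python
"""Where would an S3 request from on-premises actually be routed?

Added example (not from the question or the answers). Endpoint IDs, DNS
answers and ip-ranges prefixes are placeholders or constructed data.
"""
import ipaddress
import json
import socket
from typing import Callable, Dict, Iterable, List, Optional

# VPC CIDR from the question.
VPC_CIDR = "10.10.10.0/24"

# Constructed excerpt in the shape of ip-ranges.json. These are RFC 5737
# documentation ranges, NOT real AWS prefixes; fetch the real file in practice.
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed DNS answers so the example runs offline. A real interface
# endpoint name resolves (publicly) to the private IPs of its ENIs in the VPC.
FAKE_DNS = {
    "bucket.vpce-0123456789abcdef0-abcd1234.s3.us-east-1.vpce.amazonaws.com":
        ["10.10.10.45", "10.10.10.201"],
    "mybucket.s3.us-east-1.amazonaws.com": ["198.51.100.17"],
    "example.org": ["192.0.2.44"],
}

Resolver = Callable[[str], Iterable[str]]


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS; unknown names resolve to nothing."""
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> List[str]:
    """Real lookup through the on-premises resolver (A records only)."""
    return socket.gethostbyname_ex(host)[2]


def bucket_endpoint_url(vpce_dns_name: str) -> str:
    """Bucket-style endpoint URL for an S3 interface endpoint.

    AWS documents the form 'https://bucket.' + <endpoint-specific DNS name>;
    this is what goes into the SDK's endpoint_url (e.g. boto3.client).
    """
    if not vpce_dns_name.startswith("vpce-") or ".vpce.amazonaws.com" not in vpce_dns_name:
        raise ValueError("expected an endpoint-specific DNS name like vpce-...s3.<region>.vpce.amazonaws.com")
    return f"https://bucket.{vpce_dns_name}"


def aws_public_prefixes(ip_ranges_json: str, service: Optional[str] = None,
                        region: Optional[str] = None) -> List[ipaddress.IPv4Network]:
    """IPv4 prefixes from an ip-ranges.json document, optionally filtered.

    With a public VIF and route propagation, these public prefixes are among
    the routes AWS advertises to the customer router.
    """
    doc = json.loads(ip_ranges_json)
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if (service is None or p["service"] == service)
        and (region is None or p["region"] == region)
    ]


def classify_route(host: str, vpc_cidr: str, aws_prefixes: List[ipaddress.IPv4Network],
                   resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Resolve host and say which on-premises path each address would take.

    'private-vif'  : address is inside the VPC CIDR (interface endpoint ENI),
                     so the existing VPC route over Direct Connect carries it
    'public-vif'   : address is in an AWS public prefix, reachable over Direct
                     Connect only if a public VIF with route propagation exists
    'default-route': neither, so the 0.0.0.0/0 route sends it to the proxy
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    result: Dict[str, str] = {}
    for addr_text in resolver(host):
        addr = ipaddress.ip_address(addr_text)
        if addr in vpc:
            result[addr_text] = "private-vif"
        elif any(addr in prefix for prefix in aws_prefixes):
            result[addr_text] = "public-vif"
        else:
            result[addr_text] = "default-route"
    return result


if __name__ == "__main__":
    s3_prefixes = aws_public_prefixes(IP_RANGES_JSON, service="S3", region="us-east-1")
    url = bucket_endpoint_url("vpce-0123456789abcdef0-abcd1234.s3.us-east-1.vpce.amazonaws.com")
    for name in (url.split("://", 1)[1], "mybucket.s3.us-east-1.amazonaws.com", "example.org"):
        print(name, classify_route(name, VPC_CIDR, s3_prefixes, resolver=fake_resolver))
    # Once every address for the endpoint name is 'private-vif', hand the URL
    # to the SDK (requires boto3 and network access, so not executed here):
    #   import boto3
    #   s3 = boto3.client("s3", region_name="us-east-1", endpoint_url=url)
    #   s3.put_object(Bucket="mybucket", Key="hello.txt", Body=b"hi")
```

Run it from the on-premises host with `resolver=system_resolver` against your own endpoint name: if any resolved address comes back as `default-route`, the request would still leave through the proxy regardless of which VIF exists.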
