Reputation: 567
aws vpc endpoints - how it works?
I am trying to understand the concept of how VPC endpoints work and I am not sure that I understand the AWS documentation. For example, I have a private S3 bucket and I have an EKS cluster. So if my bucket is private I believe that traffic from the EKS cluster to S3 does not go through the internet, but only through the AWS network. But in a case my s3 bucket was public, then probably I will need to set up the VPC endpoint, so traffic will not leave the AWS. The same logic I would expect with ECR, if it is private you load images to your EKS through AWS network. So what is the exact case when you need to use VPC endpoint within your AWS account (not from on-prem or another VPC)?
Upvotes: 2
Views: 1747
Answers (1)
Reputation: 3360
VPC endpoints are typically used with public AWS services (such as S3, DynamoDB, ECR, etc.) when the client applications are hosted inside your VPC and you do not want to route traffic via public Internet, which would otherwise result in a number of hops to reach the AWS service.
Imagine a situation when you have an app running on an EC2 instance, which is deployed to a private subnet of your VPC (i.e. a Pod in your EKS cluster). This app reads/writes data from/to AWS S3. If you do not use a VPC endpoint, your traffic will first reach your NAT gateway, then your VPC's Internet gateway out to the public Internet. Eventually, it will hit AWS S3. The response will travel back via the same route.
Same thing with ECR (i.e. a new instance of your Kubernetes Pod started by the kubelet). It's better (i.e. quicker) to pick the shortest route to download a Docker image from ECR rather than traverse a number of switches/routers. With a VPC endpoint your traffic will first hit the VPC endpoint (without leaving your private subnet) and then reach e.g. ECR directly (traffic does not leave the Amazon network).
As correctly mentioned by @jarmod, one should differentiate between routing (Layer 3 in the OSI model) and authentication/authorization (Layer 7). For example, you can use a VPC endpoint to reach AWS S3, but not be authorized (or even unauthenticated) to e.g. read a file from an S3 bucket.
Hope this clarifies the idea behind using VPC endpoints.
Upvotes: 3
Related Questions
- What is VPC, Subnet in AWS
- How to use a VPC endpoint to access my S3 bucket list/buckets?
- How exactly is a VPC used
- How lambda connects to s3 inside vpc
- AWS VPC Endpoints: What's the different between the private DNS records
- What is the difference between S3 bucket policies and S3 VPC endpoints?
- How does the AWS Inteface VPC endpoint actually route traffic to regional service?
- How VPC sharing works
- Aws s3 access using vpc-endpoint
- AWS S3 VPC endpoint docs example