Introducing private DNS support for Amazon S3 with Amazon Web Services PrivateLink
Compliance requirements often mandate private connectivity when on-premises applications use cloud storage. To satisfy these requirements, customers set up private connections to
To help simplify your DNS configuration for private connectivity, Amazon S3
In this blog post, we demonstrate how to take advantage of private DNS to access Amazon S3 using Amazon Web Services PrivateLink. We also discuss configuration options for various scenarios, and how to verify that your clients are connecting to Amazon S3 over gateway VPC endpoints and interface VPC endpoints.
VPC endpoints for Amazon S3
There are two types of
Gateway VPC endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Gateway VPC endpoints can be set up with a few clicks in the Amazon Web Services Management Console, and use your VPC route table to route requests from clients within your VPC to S3’s or DynamoDB’s public IPs, over the Amazon Web Services network. Gateway VPC endpoints have no additional charge and support connectivity only from resources local to the respective VPC where the gateway endpoint is created.
Interface VPC endpoints provide private connectivity for
The most cost-efficient way to access S3 is to use Gateway VPC endpoints where possible (e.g., from EC2 instances in the Region) and to use Interface VPC endpoints from other locations such as from on premises.
Accessing Amazon S3 interface endpoint with private DNS name
Figure 1 shows a hybrid network setup where you connect from on-premises over an
Figure 1: Setup when connecting from on premises over Direct Connect or Site-to-Site VPN
When you enable
- Regional Bucket (e.g., s3.<Region>.amazonaws.com)
- Control (e.g., s3-control.<Region>.amazonaws.com)
- Access Point (e.g., s3-accesspoint.<Region>.amazonaws.com)
This enables you to use Amazon Web Services’s private network connectivity to S3 while making requests to the service’s Regional, control, or access point endpoints. For more information, refer to the
Diagram walkthrough
- On-premises client initiates a DNS query targeted to a regional S3 bucket.
- The on-premises DNS server forwards this query, over the Site-to-Site VPN or DX connection, to the Route 53 Resolver inbound endpoint associated with the same VPC that has the S3 interface VPC endpoint.
- The Route 53 resolver endpoint forwards this query to the Route 53 hosted zone managed by Amazon Web Services which returns the IP addresses of the S3 Interface VPC endpoints in the DNS response.
- On-premises client then initiates the connection to the S3 interface VPC endpoint.
- The S3 interface endpoint forwards the client's request over Amazon Web Services PrivateLink to the S3 bucket specified in the client's request.
New – Enable private DNS only for inbound endpoint
Many customers have applications on premises and in an Amazon Web Services Region, both running in the same VPC. These customers told us that they wanted an easy way to route traffic from on-premises through interface endpoints, and traffic from within Amazon Web Services over gateway endpoints. To solve this problem,
“To set PrivateDnsOnlyForInboundResolverEndpoint to true, the VPC <vpce_id> must have a gateway endpoint for the service.”
To resolve this, create a gateway endpoint in the VPC. Alternatively, you can disable Enable private DNS only for inbound endpoint and route all your traffic over the interface endpoint.
Figure 2: Error when gateway endpoint does not exist while PrivateDNSonlyForInboundEndpoint enabled
Prerequisites
Before you get started, make sure you have the following prerequisites met:
- Create a VPC in the same Region as the S3 bucket that you wish to connect to over the VPC endpoints. Make sure you have set the attributes enableDnsHostnames and enableDnsSupport to true.
- Create either an Amazon Web Services Direct Connect connection with a Private Virtual Interface (VIF) or an Amazon Web Services Site-to-Site VPN connection to establish connectivity from your corporate data center.
- Create a gateway VPC endpoint for S3 in the same VPC created in step 1 in order to use Enable private DNS only for inbound endpoint.
Creating an interface VPC endpoint for Amazon S3 and enable private DNS options
- To create an interface VPC endpoint for Amazon S3, first navigate to the VPC console, select Endpoints , and choose Create endpoint .
- For Service category , select Amazon Web Services services . Then, filter the service names by entering S3 in the search box. For Service name , choose the service as “S3” and for Type , ensure that it shows Interface ( Figure 3a ).
Figure 3a: Create Interface endpoint for S3
- Select the VPC, desired Availability Zones, and subnet for each one, and then select the appropriate security groups. This should allow traffic from your networks on port 443.
- Under Additional settings , select Enable DNS name for your interface endpoint. By default, it will select Enable private DNS only for inbound endpoint to make traffic originating inside your VPC flow over the gateway VPC endpoint and traffic originating on premises flow over the interface VPC endpoint.
- Select Create endpoint . We show this in the following screenshot ( Figure 3b ):
Figure 3b: Select private DNS options while creating interface VPC endpoint in the VPC console
It takes a few moments to go through various
Figure 4a: Details of the interface VPC endpoint
Choose Subnets to see where the interface endpoint is located, and the ID of the endpoint network interface in each subnet. In the following screenshot ( Figure 4b ), the private IP addresses of the endpoint network interfaces in the VPC are 10.0.4.122 and 10.0.23.155.
Figure 4b: Subnets information for your interface VPC endpoint
Scenarios for private DNS options
Let’s understand the various combinations of DNS options that influence client connectivity to Amazon S3 from applications hosted in the VPC and on premises, using the gateway and interface VPC endpoints for Amazon S3:
Scenario 1 : Without private DNS options
In this configuration, traffic from clients within the VPC where the gateway endpoint has been created can connect to S3 Regional endpoints. Clients outside the VPC (either on-premises or another interconnected VPC) can connect to S3 using the endpoint-specific DNS names or using the options highlighted here in the
This option is useful when you want to have the flexibility to manage private DNS names in your own private hosted zone.
Client in VPC using gateway endpoint:
Client in VPC or on premises using endpoint-specific DNS name:
The preceding output shows that clients inside the VPC resolve to the public IP addresses of an S3 service endpoint, while the clients in the corporate data center resolve to the interface VPC endpoint ENI IP addresses for Amazon S3.
Scenario 2 : With private DNS
In this configuration, both in-VPC and on-premises traffic flows over an interface VPC endpoint for S3. This option is beneficial when you want to simplify the architecture to just one type of endpoint, since it simplifies DNS management. However, this is not a cost-efficient solution, since traffic from resources in the VPC to S3 now also incurs the data transfer charges associated with the interface VPC endpoint for S3. As shown in Figure 5 , the green and blue colors show that traffic from both the EC2 instances within the VPC and the on-premises environment flows over the interface VPC endpoint for S3.
Figure 5: With private DNS enabled and Enable private DNS only for inbound endpoint disabled
Diagram walkthrough
All of Steps 1 through 5 remain the same as described in Figure 1 . However, with only Private DNS enabled, clients inside the VPC as well as clients on premises connect to Amazon S3 via the interface VPC endpoint for S3.
Client inside the VPC:
Client in the on-premises application:
The preceding output shows that both the clients inside the VPC and on premises resolve to interface VPC endpoint ENI IP addresses for Amazon S3.
Scenario 3: With private DNS only for the inbound resolver endpoint
In this configuration, traffic from applications within the VPC flows over the gateway VPC endpoint, while on-premises traffic flows over the interface VPC endpoint for S3. This option provides a cost-effective network design to access S3 from both in-VPC and on-premises applications. When choosing this configuration, you must maintain a gateway VPC endpoint in your VPC. This keeps your traffic on the Amazon Web Services private network at all times: it eliminates the possibility that, without a gateway endpoint, your in-VPC traffic inadvertently goes over an Internet Gateway, or is dropped if there is no Internet Gateway. Hence, if a gateway VPC endpoint does not exist in the VPC where your applications run, the console prevents you from selecting the Enable private DNS only for inbound endpoint option. If you want to update an existing interface endpoint to Enable private DNS only for inbound endpoint , you must first confirm that your VPC has a gateway VPC endpoint for S3. For more information about gateway VPC endpoints and managing private DNS names, see
Figure 6 shows the blue path for traffic from EC2 instances within the VPC flowing via gateway VPC endpoints, whereas the green path shows the traffic flow from on premises to S3 using interface VPC endpoint.
Figure 6: With private DNS enabled and Enable private DNS only for inbound endpoint enabled
Diagram walkthrough
All of Steps 1 through 5 remain the same as in Figure 1 . However, with both Private DNS and Enable private DNS only for inbound endpoint enabled, clients inside the VPC connect to Amazon S3 via the gateway VPC endpoint for S3, while clients on premises connect to Amazon S3 via the interface VPC endpoint for S3.
Clients in VPC using gateway endpoint:
Clients in on premises using interface endpoint:
You cannot delete a gateway VPC endpoint when both private DNS and Enable private DNS only for inbound endpoint are enabled. If you attempt to do that, it will throw the following error:
“Gateway endpoint cannot be deleted while Interface endpoint for the service has PrivateDnsOnlyForInboundResolverEndpoint set to true.”
In this case, if you want to delete the gateway VPC endpoint, you need to modify your interface VPC endpoint and deselect the option Enable private DNS only for inbound endpoint.
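The two constraints in this section (a gateway endpoint must exist before the inbound-only option can be enabled, and it cannot be deleted while that option is set) can be checked before you change anything. The following added example (not code from the original post) applies them to endpoint records in the shape returned by `aws ec2 describe-vpc-endpoints`; the sample records, the Region us-east-1 and the endpoint IDs are constructed placeholders.

```python
from typing import Dict, List, Tuple

S3_SERVICE = "com.amazonaws.us-east-1.s3"   # assumed Region; use your own

# Constructed sample in the shape of the VpcEndpoints list from
# `aws ec2 describe-vpc-endpoints`, keeping only the fields read below.
ENDPOINTS: List[Dict] = [
    {"VpcEndpointId": "vpce-gw-EXAMPLE", "VpcEndpointType": "Gateway",
     "ServiceName": S3_SERVICE, "VpcId": "vpc-EXAMPLE"},
    {"VpcEndpointId": "vpce-if-EXAMPLE", "VpcEndpointType": "Interface",
     "ServiceName": S3_SERVICE, "VpcId": "vpc-EXAMPLE",
     "PrivateDnsEnabled": True,
     "DnsOptions": {"DnsRecordIpType": "ipv4",
                    "PrivateDnsOnlyForInboundResolverEndpoint": True}},
]


def load_endpoints(vpc_id: str) -> List[Dict]:
    """Optional: fetch live records for one VPC with boto3 (needs credentials)."""
    import boto3
    ec2 = boto3.client("ec2")
    resp = ec2.describe_vpc_endpoints(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return resp["VpcEndpoints"]


def gateway_endpoints(endpoints: List[Dict], vpc_id: str,
                      service: str = S3_SERVICE) -> List[Dict]:
    return [e for e in endpoints if e["VpcEndpointType"] == "Gateway"
            and e["VpcId"] == vpc_id and e["ServiceName"] == service]


def can_enable_inbound_only(endpoints: List[Dict], vpc_id: str,
                            service: str = S3_SERVICE) -> Tuple[bool, str]:
    """The inbound-only option requires a gateway endpoint for S3 in the VPC."""
    if gateway_endpoints(endpoints, vpc_id, service):
        return True, "gateway endpoint present; in-VPC traffic stays on it"
    return False, "no gateway endpoint in VPC: create one, or leave the option off"


def can_delete_gateway(endpoints: List[Dict], gateway_id: str) -> Tuple[bool, str]:
    """A gateway endpoint is locked while an interface endpoint for the same
    service in the same VPC has PrivateDnsOnlyForInboundResolverEndpoint set."""
    gw = next((e for e in endpoints if e["VpcEndpointId"] == gateway_id), None)
    if gw is None:
        return False, "unknown gateway endpoint id"
    blockers = [e["VpcEndpointId"] for e in endpoints
                if e["VpcEndpointType"] == "Interface"
                and e["VpcId"] == gw["VpcId"] and e["ServiceName"] == gw["ServiceName"]
                and e.get("PrivateDnsEnabled")
                and e.get("DnsOptions", {}).get("PrivateDnsOnlyForInboundResolverEndpoint")]
    if blockers:
        return False, "first disable the inbound-only option on " + ", ".join(blockers)
    return True, "no interface endpoint depends on this gateway endpoint"
```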
Conclusion
In this blog post, we discussed using private DNS for an Amazon S3 interface VPC endpoint to access Amazon S3 without modifying on-premises applications. We covered using the Enable private DNS only for inbound endpoint option to optimize the network path to S3. These options allow you to take advantage of the lowest-cost private network path without having to make code or configuration changes to your clients. To get started with Amazon Web Services PrivateLink for Amazon S3, visit this
For more information on Amazon Web Services PrivateLink for Amazon S3, you can refer to the following blogs:
- Secure hybrid access to Amazon S3 using Amazon Web Services PrivateLink
- Choosing Your VPC Endpoint Strategy for Amazon S3
- Amazon Web Services Partners use Amazon Web Services PrivateLink to connect privately to Amazon S3