What is AWS PrivateLink?
AWS PrivateLink provides private connectivity between VPCs, AWS services and your on-premises networks, without exposing your traffic to the public internet.
Network traffic that uses AWS PrivateLink doesn't travel the public internet, which gives you:
- Reduced exposure to attacks
- Regulatory compliance
- Hybrid cloud connectivity
- Cost savings
In this blog I am setting up two VPCs in two AWS regions (Ohio, US and Tokyo, Japan) with two different CIDR ranges and using a VPC endpoint for Amazon S3 to access the data.
VPC endpoints for Amazon S3 simplify access to S3 from within a VPC by providing configurable, highly reliable and secure connections to S3 that do not require an Internet Gateway (IGW) or a Network Address Translation (NAT) device. When you create an S3 VPC endpoint, you can attach an endpoint policy to it that controls access to Amazon S3.
Step 1: Create a VPC in the Ohio Region:
- In the AWS console go to VPC, select the Ohio region and create a VPC named Ohio-VPC with a CIDR of 10.10.0.0/16.
Create 4 subnets in the Ohio-VPC: 2 public subnets and 2 private subnets.
There is neither an Internet Gateway (IGW) nor a NAT Gateway in this Ohio-VPC.
Step 2: Create a VPC in Tokyo Region:
Go to the Tokyo region and create a VPC named Tokyo-VPC with a CIDR of 10.20.0.0/16.
Create 4 subnets in the Tokyo-VPC: 2 public subnets and 2 private subnets.
There is neither an Internet Gateway (IGW) nor a NAT Gateway in this Tokyo-VPC.
Step 3: Create an S3 bucket in the Ohio Region:
In the AWS Console, go to the S3 service and create a bucket in the Ohio region.
Step 4: Create an interface endpoint in the Ohio region:
In the VPC console, in the left panel, click Endpoints under Virtual Private Cloud and the Endpoints console will appear.
In the Endpoints console, click Create Endpoint. A new screen will ask you to give it a name and to select the AWS service for which we want to create the endpoint. As we are creating it for S3, filter by the S3 service and you will get the available endpoints for S3, which include gateway and interface endpoints (S3 Outposts and access point interface endpoints are also available). We will choose the S3 interface endpoint.
Choose the right VPC with the private subnets you created earlier. Create a new security group with no inbound rules and the default outbound rule.
The S3 interface endpoint is created and available. Grab its DNS name and replace the * with the appropriate value, as below:
Example for an S3 bucket: bucket.vpce-xxxxxxxxxx1a295b3-zshjrg35.s3.us-east-2.vpce.amazonaws.com
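The two pieces above that are easy to get wrong are the DNS name (the * must become bucket, accesspoint or control) and the endpoint policy. This added example, which is not code from the original post, builds the endpoint URL from the wildcard DNS name, writes a least-privilege endpoint policy for the single Ohio bucket, and checks which requests that policy lets through. The endpoint id, bucket name and role ARN are placeholders I made up.

```python
import json

# Constructed sample values (endpoint id, bucket and role ARN are placeholders); the
# wildcard DNS name is what the console shows once the step 4 interface endpoint exists.
VPCE_DNS_NAME = "*.vpce-0123456789abcdef0-zshjrg35.s3.us-east-2.vpce.amazonaws.com"
OHIO_BUCKET = "my-ohio-bucket"
EC2_ROLE_ARN = "arn:aws:iam::111122223333:role/private-ec2-role"


def endpoint_url(wildcard_dns, label="bucket"):
    """Replace the leading '*' with the label S3 expects: 'bucket' for bucket and
    object calls (what 'aws s3 --endpoint-url' needs), 'accesspoint' or 'control'."""
    if label not in ("bucket", "accesspoint", "control"):
        raise ValueError(f"unknown S3 interface endpoint label: {label}")
    if not wildcard_dns.startswith("*."):
        raise ValueError("expected the wildcard DNS name from the endpoint console")
    return f"https://{label}.{wildcard_dns[2:]}"


def endpoint_policy(bucket, role_arn):
    """Endpoint policy that lets only the EC2 role read the single Ohio bucket.
    Principal stays '*' and the caller is pinned with the aws:PrincipalArn condition
    key, so any other bucket or caller is refused at the endpoint itself."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyOhioBucketThroughThisEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"ArnEquals": {"aws:PrincipalArn": role_arn}},
        }],
    }, indent=2)


def endpoint_allows(policy_json, caller_arn, action, resource_arn):
    """Minimal check of the Allow-only policy above: would the endpoint pass this
    request? Whatever no statement allows is dropped before it reaches S3."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        pinned = stmt.get("Condition", {}).get("ArnEquals", {}).get("aws:PrincipalArn")
        if pinned is not None and pinned != caller_arn:
            continue
        for res in stmt["Resource"]:
            if res == resource_arn or (res.endswith("/*") and resource_arn.startswith(res[:-1])):
                return True
    return False
```

Paste the output of endpoint_policy into the endpoint's Policy field; the endpoint URL returned by endpoint_url is the value for --endpoint-url in the commands below.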
Step 5: VPC Peering between Ohio-VPC and Tokyo-VPC
Create a VPC peering connection between the Ohio and Tokyo VPCs, accept the peering connection at the accepter VPC and add routes to the other VPC's CIDR in the route tables.
Then accept the peering connection at the Tokyo VPC.
Add a route in each route table with the destination set to the VPC CIDR of the peered VPC and the target set to the peering connection.
Step 6: Create EC2 instance in the Ohio Region:
Create an EC2 instance in a private subnet in the Ohio region and attach the necessary IAM role (SSM and S3 permissions).
Connect to the private EC2 instance in the Ohio region using SSM and list the S3 bucket.
Use the S3 interface endpoint we created earlier and run the command below.
Sample: aws s3 --region us-east-2 --endpoint-url https://bucket.vpce-xxxxxxxxxxxxxxxxx-zshjrg35.s3.us-east-2.vpce.amazonaws.com ls s3://{Your Bucket at Ohio}/
Step 7: Create EC2 instance in the Tokyo Region:
Create an EC2 instance in a private subnet in the Tokyo region and attach the necessary IAM role (SSM and S3 permissions).
Connect to the private EC2 instance in the Tokyo region using SSM and list the S3 bucket in the Ohio region.
Use the S3 interface endpoint we created earlier (in Ohio, reached over the peering connection) and run the command below.
Sample: aws s3 --region us-east-2 --endpoint-url https://bucket.vpce-xxxxxxxxxxxxxxxxx-zshjrg35.s3.us-east-2.vpce.amazonaws.com ls s3://{Your Bucket at Ohio}/
Conclusion:
The S3 interface endpoint lets us access S3 buckets privately, and we can also access S3 buckets in another region privately if VPC peering is enabled between the VPCs.