AWS S3 Private Link

AWS Private Link Overview

What is AWS PrivateLink in general, and what are the benefits of using it?

  • Network traffic that uses AWS PrivateLink doesn’t traverse the public internet.
  • Reduced exposure to attacks.
  • Regulatory compliance.
  • Hybrid cloud.

S3 Private Link

AWS PrivateLink for S3 went GA recently, so I started to compare the feature with Azure Storage; Azure Storage private link went GA a year ago, and Azure Storage service endpoints support cross-region access.

DNS Integration

Endpoint-specific S3 DNS names can be resolved from the S3 public DNS domain.

Lab

C:\Users\rquan>nslookup bucket.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com
Server: homeportal
Address: 192.168.1.254
Non-authoritative answer:
Name: bucket.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com
Address: 10.0.3.231

C:\Users\rquan>nslookup accesspoint.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com
Server: homeportal
Address: 192.168.1.254
Non-authoritative answer:
Name: accesspoint.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com
Address: 10.0.3.231

C:\Users\rquan>nslookup control.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com
Server: homeportal
Address: 192.168.1.254
Non-authoritative answer:
Name: control.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com
Address: 10.0.3.231

C:\Users\rquan>aws s3 --region us-east-1 ls s3://privatelinkrq/
2021-05-15 13:21:10 846291 developer.PNG

C:\Users\rquan>aws s3 --region us-east-1 --endpoint-url https://bucket.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com ls s3://privatelinkrq/
Could not connect to the endpoint URL: "https://bucket.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com/privatelinkrq?list-type=2&prefix=&delimiter=%2F&encoding-type=url"

[ec2-user@ip-172-31-11-119 ~]$ aws s3 --region us-east-1 --endpoint-url https://bucket.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com ls s3://privatelinkrq/
2021-05-15 17:21:10 846291 developer.PNG

[ec2-user@ip-172-31-11-119 ~]$ aws s3control --region us-east-1 --endpoint-url https://control.vpce-0e787478ce3b1998c-hvc8qoxf.s3.us-east-1.vpce.amazonaws.com list-jobs --account-id <xyz>
{
"Jobs": []
}

[ec2-user@ip-172-31-11-119 ~]$ aws s3 --region us-east-1 ls s3://privatelinkrq/
2021-05-15 17:21:10 846291 developer.PNG
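The lab makes the DNS point concrete: all three endpoint-specific names (bucket, accesspoint, control) resolve through public DNS to the same private address, 10.0.3.231, even from a home network, but the `--endpoint-url` call only succeeds from the EC2 instance that actually has a route to that address. The following is an added example, written for this page and not code from the author or from AWS, that builds the three endpoint-specific names for an S3 interface endpoint, resolves them, and checks that every answer is a private address inside the VPC CIDR you expect. A public answer would mean the traffic is not staying on PrivateLink and is worth alerting on. The VPC CIDR 10.0.0.0/16 is an assumption (the lab only shows the single address 10.0.3.231), and the resolver answers used in `__main__` are constructed to mirror the nslookup output above; pass `resolve_a_records` instead to query live DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Values copied from the lab transcript. VPC_CIDR is an ASSUMPTION: the lab only shows
# one address (10.0.3.231), so 10.0.0.0/16 is a placeholder for the real VPC CIDR.
REGION = "us-east-1"
VPCE_DNS_LABEL = "vpce-0e787478ce3b1998c-hvc8qoxf"
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Endpoint-specific hostname prefixes seen in the lab: bucket (S3 data plane),
# accesspoint (S3 Access Points) and control (S3 Control API, e.g. list-jobs).
SERVICES = ("bucket", "accesspoint", "control")

Resolver = Callable[[str], List[str]]


def endpoint_hostnames(vpce_dns_label: str, region: str) -> Dict[str, str]:
    """Build the endpoint-specific names in the shape shown in the lab:
    <service>.<vpce-dns-label>.s3.<region>.vpce.amazonaws.com"""
    return {svc: f"{svc}.{vpce_dns_label}.s3.{region}.vpce.amazonaws.com"
            for svc in SERVICES}


def endpoint_url(service: str, vpce_dns_label: str, region: str) -> str:
    """Value to pass to `aws s3 --endpoint-url` / `aws s3control --endpoint-url`."""
    return "https://" + endpoint_hostnames(vpce_dns_label, region)[service]


def resolve_a_records(hostname: str) -> List[str]:
    """Live resolver via the system stub resolver; [] when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(hostname: str, vpc_cidr: ipaddress.IPv4Network,
             resolver: Resolver = resolve_a_records) -> Dict[str, object]:
    """Classify where an endpoint-specific name points.

    private-in-vpc : every answer lies inside the expected VPC CIDR (healthy endpoint)
    private        : RFC 1918 answers, but not in the CIDR we expect (wrong endpoint/VPC?)
    public         : at least one public address; traffic would NOT stay on PrivateLink,
                     so treat as misconfiguration or DNS tampering and investigate
    unresolved     : no A records
    """
    addrs = resolver(hostname)
    if not addrs:
        status = "unresolved"
    else:
        ips = [ipaddress.ip_address(a) for a in addrs]
        if all(ip in vpc_cidr for ip in ips):
            status = "private-in-vpc"
        elif all(ip.is_private for ip in ips):
            status = "private"
        else:
            status = "public"
    return {"host": hostname, "addresses": addrs, "status": status}


def check_endpoint(vpce_dns_label: str, region: str, vpc_cidr: ipaddress.IPv4Network,
                   resolver: Resolver = resolve_a_records) -> Dict[str, Dict[str, object]]:
    """Classify all three endpoint-specific names of one S3 interface endpoint."""
    return {svc: classify(host, vpc_cidr, resolver)
            for svc, host in endpoint_hostnames(vpce_dns_label, region).items()}


def all_private_in_vpc(report: Dict[str, Dict[str, object]]) -> bool:
    """True only when every name resolves exclusively inside the expected VPC CIDR."""
    return all(r["status"] == "private-in-vpc" for r in report.values())


if __name__ == "__main__":
    # Constructed answers mirroring the nslookup output in the lab (not a live query).
    lab_answers = {h: ["10.0.3.231"]
                   for h in endpoint_hostnames(VPCE_DNS_LABEL, REGION).values()}
    report = check_endpoint(VPCE_DNS_LABEL, REGION, VPC_CIDR,
                            resolver=lambda h: lab_answers.get(h, []))
    for svc, r in report.items():
        print(f"{svc:12s} {r['status']:15s} {r['host']} -> {r['addresses']}")
    print("all names private and inside the VPC:", all_private_in_vpc(report))
    print("CLI endpoint-url:", endpoint_url("bucket", VPCE_DNS_LABEL, REGION))
```

A "private-in-vpc" result does not by itself mean the endpoint is reachable from the host running the check: the home PC in the lab got exactly that answer and still failed with "Could not connect", because it had no route to 10.0.3.231. Reachability needs a route into the VPC (an instance in the VPC, or a VPN/Direct Connect path), which is why the same command succeeds from the EC2 instance.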

Conclusion

It’s fairly straightforward to configure AWS S3 PrivateLink: one endpoint supports working with multiple S3 buckets, and DNS configuration is also taken care of by default.

Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer; they focus on cloud networking, cloud security and API security.