3

I am planning to use AWS File Gateway in a hybrid environment where I will mount the File Gateway to an EC2 instance from within a private subnet. As per AWS documentation, all data transfer is done through HTTPS when using File Gateway.

But since my File Gateway, EC2 instance and S3 are all inside the AWS environment, will my File Gateway still transfer files over the internet to S3 service endpoint (s3.amazonaws.com) or will it leverage VPC endpoint for S3?

Note: I cannot use EFS for this purpose as it's not HIPAA compliant.

dilzfiesta

2 Answers

1

A VPC Endpoint for S3 uses a predefined IP prefix list in your subnet route tables, which hijacks all of the traffic bound for all of the IP addresses assigned to S3 in your region... so from a subnet associated with an S3 VPC endpoint, all traffic bound for any S3 address in the region is routed through the endpoint.

To state it another way, when correctly configured, an S3 VPC endpoint becomes the only way S3 can be accessed from the associated subnets, and because it's done at the IP routing layer, anything accessing S3 from those subnets will automatically and transparently use the endpoint.

The prefix list ID logically represents the range of public IP addresses used by the service. All instances in subnets associated with the specified route tables automatically use the endpoint to access the service; subnets that are not associated with the specified route tables do not use the endpoint.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html

Michael - sqlbot
  • Thank you! Logically it should but it's nowhere mentioned that **File Gateway will internally use S3 VPC endpoint if hosted inside a subnet associated with it** which puts me in a very dicey situation. – dilzfiesta Jul 26 '17 at 06:45
  • It should be impossible for it not to, as there is no other interface to S3. As a protective measure, you use policy statements to deny access to the bucket if access is attempted *without* using the gateway. http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html – Michael - sqlbot Jul 26 '17 at 17:34
  • It worked! I restricted the bucket policy to the VPC endpoint created for S3 and was able to push files through File Gateway to S3. So this concludes that **File Gateway indeed uses VPC endpoint for S3 internally** – dilzfiesta Jul 27 '17 at 16:06
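As an added illustration (not code from the answerer or from the AWS documentation linked above), here is the bucket-policy pattern the comment refers to, plus a small local check of how its Deny condition behaves; the bucket name and the `vpce-...` id are placeholders you would replace with your own.

```python
import json
from typing import Optional

# Constructed placeholders, not values from the page.
BUCKET = "example-file-gateway-bucket"
VPCE_ID = "vpce-0123456789abcdef0"


def vpce_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Deny every S3 action on the bucket unless the request arrived through
    the given S3 VPC endpoint (IAM condition key aws:sourceVpce).

    Caveat: this also denies requests from the AWS console or from any
    subnet not routed through that endpoint, so apply it only after the
    gateway's traffic is confirmed to use the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def request_is_denied(policy: dict, request_vpce: Optional[str]) -> bool:
    """Local evaluation of the Deny statement above.

    IAM's negated operators (StringNotEquals etc.) match when the key is
    absent from the request context, so traffic that reached S3 over the
    public endpoint (no aws:sourceVpce at all) is denied, as is traffic
    from any other VPC endpoint."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        expected = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:sourceVpce")
        if expected is None:
            continue
        if request_vpce is None or request_vpce != expected:
            return True
    return False


def policy_json(policy: dict) -> str:
    """Serialise for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_json(vpce_only_bucket_policy(BUCKET, VPCE_ID)))
```

If the gateway can still write objects after this policy is attached, its traffic is going through the endpoint; a gateway that suddenly fails to upload is the signal that its subnet is not associated with the endpoint's route table.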
0

In theory, if you configure your VPC Route Table to use the VPC Endpoint, then any traffic destined for S3 will be sent via the VPC Endpoint. (By the way, it might only work when connecting to S3 in the same region.)

Regardless, even if the traffic is routed through your Internet Gateway to the Amazon S3 endpoint, the traffic will not traverse the real "Internet" -- it will simply pass through the AWS edge of the Internet, never leaving the AWS data center (as long as it is in the same Region).

John Rotenstein