1

I'm trying to access s3 using interface VPC Endpoint but i have a technical issue which i can’t solve.

I have A VPC with the following Subnet:

  1. Subnet A (Private without Internet)
  2. Subnet B (Private without Internet)
  3. Subnet C (Public with Internet Gateway)
  4. Subnet D (Private with NAT)

I have two instances:

  1. i-01 (Subnet A)
  2. i-02 (Subnet D)

I have an interface VPC Endpoint for Subnets A,B and Private DNS is Enabled.

the issue is when i dig the endpoint s3.us-east-1.amazonaws.com in both instances it returns the VPC Endpoints IPs.

Expected Behavior: Instance i-01 returns the VPC Endpoints IPs and instance i-02 return the public regional IP.

Am i understanding the interface concept wrong or the expected behavior is what should happen ?

and if i'm understanding it wrong how to seperate subnets from using the interface endpoint and the public IP

ziad hassan
  • 28
  • 4
  • Note: this is related to the use of [Amazon-provided DNS](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#AmazonDNS) and [Private DNS](https://aws.amazon.com/about-aws/whats-new/2014/11/05/amazon-route-53-now-supports-private-dns-with-amazon-vpc/) in VPC. – jarmod Apr 03 '23 at 02:19

1 Answers1

2

Am i understanding the interface concept wrong or the expected behavior is what should happen ?

Yes, you have the concept wrong. Interface endpoints have VPC-scope, not subnet-scope. This means that all instances in a given VPC will use the interface endpoints, regardless of which subnets they are in.

To solve this, disable Private DNS and manually in the instance specify the endpoint of the interface for the instance which should use it.

Marcin
  • 215,873
  • 14
  • 235
  • 294
  • Does the same goes for Gateway Endpoints are they VPC-scope too? – ziad hassan Apr 02 '23 at 23:49
  • 1
    @ziadhassan No. Gateway endpoints have subnet-scope. So you can change interface endpoint to gateway endpoint if only S3 or Dynamodb are concerned. – Marcin Apr 02 '23 at 23:50
  • @Marcin that isn't accurate. Gateway endpoints have route table scope. If multiple subnets share a common VPC route table, then either all of the subnets associated with that route table -- or none of them -- will use a given gateway endpoint, depending on whether the endpoint has an entry in the relevant route table. – Michael - sqlbot Apr 04 '23 at 01:54