Since the introduction of Amazon Simple Storage Service (S3), this service offered by Amazon Web Services (AWS) has delivered secure, durable and highly scalable object storage.

For those who may need a quick refresher as to why this is important, S3 enables the creation of a virtual private cloud (VPC), with security groups and access control lists (ACLs) used to control inbound and outbound traffic. Before this feature came into being, allowing the Elastic Compute Cloud (EC2) web service to access public resources required an Internet Gateway or a network address translation (NAT) instance.

VPC Endpoints for S3

Back in 2015, AWS simplified access to S3 resources from within the VPC with a concept called VPC Endpoint. These Endpoints are easy to configure, highly reliable and provide a secure connection to S3 that does not require a gateway or NAT instance. In fact, S3 was a pioneer at the time, becoming the first service to offer a VPC endpoint.

VPC Endpoints allow an EC2 instance running in a private subnet controlled access to S3 buckets, objects, and API functions in the same region as the VPC. The S3 bucket policy can be used to specify which VPCs and VPC Endpoints are permitted to access a bucket. In practice, this was done by setting up proxy servers with private IP addresses in the VPCs and routing them through gateway endpoints for S3.

While this solution typically worked, proxy servers can constrain performance, add operational complexity, and introduce additional points of failure. This was reportedly a source of frustration for Amazon, and the company solicited feedback from its customers to address the identified pain points, an effort that culminated in its AWS PrivateLink offering.

AWS PrivateLink to the rescue

To address these challenges, Amazon has introduced AWS PrivateLink for S3, which allows interface VPC endpoints for S3 to be provisioned inside the VPC so that traffic no longer has to cross the internet.

According to a recent AWS blog post, this feature (originally announced at AWS re:Invent 2020) is now generally available. As a result, S3 can be accessed directly as a private endpoint within a secure virtual network.

This extends the functionality of existing gateway endpoints by providing private connectivity between S3 and on-premises resources. API requests and HTTPS requests to S3 from on-premises applications are automatically directed through interface endpoints, connecting to S3 securely and privately over PrivateLink.

The graphic that accompanies this section (not reproduced here) shows the workflow associated with this feature. Image courtesy of AWS.

The use of interface endpoints simplifies the network architecture when connecting to S3 from on-premises applications, because it eliminates the need to configure firewall rules or an internet gateway. Beyond reducing complexity, it provides additional visibility into network traffic, since flow logs can be captured and monitored in the VPC. It also allows security groups and access control policies to be applied to the interface endpoints themselves.
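As an added illustration of the bucket-policy and endpoint access-control points above (example code, not from this page or from AWS), the following Python builds an S3 bucket policy that only admits requests arriving through one VPC endpoint, and evaluates its single Deny statement against requests that did and did not come through that endpoint. The bucket name, endpoint id and administrator role ARN are assumed values; `aws:SourceVpce` and `aws:PrincipalArn` are real IAM condition keys.

```python
import json
from typing import Optional

# All three values are assumed for illustration; substitute your own.
BUCKET = "example-private-bucket"
ENDPOINT_ID = "vpce-0123456789abcdef0"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/BucketAdmin"


def build_policy(bucket: str, vpce_id: str, admin_role: str) -> dict:
    """Bucket policy that denies every S3 action unless the request arrived
    through the given VPC endpoint. The admin role is exempted so that an
    operator working from outside the VPC is not locked out by the Deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {
                "StringNotEquals": {"aws:SourceVpce": vpce_id},
                "ArnNotEquals": {"aws:PrincipalArn": admin_role},
            },
        }],
    }


def policy_json(policy: dict) -> str:
    """Serialize the policy for `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


def is_denied(policy: dict, principal_arn: str, source_vpce: Optional[str]) -> bool:
    """Evaluate the Deny statement against a request context. Mirrors two IAM
    rules: operators inside one Condition block are ANDed, and a negated
    operator such as StringNotEquals matches when the key is absent, which is
    exactly the case for a request that came in over the public internet."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt["Condition"]
        not_via_endpoint = source_vpce != cond["StringNotEquals"]["aws:SourceVpce"]
        not_admin = principal_arn != cond["ArnNotEquals"]["aws:PrincipalArn"]
        if not_via_endpoint and not_admin:
            return True
    return False
```

The same `aws:SourceVpce` condition works for both gateway and interface endpoints; the exempted principal is what keeps an administrator from being locked out of the bucket by the Deny.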

Ultimately, the benefits of using AWS PrivateLink – secure traffic, simplified network management, the ability to accelerate your cloud migration – will be enhanced by the S3 expansion to all AWS regions. Infostretch has built up a powerful partner ecosystem, and our Advanced Consulting partnership with AWS is certainly one that can help move initiatives forward, both in terms of the time-to-market and an increase in digital maturity.