Private Connectivity to S3 for Training Data Sets

Question

Pulumi · Accepted Answer

To establish private connectivity to an Amazon S3 bucket for training data sets, we can use AWS VPC endpoints. VPC endpoints enable you to privately connect your VPC to supported AWS services without needing an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Endpoints are virtual devices that are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks.

There are two types of VPC endpoints: interface endpoints (powered by AWS PrivateLink) and gateway endpoints. For S3, we use a gateway endpoint.

Below, I'll show you a Pulumi Python program that sets up a private S3 bucket and a VPC with a gateway endpoint to allow private access to the S3 bucket.

```python
import pulumi
import pulumi_aws as aws

# Create a new VPC
vpc = aws.ec2.Vpc("trainingVpc",
    cidr_block="10.0.0.0/16",
    enable_dns_hostnames=True,
    enable_dns_support=True)

# Create an internet gateway for the VPC
igw = aws.ec2.InternetGateway("trainingIgw",
    vpc_id=vpc.id)

# Create a route table for the VPC
route_table = aws.ec2.RouteTable("trainingRouteTable",
    vpc_id=vpc.id)

# Create a gateway endpoint for S3
s3_endpoint = aws.ec2.VpcEndpoint("trainingS3Endpoint",
    vpc_id=vpc.id,
    service_name="com.amazonaws.us-west-2.s3",
    route_table_ids=[route_table.id],  # Associate it with our route table
    policy=pulumi.Output.all(vpc.id, igw.id).apply(
        lambda args: json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*"
                ]
            }]
        })
    ))

# Create a subnet for the VPC
subnet = aws.ec2.Subnet("trainingSubnet",
    vpc_id=vpc.id,
    cidr_block="10.0.1.0/24",
    map_public_ip_on_launch=True)

# Associate route table to the subnet
route_table_association = aws.ec2.RouteTableAssociation("trainingRouteTableAssociation",
    subnet_id=subnet.id,
    route_table_id=route_table.id)

# Create an S3 bucket for training data sets
bucket = aws.s3.Bucket("trainingDataSets",
    acl="private")

# Output the S3 bucket name
pulumi.export('bucket_name', bucket.id)

# Output the VPC ID
pulumi.export('vpc_id', vpc.id)

# Output the VPC endpoint ID
pulumi.export('vpc_endpoint_id', s3_endpoint.id)
```

This program will achieve the following:

1. **VPC Creation**: A new VPC is created with a specified CIDR block that will contain our resources.

2. **Internet Gateway Setup**: An Internet Gateway is attached to our VPC to allow communication between resources within our VPC and the internet.

3. **Route Table and Subnet**: A Route Table is created for directing traffic within the VPC, along with a subnet that defines a range of IP addresses in our VPC.

4. **S3 VPC Endpoint**: This is a crucial part as it creates a gateway VPC endpoint for S3, allowing access to S3 buckets within the VPC without traversing the internet. We are also setting a policy to permit actions like `GetObject` on the S3 bucket we will create.

5. **S3 Bucket**: An S3 bucket is created with the ACL set to `private` to store training data sets. This bucket is only accessible from within the VPC or through signed URLs.

After running this Pulumi program, you'll have a private S3 bucket and a VPC setup that can access this S3 bucket without the traffic leaving the AWS network, which is both secure and often has lower latency.

Please modify the `region`, `cidr_block`, and S3 bucket policies as per your requirements. The `bucket_name` within the policy should also match the name of your S3 bucket. After deployment, in your Pulumi stack outputs, you will find the names and IDs of the created resources that you can use to reference in other parts of your AWS environment or Pulumi programs.