How do I route traffic to S3 through a private VPC endpoint?
In this guide, we will create an AWS VPC, set up a private VPC endpoint for S3, and configure routing to ensure that all traffic to the S3 bucket goes through this endpoint. This setup enhances security by keeping the traffic within the AWS network.
Key Points
- Create a VPC with public and private subnets.
- Set up a gateway VPC endpoint for S3 and attach it to the private subnet's route table.
- Configure route tables to direct S3 traffic through the VPC endpoint.
Below is the Pulumi program in TypeScript to achieve this:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create a VPC. DNS support and hostnames are required so that S3 hostnames
// resolve to the prefix-list addresses that the gateway endpoint routes.
const vpc = new aws.ec2.Vpc("myVpc", {
    cidrBlock: "10.0.0.0/16",
    enableDnsHostnames: true,
    enableDnsSupport: true,
});

// Create an Internet Gateway (used only by the public subnet)
const igw = new aws.ec2.InternetGateway("myIgw", {
    vpcId: vpc.id,
});

// Create the public subnet. The hard-coded availability zone must belong to
// the region the AWS provider is configured with.
const publicSubnet = new aws.ec2.Subnet("publicSubnet", {
    vpcId: vpc.id,
    cidrBlock: "10.0.1.0/24",
    availabilityZone: "us-west-2a",
    mapPublicIpOnLaunch: true,
});

// Create the private subnet (no public IPs, no route to the Internet Gateway)
const privateSubnet = new aws.ec2.Subnet("privateSubnet", {
    vpcId: vpc.id,
    cidrBlock: "10.0.2.0/24",
    availabilityZone: "us-west-2a",
});

// Create a route table for the public subnet with a default route to the IGW
const publicRouteTable = new aws.ec2.RouteTable("publicRouteTable", {
    vpcId: vpc.id,
    routes: [
        {
            cidrBlock: "0.0.0.0/0",
            gatewayId: igw.id,
        },
    ],
});

// Associate the route table with the public subnet
new aws.ec2.RouteTableAssociation("publicRouteTableAssociation", {
    subnetId: publicSubnet.id,
    routeTableId: publicRouteTable.id,
});

// Create a route table for the private subnet. No S3 route is declared here:
// a gateway endpoint inserts its own route (destination = the S3 prefix list)
// into every route table it is associated with, and the VPC CIDR is already
// covered by the implicit "local" route, so a manual 10.0.0.0/16 route that
// points at the endpoint is rejected by the API.
const privateRouteTable = new aws.ec2.RouteTable("privateRouteTable", {
    vpcId: vpc.id,
});

// Associate the route table with the private subnet
new aws.ec2.RouteTableAssociation("privateRouteTableAssociation", {
    subnetId: privateSubnet.id,
    routeTableId: privateRouteTable.id,
});

// Create the S3 gateway endpoint and attach it to the private route table, so
// S3 traffic from the private subnet stays on the AWS network. The service
// name is derived from the provider's region rather than hard-coded.
const s3VpcEndpoint = new aws.ec2.VpcEndpoint("s3VpcEndpoint", {
    vpcId: vpc.id,
    serviceName: pulumi.interpolate`com.amazonaws.${aws.getRegionOutput().name}.s3`,
    vpcEndpointType: "Gateway",
    routeTableIds: [privateRouteTable.id],
});

// Export the VPC ID, subnet IDs and endpoint ID
export const vpcId = vpc.id;
export const publicSubnetId = publicSubnet.id;
export const privateSubnetId = privateSubnet.id;
export const s3VpcEndpointId = s3VpcEndpoint.id;
```
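Routing only decides the path taken by traffic that originates inside the private subnet; it does not stop a request to the bucket that arrives from anywhere else. The usual complement is a bucket policy keyed on `aws:sourceVpce`. The block below is an added example, not part of the original program: it builds that policy (with a break-glass exemption so the account cannot lock itself out) and includes a small evaluator for the two condition keys, so the policy's effect can be checked offline. The bucket ARN, endpoint ID and admin role ARN are caller-supplied placeholders.

```typescript
// Added example (not from the original page): an endpoint-only S3 bucket policy
// and an offline evaluator for its StringNotEquals conditions.

interface PolicyDoc {
  Version: "2012-10-17";
  Statement: Array<{
    Sid: string;
    Effect: "Allow" | "Deny";
    Principal: "*";
    Action: string;
    Resource: string[];
    Condition: { StringNotEquals: Record<string, string> };
  }>;
}

/** Deny every S3 action on the bucket unless the request came through `vpceId`
 *  OR was made by the break-glass principal `adminRoleArn` (both placeholders).
 *  The two keys share one StringNotEquals block, so they are ANDed: the Deny
 *  fires only when neither matches. Without the exemption, console and CLI
 *  requests (which carry no VPCE) would be locked out of the bucket. */
export function buildEndpointOnlyBucketPolicy(
  bucketArn: string, vpceId: string, adminRoleArn: string): PolicyDoc {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "DenyUnlessFromVpcEndpoint",
      Effect: "Deny",
      Principal: "*",
      Action: "s3:*",
      Resource: [bucketArn, `${bucketArn}/*`],
      Condition: { StringNotEquals: { "aws:sourceVpce": vpceId, "aws:PrincipalArn": adminRoleArn } },
    }],
  };
}

/** Request context as IAM sees it; an undefined field means the key is absent. */
export interface RequestContext { sourceVpce?: string; principalArn?: string; }

/** True when some Deny statement applies. A StringNotEquals block matches when
 *  every listed key differs from the context value; an absent key counts as
 *  "not equal", because negated operators match on missing keys in IAM. */
export function isDeniedByPolicy(policy: PolicyDoc, ctx: RequestContext): boolean {
  const have: Record<string, string | undefined> = {
    "aws:sourceVpce": ctx.sourceVpce,
    "aws:PrincipalArn": ctx.principalArn,
  };
  return policy.Statement.some(s => s.Effect === "Deny" &&
    Object.entries(s.Condition.StringNotEquals).every(([k, want]) => have[k] !== want));
}
```

To attach it from the program above, pass the serialized document to `aws.s3.BucketPolicy` via `pulumi.all([bucket.arn, s3VpcEndpoint.id]).apply(([arn, vpce]) => JSON.stringify(buildEndpointOnlyBucketPolicy(arn, vpce, adminRoleArn)))`, where `bucket` is an `aws.s3.Bucket` the original program does not create.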
Summary
In this guide, we created a VPC with both public and private subnets, set up a VPC endpoint for S3, and configured the route tables to direct S3 traffic through the VPC endpoint. This ensures that all traffic to the S3 bucket remains within the AWS network, enhancing security and reducing exposure to the public internet.