Access S3 files from Datacenter over VPN to VPC
Problem
I am trying to access S3 files from a non-EC2 machine. The non-EC2 machine is connected to the VPC over VPN and can also reach other hosts in the VPC.
- Created VPC Endpoint for S3
- Main routing table of VPC has route for S3 pointing to VPCe (pl-68a54001 (com.amazonaws.us-west-2.s3, 54.231.160.0/19, 52.218.128.0/17, 52.92.32.0/22))
- S3 bucket has Static website hosting enabled
- S3 bucket has a policy for accessing files from the VPCe (https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html)
I am able to download (wget) a file from S3 to EC2 in the VPC. When I try to do the same (wget) from the non-EC2 machine (which is in the Data Centre), I get a timeout. Anyone know what I need to do to get this working?
Solution
You need to use...
- the Internet, from your data center, to access S3 directly (not via the endpoint) or
- an AWS DirectConnect connection to access S3 directly (not via the endpoint) or
- an HTTP proxy server inside this VPC to access S3 (via the endpoint)
...because S3 endpoints are not designed to be used across VPN connections. They are only accessible from instances in the VPC where they exist.
Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-limitations
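One consequence of options 1 and 2 that is worth checking before switching paths, as an added example that is not part of the original answer: a bucket policy written to the pattern in the AWS doc the question links (deny unless aws:sourceVpce matches the gateway endpoint) will reject data-centre requests that reach S3 over the Internet or Direct Connect, because those requests never traverse the endpoint, while the proxy-in-VPC option still satisfies the condition. The policy, the endpoint id vpce-EXAMPLE, the bucket name and the evaluator below are constructed assumptions, a simplified model of IAM decision logic rather than the real engine.

```python
import json
from fnmatch import fnmatch
# Constructed bucket policy in the shape of the "restrict access to a VPC endpoint"
# pattern from the AWS docs linked in the question; the endpoint id is a placeholder.
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowReads", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-EXAMPLE"}}}
]}
""")

def condition_matches(condition, context):
    # Only the operators used above. An aws:sourceVpce key that is absent from the
    # request context satisfies StringNotEquals, so the Deny statement fires.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True

def evaluate(policy, action, resource, context):
    # Simplified IAM decision: an explicit Deny wins, else any Allow, else deny.
    allowed = False
    for st in policy["Statement"]:
        if not (fnmatch(action, st["Action"]) and fnmatch(resource, st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "DENY"
        allowed = True
    return "ALLOW" if allowed else "DENY"

# The three request paths from the thread (constructed contexts). Only traffic that
# actually passes through the gateway endpoint carries aws:sourceVpce.
PATHS = {
    "ec2_in_vpc_via_endpoint": {"aws:sourceVpce": "vpce-EXAMPLE"},
    "datacenter_direct_to_s3": {},  # Internet or Direct Connect: endpoint bypassed
    "datacenter_via_proxy_in_vpc": {"aws:sourceVpce": "vpce-EXAMPLE"},
}

def decisions():
    obj = "arn:aws:s3:::example-bucket/report.csv"
    return {name: evaluate(BUCKET_POLICY, "s3:GetObject", obj, ctx)
            for name, ctx in PATHS.items()}
```

Running decisions() shows ALLOW for the EC2 and proxy paths and DENY for the direct path, so if you pick option 1 or 2 the bucket policy has to be loosened (for example to the data centre's public source range) or the files stay unreachable even once routing works.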
Context
StackExchange DevOps Q#5744, answer score: 4