VPC endpoints

If the VPC and S3 bucket are in the same region, is there a need to create a VPC endpoint for S3? Or does AWS by default use an internal route to connect to S3 without going outside of the network?
  • Chris G

    I'm no AWS expert, but I think that's the whole point of endpoints, as per the course.

    The S3 endpoint is a PUBLIC endpoint; therefore, traffic from your VPC will try to route via the internet to get to that endpoint. It will be a public IP.

    When you create an S3 VPC endpoint, it will be an IP available directly from your VPC, so routing will be internal and will not egress to the internet.

  • Anthony J

    This is a great question. Chris, your answer is a bit off so let me explain.

    When you have a VPC you have "isolated resources". This means that if there is no route out of the internal VPC, it cannot communicate with anything that does not belong to a VPC. For example, S3 buckets do not belong to a VPC; only compute resources do. So for your EC2 instance to communicate with an S3 bucket, it would need to have a NAT gateway or a public IP address on a subnet that has an internet gateway attached to it. This creates a few issues: #1, managing those resources, and #2, the traffic will route over the internet and public routers, which is obviously going to be slower than internal routing.

    So if you have EC2 instances and you want them to communicate directly with an S3 bucket without managing those resources or going over the open internet, then you would use an S3 endpoint for the VPC, which creates a private LINK between S3 and your VPC.

    1. Speed
    2. Less managing of resources
    3. Security
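    The "Security" benefit above can be made concrete by pinning the bucket to the endpoint. As an added example (not code from the course or from this thread), the bucket policy below denies any request that did not arrive through a given S3 gateway endpoint, and a small, deliberately simplified evaluator shows which request contexts it admits; the endpoint ID and bucket name are constructed placeholders.

```python
import fnmatch

# Constructed placeholder identifiers, not values from any real account.
VPCE_ID = "vpce-0123456789abcdef0"
BUCKET = "example-bucket"

# Bucket policy: explicitly deny every S3 action unless the request reached S3
# through the gateway endpoint. S3 populates aws:SourceVpce only for endpoint
# traffic, so a request that took the NAT/internet-gateway path carries no such
# key, the StringNotEquals test holds and the Deny applies.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessViaVpce",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}

def _condition_holds(cond, ctx):
    """Simplified check for the String(Not)Equals operators used above.
    Follows IAM's rule that a negated operator is satisfied when the key is
    absent from the request context."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True

def request_allowed(policy, action, resource, ctx, identity_allows=True):
    """True unless a Deny statement matches; identity_allows stands in for the
    caller's IAM policy, which an explicit Deny always overrides (simplified)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            return False
    return identity_allows
```

    Such a Deny also blocks console and CLI access from outside the VPC, including your own administrators, so production policies usually carve out a break-glass role with an aws:PrincipalArn condition before applying it.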

  •
    Thanks, Anthony and Chris.

    @anthony, makes sense. So, to clarify: it doesn't matter whether your VPC and bucket are in the same or a different region; it's good practice, and due to the above benefits, a private link, i.e. a VPC S3 endpoint, should be created.
