A VPC endpoint enables customers to privately connect to supported AWS services and to VPC endpoint services using AWS PrivateLink. Instances in a VPC can communicate with these services without a public IP address, which means the traffic between the Amazon VPC and the service does not leave the Amazon network. That is one of the best security features you get by using endpoints.
There are two types of VPC endpoints:
Interface endpoints:: Interface endpoints enable connectivity to services over AWS PrivateLink. These services include some AWS managed services, services hosted by other AWS customers and partners in their own Amazon VPCs (referred to as endpoint services), and supported AWS Marketplace partner services. The owner of a service is a service provider. The principal creating the interface endpoint and using that service is a service consumer.
An interface endpoint is a collection of one or more elastic network interfaces with a private IP address that serves as an entry point for traffic destined to a supported service.
Gateway endpoints :: A gateway endpoint targets specific IP routes in an Amazon VPC route table, in the form of a prefix-list, used for traffic destined to Amazon DynamoDB or Amazon Simple Storage Service (Amazon S3). Gateway endpoints do not enable AWS PrivateLink.
PS Note ::
NAT gateway cost is around 0.045 / hr
S3 usage cost is 0.045 / GB
So if you are using AWS endpoints, you are actually doing a cost saving in your project.
Here is another analogy,
To enter your friend's house, you need to travel along the road and enter through the door. But your friend is very good and always wants to remain connected, so he built an underground tunnel that connects your house to his, without opening the door. Now you don't need to travel via the road and enter through the door; you can use that private tunnel directly and easily reach your friend without opening the door.
Implementation :
Step 1) Create a VPC network as shown to you previously. You can use the range 10.0.0.0/16 and select 1 public and 1 private subnet.
PS * , while creating the VPC from the GUI, you need to set “ Endpoint = None “
Step 2 ) Create 2 EC2 instances; one EC2 instance will use the public subnet and the other will use the private subnet of the VPC created above.
Step 3 ) Create an S3 bucket using the options below
ACL Enabled ✅
Block All Public Access (Uncheck this)
Once this is done, click on → Create Bucket → and upload an image to the bucket.
Once the image is uploaded, make the changes below to the image file that you uploaded,
else you will not be able to download the image.
Step 4 ) Now SSH to the public box and try downloading the image from the S3 bucket; it should be successful
wget <image url in s3>
Also SSH into the private EC2 from the public EC2 box: first copy the .pem file there and give it proper permissions (chmod 400 <filename.pem>), SSH from there, and try to wget the image the same way, but you will not be able to download it
Step 4 ) Create a NAT Gateway
VPC → NAT Gateway → select the public subnet while creating the NAT Gateway
Once this is done you need to make changes in the route table of the private subnet and save the changes. The status should show as Active; only then will it work.
Now try to download the image from S3 on the private EC2 instance; it will work. But this is the straightforward way, where traffic goes out over the public Internet. In the analogy above, it is going to your friend's home via the road, which incurs more cost and is a security risk as well.
Implementing Endpoint :: ( Gateway Endpoint )
Step 5 ) Delete the previously created NAT Gateway and Elastic IP, as they will incur cost, and go to the VPC dashboard
VPC → Endpoint →
Give a proper name → Select AWS Service → search S3, type should be Gateway → select the proper VPC → select the private subnet → Policy “Full access” → Create Endpoint
Once done, go to Route Table → the private route table of your subnet; you will see the endpoint is associated with it
Now you can access the S3 image directly from the private EC2 instance without any issue.
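As an added example (not from the original post), the same gateway endpoint expressed in Terraform, assuming the VPC ID, private route table ID and bucket name are supplied as variables. Instead of the console's “Full access” policy it scopes the endpoint to the one bucket, and adds a bucket policy that only admits requests arriving through that endpoint.

```terraform
# Added example, not from the original post. The VPC, its private route
# table and the bucket name are assumed to be passed in as variables.
variable "region"        { type = string }
variable "vpc_id"        { type = string }
variable "private_rt_id" { type = string }
variable "bucket_name"   { type = string }

locals {
  bucket_arns = ["arn:aws:s3:::${var.bucket_name}", "arn:aws:s3:::${var.bucket_name}/*"]
}

# Gateway endpoint for S3: it inserts a prefix-list route into the private
# route table, so S3 traffic stays on the AWS network with no NAT gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.private_rt_id]

  # The post picks "Full access" in the console. This endpoint policy instead
  # allows only reads of the one bucket, so a private instance cannot use the
  # endpoint to reach any other bucket in any account.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "ReadOnlyOurBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:ListBucket"]
      Resource  = local.bucket_arns
    }]
  })
}

# Bucket-side counterpart: reject every request that does not arrive through
# this endpoint, so the image is reachable from the private subnet only.
resource "aws_s3_bucket_policy" "vpce_only" {
  bucket = var.bucket_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessViaEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = local.bucket_arns
      Condition = { StringNotEquals = { "aws:sourceVpce" = aws_vpc_endpoint.s3.id } }
    }]
  })
}
```

The Deny statement also blocks console and CLI requests from outside the VPC, including your own admin user, because those requests carry no aws:sourceVpce key. Add an exception for an admin role to the condition before applying it, or you will lock yourself out of the bucket.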
Implementing Endpoint :: ( Interface Endpoint )
Step 6 ) First go to IAM → Role → Create Role → EC2 → select the 2 policies below → Create Role
Then attach the role to both the public and private EC2 instances and reboot them
Step 7 ) Now go to AWS Systems Manager → Session Manager → Start Session
You will see only the public box there.
The private box should also be visible there; to make it visible, follow the steps below.
Step 8 ) We need to create 3 endpoints (for ec2messages, ssmmessages, ssm)
Click on Create Endpoints → name = ec2messages → service = ec2messages (select with type = Interface) → VPC (select your VPC) → select the proper Availability Zone that has the private subnet in it → select the security group of that subnet → Create Endpoint
Click on Create Endpoints → name = ssmmessages → service = ssmmessages (select with type = Interface) → VPC (select your VPC) → select the proper Availability Zone that has the private subnet in it → select the security group of that subnet → Create Endpoint
Click on Create Endpoints → name = ssm → service = ssm (select with type = Interface) → VPC (select your VPC) → select the proper Availability Zone that has the private subnet in it → select the security group of that subnet → Create Endpoint
Now reboot the instance
Step 9 ) In step 7 you were only able to see the public EC2 instance, but now you will be able to see both the public and private EC2 instances
From here we select a session on the private instance and access the image from the S3 bucket
Thanks for reading till here, please try to implement it !!!
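The three Session Manager interface endpoints from step 8, as an added Terraform example (not from the original post). It assumes the VPC ID and the private subnet IDs are supplied as variables, and uses a dedicated security group for the endpoint network interfaces rather than reusing the subnet's group, since the only traffic those interfaces ever need is HTTPS from inside the VPC.

```terraform
# Added example, not from the original post. VPC and private subnets are
# assumed to be passed in as variables.
variable "region"             { type = string }
variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }

data "aws_vpc" "this" { id = var.vpc_id }

# Security group on the endpoint ENIs: the SSM agent on the instances talks
# to them over TCP/443, so that is the only inbound rule required.
resource "aws_security_group" "ssm_endpoints" {
  name   = "ssm-endpoints"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# The same three services the post creates by hand in the console.
locals { ssm_services = toset(["ssm", "ssmmessages", "ec2messages"]) }

resource "aws_vpc_endpoint" "ssm" {
  for_each           = local.ssm_services
  vpc_id             = var.vpc_id
  service_name       = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [aws_security_group.ssm_endpoints.id]
  # Private DNS makes ssm.<region>.amazonaws.com resolve to the endpoint ENIs
  # inside the VPC, so the agent needs no configuration change. It requires
  # enableDnsSupport and enableDnsHostnames to be on for the VPC.
  private_dns_enabled = true
  tags                = { Name = each.key }
}
```

After apply, the private instance registers with Systems Manager without any NAT gateway or public IP, which is exactly what step 9 checks for.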