[S3/AWS] How to reduce S3’s cost by the gateway and interface endpoints (PrivateLink)

Theo 1 cách thông thường thì EC2 (in private subnet) accesses S3 thông qua NAT gateway và internet Gateway.

Nếu bạn thường xuyên upload and download file lớn lên S3 thì internet gateway cost bạn 1 khoản phí rất lớn.

Vậy thì solution của chúng ta sẽ là route traffic của S3 sang gateway and interface endpoints

và chúng ta sẽ có 3 case:

An S3 bucket in account A, ec2 in account A, both in the same region
An S3 bucket in account A, an ec2 instance in a different account B, but both in the same region A
An S3 bucket in account A, an ec2 instance in a different account B, and a different region B

Contents

1) An S3 bucket in account A, ec2 in account A, both in the same region

Lúc này ở account A chúng ta cần tạo 1 S3 gateway endpoint.

Bạn sẽ đi vào VPC và trong left menu rồi chọn endpoints.

Sau đó bạn click vào create endpoint.

Chúng ta sẽ giải thích các option cần thiết nào:

Phần Service bạn sẽ kiếm từ S3 thì nó ra 3 option bên dưới, Chúng ta tìm hiểu ý nghĩa của từng option.

com.amazonaws.s3-global.accesspoint

This represents the global access point for Amazon S3. Access points are named network endpoints that are attached to buckets and allow for more granular access controls. With global access points, you can create endpoints that provide secure, VPC-specific access to S3 across AWS Regions. It simplifies access management when working with data in multiple regions.

com.amazonaws.us-west-2.s3

This is the primary service endpoint for accessing Amazon S3 in the us-west-2 region. If you’re setting up a VPC endpoint for general S3 access in this region, this is the one to use. It allows your resources within the VPC to access S3 over AWS’s internal network, bypassing the need to use the public internet, which improves security and potentially reduces costs.

com.amazonaws.us-west-2.s3-outposts

Amazon S3 Outposts extends S3 to your on-premises environment, so you can store data locally and meet data residency or latency-sensitive application needs. This service endpoint is used when interacting with S3 storage that’s managed via AWS Outposts in the us-west-2 region.

com.amazonaws.us-west-2.s3express

S3 Express endpoints are specialized endpoints for high-speed access to S3 resources. They offer optimized performance for applications that require large amounts of data to be processed or transferred quickly between your VPC and S3. This is also specific to the us-west-2 region.

Đến đây thì mình chọn com.amazonaws.us-west-2.s3 và chọn option là Gateway.

Tiếp theo là phần VPC và route table.

Phần này bạn xác định được EC2 của bạn nằm trong VPC nào và nó sử dụng route table nào để đi đến s3 thì bạn chọn VPC đó và route table đó
Các đơn giản là bạn sẽ chọn VPC và chọn hết các route table trong VPC đó.

Policy thì bạn chọn Full Access điều này nghĩa là s3 gateway endpoint mà bạn tạo sẽ được access vào tất cả các S3 Bucket.

Sau khi click create thì bạn vào 1 route table và sẽ thấy điều thần kì.

Có 1 route pl-xxxx đã được tạo. nó được gọi là Managed prefix lists.
Trong Prefix Lists sẽ chứa destination là com.amazonaws.us-west-2.s3 mà bạn đã khai báo trong lúc create Endpoint Gateway.

==> KHi EC2 call đến domain s3.us-west-2.amazonaws.com nó sẽ route qua endpoint gateway.