[S3/AWS] How to reduce S3’s cost by the gateway and interface endpoints (PrivateLink)

Posted on September 24, 2024 by nim

Normally, an EC2 instance in a private subnet reaches S3 through the NAT gateway and the internet gateway.

If you regularly upload and download large files to and from S3, the internet gateway will cost you a very large amount.

So our solution is to route the S3 traffic through gateway and interface endpoints, and we have three cases:

  • An S3 bucket in account A, an EC2 instance in account A, both in the same region
  • An S3 bucket in account A, an EC2 instance in a different account B, but both in the same region A
  • An S3 bucket in account A, an EC2 instance in a different account B, and in a different region B


1) An S3 bucket in account A, ec2 in account A, both in the same region

In this case, in account A we need to create an S3 gateway endpoint.

Go to VPC and, in the left menu, choose Endpoints.

Then click Create endpoint.

Let's go through the options that matter.

In the Service section, search for S3 and it returns the options below. Let's look at what each option means.

com.amazonaws.s3-global.accesspoint

  • This represents the global access point for Amazon S3. Access points are named network endpoints that are attached to buckets and allow for more granular access controls. With global access points, you can create endpoints that provide secure, VPC-specific access to S3 across AWS Regions. It simplifies access management when working with data in multiple regions.

com.amazonaws.us-west-2.s3

  • This is the primary service endpoint for accessing Amazon S3 in the us-west-2 region. If you’re setting up a VPC endpoint for general S3 access in this region, this is the one to use. It allows your resources within the VPC to access S3 over AWS’s internal network, bypassing the need to use the public internet, which improves security and potentially reduces costs.

com.amazonaws.us-west-2.s3-outposts

  • Amazon S3 Outposts extends S3 to your on-premises environment, so you can store data locally and meet data residency or latency-sensitive application needs. This service endpoint is used when interacting with S3 storage that’s managed via AWS Outposts in the us-west-2 region.

com.amazonaws.us-west-2.s3express

  • S3 Express endpoints are specialized endpoints for high-speed access to S3 resources. They offer optimized performance for applications that require large amounts of data to be processed or transferred quickly between your VPC and S3. This is also specific to the us-west-2 region.

Here I pick com.amazonaws.us-west-2.s3 and choose the Gateway type.

Next is the VPC and route table section.

Here you identify which VPC your EC2 instance is in and which route table it uses to reach S3, then select that VPC and that route table.
The simple approach is to select the VPC and tick every route table in that VPC.

For Policy, choose Full Access; this means the S3 gateway endpoint you create can access every S3 bucket.

After clicking Create, open one of the route tables and you will see the magic.

A route to pl-xxxx has been created; this is called a Managed prefix list.
The prefix list contains, as its destination, the com.amazonaws.us-west-2.s3 service that you declared when creating the gateway endpoint.

==> When EC2 calls the domain s3.us-west-2.amazonaws.com, the traffic is routed through the gateway endpoint.
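To check that the step above actually took effect on every route table, and to replace the Full Access policy with one that only allows the buckets you own, here is an added Python check (written for this post, not code from the original article). It runs offline on constructed, trimmed copies of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-route-tables` output; every vpce-/rtb-/pl-/nat- id is a placeholder.

```python
# Constructed sample (not real resources): trimmed shape of
# `aws ec2 describe-vpc-endpoints` output for the gateway endpoint from step 1.
ENDPOINT = {
    "VpcEndpointId": "vpce-0a1b2c3d4e5f60718",
    "ServiceName": "com.amazonaws.us-west-2.s3",
    "VpcId": "vpc-0123456789abcdef0",
    "RouteTableIds": ["rtb-0aaa111122223333a"],
}

# Constructed sample: trimmed `aws ec2 describe-route-tables` output for the same VPC.
# rtb-...a was ticked at creation and got the managed prefix-list route; rtb-...b was not.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa111122223333a", "VpcId": "vpc-0123456789abcdef0",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9876543210"},
                {"DestinationPrefixListId": "pl-0placeholder", "GatewayId": "vpce-0a1b2c3d4e5f60718"}]},
    {"RouteTableId": "rtb-0bbb111122223333b", "VpcId": "vpc-0123456789abcdef0",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9876543210"}]},
]


def route_tables_missing_endpoint(endpoint, route_tables):
    """Ids of route tables in the endpoint's VPC with no pl-* route to the endpoint:
    subnets using them still send S3 traffic through the NAT gateway (and pay for it)."""
    missing = []
    for rt in route_tables:
        if rt["VpcId"] != endpoint["VpcId"]:
            continue
        via_endpoint = any(
            r.get("DestinationPrefixListId", "").startswith("pl-")
            and r.get("GatewayId") == endpoint["VpcEndpointId"]
            for r in rt["Routes"]
        )
        if not via_endpoint:
            missing.append(rt["RouteTableId"])
    return missing


def least_privilege_endpoint_policy(bucket_names, actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """Endpoint policy that only allows the named buckets, instead of the console's
    Full Access default, which lets any S3 bucket in the region be reached via the endpoint."""
    resources = []
    for name in bucket_names:
        resources += [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "AllowOnlyNamedBuckets", "Effect": "Allow", "Principal": "*",
                           "Action": list(actions), "Resource": resources}]}
```

Feed the real CLI JSON into the two constants and any route table id returned by `route_tables_missing_endpoint` is one you forgot to tick; the policy dict can be passed as the endpoint's policy document in place of Full Access.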

2) An S3 bucket in account A, an ec2 instance in a different account B, but both in the same region A

In this model, we create the S3 gateway endpoint in account B, where the client is located.
