otterley 5 days ago

Gateway endpoints are free. Network endpoints (which are basically AWS-managed ENIs that can tunnel through VPC boundaries) are not free.

S3 can use either, and we recommend establishing VPC Gateway endpoints by default whenever you need S3 access.

(Disclaimer: I work for AWS, opinions are my own.)

JoshTriplett 5 days ago | parent | next [-]

That's fascinating! I hadn't found that in the documentation; everything seems to steer people towards PrivateLink, not gateway endpoints.

Would you recommend using VPC Gateway even on a public VPC that has an Internet gateway (note: not a NAT gateway)? Or only on a private VPC or one with a NAT gateway?

otterley 5 days ago | parent | next [-]

I recommend S3 Gateways for all VPCs that need to access S3, even those that already have routes to the Internet. Plus they eliminate the need for NAT Gateway traversal for requests that originate from private subnets.

JoshTriplett 5 days ago | parent [-]

> I recommend S3 Gateways for all VPCs that need to access S3, even those that already have routes to the Internet.

Fascinating. What's the advantage of doing that?

donavanm 5 days ago | parent [-]

It's a much more direct/efficient connection from the EC2 instance to the S3 storage servers through the virtual network layer. It reduces the network path/length through the AWS network _and_ removes the number of virtual network functions/servers (à la "LB") that your connections will traverse.

JoshTriplett 4 days ago | parent [-]

That's helpful to know, thank you! I'll take a look at that and see if it improves S3 performance.

paulddraper 5 days ago | parent | prev | next [-]

> everything seems to steer people towards PrivateLink, not gateway endpoints

Gateway endpoints only work for some things.

Hikikomori 5 days ago | parent | prev [-]

PrivateLink endpoints can be of type gateway or interface. Only gateway is free and only S3 and DynamoDB support it.

kbolino 5 days ago | parent | prev [-]

Fair point, and valid for S3 (the topic at hand) and DynamoDB.

Other AWS services, though, don't support gateway endpoints.

mdaniel 5 days ago | parent [-]

https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-e...

~~I get the impression there are several others, too, but that one is of especial interest to me~~ Wowzers, they really are much better now:

  aws --region us-east-1 ec2 describe-vpc-endpoint-services | jq '.ServiceNames|length'
  459

If you're saying "other services should offer VPC Endpoints," I am 100% on-board. One should never have to traverse the Internet to contact any AWS control plane

watermelon0 5 days ago | parent [-]

Those are VPC endpoints, not gateway endpoints.

kbolino 4 days ago | parent [-]

Both interface endpoints and gateway endpoints are also called VPC endpoints. The former get distinct IP addresses in your VPC subnets while the latter get distinct entries in your VPC routing tables. They are even created with the same API call: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_C...
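As an added example (not from any commenter in the thread): a Python script that reads `describe-vpc-endpoint-services` output in the shape the AWS CLI returns and splits services by endpoint type, so a count of `ServiceNames` is not read as gateway support, then builds the `CreateVpcEndpoint` parameters for an S3 gateway endpoint with a bucket-scoped endpoint policy. The JSON sample and the `vpc-0example`, `rtb-0example` and bucket values are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-vpc-endpoint-services`
# output (ServiceDetails[].ServiceName, ServiceType[].ServiceType); not real output.
SAMPLE_RESPONSE = json.dumps({
    "ServiceDetails": [
        {"ServiceName": "com.amazonaws.us-east-1.s3",
         "ServiceType": [{"ServiceType": "Gateway"}, {"ServiceType": "Interface"}]},
        {"ServiceName": "com.amazonaws.us-east-1.dynamodb",
         "ServiceType": [{"ServiceType": "Gateway"}]},
        {"ServiceName": "com.amazonaws.us-east-1.ecr.api",
         "ServiceType": [{"ServiceType": "Interface"}]},
        {"ServiceName": "com.amazonaws.us-east-1.ecr.dkr",
         "ServiceType": [{"ServiceType": "Interface"}]},
    ]
})


def services_by_type(response_json):
    """Map endpoint type ('Gateway', 'Interface', ...) to the service names that
    offer it; the bare ServiceNames count mixes both kinds together."""
    by_type = {}
    for svc in json.loads(response_json)["ServiceDetails"]:
        for entry in svc["ServiceType"]:
            by_type.setdefault(entry["ServiceType"], set()).add(svc["ServiceName"])
    return by_type


def s3_gateway_endpoint_params(region, vpc_id, route_table_ids, bucket_arns):
    """Parameters for EC2 CreateVpcEndpoint (boto3: ec2.create_vpc_endpoint(**params)).
    A Gateway endpoint attaches to route tables, not subnets, and the endpoint
    policy limits which buckets are reachable through it (least privilege)."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [arn for b in bucket_arns for arn in (b, b + "/*")],
        }],
    }
    return {
        "VpcEndpointType": "Gateway",
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.s3",
        "RouteTableIds": list(route_table_ids),
        "PolicyDocument": json.dumps(policy),
    }


if __name__ == "__main__":
    print(sorted(services_by_type(SAMPLE_RESPONSE)["Gateway"]))
    print(json.dumps(s3_gateway_endpoint_params(
        "us-east-1", "vpc-0example", ["rtb-0example"],
        ["arn:aws:s3:::example-bucket"]), indent=2))
```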