This lab walks you through the steps to create a VPC endpoint for Amazon S3 and access S3 from an EC2 instance in a private subnet.
The EC2 instance in the private subnet is reached through a bastion host, that is, an EC2 instance in a public subnet.
Duration: 90 minutes
AWS Region: US East (N. Virginia)
A bastion host is a system that is exposed to the internet.
In terms of security, the bastion is the only server exposed to the internet, so it must be hardened against malicious attacks.
A bastion host is also known as a jump box. It is a computer that acts as a proxy server and lets a client machine connect to a remote server.
It usually resides outside the firewall.
In this lab, we use the bastion instance, which sits in the public subnet, to SSH into the private instance.
A VPC endpoint lets you securely connect your VPC to supported AWS services, powered by AWS PrivateLink. AWS PrivateLink is a service that allows you to access AWS services using private IP addresses. In this case, traffic does not leave Amazon's network.
A VPC endpoint does not require a NAT gateway, NAT instance, internet gateway, or any VPN service to reach AWS services.
There are two types of VPC endpoints: Gateway and Interface.
The VPC endpoint for S3 is a Gateway endpoint.
When you create a VPC endpoint for S3, it asks for the route table, then adds a route to the S3 prefix list to that route table. You cannot modify or delete the route-table entry created by the endpoint.
Launching Lab Environment
Create a VPC
Create and attach an Internet Gateway with custom VPC
Create a Public and Private Subnet
Configure the Public subnet to enable auto-assign public IPv4 address
Add a route to the internet (0.0.0.0/0) in the main route table.
Create a Route Table for the Private subnet
Associate the private subnet with the custom route table (the RT for the private subnet)
Create security groups
Create a Bastion Host (Publicly accessible EC2 Instance)
Create an Endpoint instance (Privately accessible EC2 instance)
SSH into Endpoint instance (Privately accessible) through Bastion host
Create a VPC endpoint for S3 and attach it to the private subnet's route table.
List all S3 buckets and their objects.
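To check the outcome of the last two steps, here is an added Python helper that is not part of the lab: it builds a least-privilege endpoint policy for one bucket (the default policy an S3 gateway endpoint gets allows everything), and it inspects a route table in the shape returned by `aws ec2 describe-route-tables` to confirm the endpoint's prefix-list route is present and no default route to an internet gateway is. All IDs and the bucket name are constructed placeholders.

```python
# Least-privilege endpoint policy for the lab bucket. The default policy on an
# S3 gateway endpoint is Allow * on *, so a narrow policy limits what an
# instance in the private subnet can reach through the endpoint.
def s3_endpoint_policy(bucket):
    arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyLabBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
            "Resource": [arn, arn + "/*"],
        }],
    }

# Routes the endpoint added: destination is a prefix list, target is a vpce-.
# The dict shape mirrors one RouteTables[] entry from
# `aws ec2 describe-route-tables`.
def endpoint_routes(route_table):
    return [
        (r["DestinationPrefixListId"], r["GatewayId"])
        for r in route_table.get("Routes", [])
        if "DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")
    ]

# Findings for the private subnet's route table: it must carry the endpoint's
# prefix-list route and must not carry a default route through an IGW.
def check_private_route_table(route_table):
    findings = []
    if not endpoint_routes(route_table):
        findings.append("missing S3 gateway-endpoint (prefix-list) route")
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-"):
            findings.append("default route to an internet gateway: subnet is not private")
    return findings

# Constructed sample (placeholder IDs) of the private route table after the
# endpoint step: the local route plus the prefix-list route the endpoint added.
SAMPLE_PRIVATE_RT = {
    "RouteTableId": "rtb-PLACEHOLDER",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-PLACEHOLDER", "GatewayId": "vpce-PLACEHOLDER", "State": "active"},
    ],
}
```

Feed `check_private_route_table` the JSON from `aws ec2 describe-route-tables --route-table-ids <private RT id>` to confirm the private subnet still has no path to the internet after the endpoint is attached.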