Accessing Amazon S3 from a private VPC subnet

Tags: amazon-s3, amazon-vpc, amazon-web-services

If I have a VPC running and some servers located in the private portion of that network that do backend processing by downloading files from Amazon S3, can I access S3 internally to get at those files? Or do I have to access the public internet via NAT, download S3 files over HTTPS, and process that way?

Best Answer

With a username like "The Internet", I'd expect you to know this. But since you asked...

:)

VPCs are truly private. Only traffic that you explicitly allow can transit the borders of the VPC.

So, inside a VPC, instances needing access to external resources either need to be assigned an EIP (in which case they can access external resources using AWS's infrastructure), or you need to provide a NAT host (in which case all of the traffic egresses the VPC via your own NAT).

If you opt to provide your own NAT host, remember that you'll need to disable source/dest checking on that instance as well as add a default route to your private subnet, pointing to the NAT host.

UPDATE (2015-05-10): As of May 11th, 2015, AWS has released a "VPC Endpoint" for S3, which allows access to S3 directly from a VPC without having to go through a proxy host or NAT instance. Thankfully, out of respect for the truly private nature of VPC, this feature is off by default, but it can be easily turned on using the AWS Console or through their API.
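The endpoint route described in the update, done with the AWS CLI rather than the Console, as an added example that is not part of the original answer. It attaches a least-privilege endpoint policy (the endpoint is a path out of the VPC, so it is scoped to the one bucket the backend needs rather than the default "*") and includes a check that the S3 prefix-list route actually landed in the private subnet's route table. The VPC, route-table, endpoint and prefix-list IDs and the bucket name are placeholders, and the sample route-table JSON is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): create an S3 gateway endpoint
# for a private subnet with the AWS CLI and confirm the route was installed.
# All IDs below (vpc-..., rtb-..., vpce-..., pl-...) are placeholders.
set -euo pipefail

# Endpoint policy: limit what can be reached through the endpoint to reading
# the single bucket the backend servers download from.
endpoint_policy() {
  local bucket="$1"
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",
 "Action":["s3:GetObject","s3:ListBucket"],
 "Resource":["arn:aws:s3:::${bucket}","arn:aws:s3:::${bucket}/*"]}]}
EOF
}

# Create the gateway endpoint and associate it with the private subnet's
# route table; AWS installs a route for the regional S3 prefix list via it.
# Not called at top level: it needs live credentials. Prints the endpoint ID.
create_s3_endpoint() {
  local vpc="$1" rtb="$2" region="$3" bucket="$4"
  aws ec2 create-vpc-endpoint \
    --vpc-id "$vpc" \
    --service-name "com.amazonaws.${region}.s3" \
    --vpc-endpoint-type Gateway \
    --route-table-ids "$rtb" \
    --policy-document "$(endpoint_policy "$bucket")" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Check: given the JSON printed by
#   aws ec2 describe-route-tables --route-table-ids <rtb>
# return 0 if some route points at a vpce- gateway, 1 otherwise.
route_table_has_endpoint_route() {
  printf '%s' "$1" | grep -q '"GatewayId": *"vpce-'
}

# Constructed samples shaped like describe-route-tables output: the private
# route table before and after the endpoint association.
SAMPLE_BEFORE='{"RouteTables":[{"Routes":[{"DestinationCidrBlock":"10.0.0.0/16","GatewayId":"local"}]}]}'
SAMPLE_AFTER='{"RouteTables":[{"Routes":[{"DestinationCidrBlock":"10.0.0.0/16","GatewayId":"local"},{"DestinationPrefixListId":"pl-0example","GatewayId":"vpce-0example"}]}]}'
```

Run `create_s3_endpoint vpc-0example rtb-0example us-east-1 backend-input` with credentials in place, then feed the real `describe-route-tables` output to `route_table_has_endpoint_route` to confirm the private subnet now reaches S3 without the NAT host.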