← Back to Labs
Advanced01:30:00

Access S3 from Private EC2 instance using VPC Endpoint

Task 1Task 2Task 3Task 4Task 5Task 6Task 7Task 8Task 9Task 10Task 11Task 12Task 13Task 14
Task 1

Task 1: Sign in to AWS Management Console

↑ Top
  1. Click on the Open Console button, and you will get redirected to AWS Console in a new browser tab.
  2. On the AWS sign-in page,
  3. Leave the Account ID as default. Never edit/remove the 12 digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab.
  4. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in AWS Console and click on the Sign in button
  5. Once Signed In to the AWS Management Console, Make the default AWS Region as US East (N. Virginia) us-east-1.
Task 2

Task 2: Create a VPC

↑ Top
  1. Make sure you are in the N.Virginia Region.
  2. Navigate to VPC by clicking on the Services menu at the top, then click on VPC in the Network and Content Delivery section.
  3. To create a VPC click on Your VPCs the present in the VIRTUAL PRIVATE CLOUD section on the left sidebar.
  4. Create a new VPC by clicking on the Create VPC button.
  5. Task 2: Create a VPC
  6. Select VPC only.
  7. Name tag - optional:Enter MyVPC
  8. IPv4 CIDR block: Enter 192.168.0.0/26
  9. IPv6 CIDR block: No IPv6 CIDR block
  10. Tenancy: Default
  11. Click on the Create VPC button to create the MyVPC.
  12. VPC is now created.
  13. Task 2: Create a VPC
Task 3

Task 3: Create and attach an Internet Gateway with custom VPC

↑ Top
  1. By default, instances that are launched in a VPC cannot communicate with the Internet. To enable Internet access, an Internet gateway needed to be attached to the VPC.
  2. Click on Internet Gateways from the left menu and click on Create internet gateway.
  3. Task 3: Create and attach an Internet Gateway with custom VPC
  4. Name Tag : Enter MyInternetGateway
  5. Click on Create internet gateway.
  6. Select the Internet gateway you created from the list.
  7. Click on Actions.
  8. Select the Attach to VPC.
  9. Task 3: Create and attach an Internet Gateway with custom VPC
  10. Available VPCs: Select the MyVPC
  11. Task 3: Create and attach an Internet Gateway with custom VPC
  12. And click on the Attach internet gateway button.
  13. The Internet gateway is now attached with MyVPC.
  14. Task 3: Create and attach an Internet Gateway with custom VPC
Task 4

Task 4: Create a Public and Private Subnet

↑ Top
  1. To create a subnet click on Subnets the present in the VIRTUAL PRIVATE CLOUD section on the left sidebar.
  2. Click on the Create Subnet button.
  3. Task 4: Create a Public and Private Subnet
  4. In the VPC ID, select MyVPC.
  5. Task 4: Create a Public and Private Subnet
  6. Create the first subnet, you will use this subnet to launch public instances, this subnet will be associated with the main route table of the VPC:
  7. Select the MyVPC from the drop-down.
  8. Subnet name: Enter Public subnet
  9. Availability Zone: Select US East (N. Virginia) / us-east-1a
  10. IPV4 CIDR block: Enter 192.168.0.1/27
  11. Click on the Create subnet button to create the subnet.
  12. Task 4: Create a Public and Private Subnet
  13. Create another subnet, click on the Create subnet button.
  14. The second will be called Private subnet, you will use this subnet to launch private instances, this subnet will be associated with a custom route table of the same VPC:
  15. Select the MyVPC from the drop-down.
  16. Subnet name: Enter Private subnet
  17. Availability Zone: Select US East (N. Virginia) / us-east-1b
  18. IPV4 CIDR block: Enter 192.168.0.32/27
  19. Finally, click on the Create Subnet button.
  20. Both the subnets are now created.
  21. Task 4: Create a Public and Private Subnet
Task 5

Task 5: Configure the Public subnet to enable auto-assign public IPv4 address

↑ Top
  1. To modify the auto-assign IP settings for the Public subnet, do the following: Select the Public subnet Click on the Actions button Choose Edit subnet settings from the options.
  2. To modify the auto-assign IP settings for the Public subnet, do the following:
  3. Select the Public subnet
  4. Click on the Actions button
  5. Choose Edit subnet settings from the options.
  6. Check the option Enable auto-assign public IPv4 address under Auto-assign IP settings.
  7. Task 5: Configure the Public subnet to enable auto-assign public IPv4 address
  8. Click on Save button and modification is done now.
  9. Task 5: Configure the Public subnet to enable auto-assign public IPv4 address
Task 6

Task 6: Create a Route Table for the Public subnet

↑ Top
  1. In this task, we are going to create public route tables and associate it with the subnet.
  2. Go to Route Tables from the left menu and click on Create route table button.Name: Enter PublicRouteTableVPC: Select MyVPC from the list.Click on Create route table button.
  3. Go to Route Tables from the left menu and click on Create route table button.
  4. Name: Enter PublicRouteTable
  5. VPC: Select MyVPC from the list.
  6. Click on Create route table button.
  7. Task 6: Create a Route Table for the Public subnet
  8. Repeat the same steps to create a route table for the Private subnet.Name: Enter PrivateRouteTableVPC: Select MyVPC from the list.Click on Create route table button.
  9. Repeat the same steps to create a route table for the Private subnet.
  10. Name: Enter PrivateRouteTable
  11. VPC: Select MyVPC from the list.
  12. Click on Create route table button.
  13. Now we will associate the subnets to the route tables.
  14. Select the PublicRouteTable and go to the Subnet Associations tab.Click on Edit subnet associations.Select MyPublicSubnet from the list.Click on Save associations button.
  15. Select the PublicRouteTable and go to the Subnet Associations tab.
  16. Click on Edit subnet associations.
  17. Select MyPublicSubnet from the list.
  18. Click on Save associations button.
  19. Task 6: Create a Route Table for the Public subnet
  20. Select the PrivateRouteTable and go to the Subnet Associations tab.Click on Edit subnet associations.Select MyPrivateSubnet from the list.Click on Save associations button.
  21. Select the PrivateRouteTable and go to the Subnet Associations tab.
  22. Click on Edit subnet associations.
  23. Select MyPrivateSubnet from the list.
  24. Click on Save associations button.
  25. Make sure not to associate any subnets with the Main Route Table.
  26. PublicRouteTable: Add a route to allow Internet traffic to the VPC.Select PublicRouteTable.Go to Routes tab, click on Edit routes and on the next page, click on Add route button.Specify the following values: Destination: Enter 0.0.0.0/0Target: Select Internet Gateway from the dropdown menu to select MyInternetGateway.Click on Save changes button.
  27. PublicRouteTable: Add a route to allow Internet traffic to the VPC.
  28. Select PublicRouteTable.
  29. Go to Routes tab, click on Edit routes and on the next page, click on Add route button.
  30. Specify the following values: Destination: Enter 0.0.0.0/0Target: Select Internet Gateway from the dropdown menu to select MyInternetGateway.Click on Save changes button.
  31. Specify the following values:
  32. Destination: Enter 0.0.0.0/0
  33. Target: Select Internet Gateway from the dropdown menu to select MyInternetGateway.
  34. Click on Save changes button.
Task 7

Task 7: Create Security groups

↑ Top
  1. In this lab, we will create two security groups, the first one will be used for Bastion host and the second one for private instance having access to VPC Endpoint for S3.
  2. To get started with creating security groups, click on the Security groups , present in the SECURITY section in the left sidebar.
  3. Click on the Create Security group button
  4. Fill in the below details under Basic details:
  5. Enter Security group name as Bastion-SG
  6. Enter Description as Security group for the bastion host
  7. Select the MyVPC under the VPC field.
  8. Task 7: Create Security groups
  9. By default, no inbound rule will be allowed, and when you check in the outbound rules, there is only one rule present that has a Type with All traffic because Security groups are Stateful in nature, when inbound is allowed outbound is also allowed.
  10. To add the Inbound rules for the same, click on the Add rule button.
  11. We will add 3 rules for the Bastion host security group i.e. SSH, HTTP, and HTTPS.
  12. For the first rule, Select the Type as SSH, Source as Anywhere-IPv4 and enter 0.0.0.0/0
  13. For the second rule, click on the Add rule button. Select the Type as HTTP, Source as Anywhere-IPv4 and enter 0.0.0.0/0
  14. For the third rule, click on the Add rule button. Select the Type as HTTPS, Source as Anywhere-IPv4 and enter 0.0.0.0/0
  15. Finally, click on the Create Security group button.
  16. The security group for the Bastion host is now created.
  17. Task 7: Create Security groups
  18. Click on the Security groups button, present in the SECURITY section in the left sidebar.
  19. To create the second security group, click on the Create Security Group button.
  20. Fill in the below details under Basic details:
  21. Enter Security group name as Endpoint-SG
  22. Enter Description as Security group for S3 endpoint
  23. Select the MyVPC under the VPC field.
  24. Task 7: Create Security groups
  25. To add the Inbound rules for the same, click on the Add rule button.
  26. We will add 1 rule for the S3 endpoint security group i.e. SSH only. But here our source will be Bastion host security group,
  27. you will select the ID of Bastion-SG security group.
  28. For the rule, select the Type as SSH, Source as Custom, and type Bastion, Bastion hosts security group will be shown, select that Security group.
  29. Task 7: Create Security groups
  30. Finally, click on the Create Security group button.
  31. The security group for the Bastion host is now created. And, it will be listed there.
  32. Task 7: Create Security groups
Task 8

Task 8: Create a Bastion host (Publicly accessible EC2 Instance)

↑ Top
  1. Navigate to EC2 by clicking on the Services menu at the top, then click on EC2 in the Compute section.
  2. Navigate to Instances on the left panel and click on Launch instances.
  3. Task 8: Create a Bastion host (Publicly accessible EC2 Instance)
  4. Name : Enter Bastion-host.
  5. For Amazon Machine Image (AMI): Search for Amazon Linux 2023 AMI in the search box and click on the Select button
  6. Task 8: Create a Bastion host (Publicly accessible EC2 Instance)
  7. Note: if there are two AMI's present for Amazon Linux 2023 AMI, choose kernel-6.1 AMI.
  8. For Instance Type: select t2.micro
  9. Task 8: Create a Bastion host (Publicly accessible EC2 Instance)
  10. For Key pair: Select Create a new key pair Button
  11. Key pair name: WhizKey
  12. Key pair type: RSA
  13. Private key file format: .pem
  14. Select Create key pair Button.
  15. Task 8: Create a Bastion host (Publicly accessible EC2 Instance)
  16. In Network Settings Click on Edit Button:
  17. VPC: Choose MyVPC
  18. Subnet : Choose Public Subnet
  19. Auto-assign public IP: Enable
  20. Select existing security group
  21. Security group name : Choose Bastion-SG
  22. Task 8: Create a Bastion host (Publicly accessible EC2 Instance)
  23. Keep rest thing default and Click on Launch Instance button.
  24. Select View all Instances to view Instance you created
  25. Launch Status: Your instance is now launching, Click on the instance ID and wait for complete initialization of the instance till status changes to Running.
Task 9

Task 9: Create an Endpoint instance (Privately accessible EC2 instance)

↑ Top
  1. Navigate to EC2 by clicking on the Services menu at the top, then click on EC2 in the Compute section.
  2. Navigate to Instances on the left panel and click on Launch instances.
  3. Name : Enter Endpoint-instance.
  4. For Amazon Machine Image (AMI): Search for Amazon Linux 2023 AMI in the search box and click on the Select button.
  5. Task 9: Create an Endpoint instance (Privately accessible EC2 instance)
  6. Note: if there are two AMI's present for Amazon Linux 2023 AMI, choose kernel-6.1 AMI.
  7. For Instance Type: select t2.micro
  8. Task 9: Create an Endpoint instance (Privately accessible EC2 instance)
  9. For Key pair: Select the key pair made during the previous task.
  10. In Network Settings Click on Edit Button:
  11. VPC: Choose MyVPC
  12. Subnet : Private Subnet
  13. Select existing security group
  14. Security group name : Choose Endpoint-SG
  15. Task 9: Create an Endpoint instance (Privately accessible EC2 instance)
  16. Keep rest thing Default and Click on Launch Instance button.
  17. Select View all Instances to view Instance you created
  18. Launch Status: Your instance is now launching, Click on the instance ID and wait for complete initialization of the instance till status changes to Running.
  19. Navigate to Instances and wait for 1-2 minutes (until the Endpoint-instance's status changes from pending to running state)
  20. Task 9: Create an Endpoint instance (Privately accessible EC2 instance)
Task 10

Task 10: SSH into Endpoint instance (Privately accessible) through Bastion host

↑ Top
  1. SSH into the Bastion instance using the Bastion PEM key: WhizKey.pem
  2. To SSH into Endpoint instance via the Bastion instance, we need the WhizKey.pem to be present on the Bastion instance.
  3. Open the WhizKey.pem file on your local system and then copy the text content.
  4. Navigate to the Bastion Instance and create a file named WhizKey.pem using the below command:
  5. Press i and paste the content of WhizKey.pem. Save it by pressing Esc key and type :wq and hit Enter.
  6. Make sure you have changed the permission of the key file to 400. You can change the permission using the below command:
  7. Task 10: SSH into Endpoint instance (Privately accessible) through Bastion host
  8. Now you can log into the web servers using the private key copied to the bastion server with the help of the below commands.
  9. Note: You don't have public IP's for the Endpoint instance since we created them in a private subnet.
  10. Syntax : ssh -i WhizKey.pem ec2-user@<Endpoint instance's Private IP>
  11. Example: ssh -i WhizKey.pem [email protected].
  12. When asked for confirmation type: yes
  13. Task 10: SSH into Endpoint instance (Privately accessible) through Bastion host
  14. Enter the following command aws configure
  15. Access Key: Paste the access key provided to you
  16. Secret Key: Paste the secret key provided to you
  17. Default region name: us-east-1
  18. Default output-format: Enter [ENTER]
  19. Note: Though the assigned IAM role is having access for S3 Read, listing the bucket through AWS CLI command got failed, saying, connection timeout on S3's endpoint.
  20. Task 10: SSH into Endpoint instance (Privately accessible) through Bastion host
  21. As, this instance's security group is only allowed to do SSH, running any other command, will fail.
  22. Let's add the permission to access the S3 endpoints using the VPC Endpoint for S3.
Task 11

Task 11: Create a VPC Endpoint for S3, attach it to the Private subnet's Route table

↑ Top
  1. Navigate to VPC by clicking on the Services menu at the top, then click on VPC in the Networking and Content Delivery section.
  2. Click on Endpoints present under PrivateLink and Lattice.
  3. Click on the Create endpoints button.
  4. Task 11: Create a VPC Endpoint for S3, attach it to the Private subnet's Route table
  5. Make sure the Service category is selected for AWS services. In the Service name search bar, type s3, and press enter
  6. Task 11: Create a VPC Endpoint for S3, attach it to the Private subnet's Route table
  7. The endpoint of Type, Gateway with Service name as com.amazonaws.us-east-1.s3 will be listed.
  8. Change the VPC, and select MyVPC.
  9. Task 11: Create a VPC Endpoint for S3, attach it to the Private subnet's Route table
  10. Check the option for Route Table having name as PrivateRouteTable.
  11. Finally, click on the Create endpoint button.
  12. An endpoint will be created.
  13. Click on the Close button, and within a few moments, you will see the endpoint will be listed.
  14. Task 11: Create a VPC Endpoint for S3, attach it to the Private subnet's Route table
  15. (Optional) To check whether the endpoint is associated with the custom route table (RT for Private subnet) or not. 12. Go to the Route tables, Select the custom route table and click on the Routes options below, you will see an entry of S3.
Task 12

Task 12: List all the S3 bucket and it's objects

↑ Top
  1. Now SSH into the Endpoint instance from your bastion instance as mentioned in task 10.Enter aws configure. Access Key: Paste the access key provided to you. Secret Key: Paste the secret key provided to you.
  2. Now SSH into the Endpoint instance from your bastion instance as mentioned in task 10.
  3. Enter aws configure.
  4. Access Key: Paste the access key provided to you.
  5. Secret Key: Paste the secret key provided to you.
  6. Task 12: List all the S3 bucket and it's objects
  7. Default region name: us-east-1
  8. Default output-format: Enter [ENTER]
  9. List all the bucket's using the following AWS CLI command:
  10. Task 12: List all the S3 bucket and it's objects
  11. List the objects of the S3 bucket starting with name lab-bucket..
  12. Replace the S3 bucket name for the below command
  13. VPC Endpoint Service enables private connectivity, you can avoid data transfer charges associated with public internet traffic. By utilizing VPC endpoints, you can significantly reduce data transfer costs, especially if you have large volumes of data flowing between your VPC and AWS services.
Task 13

Task 13: Validation Test

↑ Top
  1. Once the lab steps are completed, please click on the Validation button on the Right side panel.
  2. This will validate the resources in the AWS account and displays whether you have completed this lab successfully or not.
  3. Sample output :
  4. Task 13: Validation Test
Task 14

Task 14: Delete AWS Resources

↑ Top
  1. Navigate to VPC by clicking on the Services menu at the top, then click on VPC in the Networking and Content Delivery section.
  2. Click on Endpoints present in the VIRTUAL PRIVATE CLOUD section on the left sidebar.
  3. To delete the VPC endpoint, perform the following tasks: Select the Endpoint, Click on the Actions button, Choose the option of Delete VPC endpoints
  4. To delete the VPC endpoint, perform the following tasks:
  5. Select the Endpoint,
  6. Click on the Actions button,
  7. Choose the option of Delete VPC endpoints
  8. Task 14: Delete AWS Resources
  9. Confirm the deletion by typing delete. 5. The endpoint will be deleted immediately.
  10. Navigate to EC2 by clicking on the Services menu at the top, then click on EC2 in the Compute section.
  11. Click on Instances on the left panel.
  12. EC2 Instances will be listed here.
  13. Task 14: Delete AWS Resources
  14. To terminate both the present instances, perform the following tasks:
  15. Select both the EC2 instances
  16. Click on the Instance state
  17. Choose to Terminate instance
  18. Task 14: Delete AWS Resources
  19. To confirm the termination of both the selected EC2 instance, click on the Terminate button.
  20. The instance will be terminated in a minute or so.
  21. Task 14: Delete AWS Resources
  22. We have launched two EC2 instances i.e. Bastion instance and Endpoint instance. We were able to SSH into the Endpoint instance via Bastion Instance successfully.
  23. We have created a VPC endpoint for S3 to securely access S3 Buckets and their objects without going to the internet i.e. within Amazon's network through the Endpoint instance.
  24. We tested the VPC endpoint for S3 from the private instance.
  25. Sign out of the AWS Account.
  26. You have successfully completed the lab.
  27. Once you have completed the steps, click on End Lab from the lab console.
← Back to Labs