Creating a VPC Endpoint – Configuring Infrastructure Security – SCS-C02 Study Guide

Creating a VPC Endpoint

Generally, traffic traveling to the Amazon S3 service uses the public internet to reach its destination. If that traffic originates from an EC2 instance within your VPC, its route takes an IGW when the instance is in a public subnet or a NAT gateway when it is in a private subnet.

If you want to keep that traffic more secure and off the public internet altogether, add a VPC endpoint:

  1. Start by opening the Amazon Management Console to the VPC service at https://packt.link/uCREd.
  2. On the left-hand side menu, click on Endpoints.

Figure 10.28: The AWS VPC menu

  3. Once the Endpoints screen appears in the main window, click on the Create endpoint button located at the top-right side.
  4. On the Create endpoint screen, scroll down to the box labeled Endpoint settings. For the Name tag, name your endpoint chapt10-s3 and select AWS services in the Service category section if it is not already selected.

Figure 10.29: The Endpoint settings screen

  5. Scroll down until you reach the Services section. Select the item labeled com.amazonaws.s3-global.accesspoint.

Figure 10.30: The Endpoint Services screen

  6. Scroll down to the box labeled VPC. Choose the VPC you created earlier, named My VPC. If you didn't create the VPC earlier, you can choose your default VPC (which has no name) for this example.

Figure 10.31: The VPC screen

  7. Once you have your VPC selected, scroll down to the box labeled Subnets. Select any available subnets, and then in the drop-down box, choose the private subnets if available.

Figure 10.32: The Subnets selection screen

  8. Scroll down to Security groups and select any security groups that will be attached to your instances, Lambda functions, or other resources that need access to the S3 buckets through the endpoint.

Figure 10.33: The Security group selection screen

  9. Scroll down to the Policy section. Keep the policy setting set as Full access.

Figure 10.34: The Policy selection screen

  10. Finally, scroll down to the bottom of the page and click on the button labeled Create endpoint.

You now have an endpoint created for direct communication with your S3 buckets without having to traverse the public internet.
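The same endpoint expressed as a CloudFormation template, with one addition a defender would want: an S3 bucket policy that refuses any request not arriving through this endpoint, because creating the endpoint alone does not prevent a client from still reaching the bucket through an IGW or NAT gateway. This is an added example, not the book's own code; the parameter values are placeholders you supply, and the template uses the regional S3 interface service name rather than the global access-point entry selected in Figure 10.30, since the aws:SourceVpce bucket-policy pattern shown here is the documented one for that service.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 interface endpoint plus a bucket policy that only honours requests arriving through it

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id                  # "My VPC" from Figure 10.31
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>         # the private subnets from Figure 10.32
  EndpointSecurityGroupIds:
    Type: List<AWS::EC2::SecurityGroup::Id>  # the security groups from Figure 10.33
  BucketName:
    Type: String                             # placeholder: an existing bucket you own

Resources:
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.s3"   # regional S3 service (see lead-in)
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: !Ref EndpointSecurityGroupIds
      # No PolicyDocument: this is the console's "Full access" default from Figure 10.34.

  # The endpoint by itself does not stop a client from reaching the bucket over an IGW or
  # NAT gateway; a bucket policy that denies any request not carrying this endpoint's ID
  # is what actually enforces "never over the public internet" for this bucket.
  OnlyViaEndpointPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyUnlessFromThisVpcEndpoint
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !Sub "arn:aws:s3:::${BucketName}"
              - !Sub "arn:aws:s3:::${BucketName}/*"
            Condition:
              StringNotEquals:
                aws:SourceVpce: !Ref S3Endpoint   # Ref on a VPCEndpoint returns its vpce-... ID
```

Because the Deny applies to every principal, including your own administrators working from outside the VPC, try it on a non-production bucket first and add an exception for an admin role if you still need console access to the bucket.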

Summary

In this chapter, you reviewed the foundational networking component of the AWS cloud, the VPC. You learned how to create a VPC network using a CloudFormation template with both a public and private subnet and then attach an IGW for internet connectivity. After creation, you explored the different components of the VPC to become familiar with them.

You then reviewed the network connectivity options available between VPCs in your own account, between VPCs in other accounts, and between AWS resources and the on-premises data centers that need to reach them. These included options for connecting over public networks, such as VPNs, which keep your transmissions secure and encrypted, along with Direct Connect, peering, and endpoints, which keep your transmissions off the public internet.

Chapter 11, Securing EC2 Instances, will discuss how to secure EC2 instances when you are inside the perimeter of your network.