Bootstrap FreeKB - Amazon Web Services (AWS) - Create Virtual Private Cloud (VPC) Gateway Endpoint using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Virtual Private Cloud (VPC) Endpoints let resources in one of your Virtual Private Clouds (VPC) communicate with AWS Services privately. The traffic stays on the Amazon network: it never leaves your VPC for the public Internet and never gets onto the Internet at all, which is good from a privacy and security perspective. For example, a Virtual Private Cloud (VPC) Endpoint can be created for services such as

  • API Gateway Execute API - com.amazonaws.us-east-1.execute-api
  • S3 Bucket - com.amazonaws.us-east-1.s3
  • Simple Notification Service (SNS) - com.amazonaws.us-east-1.sns
  • Simple Queue Service (SQS) - com.amazonaws.us-east-1.sqs
  • et cetera

There are a few different types of VPC Endpoints:

  • Interface Endpoint - uses AWS PrivateLink and an Elastic Network Interface (ENI) as the entrypoint for the traffic
  • Gateway Endpoint (this article) - adds a route to your Route Table with the endpoint as the target; Gateway Endpoints are available for S3 and DynamoDB, other services need an Interface Endpoint
  • Gateway Load Balancer Endpoint

Be aware that if you are concerned about cost, VPC Endpoints may be a bit too pricey. I created a few VPC Endpoints because I needed to call a few different AWS Services such as S3 (for S3 Buckets) and Secrets Manager (to get the value of some secrets) and STS (to assume role) and so on, and you have to create a separate VPC Endpoint for each service, and after only 5 days the cost for the VPC Endpoints was $30.00, much too rich for my blood. I ended up instead going with an EC2 NAT Instance which would only cost me like $4 per month (or less than $2 per month as a Reserved Instance).


Let's say you have an EC2 instance in a subnet that is associated with a Route Table that has only local routes. In other words, this EC2 instance is private: its traffic cannot leave the Amazon network and cannot reach the Internet.


Let's say you want to use the aws s3api list-buckets command to get the list of your S3 Buckets. In this scenario, the AWS CLI will hang and eventually time out, since the request to https://s3.us-east-1.amazonaws.com/ cannot be made.

~]$ aws s3api list-buckets


A Gateway Endpoint adds a route to the Route Table that sends requests for the com.amazonaws.us-east-1.s3 service to the endpoint, which allows the aws s3api list-buckets command to return a response.

The aws ec2 describe-route-tables command can be used to list your Route Tables.

~]$ aws ec2 describe-route-tables
[
    {
        "Associations": [
            {
                "AssociationState": {
                    "State": "associated"
                },
                "RouteTableAssociationId": "rtbassoc-03d88b8f543d22956",
                "Main": true,
                "RouteTableId": "rtb-0587dc78ea0f59472"
            }
        ],
        "RouteTableId": "rtb-0587dc78ea0f59472",
        "VpcId": "vpc-014d2fcfa335d3c01",
        "PropagatingVgws": [],
        "Tags": [
            {
                "Value": "ManagedByAmazonFSx",
                "Key": "AmazonFSx"
            }
        ],
        "Routes": [
            {
                "GatewayId": "local",
                "DestinationCidrBlock": "172.31.0.0/16",
                "State": "active",
                "Origin": "CreateRouteTable"
            },
            {
                "GatewayId": "igw-020c1f7ec148352b3",
                "DestinationCidrBlock": "0.0.0.0/0",
                "State": "active",
                "Origin": "CreateRoute"
            }
        ],
        "OwnerId": "123456789012"
    }
]


The aws ec2 create-vpc-endpoint command can be used to create the Gateway Endpoint. Because --route-table-ids is specified, this also adds the Gateway Endpoint route to that Route Table.

aws ec2 create-vpc-endpoint \
--vpc-id vpc-0a9d4cb29e2748444 \
--vpc-endpoint-type Gateway \
--service-name com.amazonaws.us-east-1.s3 \
--route-table-ids rtb-055d28b0a8be465fa \
--tag-specifications 'ResourceType=vpc-endpoint,Tags=[{Key=service,Value=com.amazonaws.us-east-1.s3}]'


Now the Route Table should have a route whose destination is the S3 prefix list and whose target is the Gateway Endpoint (vpce-...), which aws ec2 describe-route-tables will show.


And the aws s3api list-buckets command should return a response.

~]$ aws s3api list-buckets
{
    "Buckets": [
        {
            "Name": "my-bucket-abcdefg",
            "CreationDate": "2023-06-02T02:22:19+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "ab0e0a41234567893a77c82240d5abcdc41ff11c123456789c777a5123443743"
    }
}
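To confirm that the endpoint route was attached and that the subnet's Route Table is still private (no route to an Internet Gateway, NAT Gateway or NAT instance), here is an added Python example, not from the article, that audits aws ec2 describe-route-tables output. The sample output embedded in it is constructed in the shape of the article's output, and the vpce- and pl- ids in it are placeholders.

```python
import json

# Constructed sample in the shape of the article's describe-route-tables output,
# after a Gateway Endpoint has been attached. All ids are placeholders.
SAMPLE_OUTPUT = json.dumps({"RouteTables": [{
    "RouteTableId": "rtb-0587dc78ea0f59472",
    "VpcId": "vpc-014d2fcfa335d3c01",
    "Routes": [
        {"GatewayId": "local", "DestinationCidrBlock": "172.31.0.0/16", "State": "active"},
        {"GatewayId": "vpce-0123456789abcdef0",
         "DestinationPrefixListId": "pl-0123456789abcdef0", "State": "active"},
    ],
}]})


def classify_route(route):
    """Label one route by its target: local, endpoint, internet, nat or other."""
    gateway = route.get("GatewayId", "")
    if gateway == "local":
        return "local"
    if gateway.startswith("vpce-"):
        return "endpoint"  # Gateway Endpoint: traffic stays on the AWS network
    if gateway.startswith("igw-"):
        return "internet"  # Internet Gateway: traffic can leave AWS
    if route.get("NatGatewayId") or route.get("InstanceId"):
        return "nat"       # NAT Gateway or NAT instance: also reaches the Internet
    return "other"


def audit_route_tables(describe_output):
    """Summarise describe-route-tables output ({"RouteTables": [...]} or a bare list, as JSON text or parsed).
    Returns {RouteTableId: {"private": bool, "endpoints": [(dest, vpce)], "exits": [(dest, kind)]}};
    a table is private when no active route leads to an igw, NAT gateway or NAT instance."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    tables = data["RouteTables"] if isinstance(data, dict) else data
    report = {}
    for table in tables:
        summary = {"private": True, "endpoints": [], "exits": []}
        for route in table.get("Routes", []):
            if route.get("State") != "active":
                continue  # blackhole routes carry no traffic
            dest = route.get("DestinationCidrBlock") or route.get("DestinationPrefixListId")
            kind = classify_route(route)
            if kind == "endpoint":
                summary["endpoints"].append((dest, route["GatewayId"]))
            elif kind in ("internet", "nat"):
                summary["private"] = False
                summary["exits"].append((dest, kind))
        report[table["RouteTableId"]] = summary
    return report
```

Pipe the real output in with aws ec2 describe-route-tables --output json and pass it to audit_route_tables; a table that lists your vpce- route under "endpoints" and nothing under "exits" is the private setup the article describes.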
