Accessing Amazon S3 from a private VPC subnet

If I have a VPC running and some servers located in the private portion of that network that do backend processing by downloading files from Amazon S3, can I access S3 internally to get at those files? Or do I have to access the public internet via NAT, download the S3 files over HTTPS, and process them that way?


Solution 1:

With a username like "The Internet", I'd expect you to know this. But since you asked...

:)

VPCs are truly private. Only traffic that you explicitly allow can transit the borders of the VPC.

So, inside a VPC, instances needing access to external resources either need to be assigned an EIP (in which case they can access external resources using AWS's infrastructure), or you need to provide a NAT host (in which case all of the traffic egresses the VPC via your own NAT).

If you opt to provide your own NAT host, remember that you'll need to disable source/dest checking on that instance as well as adding a default route to your private subnet, pointing to the NAT host.

UPDATE (2015-05-10): As of May 11th, 2015, AWS has released a "VPC Endpoint" for S3, which allows access to S3 directly from a VPC without having to go through a proxy host or NAT instance. Thankfully, out of respect for the truly private nature of VPC, this feature is off by default, but it can be easily turned on using the AWS Console or through their API.
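An added example (not part of the answer above) of the VPC endpoint route: a script that creates an S3 gateway endpoint on a private subnet's route table with an endpoint policy pinned to one bucket, and then locks the bucket itself to that endpoint. The region, VPC, route-table, bucket and admin-role values are placeholders supplied by the caller; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not the original answer's code. Creates an S3 *gateway* VPC
# endpoint and restricts both sides: the endpoint only reaches one bucket, and
# the bucket only accepts requests arriving through that endpoint.
# usage: ./s3-endpoint.sh <region> <vpc-id> <private-route-table-id> <bucket> <admin-role-arn>
set -eu

# Endpoint policy: instances behind this endpoint can only read the named
# bucket, so a compromised host cannot push data to an attacker-owned bucket
# over the same private path.
endpoint_policy_json() {
  local bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OnlyOurBucket",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"]
  }]
}
EOF
}

# Bucket policy: deny anything that did not come through our endpoint, except
# the admin role, so operators outside the VPC are not locked out of the bucket.
# (Both Condition blocks must match for the Deny to apply.)
bucket_policy_json() {
  local bucket="$1" vpce_id="$2" admin_role_arn="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideVpce",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::${bucket}", "arn:aws:s3:::${bucket}/*"],
    "Condition": {
      "StringNotEquals": {"aws:sourceVpce": "${vpce_id}"},
      "ArnNotEquals": {"aws:PrincipalArn": "${admin_role_arn}"}
    }
  }]
}
EOF
}

# Create the gateway endpoint attached to the private route table. AWS inserts
# a route for the regional S3 prefix list (pl-...) into that table for us.
create_s3_endpoint() {
  local region="$1" vpc_id="$2" rtb_id="$3" bucket="$4" policy_file
  policy_file="$(mktemp)"
  endpoint_policy_json "$bucket" > "$policy_file"
  aws ec2 create-vpc-endpoint \
    --region "$region" \
    --vpc-id "$vpc_id" \
    --vpc-endpoint-type Gateway \
    --service-name "com.amazonaws.${region}.s3" \
    --route-table-ids "$rtb_id" \
    --policy-document "file://${policy_file}" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
  rm -f "$policy_file"
}

apply_bucket_policy() {
  local bucket="$1" vpce_id="$2" admin_role_arn="$3"
  aws s3api put-bucket-policy --bucket "$bucket" \
    --policy "$(bucket_policy_json "$bucket" "$vpce_id" "$admin_role_arn")"
}

# Check: the private route table should now carry a prefix-list route to the endpoint.
show_s3_routes() {
  aws ec2 describe-route-tables --route-table-ids "$1" \
    --query 'RouteTables[0].Routes[?DestinationPrefixListId].[DestinationPrefixListId,GatewayId]' \
    --output text
}

# Only talk to AWS when all five arguments are given; otherwise just define functions.
if [ "$#" -eq 5 ]; then
  vpce="$(create_s3_endpoint "$1" "$2" "$3" "$4")"
  echo "created ${vpce}"
  apply_bucket_policy "$4" "$vpce" "$5"
  show_s3_routes "$3"
fi
```

Two caveats worth keeping in mind: a gateway endpoint is regional and only serves traffic that originates inside that VPC (not peered VPCs or on-premises networks), and the Deny-based bucket policy will refuse your own console and CLI sessions unless they assume the exempted admin role, so test it with a throwaway bucket first.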

Solution 2:

If your instance is in a public subnet of the VPC, then:

  • Either you should have a public IP address assigned to your instance
  • OR you should have an Elastic IP assigned to your instance

If your instance is in a private subnet of the VPC, then:

  • You need to have a NAT device running in the public subnet, so that the instance in the private subnet of the VPC can access the internet via NAT and reach S3. You can use the AWS VPC NAT, or you can configure your own (google for this in case you want to set up your own NAT).

Bottom line: to access S3, you must be able to access the internet.
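For the self-managed NAT path that both answers describe, here is an added example (not from either answer) that does the two AWS-side steps Solution 1 calls out, disabling the source/destination check and adding the private subnet's default route, and generates the on-host configuration for the NAT instance. Instance IDs, the route-table ID and the private CIDR are placeholders the caller supplies; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the answers. Wires a private subnet to the
# internet through a self-managed Linux NAT instance in the public subnet.
# usage: ./nat-host.sh <nat-instance-id> <private-route-table-id> <private-cidr>
set -eu

# User-data for the NAT host. It forwards packets but only SNATs traffic that
# originates from the private subnet, and only allows new forwarded
# connections from that subnet, rather than masquerading anything that happens
# to reach the box. Replies are admitted by connection tracking.
nat_host_userdata() {
  local private_cidr="$1" iface="${2:-eth0}"
  cat <<EOF
#!/bin/sh
set -e
sysctl -w net.ipv4.ip_forward=1
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-nat.conf
iptables -t nat -A POSTROUTING -s ${private_cidr} -o ${iface} -j MASQUERADE
iptables -A FORWARD -i ${iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${private_cidr} -o ${iface} -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# EC2 drops packets whose source or destination is not the instance itself
# unless this check is off. A NAT host forwards other hosts' packets, so the
# check must be disabled or nothing will flow through it.
disable_source_dest_check() {
  aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# Check: prints "False" once the attribute is disabled.
source_dest_check_state() {
  aws ec2 describe-instance-attribute --instance-id "$1" \
    --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text
}

# Default route for the private route table, pointing at the NAT instance.
# (For a managed NAT gateway, swap --instance-id for --nat-gateway-id.)
add_default_route_via_nat() {
  local rtb_id="$1" nat_instance_id="$2"
  aws ec2 create-route --route-table-id "$rtb_id" \
    --destination-cidr-block 0.0.0.0/0 --instance-id "$nat_instance_id"
}

# Only talk to AWS when all three arguments are given; otherwise just define functions.
if [ "$#" -eq 3 ]; then
  disable_source_dest_check "$1"
  echo "sourceDestCheck is now: $(source_dest_check_state "$1")"
  add_default_route_via_nat "$2" "$1"
  echo "Apply this user-data to the NAT instance at launch:"
  nat_host_userdata "$3"
fi
```

The NAT host's security group still needs to admit inbound traffic from the private CIDR on the ports the backend servers use (443 for S3 over HTTPS), and the private route table must be the one associated with the private subnet, not the main table, or the route lands on the wrong subnet.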