VPC:
PublicSubnet:
EC2-Instance
IGW
NAT
Route to IGW
PrivateSubnet:
EC2-Instance
Route to NAT
Route to S3VPCEndpoint
S3VPCEndpoint
This is the network part of my CFn template:
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
CidrBlock: 10.1.0.0/16
PublicSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.1.0.0/24
MapPublicIpOnLaunch: True
VpcId: !Ref VPC
Tags:
- Key: "Name"
Value: "Raffael Public Subnet"
PrivateSubnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.1.1.0/24
VpcId: !Ref VPC
Tags:
- Key: "Name"
Value: "Raffael Private Subnet"
InternetGateway:
Type: AWS::EC2::InternetGateway
DependsOn: VPC
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref InternetGateway
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
PrivateRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
PublicRouteToIGW:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
PublicSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PublicSubnet
RouteTableId:
Ref: PublicRouteTable
PrivateSubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId:
Ref: PrivateSubnet
RouteTableId:
Ref: PrivateRouteTable
PublicInstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
PrivateInstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
SourceSecurityGroupId: !GetAtt PublicInstanceSecurityGroup.GroupId
Nat:
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt NatEIP.AllocationId
SubnetId: !Ref PublicSubnet
NatEIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
PrivateRouteToNat:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateRouteTable
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref Nat
S3GatewayEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
RouteTableIds:
- !Ref PublicRouteTable
- !Ref PrivateRouteTable
ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
VpcId: !Ref VPC
There are two EC2 instances - one in the private and one in the public subnet. These and the relevant Security Groups are set up in a second template.
If I SSH into the private EC2 via the public EC2 I can access S3 from the private subnet. Meaning aws s3 ls
lists all buckets.
But - this request is apparently going over the NAT. Because if I effectively deactivate it by setting the DestinationCidrBlock
of its route to 1.2.3.4/32
then aws s3 ls
is timing out:
HTTPSConnectionPool(host='s3.amazonaws.com', port=443):
Max retries exceeded with url: / (Caused by ConnectTimeoutError
(<botocore.awsrequest.AWSHTTPSConnection object at 0x7fd86b183828>,
'Connection to s3.amazonaws.com timed out. (connect timeout=60)'))
So I had a look at Why can’t I connect to an S3 bucket using a gateway VPC endpoint?:
- DNS settings in your VPC: "DNS resolution" of the VPC is set to "Enabled"
- Route table settings to Amazon S3: There is a route
- Security group outbound rules: unrestricted
- Network ACL rules: unrestricted
- Gateway VPC endpoint policy: unrestricted
- S3 bucket policy: I'm testing with
ListBucket
Any idea what I have to adjust in my template?
DependsOn: AttachGateway
into the EC2-Resource (of the public subnet). Is that what you mean? The only EIP here is not related to VPCGatewayAttachment. – RaffaelVPCGatewayAttach
specified and it worked without thisDependsOn
so I just left it out. – RaffaelDependsOn: VPCGatewayAttach
for the EIP. – Marcin