
How to Extend VPC Interface Endpoints beyond AWS

A VPC Endpoint allows you to establish a connection between your Virtual Private Cloud (VPC) and AWS services, without the need for an internet gateway, NAT device, VPN, or an AWS Direct Connect connection. Instances in your VPC don't use public IP addresses to communicate with AWS services; instead, they use VPC Endpoints for this purpose.

There are two types of VPC endpoints:

  • VPC Gateway Endpoint: This acts as a gateway in your route table that directs traffic for a specified AWS service.

  • VPC Interface Endpoint: This creates a network interface within the VPC's IP range, enabling communication with AWS services. It is also useful with an AWS Direct Connect setup, where on-premises traffic reaches AWS services through the VPC Interface Endpoint.

Note

For a deeper understanding of AWS VPC Endpoints, we recommend reading the article Enhanced Connectivity: Navigating the Benefits of AWS VPC Endpoints.

This tutorial focuses on using VPC Interface Endpoints to create a private connection from a private subnet to Amazon S3. We'll then extend the private S3 endpoint to server-01, located in a private data center, using the n2x-node-01 instance deployed in the public subnet and n2x.io to create a virtual private network connection. This allows us to mount the Amazon S3 bucket as a filesystem from server-01.

Here is the high-level overview of tutorial setup architecture:

Diagram

In our setup, we will be using the following components:

  • An interface VPC endpoint, used to connect to services powered by AWS PrivateLink. For more information, see the AWS Documentation.

  • n2x-node, an open-source agent that runs on the machines you want to connect to your n2x.io network topology. For more information, see the n2x.io Documentation.

Before you begin

In order to complete this tutorial, you must meet the following requirements:

  • An AWS account.

  • An existing Amazon S3 bucket. We'll use the Amazon S3 bucket n2x-demo-bucket for this tutorial.

  • An n2x.io account and one subnet with the 10.254.1.0/24 prefix.

  • The n2xctl command-line tool installed, version v0.0.3 or greater.

Note

Please note that this tutorial uses Ubuntu 22.04 (Jammy Jellyfish) on the amd64 architecture.

Step-by-step Guide

Step 1 - Deploying a n2x-node in AWS

Follow this step-by-step guide to set up an n2x-node in AWS. This guide will walk you through creating all the necessary infrastructure within the cloud service provider, including a VPC, public subnet, internet gateway, network security group, and instance.

Step 2 - Configuring n2x-node instance to export VPC CIDR

Before configuring n2x-node-01 to export the VPC CIDR, we need to enable IPv4 forwarding at the Linux level on the AWS instance so that it can forward IPv4 packets. Execute the following steps for that purpose:

  1. Enabling IPv4 forwarding:

    Execute the following command on the n2x-node-01 instance:

    sudo sysctl -w net.ipv4.ip_forward=1
    
    To make the change permanent, add the following line to /etc/sysctl.conf file:

    net.ipv4.ip_forward=1
    
  2. Disable Source/Destination Check:

    Navigate to the EC2 Dashboard in the AWS Console and select the n2x-node-01 instance. On the menu choose Actions > Networking > Change Source/Destination Check.

    Change Source/Destination Check

    Select Stop and Save.

    Stop and Save

Now, to make the VPC CIDR available on your n2x.io subnet, we need to configure n2x-node-01 to export this CIDR. For this, edit /etc/n2x/n2x-node.yml and add the following configuration:

# network routes behind this node (optional)
routes:
  export:
    - <VPC CIDR>
  import:  

Info

Replace <VPC CIDR> with the VPC CIDR value, in this case 10.0.1.0/24.

Restart the n2x-node service for this change to take effect:

sudo systemctl restart n2x-node

Step 3 - Deploying S3 Interface Endpoint

Before creating the S3 Interface Endpoint we need to create a private subnet and some additional resources:

  1. Create the private subnet in the VPC as described in the following table. For more information, see Creating a Subnet:

    Subnet Settings

    Subnet name tag     VPC    AZ           IPv4 CIDR
    edge-pri-net-az1    edge   us-east-1a   10.0.1.128/28

    Private Subnet

  2. Create a route table for the edge-pri-net-az1 private subnet and add a new route with the destination 10.254.1.0/24 (the n2x.io subnet CIDR) via the n2x-node-01 instance, so that replies to server-01 are sent back through the tunnel. For more information, see Adding and Removing Routes from a route table.

    Routing Table Settings

    Route table name tag   VPC
    edge-pri-net-rt        edge

    Private Routing Table

    add-route

  3. Create a subnet route table association between the edge-pri-net-rt route table and the edge-pri-net-az1 private subnet.

    Routing Table Association

    Routing Table Association

  4. Create a security group s3-interface-endpoint that allows inbound TCP ports 80 and 443 from 0.0.0.0/0; we will attach the security group to the Interface Endpoint later:

    Security Group Settings

    Rule       Protocol   Port Range   Source
    Inbound    TCP        80           0.0.0.0/0
    Inbound    TCP        443          0.0.0.0/0
    Outbound   All        All          0.0.0.0/0

    Security Group

Now we can create the VPC Endpoint. Search for the VPC service in the AWS web console, select Endpoints in the left pane, and click Create Endpoint:

Create Endpoint

When the window opens, select AWS services as the Service category. Search for S3, select the S3 service for your Region, and choose the Interface type. You must also select the VPC, the edge-pri-net-az1 private subnet and the security group created in the previous step.

Configure Endpoint

Configure Endpoint

Once the Endpoint is created, in the Subnet section you can see the IP address assigned to the endpoint:

IP Endpoint

Info

Note the IP address assigned to this endpoint; we will use it to connect to Amazon S3 buckets.

Step 4 - Connecting the server-01 to our n2x.io network topology

Now we need to connect server-01 to our n2x.io network topology so that it can access Amazon S3 buckets through the VPC Interface Endpoint.

Adding a new node in a subnet with n2x.io is very easy. Here's how:

Add New Node

  1. Head over to the n2x WebUI and navigate to the Network Topology section in the left panel.
  2. Click the Add Node button and ensure the new node is placed in the same subnet as the n2x-node-01.
  3. Assign a name and description for the new node.
  4. Click Add New Connected Node to Subnet.

Here, we can select the environment where we are going to install the n2x-node agent. In this case, we are going to use Linux:

n2x Node Setup

Run the script in a terminal on server-01 and check that the service is running with the command:

systemctl status n2x-node

You can use the ip addr show dev n2x0 command on server-01 to check the IP address assigned to this node:

n2x Node IP

At this point, we need to make the VPC CIDR available on server-01 by importing this CIDR. For this, edit /etc/n2x/n2x-node.yml on server-01 and add the following configuration:

# network routes behind this node (optional)
routes:
  export:
    - 
  import:
    - <VPC CIDR>  

Info

Replace <VPC CIDR> with the VPC CIDR value, in this case 10.0.1.0/24.

Restart the n2x-node service for this change to take effect:

systemctl restart n2x-node

We can check the local routing table in server-01 with the following command:

ip route

Routing Table Server-01
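Before editing /etc/n2x/n2x-node.yml on either host, it is worth confirming that the addresses from Steps 2 to 4 fit together: server-01 only gets a route for what n2x-node-01 exports, so the endpoint IP has to fall inside that CIDR, and the n2x.io subnet must not overlap the VPC. The following script is an added example and not part of the tutorial or of n2x.io; it uses the tutorial's values, renders the routes sections for both nodes, and also checks which security-group source list would still admit the two client networks. The claim that n2x-node-01 forwards without NAT (and so the endpoint sees server-01's n2x.io address) is an assumption drawn from the return route added in Step 3.

```python
"""Added example (not part of the n2x.io tutorial): sanity-check the addresses
used in Steps 2 to 4 before editing /etc/n2x/n2x-node.yml on either host, and
render the `routes:` section for the exporting node (n2x-node-01) and the
importing node (server-01). The VPC, subnet and endpoint values are the ones
from the tutorial; the checks encode assumptions about how the routes
interact, not documented n2x.io behaviour."""
import ipaddress

# Values from the tutorial; substitute your own.
VPC_CIDR = "10.0.1.0/24"          # exported by n2x-node-01, imported by server-01
PRIVATE_SUBNET = "10.0.1.128/28"  # edge-pri-net-az1, where the endpoint ENI lives
N2X_SUBNET = "10.254.1.0/24"      # n2x.io subnet, routed back to n2x-node-01 in Step 3
ENDPOINT_IP = "10.0.1.137"        # IP assigned to the S3 interface endpoint


def check_addressing(vpc_cidr, private_subnet, n2x_subnet, endpoint_ip):
    """Return a list of problems; an empty list means the plan is consistent.

    server-01 only receives a route for what n2x-node-01 exports, so the
    endpoint IP must sit inside the exported VPC CIDR, and the n2x.io subnet
    must not overlap the VPC, or the return route in edge-pri-net-rt would
    compete with the VPC's local route.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    priv = ipaddress.ip_network(private_subnet)
    n2x = ipaddress.ip_network(n2x_subnet)
    ep = ipaddress.ip_address(endpoint_ip)
    problems = []
    if not priv.subnet_of(vpc):
        problems.append(f"private subnet {priv} is not inside VPC CIDR {vpc}")
    if ep not in priv:
        problems.append(f"endpoint IP {ep} is not inside private subnet {priv}")
    if ep not in vpc:
        problems.append(f"endpoint IP {ep} is outside exported CIDR {vpc}; "
                        "server-01 would have no route to it")
    if vpc.overlaps(n2x):
        problems.append(f"n2x.io subnet {n2x} overlaps VPC CIDR {vpc}")
    return problems


def routes_section(export=(), import_=()):
    """Render the `routes:` block in the layout the tutorial's n2x-node.yml uses."""
    lines = ["# network routes behind this node (optional)", "routes:", "  export:"]
    lines += [f"    - {cidr}" for cidr in export]
    lines.append("  import:")
    lines += [f"    - {cidr}" for cidr in import_]
    return "\n".join(lines) + "\n"


def sources_cover(sg_sources, client_cidrs):
    """True when every client network is admitted by at least one SG source.

    The tutorial's s3-interface-endpoint group opens 80/443 to 0.0.0.0/0.
    Assuming n2x-node-01 forwards without NAT (the Step 3 return route for
    10.254.1.0/24 only makes sense that way), the endpoint sees server-01's
    n2x.io address as the source, so [VPC CIDR, n2x.io subnet] is the
    narrowest source list that still lets the mount work.
    """
    sources = [ipaddress.ip_network(s) for s in sg_sources]
    return all(any(ipaddress.ip_network(c).subnet_of(s) for s in sources)
               for c in client_cidrs)


if __name__ == "__main__":
    for problem in check_addressing(VPC_CIDR, PRIVATE_SUBNET, N2X_SUBNET, ENDPOINT_IP):
        print("PROBLEM:", problem)
    print("--- n2x-node-01 (/etc/n2x/n2x-node.yml) ---")
    print(routes_section(export=[VPC_CIDR]))
    print("--- server-01 (/etc/n2x/n2x-node.yml) ---")
    print(routes_section(import_=[VPC_CIDR]))
    print("0.0.0.0/0 covers clients:",
          sources_cover(["0.0.0.0/0"], [VPC_CIDR, N2X_SUBNET]))
    print("tightened list covers clients:",
          sources_cover([VPC_CIDR, N2X_SUBNET], [VPC_CIDR, N2X_SUBNET]))
```

With the tutorial's values check_addressing returns no problems; changing the endpoint IP to something outside 10.0.1.0/24 reports both the subnet and the export mismatch, which is exactly the case where the mount in Step 5 would hang with no route.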

Step 5 - Mount the Amazon S3 Bucket as a filesystem in server-01

Finally, we will show you how to mount an Amazon S3 bucket using S3FS in server-01 (Ubuntu 22.04):

  1. The s3fs package is available in the official Ubuntu repositories; install it with the following command:

    sudo apt-get update && sudo apt-get install -y s3fs
    
  2. Now create the mount point on your local machine; in this case, we will use /mnt/s3-bucket:

    sudo mkdir -p /mnt/s3-bucket
    
  3. Once S3FS is installed, set up the credentials as shown below:

    echo <ACCESS_KEY>:<SECRET_KEY> > ~/.passwd-s3fs
    

    Info

    Replace <ACCESS_KEY> and <SECRET_KEY> with the AWS credentials for your account (IAM user). The IAM user must have S3 full access.

  4. You will also need to restrict the permissions of the passwd-s3fs file, or S3FS will refuse to use it. To do that, run the command below:

    chmod 600 ~/.passwd-s3fs
    
  5. Now we’re ready to mount the Amazon S3 bucket:

    sudo s3fs <bucket-name> /mnt/s3-bucket -o passwd_file=~/.passwd-s3fs,use_path_request_style -o allow_other -o url=http://<vpc-endpoint-ip>
    

    Info

    Replace <bucket-name> with the S3 bucket name (n2x-demo-bucket in this case) and <vpc-endpoint-ip> with the IP address assigned to the VPC endpoint (10.0.1.137 in this case).

    You might notice a little delay when firing the above command: that’s because S3FS tries to reach Amazon S3 internally for authentication purposes. If you don’t see any errors, your S3 bucket should be mounted on the /mnt/s3-bucket folder.

  6. To verify that the bucket mounted successfully, run mount | grep s3fs in a terminal and check the last entry, as shown in the screenshot below:

    Mount Filesystem

  7. Once mounted, you can interact with the Amazon S3 bucket the same way as with any local folder. You can create a test file in the /mnt/s3-bucket folder:

    cd /mnt/s3-bucket
    echo "Testing bucket" > file.txt
    

    S3 Bucket Local Content

    We can open the AWS console to verify that the bucket content matches the local directory mounted through s3fs.

    S3 Bucket Console Content
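Two details of steps 3 to 5 deserve a closer look: writing the credentials with a shell redirect and fixing the permissions afterwards leaves the secret world-readable under the default umask until chmod runs, and the mount does not survive a reboot. The script below is an added example, not part of the tutorial or of s3fs itself; it creates the credentials file with mode 0600 from the start, builds the tutorial's mount command as an argv list, and produces the equivalent /etc/fstab line (the fuse.s3fs fstab form is s3fs's own syntax, but its use here with the endpoint URL is an assumption the tutorial does not cover). Access key, secret and paths are constructed placeholders.

```python
"""Added example (not part of the n2x.io tutorial): create the s3fs credentials
file with mode 0600 from the moment it exists, and build the mount command and
/etc/fstab entry that point s3fs at the S3 interface endpoint IP. Keys and
paths are constructed placeholders."""
import os
import stat
import tempfile

# Mount options from the tutorial's s3fs command line.
MOUNT_OPTS = ("use_path_request_style", "allow_other")


def write_s3fs_credentials(path, access_key, secret_key):
    """Write ACCESS_KEY:SECRET_KEY to `path`, created with mode 0600.

    The tutorial does `echo ... > ~/.passwd-s3fs` followed by `chmod 600`;
    under the usual umask of 022 the secret is world-readable until the chmod
    runs. Creating the file with os.open, O_CREAT|O_EXCL and mode 0o600 closes
    that window and refuses to overwrite an existing file. Returns the
    resulting permission bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"{access_key}:{secret_key}\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def write_credentials_in_tempdir(access_key, secret_key):
    """Write to a throwaway directory and return (mode, contents) for inspection."""
    path = os.path.join(tempfile.mkdtemp(), "passwd-s3fs")
    mode = write_s3fs_credentials(path, access_key, secret_key)
    with open(path) as f:
        return mode, f.read()


def s3fs_mount_argv(bucket, mountpoint, passwd_file, endpoint_ip):
    """argv for the tutorial's mount command; run it with subprocess as root.

    `url=http://<endpoint-ip>` sends requests straight to the interface
    endpoint's private IP; use_path_request_style is what makes that work
    without a bucket-prefixed hostname.
    """
    opts = ",".join((f"passwd_file={passwd_file}",) + MOUNT_OPTS)
    return ["s3fs", bucket, mountpoint, "-o", opts, "-o", f"url=http://{endpoint_ip}"]


def s3fs_fstab_entry(bucket, mountpoint, passwd_file, endpoint_ip):
    """/etc/fstab line so the bucket is remounted at boot.

    _netdev marks the entry as a network filesystem so it waits for the
    network; whether the n2x0 tunnel is already up at that point depends on
    n2x-node's start order (assumption, not verified here). Use an absolute
    passwd_file path, since fstab does no ~ expansion.
    """
    opts = ",".join(("_netdev", f"passwd_file={passwd_file}") + MOUNT_OPTS
                    + (f"url=http://{endpoint_ip}",))
    return f"{bucket} {mountpoint} fuse.s3fs {opts} 0 0"


if __name__ == "__main__":
    # Constructed placeholder credentials, never real keys.
    mode, contents = write_credentials_in_tempdir("AKIA_EXAMPLE_KEY", "EXAMPLE_SECRET")
    print(f"credentials file mode: {mode:o}, contents: {contents!r}")
    print(" ".join(s3fs_mount_argv("n2x-demo-bucket", "/mnt/s3-bucket",
                                   "/root/.passwd-s3fs", "10.0.1.137")))
    print(s3fs_fstab_entry("n2x-demo-bucket", "/mnt/s3-bucket",
                           "/root/.passwd-s3fs", "10.0.1.137"))
```

Run the script as the user that will own the credentials file; the argv it prints is the same command as in step 5, with the credentials path spelled out absolutely so it also works from fstab, where no shell expands ~.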

Success

That's it! The Amazon S3 bucket is now mounted as a filesystem using an S3 Interface Endpoint.

Conclusion

This article demonstrated how to create an Interface VPC endpoint for Amazon S3, enabling access to S3 buckets from on-premises applications or servers over the n2x.io network topology. While this tutorial focused on S3, the same approach applies to other AWS services that support interface endpoints, such as Amazon RDS, Amazon SQS, and AWS Systems Manager.

Benefits of VPC Endpoints:

  • Enhanced Security: VPC Endpoints prevent exposure of AWS services to the public internet, minimizing security risks.

  • Improved Performance: By keeping traffic within the private network, VPC Endpoints can lead to better network performance and reliability.