7

Am I doing something wrong, or are AWS VPC EC2 instances not able to reach any of the AWS managed services (S3/SNS/SQS) without a public route to the Internet Gateway in the route table?

I was told here, in "Aws vpc default route table in CloudFormation", that the AWS VPC default route table has no public route by default, so it can "protect" the VPC.

But if I can't access AWS services without a public route... that just defeats the purpose, as I would practically be adding a public route to all the route tables?

Sleeper Smith
  • 503
  • 1
  • 4
  • 11

4 Answers

9

Am I doing something wrong, or are AWS VPC EC2 instances not able to reach any of the AWS managed services (S3/SNS/SQS) without a public route to the Internet Gateway in the route table?

That's correct. If you need to use those services, your instances will need EIPs or public IPs or you'll need a NAT host in your VPC. A VPC is truly private, and it operates in the same manner a well-maintained corporate network does: only allowing traffic that you explicitly allow.

It's worth noting: managed services like RDS, Elasticache, Redshift, etc, can indeed run within your VPC.

J. Lawson
  • 86
  • 10
EEAA
  • 108,414
  • 18
  • 172
  • 242
  • This answer was correct when written, but not any more. S3, SNS, and SQS can now all be accessed from VPCs without public IPs or NAT, by using [VPC endpoints](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html). – markusk Jan 11 '19 at 13:44
8

AWS has added VPC endpoints for various services, including S3 (2015), EC2 (2017), SNS (2018), and SQS (2018), which lets you use those services without public Internet access.

markusk
  • 485
  • 6
  • 9
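As an added example (not from any of the answers), here is how the endpoint approach looks in CloudFormation, which the question is working in: a gateway endpoint for S3 wired into a private route table, and an interface endpoint for SQS placed in a private subnet. The logical names `PrivateVpc`, `PrivateRouteTable`, `PrivateSubnet`, `EndpointSecurityGroup` and the bucket name are assumed placeholders.

```yaml
# Added example: VPC endpoints for S3 and SQS so private-subnet instances
# reach both services with no Internet Gateway route and no NAT.
# Resource names and the bucket name are placeholders, not values from the thread.
Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref PrivateVpc
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcEndpointType: Gateway
      # A gateway endpoint installs a prefix-list route in each listed
      # route table, so only subnets using PrivateRouteTable reach S3
      # through it; the table keeps no 0.0.0.0/0 route at all.
      RouteTableIds:
        - !Ref PrivateRouteTable
      # Without a policy the endpoint allows traffic to any bucket in the
      # region, including buckets in other accounts. Scoping it limits what
      # a compromised instance in the private subnet could read or write.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:ListBucket
            Resource:
              - arn:aws:s3:::example-app-bucket      # placeholder
              - arn:aws:s3:::example-app-bucket/*    # placeholder

  SqsInterfaceEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref PrivateVpc
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sqs
      VpcEndpointType: Interface
      # SNS and SQS use interface endpoints: ENIs created in your subnets.
      # PrivateDnsEnabled makes the normal regional SQS hostname resolve to
      # those ENIs from inside the VPC, so SDK clients need no config change.
      SubnetIds:
        - !Ref PrivateSubnet
      PrivateDnsEnabled: true
      # The ENI's security group decides which instances may talk to SQS;
      # allow inbound 443 only from the instances that need the queue.
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
```

The route-table association is what answers the original question: the private table never gets an Internet Gateway route, yet the instances behind it still reach S3 and SQS.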
1

VPC with Public and Private Subnets (NAT)

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.

The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can't. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can't. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot initiate connections to the database servers.

Note

You can also use the VPC wizard to configure a VPC with a NAT instance; however, we recommend that you use a NAT gateway. For more information, see NAT Gateways.

0

Usually a Lambda function cannot access private networks inside VPCs, but it can be set up to have access to the private network: Setting Lambda functions to be able to access a private VPC

Then, with the following method, you can use Lambda as a proxy to whatever is inside the private network. This way you don't need to provide any public access to your resources. You generate a public API Gateway, and it provides access to the internal private resources through the Lambda proxies.

Setting Lambda as an API Gateway proxy

It is also important to remember that even when you have a public network with a public gateway, you limit the traffic at each one of your resources using security groups and network ACLs. So you end up, at the least, with a setup that is quite controlled.

  • Please do not post link-only answers to prevent link rot. Instead, add the most relevant information from the link to your answer or alternatively, post the link as a comment instead of an answer. See [this](http://serverfault.com/help/how-to-answer) help center article for further information. – Sven Dec 11 '16 at 13:40