AWS VPC internet gateway and AWS services

Question

Am I doing something wrong or is the AWS VPC ec2 instances not able to reach any of the AWS managed services (s3/sns/sqs) without a public route to the Internet Gateway in the routetable?

I was told here Aws vpc default route table in CloudFormation that AWS VPC default routetable has no public route by default so it can "protect" the VPC.

But if I can't access AWS services without a public route... That just defeats the purpose as I would be practically adding public route to all the routetables?

Answer 1

Am I doing something wrong or is the AWS VPC ec2 instances not able to reach any of the AWS managed services (s3/sns/sqs) without a public route to the Internet Gateway in the routetable?

That's correct. If you need to use those services, your instances will need EIPs or public IPs or you'll need a NAT host in your VPC. A VPC is truly private, and it operates in the same manner a well-maintained corporate network does: only allowing traffic that you explicitly allow.

It's worth noting: managed services like RDS, Elasticache, Redshift, etc, can indeed run within your VPC.

Answer 2

AWS has added VPC endpoints for various services, including S3 (2015), EC2 (2017), SNS (2018), and SQS (2018), which lets you use those services without public Internet access.

• New – VPC Endpoint for Amazon S3 (AWS Blog)
• New – AWS PrivateLink for AWS Services: Kinesis, Service Catalog, EC2 Systems Manager, Amazon EC2 APIs, and ELB APIs in your VPC (AWS Blog)
• Amazon Simple Notification Service (SNS) now Supports AWS PrivateLink (What's New with AWS)
• Amazon SQS now Supports Amazon VPC Endpoints using AWS PrivateLink
• AWS VPC User Guide: VPC Endpoints

Answer 3

VPC with Public and Private Subnets (NAT)

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.

The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can't. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can't. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot initiate connections to the database servers.

Note

You can also use the VPC wizard to configure a VPC with a NAT instance; however, we recommend that you use a NAT gateway. For more information, see NAT Gateways.

Answer 4

Usually Lambda function cannot access private networks inside VPCs. But they can be setup have access to the private network. Setting Lambda functions to be able to access a private VPC

Then with the following method you can use Lambda as a proxy to whatever is inside the private network. This way you don't need to provide any public access to your resources. You generate a public API gateway and it through the Lambda proxies provides access to the internal private resources.

Setting Lambda as an API Gateway proxy

It is also important to remember that even when you have a public network with a public gateway you limit the traffic at each one of your resources using Security groups and Network ACLs. So you end up with least with a setup that is quite controlled.