Getting started with Amazon S3 Multi-Region Access Points


Module 7: VPC endpoints

You will learn how to create a VPC endpoint to use with your Multi-Region Access Point.

Understanding use cases for VPC endpoints

Creating a com.amazonaws.s3-global.accesspoint VPC interface endpoint in a subnet configures an interface with an IP address in that subnet, which DNS will resolve so that it is automatically used when accessing an Amazon S3 Multi-Region Access Point. This allows you to route traffic to an Amazon S3 Multi-Region Access Point with AWS PrivateLink, which has the following use cases:

  1. Access an S3 Multi-Region Access Point from private IP addresses within a VPC:
    Accessing S3 public endpoints from private IP ranges requires Network Address Translation.
  2. Routing to and from on-premises environments: When connected with AWS Direct Connect or AWS VPN.
  3. Simplifying cross-Region access to Amazon S3: For example, if you have an S3 bucket in one AWS Region and compute resources across multiple Regions, you would need to set up VPC peering to use PrivateLink. With an S3 Multi-Region Access Point in front of the S3 bucket and s3-global VPC endpoints local to the compute, there is no need for VPC peering.

Note: S3 Multi-Region Access Points cannot be accessed via any other type of VPC endpoint than com.amazonaws.s3-global.accesspoint. In addition, accessing Amazon S3 directly from Amazon EC2 does not incur Data Transfer OUT From Amazon EC2 To Internet or Data Transfer OUT From Amazon S3 To Internet charges, including when S3 buckets are accessed through an S3 Multi-Region Access Point.

 Time to complete

10 minutes


If you wish to create a VPC endpoint to use with your Multi-Region Access Point, follow these optional steps.

7.1 - Create a VPC endpoint

Note: For testing, you will need an EC2 instance, as well as the VPC and subnet IDs for the instance, which are outside the scope of this guide. See this tutorial for more information.

  • In a new browser tab, navigate to the Amazon VPC console.
  • In the left-hand navigation, choose Endpoints.
  • Select Create endpoint.

7.2 - Endpoint settings

  • For Endpoint settings, enter a Name tag - optional.
  • For Service category, choose AWS services.
  • In the Services section, in the Filter services search bar, enter S3. Then, choose com.amazonaws.s3-global.accesspoint.

7.3 - Network configuration

  • For VPC, select the VPC your EC2 instance is in.
  • For Subnets, select the subnet your EC2 instance is in.
  • For Security group, select the security groups to associate with the endpoint network interfaces.
    • The security group rules must allow resources that will use the VPC endpoint to communicate with the AWS service to communicate with the endpoint network interface.
    • For this use case, a rule is required to explicitly allow HTTPS (TCP 443) from your compute resources to the endpoint, even if they are in the same security group.
  • For Policy, select Full access to allow all operations by all principals on all resources over the VPC endpoint.
    • Otherwise, select Custom to attach a VPC endpoint policy that controls the permissions that principals have for performing actions on resources over the VPC endpoint.
  • (Optional) To add a tag, select Add new tag and enter the tag key and the tag value.
  • Then, select Create endpoint.
  • The Status of the endpoint will be Pending for a few minutes while the interface is created in your subnet(s).
  • Once created, a DNS query from an EC2 instance within your subnet(s) for should resolve to an IP address within that subnet.


In this module, you learned how create a VPC endpoint.

You are now ready to learn how to monitor S3 Replication and requests.

Monitoring S3 Replication and Requests