How can I configure cross-Region VPC endpoints for AWS services?
Last updated: 2022-03-31
I want to configure cross-Region Amazon Virtual Private Cloud (Amazon VPC) endpoints so that I can access an AWS resource, such as Amazon Simple Storage Service (Amazon S3) buckets, using a private link. How do I do this?
You can deploy resources such as Amazon Elastic Compute Cloud (Amazon EC2), VPC, and Amazon Relational Database Service (Amazon RDS), in different AWS Regions. This deployment aids in high availability of the resources and provides faster data access to users. You can also deploy VPC endpoints to access AWS public resources such as Amazon S3 and Amazon DynamoDB through a private link. However, you can access these VPC endpoints from the same Region only. For example, if you deploy an S3 VPC endpoint in the us-west-2 Region, then you can access S3 buckets in us-west-2 from that VPC endpoint. Traffic to buckets in other Regions will travel over the internet.
Use the following steps to create VPC peering between VPCs to access endpoints in a different Region:
Note: For this example resolution, the following variables are used:
- VPC1 (10.100.10.0/24) is in the us-east-1 Region.
- VPC1 has an S3 endpoint.
- VPC2 (172.16.20.0/24) is in the us-east-2 Region.
- Users in the us-east-2 Region want to access the S3 bucket in us-east-1 using the S3 endpoint in the us-east-1 Region.
Configure VPC peering between VPC1 and VPC2
1. Open the Amazon VPC console. Make sure that you are in the us-east-1 Region.
2. Select VPC peering connections.
3. Select Create peering connection.
4. Enter a Name for the peering connection.
5. For Select a local VPC to peer with, enter the VPC ID (this is the VPC ID for VPC1, in this example).
6. In Select another VPC to peer with, for Account, if the remote VPC belongs to the same account, select My account. If the remote VPC belongs to a different account, select Another account and then enter the Account ID.
7. In Select another VPC to peer with, for Region, select Another Region, and then enter the remote VPC ID that you want (this is the VPC ID for VPC2, in this example).
8. Select Create peering connection. The peering connection status changes to pending acceptance.
9. Change the Region to us-east-2.
10. In the Amazon VPC console, select VPC peering connections.
11. Select Actions, Accept request.
Update the subnet route table and route table target
1. In us-east-1, add a route to the route table of the subnet that holds the endpoint for 172.16.20.0/24 (VPC2), with the peering connection as the target.
2. In us-east-2, add a route to the route table of the users' subnet for 10.100.10.0/24 (VPC1), with the peering connection (pcx-xxxxxxxxxxxxxx) as the target.
Access the S3 bucket
Access the S3 bucket from the remote VPC using the VPC endpoint's FQDN:
aws s3 --region us-east-1 --endpoint-url https://bucket.vpce-xxxxxxxxxxx.s3.us-east-1.vpce.amazonaws.com ls s3://my-bucket/
- The route tables of the local and remote VPC subnets must each have a route to the other VPC's CIDR that targets the peering connection.
- The VPC endpoint permission policy must allow the remote VPC ID.
- Security groups applied to VPC endpoints must allow the remote VPC subnets.
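The following preflight check is an added example, not part of the original article. It encodes the two route-table steps above and the three conditions in this checklist as functions that can be run against the JSON that `describe-route-tables`, `describe-vpc-endpoints` and `describe-security-groups` return. All data in the block is constructed to match the article's example (VPC IDs, the peering connection ID and the endpoint policy are placeholders); the endpoint-policy check assumes the "allow the remote VPC ID" requirement is expressed as an aws:SourceVpc condition, so confirm that against the policy actually attached to the endpoint.

```python
"""Preflight check for an S3 interface endpoint reached cross-Region over VPC peering.

All sample data below is constructed for the article's example and is NOT real
AWS output; the dict shapes follow the relevant fields of describe-route-tables,
describe-vpc-endpoints (PolicyDocument) and describe-security-groups.
"""
import ipaddress
import json

VPC1 = {"id": "vpc-1111", "cidr": "10.100.10.0/24", "region": "us-east-1"}  # has the endpoint
VPC2 = {"id": "vpc-2222", "cidr": "172.16.20.0/24", "region": "us-east-2"}  # remote users
PCX = "pcx-0123456789abcdef0"  # constructed placeholder peering connection ID

# Route tables for the endpoint subnet (VPC1) and the user subnet (VPC2).
ROUTE_TABLES = {
    VPC1["id"]: [
        {"DestinationCidrBlock": "10.100.10.0/24", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "172.16.20.0/24", "VpcPeeringConnectionId": PCX, "State": "active"},
    ],
    VPC2["id"]: [
        {"DestinationCidrBlock": "172.16.20.0/24", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.100.10.0/24", "VpcPeeringConnectionId": PCX, "State": "active"},
    ],
}

# Endpoint policy (assumption: the VPC allow-list is an aws:SourceVpc condition).
ENDPOINT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        "Condition": {"StringEquals": {"aws:SourceVpc": [VPC1["id"], VPC2["id"]]}},
    }],
})

# Security group on the endpoint network interfaces: HTTPS from both VPC CIDRs.
ENDPOINT_SG = {"IpPermissions": [{
    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "10.100.10.0/24"}, {"CidrIp": "172.16.20.0/24"}],
}]}


def has_peer_route(routes, dest_cidr, pcx_id):
    """True if an active route for dest_cidr targets the given peering connection."""
    return any(r.get("DestinationCidrBlock") == dest_cidr
               and r.get("VpcPeeringConnectionId") == pcx_id
               and r.get("State") == "active" for r in routes)


def policy_allows_vpc(policy_json, vpc_id):
    """True if an Allow statement lists vpc_id under aws:SourceVpc, or carries no VPC condition."""
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        allowed = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceVpc")
        if allowed is None:
            return True  # this statement does not restrict by VPC
        if isinstance(allowed, str):
            allowed = [allowed]
        if vpc_id in allowed:
            return True
    return False


def sg_allows_https_from(sg, cidr):
    """True if an inbound rule covers TCP/443 from the whole cidr."""
    net = ipaddress.ip_network(cidr)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("tcp", "-1"):
            continue
        if perm["IpProtocol"] == "tcp" and not (perm["FromPort"] <= 443 <= perm["ToPort"]):
            continue
        for rng in perm.get("IpRanges", []):
            if net.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def preflight(local, remote, pcx_id, route_tables, policy_json, sg):
    """Return the failed checks; an empty list means all three conditions hold."""
    failures = []
    if not has_peer_route(route_tables[local["id"]], remote["cidr"], pcx_id):
        failures.append(f"{local['id']}: no route to {remote['cidr']} via {pcx_id}")
    if not has_peer_route(route_tables[remote["id"]], local["cidr"], pcx_id):
        failures.append(f"{remote['id']}: no route to {local['cidr']} via {pcx_id}")
    if not policy_allows_vpc(policy_json, remote["id"]):
        failures.append(f"endpoint policy does not allow aws:SourceVpc {remote['id']}")
    if not sg_allows_https_from(sg, remote["cidr"]):
        failures.append(f"endpoint security group does not allow TCP/443 from {remote['cidr']}")
    return failures


if __name__ == "__main__":
    result = preflight(VPC1, VPC2, PCX, ROUTE_TABLES, ENDPOINT_POLICY, ENDPOINT_SG)
    for line in result or ["all checks passed"]:
        print(line)
```

Replace the constructed dicts with the parsed output of the corresponding describe calls in each Region (route tables for VPC1 from us-east-1, for VPC2 from us-east-2) and run `preflight` before testing the `aws s3 --endpoint-url` command; a non-empty result names which of the three conditions is missing, which is quicker than diagnosing a hanging TLS connection.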