S3 VPC endpoint vs Gateway endpoint

[vinodache]

Hi, Now that S3 supports VPC endpoint, for the below question should the answer be updated?

Category: CSAA – Design Secure Applications and Architectures

A local bank has an in-house application which handles sensitive financial data in a private subnet. After the data is processed by the EC2 worker instances, they will be delivered to S3 for ingestion by other services.

How should you design this solution so that the data does not pass through the public Internet?

In General, how do we decide to choose between VPC endpoint and gateway endpoint for S3 if both these options are available?

[Carlo-TutorialsDojo]

Hello vinodache,

Thanks for your feedback. Yes. This question needs to be updated. Without any further conditions in the scenario, both the VPC interface endpoint and gateway endpoint is a valid answer, so we’ll need to work on that.

In General, how do we decide to choose between the VPC endpoint and gateway endpoint for S3 if both these options are available?

>> One of the key factors is cost. You don’t pay for gateway endpoints (only for data transfer), but you are charged per hour for every provisioned VPC interface endpoint. Also, Gate endpoints are scoped within a region, meaning it does not allow access from another AWS region. On the other hand, you can reach an interface endpoint from another region.

I hope this is helpful. Let me know if you have any other queries.

Regards,

Carlo @ Tutorials Dojo

[vinodache]

Great. Thanks Carlo.