I have an EC2 instance in an AWS VPC public subnet.
If an application running on the instance connects to S3 with a Boto3 client, is the traffic routed inside the AWS network even if I don't have a gateway endpoint set in the VPC, or does it go through the Internet?
If to keep traffic in AWS network I need a VPC endpoint, then how can I use a gateway VPC endpoint with a Boto3 client?
2 Answers
Yes, if you do not have S3 gateway nor S3 interface endpoint, traffic to S3 goes over the internet.
You don’t have to do anything if you configure S3 gateway or S3 interface endpoint correctly. This will work seamlessly with boto3.
Well, you can verify yourself from AWS S3 server logs if traffic is coming from a VPC endpoint or the internet (IGW or NAT). If both are configured on your subnet's route table, then the VPC endpoint will take precedence over IGW/NAT. Make sure you attach the correct IAM role for accessing S3 from your EC2.
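The verification step the second answer suggests, as an added example that is not part of either answer: a small parser for S3 server access log lines that classifies each request by the source address S3 recorded. It assumes that a request arriving through a VPC endpoint shows the instance's private VPC address in the Remote IP field, while a request that left through an internet gateway or NAT gateway shows a public address; the log lines, bucket name and owner ID are constructed for the example.

```python
"""Classify S3 server access log entries by the path the request took.

Added example, not from the original post. Assumption: S3 records the
instance's private VPC address as Remote IP when the request arrives
through a VPC endpoint, and the public (IGW/NAT) address otherwise.
All sample data below is constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Bracketed timestamps and double-quoted fields are single tokens.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Zero-based positions of the fields used here in the S3 server access log format.
FIELDS = {
    "bucket": 1,
    "time": 2,
    "remote_ip": 3,
    "operation": 6,
    "key": 7,
    "http_status": 9,
    "user_agent": 16,
}

# Address ranges a VPC can be numbered from: RFC 1918 plus the shared
# address space (100.64.0.0/10) allowed as a secondary VPC CIDR.
VPC_PRIVATE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]

# Constructed sample: two requests from a private address (VPC endpoint path),
# one from a public address (IGW/NAT path; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
EXAMPLEOWNERID DOC-EXAMPLE-BUCKET [06/Feb/2019:00:00:38 +0000] 10.0.1.25 - 3E57427F3EXAMPLE REST.GET.OBJECT report.csv "GET /DOC-EXAMPLE-BUCKET/report.csv HTTP/1.1" 200 - 4096 4096 12 11 "-" "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader DOC-EXAMPLE-BUCKET.s3.us-east-1.amazonaws.com TLSV1.2
EXAMPLEOWNERID DOC-EXAMPLE-BUCKET [06/Feb/2019:00:00:39 +0000] 10.0.1.25 - 891CE47D2EXAMPLE REST.PUT.OBJECT upload.bin "PUT /DOC-EXAMPLE-BUCKET/upload.bin HTTP/1.1" 200 - - 1024 30 28 "-" "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader DOC-EXAMPLE-BUCKET.s3.us-east-1.amazonaws.com TLSV1.2
EXAMPLEOWNERID DOC-EXAMPLE-BUCKET [06/Feb/2019:00:01:02 +0000] 203.0.113.7 - A1206F460EXAMPLE REST.GET.OBJECT report.csv "GET /DOC-EXAMPLE-BUCKET/report.csv HTTP/1.1" 200 - 4096 4096 40 38 "-" "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux" - - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader DOC-EXAMPLE-BUCKET.s3.us-east-1.amazonaws.com TLSV1.2
"""


def parse_access_log_line(line: str) -> Dict[str, str]:
    """Split one log line into the named fields above, with quotes stripped."""
    tokens = _TOKEN.findall(line)
    return {name: tokens[i].strip('"') for name, i in FIELDS.items() if i < len(tokens)}


def classify_path(remote_ip: str) -> str:
    """'vpc-endpoint' for a VPC-private source address, 'internet' for a public one."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return "unknown"
    return "vpc-endpoint" if any(addr in net for net in VPC_PRIVATE_RANGES) else "internet"


def summarize_paths(log_text: str) -> Dict[str, int]:
    """Count requests per path across a whole log; blank lines are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify_path(parse_access_log_line(line)["remote_ip"])] += 1
    return dict(counts)


def internet_requests(log_text: str) -> List[Dict[str, str]]:
    """Entries that left the VPC: the ones to look at when an endpoint is expected."""
    entries = (parse_access_log_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if classify_path(e["remote_ip"]) == "internet"]


if __name__ == "__main__":
    print(summarize_paths(SAMPLE_LOG))
    for entry in internet_requests(SAMPLE_LOG):
        print("via internet:", entry["time"], entry["remote_ip"], entry["operation"], entry["key"])
```

Run it against a downloaded server access log in place of SAMPLE_LOG: once the gateway endpoint is on the subnet's route table, new entries from the instance should all classify as vpc-endpoint, and any remaining internet entries point at a subnet or route table that still sends S3 traffic through the IGW or NAT gateway.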