AWS has announced that PrivateLink for Amazon S3 is now generally available (GA). With PrivateLink for Amazon S3, customers can connect on-premises resources to Amazon S3 over private connectivity.
At AWS re:Invent last year, the public cloud provider pre-announced PrivateLink for Amazon S3, and it is now GA. The feature gives customers private connectivity between Amazon Simple Storage Service (S3) and on-premises resources using private IPs from their virtual network. S3 has offered a VPC gateway endpoint since 2015; however, that endpoint did not let AWS users reach S3 from on-premises over private connections such as AWS Direct Connect or AWS VPN. According to a blog post by Martin Beeby, principal advocate for Amazon Web Services, some users therefore set up proxy servers with private IP addresses in their Amazon Virtual Private Clouds and relayed traffic through the gateway endpoints for S3:
While this solution works, proxy servers typically constrain performance, add additional points of failure, and increase operational complexity. We looked at how we could solve this problem for our customers without these drawbacks, and PrivateLink for S3 is the result.
With PrivateLink for S3, users can now create an interface VPC endpoint in their Virtual Private Cloud and reach S3 directly as a private endpoint inside their virtual network. It complements the existing gateway endpoints by letting users access S3 over private IP addresses: API requests and HTTPS requests to S3 from on-premises applications are routed through the interface endpoints. In addition, users can attach security groups and access control policies to their interface endpoints.
Source: https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/
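The access controls mentioned above are where the security value of an interface endpoint lies. The following added example (not code from the AWS post) builds a least-privilege endpoint policy for an S3 interface endpoint, the matching bucket policy that rejects requests not arriving through that endpoint via the `aws:SourceVpce` condition key, and a small audit check that flags the default wide-open endpoint policy; the endpoint id and bucket name are constructed placeholders.

```python
"""Added example: endpoint policy, bucket policy and audit check for an
S3 interface endpoint. Not from the AWS announcement; ids are placeholders."""
import json

# Constructed placeholder; substitute the id of your own interface endpoint.
VPCE_ID = "vpce-0123456789abcdef0"


def bucket_arns(bucket):
    """Both the bucket ARN (for ListBucket) and its object ARN (for GetObject)."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def endpoint_policy(buckets, actions=("s3:GetObject", "s3:ListBucket")):
    """Endpoint policy scoped to named buckets instead of the default Allow *."""
    resources = [arn for b in buckets for arn in bucket_arns(b)]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowListedBucketsOnly", "Effect": "Allow", "Principal": "*",
        "Action": list(actions), "Resource": resources}]}


def bucket_policy(bucket, vpce_id=VPCE_ID):
    """Bucket policy: deny any request that did not come through the endpoint."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromInterfaceEndpoint", "Effect": "Deny",
        "Principal": "*", "Action": "s3:*", "Resource": bucket_arns(bucket),
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}


def is_wide_open(policy):
    """Audit check: True if any statement is the default Allow * on * for *."""
    for st in policy.get("Statement", []):
        if (st.get("Effect") == "Allow" and st.get("Principal") == "*"
                and st.get("Action") in ("*", ["*"])
                and st.get("Resource") in ("*", ["*"])):
            return True
    return False


if __name__ == "__main__":
    # Constructed bucket name; the JSON can be passed to --policy-document.
    print(json.dumps(endpoint_policy(["example-bucket"]), indent=2))
    print(json.dumps(bucket_policy("example-bucket"), indent=2))
```

The deny statement also blocks access from the AWS console and from any principal outside the endpoint, so add explicit exceptions for administrative roles before applying it to a production bucket.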
Other cloud providers have similar offerings that let on-premises users connect privately to a cloud storage service. Microsoft's Azure Private Link has provided private endpoint support for Azure Storage since March 2020, and Google offers private access options that include Cloud Storage.
Respondents on a Reddit thread welcomed the availability of PrivateLink for S3:
This is for the specific case where you're on-prem and want a private route direct to S3 over your Direct Connect. Previously the best you could do was point it at an EC2 proxy and forward it along via the existing VPC endpoint... not really ideal. Or go over the public internet... really not ideal either.
And:
Some organizations cannot configure split routing in their networks, so they cannot use the Gateway endpoint. This way, they can use it on the PrivateLink interface.
In addition, Daniel Hillinger, senior consultant and trainer at Trivadis, stated in a tweet:
Last night, a great announcement by AWS - S3 interface endpoint! Especially by security-bound customers, this was long-awaited as the public IPs must be whitelisted and regularly updated in the NACLs for the S3 gateway endpoint.
Note that the feature is only useful if users need access to S3 from on-premises; otherwise, as stated in the same Reddit thread:
If you don't need access from on-prem to S3, don't use it; the S3 gateway endpoint is free, while this one can be expensive.
PrivateLink for S3 is currently available in all AWS regions, priced per GB of data processed plus an hourly charge for each interface VPC endpoint.