S3 connectivity through the Connected VPC requires an S3 Endpoint to be deployed in the Connected VPC and configured on the main route table.

See the VMware Cloud Tech Zone article Designlet: VMware Cloud on AWS Connected VPC to Native AWS for more information.

Procedure

  1. Create an S3 endpoint.
    See Gateway VPC Endpoints and Endpoints for Amazon S3 in the Amazon Virtual Private Cloud User Guide.
    1. For Service category, select AWS services.
    2. Under Service Name, select a com.amazonaws.region-AZ.s3 service of type Gateway where region-AZ matches the region and AZ your SDDC is in. For example, com.amazonaws.us-west-2.s3.
    3. In the VPC drop down, select the VPC that is connected to your SDDC.
    4. Under Configure route tables, select the Route Table ID where the value in the Main column is Yes. This Route Table is used by the SDDC and should also be associated with the VPC subnet the SDDC is connected to.
      AWS services or instances that communicate with the SDDC must either be associated with the main route table or with a custom route table that has the Managed Prefix List for the Connected VPC added to it. See "Routing Between Your SDDC and the Connected VPC" in NSX Networking Concepts for information about how you can use an AWS Managed Prefix List to simplify maintenance of this route table when you create or delete routed network segments connected to the default CGW.
    5. Under Policy, select the default Full Access policy or create a more restrictive one. See Endpoints for Amazon S3 in the Amazon Virtual Private Cloud User Guide. Traffic to S3 from the SDDC will have its source IP NATted to an IP from the subnet selected at SDDC deployment, so any policy must allow traffic from that subnet.
    6. Click Create Endpoint to create the endpoint and add routes for the S3 public IP ranges in the region to the main route table.
  2. (Optional) Configure the security group for your connected Amazon VPC to allow outbound traffic to the network segment associated with the VM in your SDDC.
    The default security group allows this traffic, so you won't need to take this step unless you previously customized the default security group.
    1. In the AWS console, select the default Security Group for the Connected Amazon VPC and click the Outbound tab.
    2. Click Edit.
    3. Click Add Rule.
    4. In the Type dropdown menu, select HTTPS.
    5. In the Destination text box, select the prefix list associated with the S3 endpoint.
      You can find this prefix list in the VPC's Managed prefix lists card. If you see multiple prefix lists here, choose one that is specific to the region that contains the S3 service you're interested in.
    6. Click Save.
  3. Ensure that access to S3 through the elastic network interface is enabled.
    By default, S3 access through the elastic network interface in the connected Amazon VPC is enabled. If you disabled this access to allow S3 access through the internet gateway, you must re-enable it.
    1. Log in to the VMware Cloud Console at https://vmc.vmware.com.
    2. Click > Connected VPC
    3. Under Service Access, click Enable next to S3 Endpoint.
  4. Use the workflow defined in Add or Modify Compute Gateway Firewall Rules to create a compute gateway firewall rule to allow HTTPS access to the connected Amazon VPC.

    This example shows how to use NSX Manager to create inventory groups and firewall rules. You can also use the VMware Cloud Console Networking & Security tab for this workflow. See SDDC Network Administration with NSX Manager.

    1. On the Gateway Firewall page, click Compute Gateway.
    2. Click ADD RULE and add a rule with the following parameters, where Workload-CIDR is the CIDR block of the segment that hosts the workload VMs that need to access S3.

      Sources         Destinations   Services   Applied To      Action
      Workload-CIDR   S3 Prefixes    HTTPS      VPC Interface   Allow
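As an added example (not part of the original VMware procedure), the checks and the restrictive endpoint policy from step 1 expressed in Python: find the main route table, confirm it carries a prefix-list route to a gateway endpoint (what Create Endpoint adds in step 1.6), and build an endpoint policy that only admits the SDDC NAT subnet to one bucket. The route-table data, resource IDs, subnet and bucket name are constructed sample values; `aws:VpcSourceIp` is the condition key that sees the private source address of requests arriving through a VPC endpoint.

```python
import json
import ipaddress

# Constructed sample of `aws ec2 describe-route-tables` output (hypothetical IDs, trimmed).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa",
     "Associations": [{"Main": True, "RouteTableId": "rtb-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-0bbb", "GatewayId": "vpce-0ccc"}]},
    {"RouteTableId": "rtb-0ddd",
     "Associations": [{"Main": False, "RouteTableId": "rtb-0ddd", "SubnetId": "subnet-0eee"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}]},
]


def main_route_table(route_tables):
    """Return the table whose association has Main == True (the one step 1.4 selects)."""
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def has_s3_gateway_route(rt):
    """True if the table has a prefix-list route pointing at a gateway endpoint (step 1.6)."""
    return any("DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")
               for r in rt.get("Routes", []))


def endpoint_policy(nat_subnet, bucket_arn):
    """Restrictive endpoint policy for step 1.5: only the SDDC NAT subnet, only one bucket.
    nat_subnet is the subnet chosen at SDDC deployment (constructed value in the usage below)."""
    ipaddress.ip_network(nat_subnet, strict=True)  # reject a malformed or host-bits CIDR early
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "SddcNatSubnetToBucketOnly", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [bucket_arn, bucket_arn + "/*"],
        "Condition": {"IpAddress": {"aws:VpcSourceIp": nat_subnet}}}]}


if __name__ == "__main__":
    rt = main_route_table(ROUTE_TABLES)
    print(rt["RouteTableId"], "has S3 gateway route:", has_s3_gateway_route(rt))
    print(json.dumps(endpoint_policy("172.31.10.0/24", "arn:aws:s3:::example-bucket"), indent=2))
```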

Results

Workload VMs in your SDDC can access files in the S3 bucket over an HTTPS connection.