You can access an S3 bucket in your connected AWS VPC by creating an S3 endpoint.
- Create an S3 endpoint. See Gateway VPC Endpoints and Endpoints for Amazon S3 in the Amazon Virtual Private Cloud User Guide.
    - For Service category, select AWS services.
    - Under Service Name, select the S3 service of type Gateway (its name ends in .s3) whose region-AZ matches the region and AZ your SDDC is in. For example,
    - In the VPC drop-down, select the VPC that is connected to your SDDC.
    - Under Configure route tables, select the Route Table ID where the value in the Main column is Yes. This route table is used by the SDDC and should also be associated with the VPC subnet the SDDC is connected to.
    - Under Policy, select the default Full Access policy or create a more restrictive one. See Endpoints for Amazon S3 in the Amazon Virtual Private Cloud User Guide. Traffic to S3 from the SDDC will have its source IP NATted to an IP from the subnet selected at SDDC deployment, so any policy must allow traffic from that subnet.
    - Click Create Endpoint to create the endpoint and add routes for the S3 public IP ranges in the region to the main route table.
- (Optional) Configure the security group for your connected Amazon VPC to allow outbound traffic to the network segment associated with the VM in your SDDC. The default security group allows this traffic, so you won't need to take this step unless you previously customized the default security group.
    - In the AWS console, select the default Security Group for the Connected Amazon VPC and click the Outbound tab.
    - Click Edit.
    - Click Add Rule.
    - In the Type drop-down menu, select HTTPS.
    - In the Destination text box, select the prefix list associated with the S3 endpoint. You can find this prefix list in the VPC's Managed prefix lists card. If you see multiple prefix lists here, choose the one specific to the region that contains the S3 service you're interested in.
    - Click Save.
- Ensure that access to S3 through the elastic network interface is enabled. By default, S3 access through the elastic network interface in the connected Amazon VPC is enabled. If you disabled this access to allow S3 access through the internet gateway, you must re-enable it.
    - Log in to the VMC Console at https://vmc.vmware.com.
    - Under Service Access, click Enable next to S3 Endpoint.
- From the VMC Console, create a compute gateway firewall rule to allow HTTPS access to the connected Amazon VPC.
    - On the Networking & Security tab, click Gateway Firewall.
    - On the GATEWAY FIREWALL page, click Compute Gateway.
    - Click ADD RULE and add a rule with the following parameters, where Workload-CIDR is the CIDR block of the segment containing the workload VMs that need to access S3.

| Sources | Destinations | Services | Applied To | Action |
| --- | --- | --- | --- | --- |
| Workload-CIDR | S3 Prefixes | HTTPS | VPC Interface | Allow |
Workload VMs in your SDDC can access files in the S3 bucket over an HTTPS connection.
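As an added example (not from the VMware documentation), the following Python builds a restrictive gateway endpoint policy for the Policy step above, in place of the default Full Access policy, and checks an existing policy document for the all-actions, all-resources grant that the default contains. The bucket name is a constructed placeholder; substitute your own.

```python
import json

# Constructed placeholder; replace with the bucket(s) your workload VMs need.
EXAMPLE_BUCKETS = ["example-sddc-bucket"]

# What the console's default "Full Access" endpoint policy grants.
DEFAULT_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "*", "Resource": "*"}],
}


def build_endpoint_policy(buckets, actions=("s3:GetObject", "s3:PutObject",
                                            "s3:ListBucket")):
    """Return a gateway endpoint policy that only allows the given S3 actions
    on the listed buckets. Principal stays "*" because the endpoint policy
    scopes what is reachable through the endpoint; the caller's IAM
    permissions still decide who may perform each action."""
    resources = []
    for bucket in buckets:
        resources.append(f"arn:aws:s3:::{bucket}")       # bucket-level actions
        resources.append(f"arn:aws:s3:::{bucket}/*")     # object-level actions
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictToSddcBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": resources,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_full_access(policy):
    """True if any Allow statement grants every action on every resource,
    i.e. the endpoint does not restrict which buckets are reachable."""
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if any(a in ("*", "s3:*") for a in actions) and "*" in resources:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_endpoint_policy(EXAMPLE_BUCKETS), indent=2))
```

The printed document can be saved and passed as the endpoint's policy document when creating the endpoint; running `is_full_access` over an exported policy flags endpoints still on the default grant.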