BY Vincent Barida

AWS S3 and Amazon DynamoDB are flagship services offered by AWS. To connect to these services you formerly had just two options:

(1) a public bucket, which is exposed to the public internet

(2) a private bucket, which mandates building an expensive dedicated network solution like AWS Direct Connect (extending VPC endpoints outside the VPC via VPN is not supported).

AWS recently released VPC Endpoints, allowing you to build connectivity between your VPC and PaaS services like S3 and DynamoDB, but these were only reachable from outside AWS via a dedicated network (expensive MPLS-based Direct Connect). Now, with NetFoundry, you can extend this VPC Endpoint connection to private S3 buckets and get zero trust network access over the Internet: Zero Trust, least privileged access for your users, admins, branch offices, private datacentres and public clouds.

In this blog post, I will describe how you can spin up this highly secure and performant connectivity in minutes using cloud-native tools, without the costs and complexity of a Direct Connect solution:

1- Log in to the NetFoundry console and create an AWS NetFoundry Gateway

2- Deploy the NetFoundry gateway in a VPC. This VPC will act as a transit VPC to reach your S3 bucket. You can use any of these methods to deploy the gateway:

  • Use the CloudFormation link from the NetFoundry console (note: you must select a public subnet to use this script)
  • Download the NetFoundry image from the AWS Marketplace and deploy it following the usage instructions
  • Lastly, you can refer to the end of this blog to use the dedicated CloudFormation script that builds the full AWS stack described in the diagram

3- Identify the destination IP addresses used by your PaaS service.

NetFoundry routes data based on destination IP and port. AWS regularly publishes a file listing the IP prefixes used by each service in each region. Use the IP ranges used by AWS S3 in the region you want to reach; AWS provides full instructions for doing so with the AWS CLI and the file linked below:

For this example the bucket was created in eu-west-3, and the IP addresses were extracted from the JSON file.

Alternatively, you can execute the following Python script (Python 3) to get the CIDR blocks you require.

In this example, I'm looking for the CIDR blocks for S3 in eu-west-3, and the script returns the following IP ranges:
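As an added example (my own code, not the author's script, which is not reproduced on this page), the following Python 3 code filters the AWS ip-ranges.json feed down to the IPv4 CIDR blocks tagged for one service in one region, which is exactly what NetFoundry needs as host-service destinations. The embedded feed is a constructed stand-in that keeps the real file's keys but uses RFC 5737 documentation ranges; `fetch_feed` is an assumed helper for pulling the live file and is not called by the offline demo.

```python
"""Extract the CIDR blocks for one AWS service in one region from ip-ranges.json."""
import json
import urllib.request
from typing import List

# Public AWS feed of IP prefixes per service and region.
IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed stand-in for the real feed: same shape, but RFC 5737 documentation
# ranges instead of live AWS prefixes (these are NOT real S3 addresses).
SAMPLE_FEED = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24",    "region": "eu-west-3", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-3", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-2", "service": "S3"},
        {"ip_prefix": "192.0.2.128/25",  "region": "eu-west-3", "service": "S3"},
    ],
    "ipv6_prefixes": [],
})


def service_cidrs(feed_json: str, region: str, service: str = "S3") -> List[str]:
    """Return the IPv4 CIDRs tagged for `service` in `region`, de-duplicated and sorted.

    Only entries whose `service` field matches are returned; the broader "AMAZON"
    entries are a superset and would over-expose the AppWAN if used for S3.
    """
    feed = json.loads(feed_json)
    found = {
        entry["ip_prefix"]
        for entry in feed.get("prefixes", [])
        if entry.get("region") == region and entry.get("service") == service
    }
    return sorted(found)


def fetch_feed(url: str = IP_RANGES_URL, timeout: int = 10) -> str:
    """Download the live feed (requires Internet access; unused by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo on the constructed feed; swap in fetch_feed() for live data.
    for cidr in service_cidrs(SAMPLE_FEED, "eu-west-3"):
        print(cidr)
```

Because the feed changes over time (its syncToken increments), re-run this against the live file and update the NetFoundry host services whenever new S3 prefixes appear, otherwise traffic to a new prefix falls outside the AppWAN.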

4- Create the services in the NetFoundry console

I will use these CIDR blocks to define the services in the NetFoundry console. In my case I will add four new network host services for AWS S3 in US-EAST-2.

5- Create the AppWAN in the NetFoundry console

You need to link the components together by associating the client and the services you've created into an AppWAN. This AppWAN provides application-level micro-segmentation, least privileged access and Zero Trust network access.

6- For full end-to-end secure connectivity, add the VPC Endpoint functionality to create a private connection between the NF Gateway and Amazon S3

From the VPC Dashboard you can create a VPC Endpoint (Gateway type) for S3 or DynamoDB.

7- For additional security, it is possible to restrict access to the bucket to the NF/VPC Endpoint route only

The following

Note: this will restrict access to the NF route ONLY (the bucket will no longer be reachable through the console).

Don't fancy building the components in the AWS console? You can use one of the two following CloudFormation templates to build a new VPC to secure your S3 traffic:

The following template achieves a higher level of security by using a NAT Gateway for Internet access and placing the NetFoundry gateway in a private subnet.

With NetFoundry, you can in a few steps create your own Zero Trust, private network access to S3 via the Internet. This significantly reduces the attack surface when using AWS S3, improves throughput by 24% to 63% compared to MPLS or VPN, and saves you the costs, complexity and limitations of MPLS.