Tags: amazon-web-services, dns, amazon-vpc, vpc-endpoint, aws-networking

VPC Interface Endpoint is accessible from subnets which aren't associated with it


I'm trying to access S3 using an interface VPC Endpoint but I have a technical issue which I can't solve.

I have a VPC with the following subnets:

  1. Subnet A (Private without Internet)
  2. Subnet B (Private without Internet)
  3. Subnet C (Public with Internet Gateway)
  4. Subnet D (Private with NAT)

I have two instances:

  1. i-01 (Subnet A)
  2. i-02 (Subnet D)

I have an interface VPC Endpoint for Subnets A and B, and Private DNS is enabled.

The issue is that when I dig the endpoint s3.us-east-1.amazonaws.com in both instances it returns the VPC Endpoint's IPs.

Expected behavior: instance i-01 returns the VPC Endpoint's IPs and instance i-02 returns the public regional IP.

Am I understanding the interface concept wrong, or is the expected behavior what should happen?

And if I'm understanding it wrong, how do I separate the subnets that use the interface endpoint from those that use the public IP?


Solution

  • Am I understanding the interface concept wrong, or is the expected behavior what should happen?

    Yes, you have the concept wrong. Interface endpoints have VPC-scope, not subnet-scope. This means that all instances in a given VPC will use the interface endpoints, regardless of which subnets they are in.

    To solve this, disable Private DNS and manually in the instance specify the endpoint of the interface for the instance which should use it.
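The following is an added example, not code from the question or the answer. It does two things a practitioner would want at this point: it classifies a `dig` result against the VPC CIDR so you can tell from a script whether an instance is being steered to the interface endpoint (Private DNS handed back addresses inside the VPC) or to S3's public addresses, and it builds the endpoint-specific S3 URL you point the SDK or CLI at once Private DNS is disabled, using the `bucket.<vpce-id>.s3.<region>.vpce.amazonaws.com` form AWS documents for S3 interface endpoints. The VPC CIDR, the resolved addresses and the `vpce-0123456789abcdef0` endpoint ID are all constructed placeholders, not values from the question.

```python
import ipaddress
import socket
from typing import Iterable, List

# Constructed sample data (not from the question): the VPC's CIDR and the A
# records each instance got back from `dig s3.us-east-1.amazonaws.com`.
VPC_CIDR = "10.0.0.0/16"
DIG_FROM_I01 = ["10.0.1.23", "10.0.2.45"]       # interface-endpoint ENI addresses
DIG_FROM_I02 = ["10.0.1.23", "10.0.2.45"]       # identical: Private DNS is VPC-wide
DIG_PUBLIC = ["203.0.113.10", "203.0.113.11"]   # RFC 5737 range standing in for S3's public IPs


def classify_resolution(ips: Iterable[str], vpc_cidr: str) -> str:
    """Say where a hostname resolved to, relative to the VPC.

    'interface-endpoint' : every address lies inside the VPC CIDR, i.e. Private
                           DNS returned the endpoint's ENI addresses
    'public'             : no address lies inside the VPC
    'mixed'              : some of each; not expected, worth investigating
    'none'               : empty answer
    """
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    if not addrs:
        return "none"
    inside = sum(1 for a in addrs if a in net)
    if inside == len(addrs):
        return "interface-endpoint"
    if inside == 0:
        return "public"
    return "mixed"


def expectation_met(instance_role: str, ips: Iterable[str], vpc_cidr: str) -> bool:
    """Check an instance against the behaviour the asker expected: 'endpoint'
    instances (Subnet A) should see endpoint IPs, 'public' ones (Subnet D)
    should see S3's public IPs."""
    wanted = "interface-endpoint" if instance_role == "endpoint" else "public"
    return classify_resolution(ips, vpc_cidr) == wanted


def resolve_ipv4(hostname: str, port: int = 443) -> List[str]:
    """Live equivalent of `dig`; only meaningful when run on an actual instance."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def s3_interface_endpoint_url(vpce_id: str, region: str) -> str:
    """Endpoint-specific URL for an S3 interface endpoint. With Private DNS off,
    the instances that should use the endpoint pass this as endpoint_url in the
    SDK (or --endpoint-url on the CLI); everything else keeps resolving the
    public regional name."""
    return f"https://bucket.{vpce_id}.s3.{region}.vpce.amazonaws.com"


if __name__ == "__main__":
    # Offline run over the constructed dig results; shows why both instances
    # looked the same in the question.
    for name, role, ips in [("i-01", "endpoint", DIG_FROM_I01),
                            ("i-02", "public", DIG_FROM_I02)]:
        print(name, classify_resolution(ips, VPC_CIDR),
              "expected" if expectation_met(role, ips, VPC_CIDR) else "NOT expected")
    # Placeholder endpoint ID; substitute the real vpce-... ID from the console.
    print(s3_interface_endpoint_url("vpce-0123456789abcdef0", "us-east-1"))
```

Run on the constructed data, `i-02` comes out as "interface-endpoint, NOT expected", which is exactly the symptom in the question; after disabling Private DNS, `i-02` would classify as "public" and `i-01` reaches S3 only through the URL the last function builds.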