Why are s3 gateway endpoints free


I have an EC2 instance in a public subnet and will be uploading data to an S3 bucket. I understand that while this traffic traverses the internet gateway, it does not leave the AWS network. Reference: https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html

Now I am creating an S3 gateway endpoint (modifying the route table to send traffic through it). I also try creating an S3 interface endpoint. I measure that the time it takes to upload a 250MB file is the same in both cases (gateway endpoint and interface endpoint).

I am unable to understand two points:

  1. If traffic does NOT leave the AWS network even though an Internet gateway is used, in this case, is there any security benefit?

  2. When using PrivateLink, I understand that the traffic goes through Hyperplane, which is why I get increased upload speed. https://www.youtube.com/watch?v=8gc2DgBqo9U&t=2010s And AWS is charging for the interface endpoint.

    However, I don't understand why S3 gateway endpoints are free. Does it not use Hyperplane? Is it less performant or resilient?

2

There are 2 answers

12
ChildishGirl On

You have three options for uploading data from EC2 to S3, by using:

  1. Internet gateway: in this case, traffic DOES leave your VPC and goes over the AWS network. It's less secure and slower.
  2. Interface endpoint: traffic DOES NOT leave your VPC and goes directly to service. It's secure and fast, but it isn't free.
  3. Gateway endpoint: traffic DOES NOT leave your VPC and goes directly to service. It's secure, fast and free, though you are limited to DynamoDB and S3 services.

Both interface endpoint and gateway endpoint use AWS PrivateLink (Hyperplane) technology.

I think the difference in pricing is related to the difference in the nature of the services' deployment:

  • Interface endpoint is basically a separate ENI in a subnet, whereas
  • Gateway endpoint is an attachment at the VPC level which is used for accepting S3/DynamoDB traffic.

Interface endpoints, as ENIs, get an IP address allocated and are under your (customer) control. Hence, you are consuming AWS network resources.

At the same time, the underlying network resources for Gateway endpoints are not exposed to you (the customer); hence you, as a customer, do not reserve any AWS resources and there is nothing to be charged for.
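The answer above frames the choice as secure vs. less secure. Where the endpoint actually changes the security picture is in access control, not in the packet path: a request that reaches S3 through an internet gateway carries no VPC identity, so a bucket policy cannot tell it apart from any other request arriving from the public internet, while a request through a gateway or interface endpoint carries the aws:SourceVpce and aws:SourceVpc condition keys that both the bucket policy and the endpoint policy can key on. The following is an added example and not code from the question or either answer. The two policy documents are real IAM syntax; evaluate() is a minimal stand-in for IAM's deny-overrides evaluation written for this example (only StringEquals / StringNotEquals are modelled), and the bucket name, endpoint id and account id are made up.

```python
"""Added example, not from the original post or answers: what a gateway
(or interface) endpoint buys you for access control, independent of the
packet path. Policy shapes are real IAM syntax; evaluate() is a minimal
model of IAM's deny-overrides logic; every identifier is fictitious."""
import fnmatch

BUCKET = "example-uploads"            # assumed bucket name
VPCE_ID = "vpce-0123456789abcdef0"    # assumed gateway endpoint id
ACCOUNT = "111122223333"              # assumed (fictitious) account id


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Deny every request on the bucket that did not come through vpce_id.
    An explicit Deny beats any Allow, so s3:* in an identity policy does not
    help a caller arriving over the internet gateway path."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessViaVpce", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}


def endpoint_policy(bucket: str, account: str) -> dict:
    """Endpoint policy: through this endpoint, only principals of `account`
    may reach only `bucket`. Without it the endpoint also reaches every
    other bucket in the region, including one an attacker controls."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnlyOurBucketFromOurAccount", "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringEquals": {"aws:PrincipalAccount": account}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Only StringEquals / StringNotEquals are modelled. The IAM rule this
    example hinges on: a key missing from the request context makes a
    positive operator fail and a negated operator succeed."""
    for op, pairs in cond.items():
        negated = op == "StringNotEquals"
        for key, want in pairs.items():
            if key not in ctx:
                if negated:
                    continue
                return False
            if (ctx[key] in _as_list(want)) == negated:
                return False
    return True


def evaluate(policies, action: str, resource: str, ctx: dict) -> str:
    """Deny-overrides evaluation across the given policies: any matching
    Deny statement wins, otherwise Allow if some statement allows,
    otherwise implicit deny."""
    verdict = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _condition_holds(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def put_object_verdict(path: str, caller_account: str = ACCOUNT) -> str:
    """Outcome of s3:PutObject for one network path. 'igw': the request
    context has no VPC identity and only the bucket policy applies.
    'vpce' / 'other_vpce': the request traversed a gateway endpoint, so the
    endpoint policy applies as well."""
    obj = f"arn:aws:s3:::{BUCKET}/upload.bin"
    bucket = bucket_policy(BUCKET, VPCE_ID)
    if path == "igw":
        return evaluate([bucket], "s3:PutObject", obj, {})
    vpce = VPCE_ID if path == "vpce" else "vpce-0fedcba9876543210"
    ctx = {"aws:SourceVpce": vpce, "aws:PrincipalAccount": caller_account}
    return evaluate([bucket, endpoint_policy(BUCKET, ACCOUNT)], "s3:PutObject", obj, ctx)


if __name__ == "__main__":
    for path in ("igw", "vpce", "other_vpce"):
        print(f"{path}: {put_object_verdict(path)}")
    print(f"vpce, foreign account: {put_object_verdict('vpce', '999999999999')}")
```

The internet-gateway path is denied because the StringNotEquals condition is satisfied when aws:SourceVpce is absent from the request context; a request through a different VPC endpoint is denied because the key is present with another value. One caveat before copying the bucket policy: it also locks out every caller outside that VPC, including you in the console and any CI system, so add an exception for an administrative role (for example with aws:PrincipalArn) before applying it.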

0
Arvind Kumar Avinash On

In none of your designs does traffic from your EC2 instance leave the AWS network, not even when it goes via an internet gateway, as depicted in the following diagram at Access AWS services through AWS PrivateLink:


There is a good discussion on this topic also at Does traffic between Amazon EC2 and Amazon S3 really go over the internet?.

When an EC2 instance in a public subnet needs to connect to S3, it does not require AWS PrivateLink (a Gateway endpoint or an Interface endpoint); you use an Internet gateway for this connection.

When an EC2 instance in a private subnet needs to connect to S3, there are two ways:

  1. Via a NAT Gateway situated in a public subnet (as depicted in the above diagram).
  2. By using AWS PrivateLink (Gateway endpoint or Interface endpoint).

Here is an excerpt from a very good article, How can I grant my Amazon EC2 instance access to an Amazon S3 bucket?:

For your EC2 instance to connect to S3 endpoints, the instance must be one of the following:

  • EC2 instance with a public IP address and a route table entry with the default route pointing to an Internet Gateway
  • Private EC2 instance with a default route through a NAT gateway
  • Private EC2 instance with connectivity to Amazon S3 using a gateway VPC endpoint

Gateway endpoint and Interface endpoint

As already mentioned above, both of them belong to AWS PrivateLink. However, the Interface endpoint is newer and more powerful, as described in the following table at AWS PrivateLink for Amazon S3:

Gateway endpoints for Amazon S3 | Interface endpoints for Amazon S3

This power comes with billable resources and therefore the use of an Interface endpoint for S3 is billed.

You may also like to check Choosing Your VPC Endpoint Strategy for Amazon S3.
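The three connectivity options listed in the excerpt above are decided by the subnet's route table, and that is where to check which path S3 traffic really takes. A gateway endpoint installs a route whose destination is the region's S3 managed prefix list (pl-...) in every route table it is associated with; that route wins over the 0.0.0.0/0 default route by longest-prefix match, so the same instance goes to the endpoint for S3 and to the internet gateway or NAT gateway for everything else. The following is an added example, not code from either answer: it resolves a destination IP against route tables and prefix-list entries constructed in the shape that `aws ec2 describe-route-tables` and `describe-managed-prefix-lists` return. RFC 5737 documentation ranges stand in for real S3 addresses and every id is made up.

```python
"""Added example, not from the original answers: which path S3 traffic from
a subnet takes, decided by longest-prefix match over the subnet's route
table. Route tables and prefix-list entries are constructed sample data in
the shape the EC2 API returns; IP ranges are RFC 5737 documentation
addresses, not real S3 ranges; all ids are fictitious."""
import ipaddress

# Constructed: the S3 managed prefix list for "our" region (not real ranges).
PREFIX_LISTS = {
    "pl-0123456789abcdef0": ["203.0.113.0/24", "198.51.100.0/25"],
}

# Constructed: a public route table after a gateway endpoint was associated
# with it (three routes) and a private route table that uses a NAT gateway.
ROUTE_TABLES = {
    "rtb-public": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f60718"},
        {"DestinationPrefixListId": "pl-0123456789abcdef0",
         "GatewayId": "vpce-0123456789abcdef0"},
    ]},
    "rtb-private": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f1e2d3c4b5a69788"},
    ]},
}

# Keys under which describe-route-tables reports a route's target.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "NetworkInterfaceId", "TransitGatewayId", "InstanceId")


def _target(route: dict) -> str:
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "blackhole"


def _destinations(route: dict):
    """Expand one route into (network, target) pairs; a prefix-list route
    contributes one pair per CIDR in the list."""
    if "DestinationCidrBlock" in route:
        yield ipaddress.ip_network(route["DestinationCidrBlock"]), _target(route)
    elif "DestinationPrefixListId" in route:
        for cidr in PREFIX_LISTS.get(route["DestinationPrefixListId"], []):
            yield ipaddress.ip_network(cidr), _target(route)


def resolve(route_table_id: str, dst_ip: str) -> str:
    """Longest-prefix-match lookup, the way the VPC router selects a route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in ROUTE_TABLES[route_table_id]["Routes"]:
        for net, target in _destinations(route):
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
    return best[1] if best else "no-route"


def s3_path(route_table_id: str, dst_ip: str) -> str:
    """Classify the winning route's target by its id prefix."""
    target = resolve(route_table_id, dst_ip)
    for prefix, label in (("vpce-", "gateway endpoint"), ("igw-", "internet gateway"),
                          ("nat-", "NAT gateway"), ("local", "local")):
        if target.startswith(prefix):
            return label
    return target


if __name__ == "__main__":
    cases = [("rtb-public", "203.0.113.10"),   # S3 in our region, endpoint route present
             ("rtb-private", "203.0.113.10"),  # same address, no endpoint: NAT gateway
             ("rtb-public", "192.0.2.7")]      # not in the prefix list (e.g. S3 in another region)
    for rtb, ip in cases:
        print(f"{rtb}: {ip} -> {s3_path(rtb, ip)}")
```

Two things this makes visible that the prose does not. The endpoint route only exists in route tables the endpoint is associated with, so an instance whose subnet uses rtb-private keeps going through the NAT gateway (and paying for it) until that table is added to the endpoint; `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>` shows the table that actually applies to a subnet. And the prefix list is regional, so a bucket in another region is not covered by the gateway endpoint at all and silently takes the internet gateway or NAT path, which also means a bucket policy keyed on aws:SourceVpce would deny it.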