Seamless switch from NAT GATEWAY to VPC gateway

My team is currently burdened by the NAT Gateway costs and we would like to switch over to a VPC Gateway endpoint to reduce the costs associated with all the EC2-S3 communication.

At the same time, we would like to keep the NAT gateway for any other communication apart from S3. My question is:

How can we make sure that S3 communication from EC2 goes through the VPC Endpoint gateway, but all other traffic uses the NAT gateway?

In other words:

What happens in a scenario where an S3 Endpoint is configured and a NAT Gateway is also configured? Would the traffic flow through the NAT/Internet Gateway or the S3 Endpoint?

How can we make it selective?

Answer 1

Simply create an S3 Gateway VPC Endpoint, ensure an entry is in the route table (should be automatic if you do it in the console), and the S3 traffic will use the VPC Endpoint. Don't use the S3 interface endpoint, it costs money whereas S3 Gateway endpoint is free.

If a NAT Gateway and an S3 gateway endpoint are both available, the S3 gateway will be used. A packet always uses the most specific route; the endpoint route is considered more specific than 0.0.0.0/0, which is the most general route.

If you were using an S3 Interface Endpoint for some reason I think it should be automatic. From memory, the VPC DNS returns an appropriate IP for S3 that goes over the interface endpoint rather than the NAT Gateway.
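To make the "most specific route wins" rule concrete, here is an added example (not from the original answer or from AWS) that models a subnet route table holding both a NAT Gateway default route and the routes an S3 gateway endpoint injects, and resolves destinations with longest-prefix match the way the VPC router does. The route targets, the 10.0.0.0/16 VPC CIDR and the endpoint CIDRs are constructed placeholders; in a real VPC the endpoint routes appear as a single managed prefix list (pl-...) entry whose CIDRs AWS maintains.

```python
import ipaddress

# Constructed route table for a subnet that has both a NAT Gateway default
# route and an S3 Gateway Endpoint route. The endpoint's managed prefix list
# is shown already expanded into CIDRs. All IDs and CIDRs are placeholders,
# not real AWS values.
ROUTE_TABLE = [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "nat-0123456789abcdef0"},
    # Routes the S3 gateway endpoint adds via its prefix list (constructed)
    {"destination": "198.51.100.0/24", "target": "vpce-0abcdef1234567890"},
    {"destination": "203.0.113.0/24", "target": "vpce-0abcdef1234567890"},
]


def resolve_target(dest_ip: str, routes=ROUTE_TABLE) -> str:
    """Return the route target for dest_ip using longest-prefix match,
    the same selection rule a VPC route table applies."""
    ip = ipaddress.ip_address(dest_ip)
    best = None  # (network, target) of the most specific matching route
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route["target"])
    if best is None:
        raise LookupError(f"no route for {dest_ip}")
    return best[1]


def endpoint_route_present(routes=ROUTE_TABLE) -> bool:
    """Check that at least one route points at a gateway endpoint; if this is
    False the subnet is not associated with the endpoint and S3 traffic would
    still take the 0.0.0.0/0 route through the NAT Gateway."""
    return any(route["target"].startswith("vpce-") for route in routes)


if __name__ == "__main__":
    # An S3 prefix goes to the endpoint, a generic public IP to the NAT
    # Gateway, and an in-VPC address stays local.
    for ip in ("198.51.100.10", "192.0.2.50", "10.0.4.7"):
        print(ip, "->", resolve_target(ip))
    print("endpoint route present:", endpoint_route_present())
```

Removing the two vpce- entries from the table (or running the check against a subnet's real route table without them) shows the failure mode: every S3 destination then falls back to the NAT Gateway route.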

Related information