LAB : Configure VPC Endpoint to access S3

LAB : Configure VPC Endpoint to access S3

LAB: Configure VPC Endpoint and Access S3 via private EC2 Instance.


Refer below topology to Configure VPC Endpoint.


  • Create a VPC Dclessons-VPC01 with CIDR
  • Create and attach an Internet Gateway Dclessons-VPC01-IGW with custom VPC Dclessons-VPC01
  • Create a Public subnet Dclessons-public-Subnet ( and Private Subnet Dclessons-Private-Subnet (
  • Configure the Public subnet Dclessons-public-Subnet ( to enable auto-assign public IPv4 address
  • Add an entry to the Internet ( in the Main Route table Dclessons-MAIN RT
  • Create a Route Table Dclessons-Private-Subnet-RT for the Private subnet and associate the Private subnet Dclessons-Private-Subnet (
  • Create security groups to allow all traffic for LAB purpose.
  • Create a Bastion Host (Publicly accessible EC2 Instance Dclessons-Bastion-EC2)
  • Create an Endpoint instance Dclessons-Private-EC2 and attach to Privately accessible EC2 instance.
  • SSH into Endpoint instance Dclessons-Private-EC2 through Bastion host Dclessons-Bastion-EC2
  • Create a VPC endpoint for S3 Dclessons-S3-Endpoint and attach it to the Private subnet's Route table.
  • List all the S3 Bucket and its objects


Create VPC

Go to AWS Services | VPC | Create VPC and in VPC Setting: Name: Dclessons-VPC01 with CIDR | Click Create VPC.

Select Internet Gateway | Click to create Internet gateway | In Create Internet Gateway: Name: Dclessons-VPC01-IGW and click Create Internet gateway.

Now attach the Internet gateway to VPC: Dclessons-VPC01.

No go to Subnet | Create Subnet: Select VPC: Dclessons-VPC01 | Subnet Name: Dclessons-Public-Subnet | AZ: us-east-2a | IPv4 CIDR: | Click Create Subnet

No likewise, Create Private Subnet: Dclessons-Private-Subnet – in VPC Dclessons-VPC01.

Once Created, you can see both subnets are created in each respective AZ.

Now Select Dclessons-Public-Subnet | Action: Edit Subnet Setting

Under Edit Subnet Setting: Auto-assign IP setting: Select Enable auto-assign public IPv4 address | Save

Configure Route Table :

As soon as you create VPC: Dclessons-VPC01. One RT will also be created, We have renamed it Dclessons-MAIN-RT, Under Route Section: Click Edit Routes

Add Default Route With target IGW, we have created | Save Changes

Now Create a Route table, Go to Route Table Section | Click to Create Route Table | Under Route table Setting | Name: Dclessons-private-Subnet-RT with VPC ID: Dclessons-VPC01 | Create Route Table

Under Dclessons-private-Subnet-RT | Select Subnet Association and Click Edit Subnet Association and select Dclessons-Private-Subnet and Save

Create Security Groups

Go to Security Groups | Click Create Security Group | Name: Dclessons-Bastion-SG and Select VPC Dclessons-VPC01 and allow ports as shown in below figure.

Now we will create another Security group for S3 VPC endpoint | Under Create Security Group | Name: Dclessons-S3Endpoint-SG | Select VPC Dclessons-VPC01 and allow SSH with destination: Dclessons-Bastion-SG


    You are will be the first.


Please login here to comment.