Terraform AWS VPC Endpoints Module
Overview
This Terraform module creates VPC endpoints for AWS services, enabling private connectivity between your VPC and AWS services without traversing the public internet. Currently supports S3 gateway endpoints with route table associations.
Features
- S3 Gateway VPC Endpoint creation
- Automatic route table association
- Support for both private and public route tables
- Conditional endpoint creation
- Cost optimization by keeping traffic within AWS network
- Improved security by avoiding public internet
Resources Created
- VPC Endpoint for S3 (Gateway type)
- VPC Endpoint Route Table Associations (private subnets)
- VPC Endpoint Route Table Associations (public subnets)
Usage
Basic Example
```hcl
module "vpc_endpoints" {
  # in practice pin the source with ?ref=<tag or commit>
  source                  = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
  vpc_id                  = "vpc-12345678"
  enable_s3_endpoint      = true
  private_route_table_ids = ["rtb-11111111", "rtb-22222222"]
  public_route_table_ids  = ["rtb-33333333"]
}
```
With VPC Module
```hcl
module "vpc" {
  source     = "cloudposse/vpc/aws"
  cidr_block = "10.0.0.0/16"
  # ... other VPC configuration
}

module "subnets" {
  source             = "cloudposse/dynamic-subnets/aws"
  vpc_id             = module.vpc.vpc_id
  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
  # ... other subnet configuration
}

module "vpc_endpoints" {
  source                  = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
  vpc_id                  = module.vpc.vpc_id
  enable_s3_endpoint      = true
  private_route_table_ids = module.subnets.private_route_table_ids
  public_route_table_ids  = module.subnets.public_route_table_ids
}
```
Conditional Creation
```hcl
module "vpc_endpoints" {
  source                  = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
  vpc_id                  = module.vpc.vpc_id
  # the comparison is already a bool; no ternary needed
  enable_s3_endpoint      = var.environment == "production"
  private_route_table_ids = module.subnets.private_route_table_ids
  public_route_table_ids  = module.subnets.public_route_table_ids
}
```
Variables
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| vpc_id | The VPC ID where the endpoint is located | string | n/a | yes |
| enable_s3_endpoint | Whether to provision an S3 gateway endpoint in the VPC | bool | true | no |
| public_route_table_ids | Public route table IDs of the VPC (may be an empty list) | list(string) | n/a | yes |
| private_route_table_ids | Private route table IDs of the VPC | list(string) | n/a | yes |
Outputs
| Name | Description |
|---|---|
| vpc_endpoint_s3_id | The ID of VPC endpoint for S3 |
| vpc_endpoint_s3_pl_id | The prefix list ID for the S3 VPC endpoint |
Requirements
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | Latest |
VPC Endpoint Types
Gateway Endpoints
- S3 (implemented)
- DynamoDB (can be added)
- No hourly charges
- Route table-based routing
Interface Endpoints (future)
- Most other AWS services
- Charged per hour and per GB processed
- ENI-based in subnets
How S3 VPC Endpoints Work
When you create an S3 VPC endpoint:
- AWS creates a route in specified route tables
- Routes matching S3 service prefix lists go through the endpoint
- Traffic stays within AWS network
- No internet gateway traversal required
- No NAT gateway charges for S3 access
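What the steps above look like in Terraform, as an added illustration rather than the module's own source: the variable and output names mirror the tables in this README, while the `aws_region` data source, the `count`-based association and the tag value are this example's own choices.

```hcl
# Added illustration of an S3 gateway endpoint with route table associations.
# Not the module's source; names follow the README's variables and outputs.

variable "vpc_id" {
  type = string
}

variable "enable_s3_endpoint" {
  type    = bool
  default = true
}

variable "private_route_table_ids" {
  type = list(string)
}

variable "public_route_table_ids" {
  type = list(string)
}

# Gateway service names are region-specific (com.amazonaws.<region>.s3),
# so derive the region from the provider instead of hard-coding it.
# (.name is deprecated in favour of .region on AWS provider 6.x.)
data "aws_region" "current" {}

locals {
  s3_service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
  # Private and public route tables get the same treatment: one association each.
  route_table_ids = concat(var.private_route_table_ids, var.public_route_table_ids)
}

resource "aws_vpc_endpoint" "s3" {
  count = var.enable_s3_endpoint ? 1 : 0

  vpc_id            = var.vpc_id
  service_name      = local.s3_service_name
  vpc_endpoint_type = "Gateway" # no ENI, no security group, no hourly charge

  tags = {
    Name = "s3-gateway-endpoint"
  }
}

# Each association installs a route "<S3 prefix list> -> <this endpoint>" in
# one route table. count rather than for_each is deliberate: when the subnets
# are created in the same apply the IDs are unknown at plan time, and for_each
# refuses unknown keys while count only needs the list length.
resource "aws_vpc_endpoint_route_table_association" "s3" {
  count = var.enable_s3_endpoint ? length(local.route_table_ids) : 0

  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
  route_table_id  = local.route_table_ids[count.index]
}

output "vpc_endpoint_s3_id" {
  description = "The ID of the VPC endpoint for S3 (null when disabled)"
  value       = var.enable_s3_endpoint ? aws_vpc_endpoint.s3[0].id : null
}

output "vpc_endpoint_s3_pl_id" {
  description = "The prefix list ID for the S3 VPC endpoint; usable in security group egress rules"
  value       = var.enable_s3_endpoint ? aws_vpc_endpoint.s3[0].prefix_list_id : null
}
```

The route itself is AWS-managed: it appears in the route table as the S3 prefix list pointing at the endpoint and cannot be edited directly, so removing the association is the only way to remove it.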
Benefits
Cost Savings
- No NAT Gateway data processing charges for S3 traffic
- No internet egress charges for S3 traffic
- Especially beneficial for large data transfers
Performance
- S3 traffic bypasses the NAT Gateway, so it is no longer subject to the gateway's bandwidth and connection limits
- Fewer hops on the path to S3, so latency is lower and more consistent
- Throughput is bounded by the instance, not by a shared NAT device
Security
- Traffic never leaves the AWS network, and private subnets can reach S3 without any NAT or internet gateway path
- Reduced attack surface: if S3 is the only external dependency, the subnet needs no default route to the internet at all
- Simpler security group rules: egress can be restricted to the endpoint's prefix list ID instead of 0.0.0.0/0
- No need for public IPs for S3 access
- Caveat: the default endpoint policy allows every bucket in the region, including buckets in other accounts, so an endpoint without a policy is also a data exfiltration path that bypasses any egress proxy or NAT-side filtering; see Policy Support under Important Notes
Important Notes
- Gateway Endpoint: S3 uses a gateway endpoint (no additional charges)
- Route Tables: Endpoint is associated with specified route tables
- Service Name: Module automatically retrieves the correct S3 service name for the region
- Prefix Lists: S3 endpoint uses AWS-managed prefix lists
- Region Specific: Endpoint service names vary by region
- No Security Groups: Gateway endpoints don't use security groups, but the instance's own security group egress rules and the subnet's network ACL still have to permit traffic to the S3 prefix list (or the S3 public IP ranges)
- Policy Support: Can attach policies to restrict endpoint access (not implemented in this version)
Example Route Table Entry
After endpoint creation, each associated route table gains an AWS-managed entry like:
```text
Destination: pl-12345678 (com.amazonaws.us-east-1.s3)
Target:      vpce-11111111
```
Use Cases
Data Lakes
Store and retrieve large amounts of data in S3 without NAT Gateway costs:
```hcl
module "vpc_endpoints" {
  source                  = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
  vpc_id                  = module.data_lake_vpc.vpc_id
  enable_s3_endpoint      = true
  private_route_table_ids = module.data_lake_vpc.private_route_table_ids
  public_route_table_ids  = module.data_lake_vpc.public_route_table_ids
}
```
Container Registries
Pull ECR image layers, which ECR serves from S3, without NAT data processing charges. The S3 endpoint alone is not enough for a fully private pull: the ECR API and registry (ecr.api and ecr.dkr) are interface endpoints, which this module does not create, so nodes still need either those endpoints or a NAT path for the authentication and manifest calls:
```hcl
module "vpc_endpoints" {
  source                  = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
  vpc_id                  = module.eks_vpc.vpc_id
  enable_s3_endpoint      = true
  private_route_table_ids = module.eks_vpc.private_route_table_ids
  public_route_table_ids  = [] # worker nodes live in private subnets, so only those route tables need the route
}
```
Backup and Archive
Back up data to S3, including the Glacier storage classes, which are reached through the normal S3 API and therefore through the same endpoint:
```hcl
module "vpc_endpoints" {
  source                  = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
  vpc_id                  = module.backup_vpc.vpc_id
  enable_s3_endpoint      = true
  private_route_table_ids = module.backup_vpc.private_route_table_ids
  public_route_table_ids  = module.backup_vpc.public_route_table_ids
}
```
Cost Analysis
Without VPC Endpoint
For 1 TB of S3 traffic through a NAT Gateway (us-east-1 list prices; other regions differ):
- NAT Gateway data processing: ~$45 (at $0.045/GB)
- Data transfer: ~$90 (at $0.09/GB), but only if the traffic actually leaves the region, for example to a bucket in another region; transfer between EC2 and S3 in the same region is not billed even when it passes through the NAT Gateway
- Total: ~$45 for same-region buckets, up to ~$135 otherwise, plus the NAT Gateway's hourly charge, which continues unless the gateway can be removed entirely
With VPC Endpoint
For 1 TB of same-region S3 traffic through the gateway endpoint:
- VPC Endpoint: $0 (gateway endpoints have no hourly or per-GB charge)
- Data transfer: $0 (within the same region)
- Total: $0
Savings: ~$45 to ~$135 per TB transferred, depending on where the bucket lives
Best Practices
- Always Enable: Enable S3 endpoints in all VPCs that access S3
- All Route Tables: Associate with both private and public route tables; a subnet whose route table is left out keeps going through NAT or the internet gateway
- Pin the Module: Reference the module with `?ref=<tag or commit>` on the `source` URL so a new commit on the default branch cannot silently change what gets applied
- Endpoint Policies: Attach an endpoint policy. The module does not manage one, but its `vpc_endpoint_s3_id` output can be fed to an `aws_vpc_endpoint_policy` resource, and bucket policies can require `aws:SourceVpce` to equal that ID
- Egress Rules: Reference the `vpc_endpoint_s3_pl_id` output in security group egress rules instead of opening 0.0.0.0/0 for S3
- Multi-Region: Create endpoints in each region where you have VPCs; a gateway endpoint only serves buckets in its own region
- Monitoring: Monitor endpoint usage via VPC Flow Logs and CloudTrail (S3 events record a `vpcEndpointId`)
- Documentation: Document which services use the endpoint
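The Policy Support note under Important Notes and the Endpoint Policies item above both leave the policy to the caller. The following is an added example, not module code, of attaching a policy to the module's `vpc_endpoint_s3_id` output and of a bucket policy that only accepts traffic through that endpoint. It assumes an AWS provider recent enough to have `aws_vpc_endpoint_policy`; the bucket name and the break-glass role are placeholders, and the ECR layer bucket statement is only needed for the container registry use case.

```hcl
# Added example: restrict what the S3 gateway endpoint may reach, and make a
# bucket accept traffic only through that endpoint. Not part of the module;
# it attaches to the module's vpc_endpoint_s3_id output. Bucket name and
# break-glass role are placeholders.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Endpoint policy: an allow-list evaluated for every request through the
# endpoint, on top of the caller's IAM permissions. The default policy allows
# all of S3; this one allows only this account's buckets, plus the AWS-owned
# bucket that ECR serves image layers from.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid       = "OwnAccountBucketsOnly"
    effect    = "Allow"
    actions   = ["s3:*"]
    resources = ["*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:ResourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }

  statement {
    sid       = "EcrLayerBucket"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::prod-${data.aws_region.current.name}-starport-layer-bucket/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_vpc_endpoint_policy" "s3" {
  vpc_endpoint_id = module.vpc_endpoints.vpc_endpoint_s3_id
  policy          = data.aws_iam_policy_document.s3_endpoint.json
}

resource "aws_s3_bucket" "data" {
  bucket = "example-data-lake-bucket" # placeholder
}

# Bucket side: deny any request that did not arrive through this endpoint.
# aws:SourceVpce is absent for requests from outside a VPC, and StringNotEquals
# on an absent key is true, so those are denied too. Deny cannot be overridden,
# hence the break-glass exception (both conditions must hold for the Deny).
data "aws_iam_policy_document" "bucket_vpce_only" {
  statement {
    sid     = "DenyUnlessFromEndpoint"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.data.arn,
      "${aws_s3_bucket.data.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [module.vpc_endpoints.vpc_endpoint_s3_id]
    }
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/break-glass"]
    }
  }
}

resource "aws_s3_bucket_policy" "data" {
  bucket = aws_s3_bucket.data.id
  policy = data.aws_iam_policy_document.bucket_vpce_only.json
}
```

Restricting on `s3:ResourceAccount` is what closes the exfiltration path: without it any principal in the VPC can push data to a bucket in a foreign account through the endpoint. Anything else S3-backed that the VPC relies on, such as Amazon Linux package repositories, needs its own Allow statement; CloudTrail AccessDenied events after rollout point at what was missed. On the bucket side, the Deny also blocks AWS services that write to the bucket from outside the VPC and anyone using the console, which is why the break-glass exception is there.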
Limitations
- Cross-Region: VPC endpoints are region-specific, and a gateway endpoint only routes to buckets in its own region; requests to buckets elsewhere still take the NAT or internet gateway path
- Reach: Gateway endpoints only serve traffic that originates inside the VPC; on-premises hosts over VPN or Direct Connect, and peered VPCs, cannot use them (the S3 interface endpoint covers that case and is not part of this module)
- Service Coverage: Only the S3 gateway endpoint is implemented (DynamoDB can be added)
- Policy: Endpoint policies are not managed by this module in this version
- Interface Endpoints: Interface endpoints for other services are not included
Future Enhancements
Potential additions to this module:
- DynamoDB gateway endpoint
- Interface endpoints (EC2, ECR, ECS, etc.)
- Endpoint policies for access control
- Private DNS configuration
- Security group management for interface endpoints
- Additional tags and naming
Troubleshooting
S3 access still going through NAT
- Verify the route tables are correctly associated; the S3 prefix list route should appear in each one
- Check the VPC endpoint is in the "available" state
- Confirm the S3 bucket is in the same region as the endpoint; buckets in other regions are not covered
- Check that clients are not sending S3 traffic to an explicit HTTP proxy or resolving S3 through a custom DNS answer outside the prefix list, since either bypasses the route
Cannot access S3 from private subnet
- Verify the private route table IDs are correct
- Check the endpoint associations in the AWS console
- Ensure no overlapping routes conflict with the endpoint
- Check that security group egress rules and network ACLs allow the S3 prefix list, and that an endpoint policy (if one is attached) allows the bucket; a policy denial surfaces as AccessDenied from S3
Endpoint not created
- Verify `enable_s3_endpoint` is set to `true`
- Check the VPC ID is valid
- Ensure IAM permissions allow endpoint creation (ec2:CreateVpcEndpoint and ec2:ModifyVpcEndpoint for the route table associations)
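The first two checklists above can be turned into a post-apply assertion. The following is an added example, not part of the module, using a Terraform check block (Terraform 1.5 or later, which is newer than the module's stated minimum) to assert that the endpoint is available, is a gateway, and is associated with every route table that was passed in. It assumes the `module.vpc_endpoints` instance and the route table variables from the usage examples, with `enable_s3_endpoint` true.

```hcl
# Added example: post-apply verification of the S3 gateway endpoint.
# Not module code. Assumes Terraform >= 1.5, the module instance from the
# usage examples, and the same route table variables passed to it.

data "aws_vpc_endpoint" "s3" {
  id = module.vpc_endpoints.vpc_endpoint_s3_id
}

locals {
  expected_route_tables = toset(concat(var.private_route_table_ids, var.public_route_table_ids))
  # Route tables we asked for that the endpoint does not actually list.
  missing_route_tables = setsubtract(
    local.expected_route_tables,
    toset(data.aws_vpc_endpoint.s3.route_table_ids)
  )
}

check "s3_gateway_endpoint" {
  assert {
    condition     = data.aws_vpc_endpoint.s3.vpc_endpoint_type == "Gateway"
    error_message = "Expected a Gateway endpoint for S3."
  }
  assert {
    condition     = data.aws_vpc_endpoint.s3.state == "available"
    error_message = "The S3 endpoint is not in the available state; its routes are not installed until it is."
  }
  assert {
    condition     = length(local.missing_route_tables) == 0
    error_message = "At least one route table passed to the module is not associated with the S3 endpoint, so its subnets still reach S3 through NAT or the internet gateway."
  }
}
```

A failed check is reported as a warning at the end of apply rather than an error, so wire it into CI output if you want a missing association to block a pipeline.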
Monitoring
Monitor VPC endpoints using:
CloudWatch Metrics
Gateway endpoints publish no CloudWatch metrics (interface endpoints do), so rely on the sources below.
CloudTrail
S3 API calls that arrive through the endpoint carry a `vpcEndpointId` field in their CloudTrail events. This is the most direct way to confirm that traffic is using the endpoint and to find AccessDenied errors after an endpoint policy is introduced.
VPC Flow Logs
Enable VPC Flow Logs to see traffic patterns; the S3 prefix list addresses appear as destinations. The IAM role and log group referenced here are assumed to be defined elsewhere:
```hcl
resource "aws_flow_log" "vpc_flow_log" {
  vpc_id          = module.vpc.vpc_id
  traffic_type    = "ALL" # ACCEPT, REJECT or ALL
  iam_role_arn    = aws_iam_role.flow_log_role.arn        # role trusted by vpc-flow-logs.amazonaws.com
  log_destination = aws_cloudwatch_log_group.flow_log.arn # log_destination_type defaults to cloud-watch-logs
}
```
Cost Explorer
Use AWS Cost Explorer to verify NAT Gateway cost reductions after implementing VPC endpoints.
License
This module is provided as-is for use within your organization.