Mastering AWS VPC Endpoints: In-Depth Traffic Analysis and Private Connectivity

Rahulbhatia1998
7 min read · Nov 11, 2024


In the world of cloud computing, security and network efficiency are paramount. AWS provides a robust mechanism to enhance both through VPC Endpoints. These endpoints establish private connections between your VPC and supported AWS services, ensuring that traffic to those services never traverses the public internet. In this blog, we’ll explore the intricacies of VPC Endpoints, how they handle network traffic, and how to analyze their behavior in depth.

The Need for VPC Endpoints

When applications running in a private subnet within a VPC need to interact with AWS services like S3, DynamoDB, or others, their default approach is to route traffic through an Internet Gateway (IGW) or a NAT Gateway. However, doing this exposes the traffic to the public internet, increasing security risks and introducing potential latency.

VPC Endpoints mitigate these issues by providing private connectivity to AWS services. They enable you to maintain data security, reduce latency, and lower costs by avoiding internet-based traffic altogether.

Types of VPC Endpoints

1. Interface Endpoints

  • Leverage AWS PrivateLink.
  • An Elastic Network Interface (ENI) is created within your VPC.
  • Used for services like S3, EC2 APIs, Lambda, and KMS.
  • Allows traffic to remain entirely within the AWS network via private IP addresses.

2. Gateway Endpoints

  • Designed specifically for S3 and DynamoDB.
  • Operates at the route table level — no ENI is created.
  • Traffic destined for the service is routed through the Gateway Endpoint, ensuring private communication.

How Traffic Flows Through VPC Endpoints

Let’s consider an example of an EC2 instance in a private subnet accessing S3 via an Interface Endpoint.

Step 1: DNS Resolution

When the EC2 instance initiates a connection to s3.amazonaws.com, AWS DNS resolves this domain to a private IP address associated with the Interface Endpoint ENI. This resolution ensures that traffic is directed to the endpoint within the VPC.

Step 2: Packet Routing

Once DNS resolution is complete, the EC2 instance sends packets to the resolved private IP. The VPC route table routes the packets to the ENI associated with the Interface Endpoint. This ENI serves as the entry point for the AWS PrivateLink infrastructure.

Step 3: Internal AWS Communication

The Interface Endpoint securely forwards the traffic over the AWS internal network to the target service (S3). This internal routing avoids the public internet entirely, enhancing both security and performance.

Step 4: Response Path

The response from the S3 service follows the same path in reverse, arriving back at the EC2 instance through the Interface Endpoint ENI.

For Gateway Endpoints, the process is slightly different. Instead of using an ENI, the traffic is routed through the Gateway Endpoint using specific route table entries. This approach is designed to handle high-volume, low-latency connections efficiently.

Packet Analysis with tcpdump

Understanding traffic flow at a deeper level often requires packet inspection. This is where tools like tcpdump come in. tcpdump allows you to capture and analyze network packets, providing valuable insights into how traffic flows through your VPC Endpoints.

Let us consider the scenario of an AWS EC2 instance connecting to an S3 bucket through an Interface Endpoint.

Deep Dive into tcpdump Analysis: EC2 to S3 Traffic with and without VPC Interface Endpoints

When an EC2 instance interacts with Amazon S3, the behavior of network traffic differs significantly depending on whether a VPC Interface Endpoint is used. Below, we’ll analyze these two scenarios using tcpdump, highlighting the differences in traffic patterns, routing, and security.

1. Scenario: EC2 to S3 Using VPC Interface Endpoint

In this setup, an Interface Endpoint is configured for S3 within the VPC. The DNS resolution for s3.amazonaws.com points to the private IP of the Interface Endpoint, ensuring the traffic stays within the AWS private network.

tcpdump Command

Run the following command on the EC2 instance to capture traffic between the instance and the private IP of the Interface Endpoint:

sudo tcpdump -i eth0 host <Private_IP_of_Interface_Endpoint> -nn -vv

Here:

  • eth0 is the primary network interface.
  • <Private_IP_of_Interface_Endpoint> is the private IP of the ENI associated with the VPC Endpoint.

Sample Output

15:02:30.123456 IP 10.0.1.25.56789 > 10.0.2.50.443: Flags [S], seq 1234567890, win 65535
15:02:30.123789 IP 10.0.2.50.443 > 10.0.1.25.56789: Flags [S.], seq 987654321, ack 1234567891, win 26883
15:02:30.124012 IP 10.0.1.25.56789 > 10.0.2.50.443: Flags [.], ack 1, win 65535
15:02:30.124345 IP 10.0.1.25.56789 > 10.0.2.50.443: Flags [P.], seq 1:512, ack 1, win 65535
15:02:30.124678 IP 10.0.2.50.443 > 10.0.1.25.56789: Flags [.], ack 512, win 26883

Analysis of Output

  1. Source IP:
  • 10.0.1.25: Private IP of the EC2 instance.

  2. Destination IP:
  • 10.0.2.50: Private IP of the Interface Endpoint’s ENI.

  3. Port:
  • 443: Indicates HTTPS communication.

  4. Flags and Sequence:
  • [S] (SYN): EC2 initiates the TCP connection.
  • [S.] (SYN-ACK): S3 acknowledges via the Interface Endpoint.
  • [P.] (Push): Data transfer.
  • [.] (ACK): Acknowledgments for received packets.

Key Takeaways:

  • Traffic flows privately between EC2 and the Interface Endpoint.
  • No public IPs are involved, ensuring data remains within AWS’s private infrastructure.

2. Scenario: EC2 to S3 Without VPC Interface Endpoint

Here, the EC2 instance interacts with S3 over the public internet via an Internet Gateway or a NAT Gateway. The DNS resolution for s3.amazonaws.com points to a public IP.

tcpdump Command

To capture traffic destined for the public S3 endpoint:

sudo tcpdump -i eth0 dst net 52.216.0.0/16 -nn -vv

Here:

  • dst net 52.216.0.0/16 captures traffic to Amazon S3’s public IP range.

Understanding S3 IP Ranges

The IP range 52.216.0.0/16 is associated with Amazon S3 and is part of the larger set of AWS public IP address ranges. AWS publishes its IP ranges, which include the IPs used by S3. This specific range represents a pool of public IP addresses that S3 uses globally.

For the ap-south-1 (Mumbai) region, the S3 IP ranges are part of the global AWS IP pools but fall under specific IPs like:

{
  "ip_prefix": "52.216.0.0/16",
  "region": "ap-south-1",
  "service": "S3"
}

You can check and filter the IP ranges associated with S3 using the following command:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq '.prefixes[] | select(.service == "S3" and .region == "ap-south-1") | .ip_prefix'

This will confirm that S3 uses the 52.216.0.0/16 range in the ap-south-1 region.

Sample Output

15:05:45.678910 IP 10.0.1.25.54321 > 52.216.25.1.443: Flags [S], seq 1357924680, win 65535
15:05:45.679123 IP 52.216.25.1.443 > 10.0.1.25.54321: Flags [S.], seq 2468101214, ack 1357924681, win 26883
15:05:45.679456 IP 10.0.1.25.54321 > 52.216.25.1.443: Flags [.], ack 1, win 65535
15:05:45.679789 IP 10.0.1.25.54321 > 52.216.25.1.443: Flags [P.], seq 1:512, ack 1, win 65535
15:05:45.680123 IP 52.216.25.1.443 > 10.0.1.25.54321: Flags [.], ack 512, win 26883

Analysis of Output

  1. Source IP:
  • 10.0.1.25: Private IP of the EC2 instance.

  2. Destination IP:
  • 52.216.25.1: Public IP of the S3 service in the ap-south-1 region.

  3. Port:
  • 443: HTTPS traffic.

  4. Flags and Sequence:
  • Similar flags ([S], [S.], [P.], [.]) indicate the TCP handshake and data transfer.

Key Takeaways:

  • Traffic is routed through the public internet.
  • The public IP of S3 is visible in the packet capture.
  • Depending on your setup, traffic may pass through a NAT Gateway or Internet Gateway, potentially incurring additional costs and latency.
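As an added example (not code from the original post), the following Python script applies the analysis of both scenarios in one pass: it parses the one-line tcpdump output shown above, groups packets into flows, checks whether the three-way handshake completed, and labels each flow's server side as an address inside the VPC (an Interface Endpoint ENI), a published S3 prefix for the region (traffic that left through an IGW or NAT Gateway), or neither. It also builds the tcpdump filter expression from the prefix list rather than hard-coding one range. The VPC CIDR 10.0.0.0/16, the embedded ip-ranges excerpt (documentation ranges, not a live copy of ip-ranges.json) and the extra capture line to 198.51.100.7 are constructed for the example.

```python
"""Classify EC2 -> S3 flows from tcpdump output and build a BPF filter
from an AWS prefix list (added example; assumptions listed in comments)."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed excerpt in the shape of ip-ranges.json. Only 52.216.0.0/16
# comes from the post; the other prefixes are RFC 5737 documentation ranges.
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "52.216.0.0/16", "region": "ap-south-1", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "ap-south-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24", "region": "ap-south-1", "service": "EC2"},
    ],
})

# Constructed capture in the `tcpdump -nn` one-line format used in the post.
# The last line (to 198.51.100.7) is added to show an unclassified flow.
CAPTURE = """\
15:02:30.123456 IP 10.0.1.25.56789 > 10.0.2.50.443: Flags [S], seq 1234567890, win 65535
15:02:30.123789 IP 10.0.2.50.443 > 10.0.1.25.56789: Flags [S.], seq 987654321, ack 1234567891, win 26883
15:02:30.124012 IP 10.0.1.25.56789 > 10.0.2.50.443: Flags [.], ack 1, win 65535
15:05:45.678910 IP 10.0.1.25.54321 > 52.216.25.1.443: Flags [S], seq 1357924680, win 65535
15:05:45.679123 IP 52.216.25.1.443 > 10.0.1.25.54321: Flags [S.], seq 2468101214, ack 1357924681, win 26883
15:05:45.679456 IP 10.0.1.25.54321 > 52.216.25.1.443: Flags [.], ack 1, win 65535
15:06:01.000001 IP 10.0.1.25.40000 > 198.51.100.7.443: Flags [S], seq 1, win 65535
"""

# Matches "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]".
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def s3_prefixes(ip_ranges_json, region):
    """Same selection as the post's jq filter: service == S3 in one region."""
    doc = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"]
            if p["service"] == "S3" and p["region"] == region]


def bpf_filter(prefixes):
    """Turn the prefix list into a tcpdump capture filter expression."""
    return " or ".join(f"dst net {p}" for p in prefixes)


def classify_destination(dst, vpc_cidr, prefixes):
    """Say where the server address sits relative to the VPC and S3."""
    addr = ipaddress.ip_address(dst)
    if addr in ipaddress.ip_network(vpc_cidr):
        return "vpc-private"      # Interface Endpoint ENI or another VPC host
    if any(addr in p for p in prefixes):
        return "s3-public"        # published S3 prefix: traffic left via IGW/NAT
    return "unknown-public"       # neither: worth a closer look


def analyze_capture(capture, vpc_cidr, prefixes):
    """Group packets into flows, check the handshake, classify each flow."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = tuple(sorted([a, b]))   # direction-independent flow key
        flows[key].append((a, b, m["flags"]))
    report = {}
    for pkts in flows.values():
        client, server, _ = pkts[0]   # first packet is the SYN: dst is the server
        flags = [f for _, _, f in pkts]
        report[f"{client[0]}:{client[1]}->{server[0]}:{server[1]}"] = {
            "label": classify_destination(server[0], vpc_cidr, prefixes),
            "handshake_complete": flags[:3] == ["S", "S.", "."],
            "packets": len(pkts),
        }
    return report


if __name__ == "__main__":
    s3 = s3_prefixes(IP_RANGES_JSON, "ap-south-1")
    print("capture filter:", bpf_filter(s3))
    print(json.dumps(analyze_capture(CAPTURE, "10.0.0.0/16", s3), indent=2))
```

To use it against a real host, replace IP_RANGES_JSON with the downloaded ip-ranges.json and feed the script the output of `tcpdump -nn` without `-vv`; the verbose form prefixes every line with IP header details (tos, ttl, id, ...) and would need the pattern extended. A flow labelled "unknown-public" from a subnet that is supposed to reach S3 only through an endpoint is the kind of result worth chasing in the route tables and DNS settings.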

Understanding DNS Behavior

Another critical aspect of VPC Endpoint functionality is DNS resolution. When using an Interface Endpoint, the AWS DNS resolver returns a private IP address for service requests. This ensures that applications within your VPC can seamlessly access AWS services without any configuration changes.

Without an endpoint, the DNS resolver would return a public IP address, directing traffic to the internet.

For instance:

nslookup s3.amazonaws.com

  • With Endpoint: Resolves to a private IP (e.g., 10.0.2.50).
  • Without Endpoint: Resolves to a public IP (e.g., 52.216.x.x).

Interpreting tcpdump for Deeper Insights

TCP Handshake

  • The three-way handshake process (SYN, SYN-ACK, ACK) confirms that the connection is successfully established in both cases.

Data Transmission

  • [P.] indicates data is being pushed to the remote host.
  • In both scenarios, the data itself (e.g., S3 requests) is encrypted over HTTPS (443), so the capture shows only the TLS session, not the request or response contents.

TTL (Time to Live) Values

  • When using VPC Endpoints, the TTL value in packets may be lower due to fewer hops within the AWS private network.
  • Without VPC Endpoints, you might observe higher TTL values due to additional hops over the public internet.

Benefits of Using VPC Endpoints

  1. Enhanced Security
  • Traffic never leaves the AWS network.
  • Reduces exposure to public internet threats.

  2. Improved Performance
  • Lower latency due to internal routing.
  • Avoids the additional hops introduced by NAT Gateways or Internet Gateways.

  3. Cost Efficiency
  • Eliminates data transfer costs associated with public internet traffic.
  • Reduces reliance on NAT Gateway data transfer rates.

  4. Compliance and Data Residency
  • Helps meet regulatory requirements by ensuring data remains within AWS-controlled environments.

Key Takeaways

  • Interface Endpoints use PrivateLink to route traffic through ENIs within your VPC, keeping traffic private.
  • Gateway Endpoints use route table entries to direct traffic to AWS services like S3 and DynamoDB without exposing it to the public internet.
  • Tools like tcpdump can be invaluable for verifying and analyzing traffic flows, helping you confirm that your network configurations are functioning as intended.
  • DNS behavior plays a crucial role, resolving service endpoints to private IPs when VPC Endpoints are used.

By leveraging VPC Endpoints, you can enhance the security, efficiency, and compliance of your AWS architecture. Whether you’re managing sensitive workloads or optimizing for performance, understanding the underlying mechanics of VPC Endpoints is vital for any AWS practitioner.

Conclusion

VPC Endpoints are a cornerstone of secure and efficient AWS network design. They allow you to connect privately to AWS services, avoiding the internet and reducing latency. By using network analysis tools like tcpdump, you gain deeper insights into traffic patterns, helping you troubleshoot and optimize your environment.

Ready to take your network security and performance to the next level? Start incorporating VPC Endpoints into your architecture today.
