PrivateS3 Workflow

Step 1. Launch an Aviatrix Gateway

Go to Gateway -> New Gateway to launch a gateway. Specify the Gateway Name, Access Account Name, Region, VPC ID, Public Subnet and Gateway Size. Leave all other fields as default.

Step 2. Enable/Edit PrivateS3


If you don’t see the gateway just launched, refresh the browser.

Each AWS S3 bucket has a unique FQDN name. For example, if a full URL to access a file in S3 is, then the bucket’s FQDN name is either or

Setting Value
Gateway Name Select a gateway launched in the previous step
Source CIDR Range Enter a summary list of the on-prem network address range separated by comma. For example,, Note this list should be a simple super set of your on-prem network CIDR range. It does not need to be precise.
S3 Bucket FQDN Name Resolution IP This is a display field. It displays the AWS internal NLB private IP address created by the Controller. This field does not immediately display after the first gateway is launched. Wait for a few minutes and refresh the browser. Use the displayed IP address for your on-prem DNS configuration in the next step.
+Add New Bucket Click and then enter a FQDN name of the file in S3 bucket. Click Save to save entry. Click +Add New Bucket again to enter another entry.
Enable If this is the first time, click Enable to enable the feature.
Update If PrivateS3 has been enabled, use this button to update changes including editing Source CIDR Range, Add New Bucket or Delete existing bucket.

Step 3. Create on-prem DNS Private Zone

Create a private zone on your on-prem DNS server so that all S3 bucket names resolve to the PrivateS3 private IP address displayed from Step 2 in the field “S3 Bucket FQDN Name Resolution IP”. Note this IP address must be reachable from on-prem either by Direct Connect or VPN over Internet.

Note depending on how application invokes S3 function, for example, by using “wget”, “curl”, “aws s3”, or “aws2 s3”, the generated FQDN name for the S3 object access may be different. There are 3 formats.

  1. Example,
  2. Example,
  3. Example, (apply to us-east-1 region)

You may need to create a private zone for each region and domain name format. For example, create a zone with domain name, another zone with domain name


Use DNS wildcard for record. For example, use * that resolves to an A record that is the private IP address of the PrivateS3 internal NLB.

Step 4. Adding additional Gateways

When you want to scale-out and add more Gateways to the pool, follow these steps

  1. Deploy a new Gateway in a subnet in the same VPC by navigating to Gateway -> New Gateway. Specify the Gateway Name, Access Account Name, Region, VPC ID, Public Subnet and Gateway Size. Leave all other fields as default.
  2. Navigate to Security -> Private S3
  3. Choose the initially deployed Gateway from the drop down menu under ‘Gateway name’
  4. Following fields will be automatically populate based on the earlier deployed Gateway in the same VPC: Source CIDR Range, S3 Bucket FQDN Name Resolution IP, NLB DNS, S3 Bucket Name
  5. Click on Attach, which will add this new Gateway as a Target in the correct Target Group for the NLB created.

This completes the configuration needed to add a new Gateway to the pool.