Using the AWS PrivateS3 Feature
Launching an Aviatrix Gateway
Go to Gateway > New Gateway to launch an Aviatrix Gateway. Specify the Gateway Name, Access Account Name, Region, VPC ID, Public Subnet, and Gateway Size. Leave all other fields as default.
Select the region where you want the S3 buckets to be explicitly allowed or denied access through PrivateS3.
Creating Access Accounts
PrivateS3 automatically scans the S3 buckets owned by the Access Accounts. Create one Access Account if you have not done so.
Enabling/Updating PrivateS3
If you don’t see the gateway you just launched, refresh the browser.
Each AWS S3 bucket has a unique FQDN name. For example, if a full URL to access a file in S3 is https://avx-backup.s3-us-west-2.amazonaws.com/init.txt, then the bucket’s FQDN name is either avx-backup.s3-us-west-2.amazonaws.com or avx-backup.s3.us-west-2.amazonaws.com.
Setting | Value |
---|---|
Gateway Name | Select a gateway launched in the previous step for the PrivateS3 service. |
Source CIDR Range | This field represents the scope of the on-prem network address range. It is used to check whether the PrivateS3 filtering function should be applied to a given packet based on its source IP address. The range does not need to be precise: enter a summary list of the on-prem address ranges, separated by commas. For example, 10.0.0.0/8. |
Access Accounts | You can select multiple accounts and move them to the right panel. The Controller scans the S3 service of the selected accounts every 30 minutes to discover new S3 buckets. |
Click Enable. If PrivateS3 has been enabled, use this step to update changes in Source CIDR Range or Access Accounts.
Once PrivateS3 is enabled, the Controller creates an AWS NLB and attaches the PrivateS3 gateway to it. The NLB serves as a load balancer that forwards S3 HTTPS requests to the gateways.
Once PrivateS3 is enabled, you can repeat the previous steps to create more Aviatrix Gateways in the same VPC and attach them to the NLB.
Once PrivateS3 is enabled on the selected accounts, the Controller scans every 30 minutes for S3 buckets of the selected accounts in the region where the Aviatrix PrivateS3 gateway is deployed.
When new S3 buckets are discovered, an email is sent to the Controller admin. The admin should log in to the Controller, and go to Security > PrivateS3 > Step 4 to take actions on the new buckets. The actions are Allow or Deny.
Updating S3 Bucket Policy
Filter on S3 buckets with policy New. Change it to either Allow or Deny.
You can change all buckets to Allow All or Deny All.
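The two controls described above, the Source CIDR Range that decides whether filtering applies to a packet at all and the per-bucket Allow/Deny/New policy that decides what happens to a request, can be modelled as a small decision function. The following Python is an added illustration written for this page, not Aviatrix code: the CIDR list, the bucket policy table and the request samples are constructed, and the handling of a bucket that is still marked New (flagged for admin review rather than forwarded) is this example's reading of the workflow above, not a statement of gateway behaviour.

```python
import ipaddress
import re

# Constructed sample configuration (not Aviatrix data): the summary on-prem
# ranges as typed into "Source CIDR Range", and the per-bucket policy as set
# under Security > PrivateS3 > Step 4.
SOURCE_CIDR_RANGE = "10.0.0.0/8, 192.168.100.0/24"
BUCKET_POLICY = {
    "finance-backup": "Allow",
    "legacy-dump": "Deny",
    "new-data-lake": "New",   # found by the 30-minute scan, admin has not acted yet
}

# Matches the virtual-hosted S3 FQDN forms: bucket.s3.REGION..., bucket.s3-REGION...
# and the legacy bucket.s3.amazonaws.com. Bucket names may themselves contain dots,
# so the bucket group is greedy and the trailing suffix is anchored.
_S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)


def parse_cidr_list(text):
    """Turn the comma-separated summary list into ip_network objects.

    strict=False tolerates entries such as 10.1.2.0/8 (host bits set), which
    an operator typing a rough summary range is likely to produce.
    """
    return [
        ipaddress.ip_network(item.strip(), strict=False)
        for item in text.split(",")
        if item.strip()
    ]


def in_source_range(src_ip, networks):
    """True when the packet's source address falls inside any configured range."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in networks)


def bucket_from_host(host):
    """Extract the bucket name from an S3 FQDN, or None if the host is not one."""
    match = _S3_HOST_RE.match(host.lower())
    return match.group("bucket") if match else None


def decide(src_ip, host, networks=None, policy=BUCKET_POLICY):
    """Model of the per-request decision.

    Returns one of:
      "bypass"  - source is not on-prem, so PrivateS3 filtering is not applied
      "not-s3"  - the Host is not an S3 bucket FQDN, nothing to look up
      "forward" - bucket policy is Allow
      "drop"    - bucket policy is Deny
      "review"  - bucket is New (or unknown to the table); the admin must act
                  (treating unknown like New is this example's assumption)
    """
    if networks is None:
        networks = parse_cidr_list(SOURCE_CIDR_RANGE)
    if not in_source_range(src_ip, networks):
        return "bypass"
    bucket = bucket_from_host(host)
    if bucket is None:
        return "not-s3"
    state = policy.get(bucket, "New")
    return {"Allow": "forward", "Deny": "drop"}.get(state, "review")


if __name__ == "__main__":
    # Constructed requests: (source IP, Host header)
    for src, host in [
        ("10.1.2.3", "finance-backup.s3.us-west-2.amazonaws.com"),
        ("10.1.2.3", "legacy-dump.s3-us-west-2.amazonaws.com"),
        ("192.168.100.7", "new-data-lake.s3.amazonaws.com"),
        ("172.16.0.5", "legacy-dump.s3-us-west-2.amazonaws.com"),
    ]:
        print(f"{src:>15} -> {host:45} {decide(src, host)}")
```

The useful check for an operator is the last sample: a source outside the Source CIDR Range is never filtered, so a range that is too narrow silently exempts part of the on-prem estate from the Deny policy, while a range that is too wide only costs a policy lookup.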
Viewing/Deleting PrivateS3
When PrivateS3 is enabled, the Aviatrix Controller creates an AWS Network Load Balancer (NLB) and attaches an Aviatrix gateway to it. More Aviatrix Gateways can be launched and attached to this NLB. The NLB front ends the pool of Aviatrix gateways and distributes S3-related HTTPS requests to the attached gateways.
The View displays relevant data for troubleshooting and visibility.
Setting | Value |
---|---|
PrivateS3 NLB Name | AWS NLB created by the Aviatrix Controller when PrivateS3 is enabled. |
NLB Status | The status of the NLB created by the Aviatrix Controller. |
PrivateS3 | True/False, indicating whether PrivateS3 is enabled. |
Region | AWS region where the PrivateS3 gateways are launched. |
PrivateS3 DNS Name Resolution IP | This field displays the private IP address of the AWS internal NLB created by the Controller AFTER you complete this step of attaching the bucket URL to the FIRST gateway. It takes some time for the NLB to be created. If you are repeating this step for additional gateways, the NLB IP should be auto-populated when you choose the first gateway that the URL was attached to. Use the displayed IP address for your on-prem DNS configuration in the next step. |
PrivateS3 DNS Name | This field displays the DNS name of the NLB created by the Aviatrix Controller for the PrivateS3 function. |
Additional Configuration 1: Create an On-Prem DNS Private Zone
Create a private zone on your on-prem DNS server so that all S3 bucket names resolve to the PrivateS3 private IP address displayed from Step 2 in the "S3 Bucket FQDN Name Resolution IP" field. This IP address must be reachable from on-prem either by Direct Connect or VPN over Internet.
Depending on how the application invokes S3, for example with "wget", "curl", "aws s3", or "aws2 s3", the FQDN generated for S3 object access may differ. There are three formats.
- bucket-name.s3.region.amazonaws.com. Example: business-owner-bucket.s3.us-west-2.amazonaws.com
- bucket-name.s3-region.amazonaws.com. Example: business-owner-bucket.s3-us-west-2.amazonaws.com
- bucket-name.s3.amazonaws.com. Example: business-owner-bucket.s3.amazonaws.com (applies to the us-east-1 region)
You may need to create a private zone for each region and domain name format. For example, create a zone with domain name s3.us-west-2.amazonaws.com and another zone with domain name s3-us-west-2.amazonaws.com.
You can use DNS wildcards for the records. For example, use *.s3.us-west-2.amazonaws.com resolving to an A record whose value is the private IP address of the PrivateS3 internal NLB.
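The three FQDN formats and the per-region private zones above are easy to get subtly wrong by hand (a zone for s3.us-west-2.amazonaws.com does not cover bucket.s3-us-west-2.amazonaws.com). The following Python is an added example for this page, not Aviatrix tooling: it derives the bucket and region from the bucket FQDN explained earlier in the page, lists the zones and wildcard A records an on-prem DNS server needs for each region seen, and checks which zone would answer a given name. The sample URLs and the NLB IP 10.20.30.40 are constructed placeholders; in practice the IP is the value shown in the "PrivateS3 DNS Name Resolution IP" field. Following the page, the legacy bucket.s3.amazonaws.com form is generated only for us-east-1.

```python
import re
from urllib.parse import urlparse

# Constructed sample URLs (not real buckets), one per FQDN format listed above.
SAMPLE_URLS = [
    "https://avx-backup.s3-us-west-2.amazonaws.com/init.txt",
    "https://business-owner-bucket.s3.us-west-2.amazonaws.com/report.csv",
    "https://archive-bucket.s3.amazonaws.com/old.tgz",
]
NLB_PRIVATE_IP = "10.20.30.40"   # placeholder for the PrivateS3 DNS Name Resolution IP

# bucket.s3.REGION..., bucket.s3-REGION..., or legacy bucket.s3.amazonaws.com.
# The region group excludes dots, so a dotted bucket name cannot be mistaken for one.
_S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$"
)


def parse_s3_url(url):
    """Return (bucket, region) for a virtual-hosted S3 URL.

    The legacy no-region form is mapped to us-east-1, as the page describes.
    """
    host = (urlparse(url).hostname or "").lower()
    match = _S3_HOST_RE.match(host)
    if not match:
        raise ValueError(f"not a virtual-hosted S3 URL: {url}")
    return match.group("bucket"), match.group("region") or "us-east-1"


def zones_for(region):
    """Private zone names that together cover every FQDN format for one region."""
    zones = [f"s3.{region}.amazonaws.com", f"s3-{region}.amazonaws.com"]
    if region == "us-east-1":
        zones.append("s3.amazonaws.com")
    return zones


def fqdn_variants(bucket, region):
    """All FQDNs a client might generate for this bucket (mirror of zones_for)."""
    return [f"{bucket}.{zone}" for zone in zones_for(region)]


def build_zone_records(urls, nlb_ip):
    """Map each needed zone to its records: one wildcard A pointing at the NLB."""
    records = {}
    for url in urls:
        _, region = parse_s3_url(url)
        for zone in zones_for(region):
            records.setdefault(zone, [("*", "A", nlb_ip)])
    return records


def zone_covering(fqdn, records):
    """Which configured zone would answer this name (longest matching suffix)?"""
    fqdn = fqdn.lower()
    best = None
    for zone in records:
        if fqdn.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def render_zone_file(zone, records):
    """Zone-file style lines (hypothetical format for a generic DNS server)."""
    return "\n".join(f"{name}.{zone}. IN {rtype} {value}" for name, rtype, value in records)


if __name__ == "__main__":
    recs = build_zone_records(SAMPLE_URLS, NLB_PRIVATE_IP)
    for zone in sorted(recs):
        print(f"; zone {zone}")
        print(render_zone_file(zone, recs[zone]))
    for bucket, region in (parse_s3_url(u) for u in SAMPLE_URLS):
        for name in fqdn_variants(bucket, region):
            print(f"{name:55} -> {zone_covering(name, recs)}")
```

Running it over the sample URLs yields five zones (two for us-west-2, three for us-east-1), and every FQDN variant of every sample bucket resolves through one of them; a name in a region you have not created zones for (for example eu-west-1) falls through to public DNS, which is exactly the gap the per-region zone requirement above is warning about.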
Additional Configuration 2: S3 Endpoint
PrivateS3 does not require an S3 endpoint; however, an S3 endpoint in the VPC where the PrivateS3 gateways are deployed lets traffic reach the S3 service without routing through the Internet. Configuring an S3 endpoint is outside the scope of the PrivateS3 workflow. Log in to the AWS Console to create an S3 endpoint.
Adding PrivateS3 Gateways
When you want to scale out and add more gateways to the pool, follow these steps.
- Deploy a new gateway in a subnet in the same VPC by navigating to Gateway > New Gateway.
- Specify the Gateway Name, Access Account Name, Region, VPC ID, Public Subnet, and Gateway Size. Leave all other fields as default.
- Navigate to Security > Private S3 and choose the initially deployed gateway from the dropdown menu under the Gateway name.
- The following fields will automatically populate based on the earlier deployed gateway in the same VPC: Source CIDR Range, S3 Bucket FQDN Name Resolution IP, NLB DNS, S3 Bucket Name.
- Click Attach, which adds this new gateway as a Target in the correct Target Group of the NLB that was created.
This completes the configuration needed to add a new gateway to the pool.
This short Aviatrix blog post provides more information on PrivateS3.