Here is a scenario –
What do you think? Thanks.
As Tom says above, I’m curious where you might have come across this scenario. If it’s from an exam question dump, it’s kind of a strange question… lots of times the authors of those questions just pile together words.
On the surface, if we are forbidden from having traffic move on the internet, that rules out #2 because a Public Virtual Interface allows Direct Connect users to access the public side of AWS services using the public IPs.
On the other hand, Option 1 has these EC2 proxies, which just do not make sense either.
My reason for asking where the scenarios come from is that if it’s from an official exam or even an exam dump then it’s in violation of the AWS terms of agreement for the AWS exams to post the scenario like this.
As Scott notes, Option 2 can be ruled out based on using the Public Virtual Interface.
Option 1 is actually the proper way to do this, and requires the use of EC2 proxies. S3 VPC Endpoints are of the Gateway variety, not the Interface variety. Since transitive routing is not supported, there needs to be a proxy in the VPC to redirect the Direct Connect traffic to the S3 Gateway.
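As an added example (not code from any post in this thread), here is a small Python check of the route-table side of the layout described in the reply above: on-prem → Direct Connect private VIF → virtual private gateway → VPC → EC2 proxy → S3 gateway endpoint. A gateway endpoint is a route-table target rather than an ENI, so only instances in subnets whose route table carries the S3 prefix-list route can reach it, and nothing arriving from the virtual private gateway can be forwarded to it. The function below verifies that a candidate proxy subnet has both the prefix-list route to an S3 gateway endpoint and a return route to the on-prem range via a `vgw-` target. The endpoint, route-table, subnet and prefix-list identifiers are constructed sample data shaped like `aws ec2 describe-vpc-endpoints` / `describe-route-tables` output, not values from the original scenario.

```python
"""Route-table sanity check for a Direct Connect -> EC2 proxy -> S3 gateway endpoint layout.

Added example; the data below is constructed to look like `describe-vpc-endpoints` and
`describe-route-tables` output and does not come from the thread's scenario.
"""
import ipaddress

# Constructed sample: one S3 gateway endpoint associated with the proxy subnet's route table.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0123abcd", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-proxy"]},
]

# Constructed sample: the proxy subnet's table has the S3 prefix-list route and a return
# route to on-prem via the virtual private gateway; a second subnet lacks the S3 route.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-proxy",
     "Associations": [{"SubnetId": "subnet-proxy"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0abc"},  # on-prem via DX
         {"DestinationPrefixListId": "pl-63a5400a", "GatewayId": "vpce-0123abcd"},  # S3 prefix list
     ]},
    {"RouteTableId": "rtb-other",
     "Associations": [{"SubnetId": "subnet-other"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0abc"},
     ]},
]


def s3_gateway_endpoint_ids(endpoints):
    """IDs of Gateway-type endpoints for S3 (service name ends in '.s3')."""
    return {
        e["VpcEndpointId"]
        for e in endpoints
        if e.get("VpcEndpointType") == "Gateway" and e["ServiceName"].endswith(".s3")
    }


def route_table_for_subnet(route_tables, subnet_id):
    """The route table explicitly associated with subnet_id, or None."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def check_proxy_subnet(route_tables, endpoints, subnet_id, onprem_cidr):
    """Report whether an EC2 proxy in subnet_id can reach S3 via a gateway endpoint
    and answer back to the on-prem range that arrives over the Direct Connect VGW."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return {"subnet": subnet_id, "route_table": None, "ok": False,
                "problems": ["subnet has no explicit route-table association"]}

    s3_vpces = s3_gateway_endpoint_ids(endpoints)
    routes = rt.get("Routes", [])

    # (a) A prefix-list route whose target is an S3 gateway endpoint: this is the only
    #     way traffic reaches a gateway endpoint, which is why the proxy must sit in the VPC.
    has_s3_route = any(
        "DestinationPrefixListId" in r and r.get("GatewayId") in s3_vpces for r in routes
    )

    # (b) A return route covering the on-prem range that points at a virtual private gateway,
    #     so replies from the proxy go back over the Direct Connect private VIF.
    onprem = ipaddress.ip_network(onprem_cidr)
    has_return_route = any(
        "DestinationCidrBlock" in r
        and str(r.get("GatewayId", "")).startswith("vgw-")
        and onprem.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
        for r in routes
    )

    problems = []
    if not has_s3_route:
        problems.append("no prefix-list route to an S3 gateway endpoint")
    if not has_return_route:
        problems.append(f"no route to {onprem_cidr} via a virtual private gateway")
    return {"subnet": subnet_id, "route_table": rt["RouteTableId"],
            "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for subnet in ("subnet-proxy", "subnet-other"):
        print(check_proxy_subnet(SAMPLE_ROUTE_TABLES, SAMPLE_ENDPOINTS, subnet, "192.168.10.0/24"))
```

Against real data, replace the two sample lists with the `VpcEndpoints` and `RouteTables` arrays from the corresponding `aws ec2 describe-*` calls; the check deliberately ignores the on-prem side, because no route on the Direct Connect side can target a gateway endpoint at all.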
There is plenty of documentation on Direct Connect and VIFs, you just have to look for it 😉
For instance this was the top of the list when I googled: AWS public VIF
Start by reading the AWS doco or free Kindle Book on Direct Connect, then take a look at some of the implementation scenarios.
Also google: AWS Direct Connect public vif diagram image
Then take some time to draw it out on some paper so that you have a solid understanding of how the elements fit.
Moderator & Coach