AWS Certified Solutions Architect - Associate (SAA-C02)


How can we confirm traffic is going through VPC Endpoint?

When adding a VPC endpoint for an AWS service how can we confirm that the service traffic is actually traveling over the VPC endpoint and not through the Internet Gateway?

2 Answers

One way would be to check the associated CloudWatch logs (BytesOutToDestination, BytesOutToSource, BytesInFromDestination, and BytesInFromSource metrics).

For services where a resource policy can be added, the resource policy can have a Condition statement to ensure that the aws:SourceVpce (i.e. VPC Endpoint ID) is present and is the correct VPC ID (i.e. the connection isn't coming from another VPC Endpoint). See https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html for an example. Essentially, the policy has to contain something like:

    "Condition": {
        "StringNotEquals": {
            "aws:SourceVpce": "vpce-1a2b3c4d"
        }
    }

Adding such a policy to a bucket would ensure that access to that bucket is only possible over the VPC Endpoint.
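To make the condition above concrete, here is an added example (not code from the original answer or from AWS) that builds the full Deny statement around it and then models the one IAM rule that makes the check work: a negated operator such as StringNotEquals evaluates to true when the condition key is absent from the request context, so a request that arrives via an internet gateway (which carries no aws:SourceVpce key at all) falls under the Deny just like a request from the wrong endpoint. The bucket name, the second endpoint ID and the sample request contexts are constructed placeholders; the simulator only models the operators this policy uses.

```python
"""Added example: S3 bucket policy restricted to one VPC endpoint, plus an
offline simulation of how the StringNotEquals condition is evaluated.
Not the original poster's code; bucket and endpoint IDs are placeholders."""
import json

BUCKET = "example-private-bucket"      # assumed placeholder bucket name
ALLOWED_VPCE = "vpce-1a2b3c4d"          # endpoint ID used in the answer above


def build_vpce_only_policy(bucket: str, vpce_id: str) -> dict:
    """Return a bucket policy that denies every S3 action unless the request
    context carries aws:SourceVpce equal to vpce_id (the pattern from the
    AWS docs page linked in the answer)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessOutsideVpce",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            }
        ],
    }


def request_denied(policy: dict, request_context: dict) -> bool:
    """Simulate whether any Deny statement in the policy matches the request.

    Models the IAM semantics that matter here:
      * StringEquals    -> true only if the key is present and equal
      * StringNotEquals -> true if the key is absent OR not equal
    Only these two operators are modelled (assumption of this example)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        matched = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                actual = request_context.get(key)
                if operator == "StringEquals":
                    matched &= actual is not None and actual == expected
                elif operator == "StringNotEquals":
                    matched &= actual is None or actual != expected
                else:
                    raise ValueError(f"operator {operator} not modelled")
        if matched:
            return True
    return False


def classify_requests(policy: dict) -> dict:
    """Constructed request contexts, one per network path a client might use."""
    samples = {
        "via_internet_gateway": {},                      # no aws:SourceVpce key
        "via_allowed_endpoint": {"aws:SourceVpce": ALLOWED_VPCE},
        "via_other_endpoint": {"aws:SourceVpce": "vpce-0f0f0f0f"},  # placeholder
    }
    return {name: request_denied(policy, ctx) for name, ctx in samples.items()}


if __name__ == "__main__":
    policy = build_vpce_only_policy(BUCKET, ALLOWED_VPCE)
    print(json.dumps(policy, indent=2))
    for path, denied in classify_requests(policy).items():
        print(f"{path:24s} -> {'DENIED' if denied else 'allowed'}")
```

Two caveats a practitioner should keep in mind before applying a policy like this with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`: the explicit Deny also blocks your own console and CLI access from outside the VPC, so carve out an administrative principal or you will lock yourself out of the bucket; and the policy only proves that requests which succeed came through the endpoint, it does not by itself tell you which path clients were using beforehand.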
