2 Answers
One way would be to check the associated CloudWatch metrics (BytesOutToDestination, BytesOutToSource, BytesInFromDestination, and BytesInFromSource).
For services where a resource policy can be added, the resource policy can have a Condition statement to ensure that the aws:SourceVpce (i.e. VPC Endpoint ID) is present and is the correct VPC ID (i.e. the connection isn't coming from another VPC Endpoint). See https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html for an example. Essentially, the policy has to contain something like:
    "Condition": {
        "StringNotEquals": {
            "aws:SourceVpce": "vpce-1a2b3c4d"
        }
    }
Adding such a policy to a bucket would ensure that access to that bucket is only possible over the VPC Endpoint.
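As an added check (example code written for this page, not from the answers above or from AWS): a small Python script that inspects a bucket policy for the Deny / StringNotEquals / aws:SourceVpce shape described above and simulates whether that Deny fires for a given request context. The bucket name and endpoint ID are constructed placeholders.

```python
import json

# Constructed sample bucket policy, modelled on the AWS docs example linked above.
# "example-bucket" and "vpce-1a2b3c4d" are placeholders, not real resources.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
    }],
})


def vpce_deny_conditions(policy_json):
    """Return one set of allowed endpoint IDs per Deny statement that uses
    StringNotEquals on aws:SourceVpce. An empty list means nothing in the
    policy pins the bucket to a VPC endpoint (an Allow with the same condition
    does not block other paths, so only explicit Deny statements count)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        value = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if value is None:
            continue
        found.append({value} if isinstance(value, str) else set(value))
    return found


def deny_applies(policy_json, source_vpce):
    """Simulate whether the Deny fires for a request whose aws:SourceVpce is
    source_vpce. None models a request that did not arrive through any VPC
    endpoint (e.g. from the public internet): a negated operator such as
    StringNotEquals evaluates to true when the key is absent from the request
    context, so such a request is denied. Any matching Deny statement wins."""
    return any(source_vpce not in allowed for allowed in vpce_deny_conditions(policy_json))
```

A policy with no matching Deny statement makes deny_applies return False for every request, which is the "bucket still reachable from anywhere" case the check is meant to surface.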