
I'm creating the VPC for a social networking app I'm working on and am somewhat confused when it comes to public and private data.

My question is: should I add public or private (or both) S3 endpoints to my subnets, and why? What information should be public, and what should be private? The app is a lot like Facebook: users will be signing in to profiles and posting text and media posts, all with customizable privacy settings.

thesowismine

1 Answer

S3 endpoints in VPC serve only one purpose: they manipulate your VPC route tables and modify the way your EC2 instances' internal traffic is routed to S3.

They have no direct impact on Internet access to S3, nor to the public/private classification of data, and are not needed in order to use S3. S3 works fundamentally the same with or without them. Unless you have some strict compliance requirements that constrain your deployment, or an unusual network topology, or you have an extreme amount of traffic between your EC2 instances and S3, they aren't something you probably need.

As a new user, your best move is probably not to set them up, since it's potentially one more detail you don't need to deal with. At some point, you may find a reason why you'd want to add them, but for now, I wouldn't.

Regarding public vs. private subnets in VPC (unrelated to S3 endpoints), see Why do we need private subnet in VPC? for an explanation.

Michael - sqlbot
  • Thanks @Michael - sqlbot! (did that name tag work with spaces?) That makes a lot of sense. What would you consider an "extreme amount of traffic" between EC2 and S3? Users on my site will frequently be playing, downloading, and uploading audio. Would a site like YouTube make use of the endpoints to access its videos? – thesowismine Jul 09 '15 at 07:11
  • @thesowismine the only traffic that uses an S3 VPC endpoint is to/from your server instances *only*. The thing is, S3 is already connected to the Internet, and front-ended by its own web server farm, so your users' requests *can* go *directly* from browser to S3 (vs. browser to your server to S3), even in cases where you don't want the content to be public, using "pre-signed URLs" and other mechanisms. Direct browser/S3 interaction would not use the S3 VPC endpoint, even if you had one. A site like YouTube, probably not... and for something like that, see also Amazon CloudFront. – Michael - sqlbot Jul 09 '15 at 08:26
  • Also, remove spaces when name-tagging people with spaces in their names. – Michael - sqlbot Jul 09 '15 at 08:27
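To make the answer's point concrete, here is an added Terraform example (not from the answer or the question) showing what an S3 gateway endpoint actually does: it is attached to route tables, and nothing else about S3 changes. The second half goes beyond the answer and shows the compliance-driven case it alludes to, a bucket policy that only allows access arriving through that endpoint. VPC, route table and bucket names are placeholders.

```hcl
# Gateway endpoint for S3 in us-east-1 (the region and IDs are assumed placeholders).
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = "vpc-PLACEHOLDER"
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"

  # This is the route table manipulation the answer describes: AWS adds a
  # route for the S3 prefix list to each listed table, so instances in the
  # associated subnets reach S3 without going through a NAT or Internet gateway.
  route_table_ids = ["rtb-PLACEHOLDER"]
}

# Beyond the answer: a compliance-style bucket policy that denies any request
# not arriving through the endpoint above (aws:SourceVpce is a real condition key).
# Caveat: this also blocks console and CLI access from outside the VPC,
# including your own, so test it on a scratch bucket first.
data "aws_iam_policy_document" "only_via_endpoint" {
  statement {
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions = ["s3:*"]
    resources = [
      "arn:aws:s3:::example-app-media",   # placeholder bucket name
      "arn:aws:s3:::example-app-media/*",
    ]
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.s3.id]
    }
  }
}

resource "aws_s3_bucket_policy" "only_via_endpoint" {
  bucket = "example-app-media"   # placeholder bucket name
  policy = data.aws_iam_policy_document.only_via_endpoint.json
}
```

Browser-to-S3 traffic such as pre-signed URL downloads, mentioned in the comments, never touches the endpoint, so a policy like the second half would break that pattern for content served directly to users.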