How to communicate with S3 from EC2 without incurring data transfer charges via IPv6?

0

Since AWS has started charging for public IPv4 addresses, it has become a necessity to adopt IPv6. But a huge issue is the data transfer cost that comes with it when communicating with S3. When using IPv4, we could create a Gateway Endpoint and the traffic would go via the internal AWS network, which did not cost us data transfer charges. But the limitation with Gateway Endpoints is that they do not support IPv6 traffic, hence the connection to S3 will use the public internet and we would be charged for it. Is there any solution to this problem?

  • please accept the answer if it was useful

3 Answers
0

"it has become a necessity to adopt IPv6" - IPv4 is not very expensive (~$3 per month per public IP), so it's up to you whether to adopt IPv6. Private IPs are free. You can use VPC endpoints to communicate with the S3 service via the private network.

"without incurring data transfer charges via IPv6" - traffic itself will cost some money, and it does not matter what you use, IPv4 or IPv6. If you mean charges for public IPv4 addresses, you can use private

EXPERT
answered 2 months ago
AWS EXPERT
reviewed 2 months ago
    1. We have 500+ EC2 instances which have public IPv4 addresses attached to them. So the cost of public IPv4 becomes significantly high.

    2. Previously, when we were using IPv4, we had an S3 Gateway Endpoint in place, so we were not billed for the data transfer cost. Now the Gateway Endpoint only supports IPv4.

    Is there any way to solve this?

  • What is the reason for having 500+ instances with public IPs? Can they be put behind a public load balancer? Outbound traffic can go via a NAT Gateway.

0

Hello,

You can make requests to Amazon S3 over IPv6, which supports a dual-stack configuration. There are no additional charges for accessing Amazon S3 over IPv6, but you will incur charges for data transfer.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/ipv6-access.html

EXPERT
answered 2 months ago
  • No, traffic between an EC2 instance and an S3 bucket in the same region doesn't incur data transfer costs.

  • Yes. So either way we would be charged for the IPv6 traffic. If we use the dual-stack endpoint, then we would be charged for S3 data transfer, as per my understanding, right?

0

As stated on the pricing page for S3, https://aws.amazon.com/s3/pricing/, on the Data transfer tab, and in the EC2 pricing FAQ, https://aws.amazon.com/ec2/pricing/on-demand/#Data_Transfer_within_the_same_AWS_Region, direct communication between an EC2 instance and an S3 bucket in the same region is free.

"Direct communication" means that there are no components in between that charge for traffic passing through them. For IPv4, typical such components would include NAT gateways and VPC interface endpoints, which always involve a per-gigabyte traffic charge.

For IPv6, you can route traffic through an egress-only internet gateway. It functions similarly to a NAT gateway in that it only allows connections initiated from inside the VPC, but it doesn't translate addresses and therefore doesn't involve a data processing charge. This is stated also explicitly in the pricing section of this documentation page: https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html

If you also need inbound connectivity to your instances, you can also route traffic between your IPv6 instances and the internet through a regular internet gateway, which also doesn't charge for traffic passing through it.

You should note that a variety of AWS services don't yet support IPv6, including DynamoDB and Kinesis as examples (https://docs.aws.amazon.com/vpc/latest/userguide/aws-ipv6-support.html). As Oleksii Bebych advised, you can configure your EC2 instances with dual-stack networking, with both IPv6 IPs and private IPv4 addresses within your VPC. That would allow you to continue to use the VPC gateway endpoint to connect to S3 and DynamoDB over private IPv4 networking as you're used to, but still have the option of creating a NAT gateway (with one chargeable public IPv4 IP on it) if you need to connect to those services in AWS and elsewhere that are only available over IPv4.

EXPERT
Leo K
answered 2 months ago
  • We currently have the EC2 setup in dual-stack mode. Currently, when it is trying to use IPv4 for the S3 communication, it's translating it via NAT64, since IPv6 takes precedence over IPv4, and hence we are incurring huge NAT costs. The alternative solution is to use S3 dual-stack endpoints as suggested here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ipv6-access.html. But this would then send the traffic over the Internet Gateway, bypassing the S3 Gateway Endpoint in place, and hence will start incurring S3 transfer charges. Kindly confirm if my understanding is correct.

  • @soumikdey Check a) that your S3 bucket is in the same region as the EC2 instances, b) that you have a VPC gateway endpoint (not interface endpoint) in your VPC for S3, and c) that there is a route towards S3's VPC gateway endpoint from the route tables of all the subnets where you have EC2 instances. When all three conditions are true, all IPv4 traffic to all S3 buckets in the region will go through the VPC gateway endpoint with zero traffic processing costs. For IPv6, the egress-only IGW and IPv6 default route discussed earlier will have zero traffic cost for S3 in the region.
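The route-table checklist from the comment above (conditions b and c, plus the zero-cost IPv6 default route), as an added example that is not part of any answer on this page: a Python audit over the JSON shape returned by `aws ec2 describe-route-tables`. All IDs in the sample (route tables, subnets, endpoint, prefix list, NAT gateway, egress-only IGW) are constructed; the S3 prefix-list ID is region-specific, so pass the one from `aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.<region>.s3`. It also flags a `64:ff9b::/96` route to a NAT gateway, which is the NAT64 path the earlier comment describes: DNS64-synthesised addresses for IPv4-only S3 hostnames go through the chargeable NAT gateway instead of the gateway endpoint. Condition a (bucket region) is not visible in a route table and is not checked here.

```python
"""Audit subnet route tables for zero-cost EC2 -> S3 paths (added example)."""
from typing import Dict, List, Optional

# Constructed sample in the shape of `aws ec2 describe-route-tables`.
# subnet-aaaa has no explicit association, so the VPC main table applies to it;
# subnet-bbbb is associated with a table that still relies on a NAT gateway.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            # S3 gateway endpoint: prefix-list destination, vpce- target (condition b/c)
            {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-s3example", "State": "active"},
            # IPv6 default route through the egress-only IGW: no data processing charge
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-nat",
        "Associations": [{"Main": False, "SubnetId": "subnet-bbbb"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
            # NAT64 route: DNS64-synthesised destinations are translated by the NAT gateway
            {"DestinationIpv6CidrBlock": "64:ff9b::/96", "NatGatewayId": "nat-example", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-example", "State": "active"},
        ],
    },
]


def route_table_for_subnet(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def audit_route_table(rt: dict, s3_prefix_list_id: str) -> List[str]:
    """Return cost warnings for S3 traffic from subnets that use this route table."""
    has_s3_gateway = has_free_ipv6_default = nat64 = ipv4_default_nat = False
    for r in rt.get("Routes", []):
        if r.get("State", "active") != "active":  # blackhole routes carry no traffic
            continue
        gw = r.get("GatewayId", "")
        if r.get("DestinationPrefixListId") == s3_prefix_list_id and gw.startswith("vpce-"):
            has_s3_gateway = True
        if r.get("DestinationIpv6CidrBlock") == "::/0" and (
            "EgressOnlyInternetGatewayId" in r or gw.startswith("igw-")
        ):
            has_free_ipv6_default = True
        if r.get("DestinationIpv6CidrBlock") == "64:ff9b::/96" and "NatGatewayId" in r:
            nat64 = True
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r:
            ipv4_default_nat = True

    warnings: List[str] = []
    if not has_s3_gateway:
        warnings.append("no S3 gateway endpoint route (pl-... -> vpce-...): "
                        "IPv4 traffic to S3 leaves via NAT gateway or IGW")
    if not has_free_ipv6_default:
        warnings.append("no ::/0 route via egress-only IGW or IGW: "
                        "S3 dual-stack endpoint is not reachable over IPv6")
    if nat64:
        warnings.append("64:ff9b::/96 -> NAT gateway: DNS64-synthesised S3 addresses "
                        "are translated through the chargeable NAT gateway")
    if ipv4_default_nat and not has_s3_gateway:
        warnings.append("0.0.0.0/0 -> NAT gateway with no S3 gateway route: "
                        "every byte to S3 is NAT-processed")
    return warnings


def audit_subnets(route_tables: List[dict], subnet_ids: List[str],
                  s3_prefix_list_id: str) -> Dict[str, List[str]]:
    """Map each subnet to its list of warnings (empty list means zero-cost S3 paths)."""
    report: Dict[str, List[str]] = {}
    for sid in subnet_ids:
        rt = route_table_for_subnet(route_tables, sid)
        report[sid] = ["no route table found"] if rt is None else audit_route_table(rt, s3_prefix_list_id)
    return report


if __name__ == "__main__":
    result = audit_subnets(SAMPLE_ROUTE_TABLES, ["subnet-aaaa", "subnet-bbbb"], "pl-s3example")
    for subnet, issues in result.items():
        print(subnet, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Feed it the real output with `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc> | jq .RouteTables` and the subnet IDs of the instance fleet; a subnet that reports no warnings has the configuration the answer describes, with IPv4 to S3 via the gateway endpoint and IPv6 via the egress-only IGW.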