AWS: how is an interface endpoint accessible from other subnets?


Assume the following VPC structure:

  • VPC DNS resolution and DNS hostnames enabled.
    • subnet1
      • ec2-1
    • subnet2
      • ec2-2
      • S3 VPC interface endpoint. Private DNS names for the endpoint is enabled.

Note

  • subnet1 and subnet2 are isolated, and ec2-1 and ec2-2 can’t talk with each other.
  • ec2-1 and ec2-2 resolve the same DNS hostnames because of the VPC and VPC S3 endpoint configurations.

Because ec2-1 and ec2-2 both use the same DNS (Route 53), they both resolve to the correct IP for the S3 VPCE. This can be understood (and is documented). The thing that is not entirely clear is why ec2-1 can use the S3 VPCE if it does not reside within its subnet.

Running the following command works from both ec2-1 and ec2-2:

[ec2-user@ip-10-0-111-15 ~]$ aws s3 ls
<works...>

I mean, from a network perspective, the S3 VPCE is just an ENI on your network that forwards requests to the S3 service using the AWS PrivateLink network. How does that specific ENI seem to be special and accessible from any EC2 instance in any subnet? (In this example ec2-1 from subnet1 can access an ENI attached to subnet2, which it should not have access to.)

It appears that ENIs related to VPC endpoints operate at a special level and at a lower level than standard route tables. I've also found some statements that support the claim that AWS has a mechanism that intercepts S3 traffic and routes it to the endpoint ENI, even if the default route points elsewhere. I'm looking for clear evidence from the AWS docs that supports or rejects this claim.

A clear explanation and a reference to the docs would be very welcome.

(This question does not answer my question. It's a shallow explanation which does not explain the behavior from a network perspective.)

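An added example, not part of the original post, that models the reachability check a practitioner would run to audit who can reach the endpoint ENI: every VPC route table carries a non-deletable local route for the whole VPC CIDR, and an interface endpoint ENI carries its own security group, so the model does longest-prefix routing and then evaluates the destination ENI's security-group ingress. All addresses, subnets and rules are constructed, and network ACLs are assumed to permit the traffic (they are not modeled).

```python
import ipaddress

# Constructed sample VPC (not the asker's real setup): one VPC CIDR, a route
# table shared by both subnets, and three ENIs, each with its own security group.
# The "local" route for the VPC CIDR is present in every VPC route table and
# cannot be removed, so subnet-to-subnet traffic needs no extra route entry.
VPC_CIDR = "10.0.0.0/16"
ROUTE_TABLE = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-example")]
ENIS = {
    "ec2-1":   {"ip": "10.0.1.10",  "subnet": "subnet1", "sg": "sg-ec2"},
    "ec2-2":   {"ip": "10.0.2.10",  "subnet": "subnet2", "sg": "sg-ec2"},
    "s3-vpce": {"ip": "10.0.2.200", "subnet": "subnet2", "sg": "sg-vpce"},
}
# Security-group ingress rules as (source CIDR, protocol, port); egress is open.
# sg-ec2 admits SSH only from an external admin range (TEST-NET-3), so the two
# instances cannot reach each other; sg-vpce admits HTTPS from the whole VPC.
SECURITY_GROUPS = {
    "sg-ec2":  [("203.0.113.0/24", "tcp", 22)],
    "sg-vpce": [(VPC_CIDR, "tcp", 443)],
}

def route_target(dst_ip):
    """Longest-prefix match over the route table, as VPC routing does."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(cidr), target) for cidr, target in ROUTE_TABLE
               if ip in ipaddress.ip_network(cidr)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def sg_allows(sg_id, src_ip, proto, port):
    """True if any ingress rule of the group admits src_ip on proto/port."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(cidr) and p == proto and pt == port
               for cidr, p, pt in SECURITY_GROUPS[sg_id])

def can_reach(src_name, dst_name, proto="tcp", port=443):
    """Return (allowed, reason) for traffic from one ENI to another."""
    src, dst = ENIS[src_name], ENIS[dst_name]
    target = route_target(dst["ip"])
    if target != "local":
        return False, f"route to {dst['ip']} is {target}, not local"
    if not sg_allows(dst["sg"], src["ip"], proto, port):
        return False, f"{dst['sg']} on {dst_name} has no ingress for {src['ip']} {proto}/{port}"
    return True, f"local route + {dst['sg']} ingress {proto}/{port}"

if __name__ == "__main__":
    for s, d, p in [("ec2-1", "s3-vpce", 443), ("ec2-1", "ec2-2", 22), ("ec2-2", "s3-vpce", 443)]:
        ok, why = can_reach(s, d, port=p)
        print(f"{s} -> {d}:{p}: {'ALLOW' if ok else 'DENY'} ({why})")
```

Swap the constructed dictionaries for the output of `aws ec2 describe-route-tables`, `describe-network-interfaces` and `describe-security-groups` to audit a real VPC.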

There are 0 best solutions below