One of my clients has a strict restriction on routing internet traffic, requiring us to route out of AWS and through their on-premises firewall hardware. This restriction means no Internet Gateway on the VPC, which also means transfers to S3 have to go from AWS to their on-premises network and back out to AWS over the internet, which is not ideal for large-scale migrations.
True, you could send those images to S3 right from your on-prem network, but:
- What's the fun in that?
- You're sending those precious machine images over the wide-open internet.
- Something about guaranteed network speed, but it's hard to tell.
Lucky for us, AWS recently announced VPC Endpoints, a special routing destination that lets you send S3 traffic over AWS' private network and even control bucket access via IAM policies. All very cool.
For this client, we were able to set up an Endpoint for the migration of their VMware instances into AWS. Our team configured an admin box in our VPC with an upload/conversion PowerShell script to pull the OVA files out of vCenter and push them into S3.
Thanks to the new routing trick, we no longer expose the OVA files to the wide-open web, and the upload speed stays consistent. When combining this with a Direct Connect, you can create a pretty impressive migration process that moves data transfers along at lightning speeds.
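As an added example (not the client's upload script or anything AWS ships), here is the bucket-side half of the "control bucket access" point above: a bucket policy that refuses any request that did not arrive through the gateway endpoint, and any request made over plain HTTP, plus a small checker that shows how those two Deny statements resolve for a few request contexts. The bucket name and the `vpce-` ID are placeholders; the checker only models the two condition operators the policy uses, not full IAM evaluation.

```python
import json
from typing import Optional

# Constructed placeholders: substitute the real bucket name and the endpoint
# ID that `aws ec2 describe-vpc-endpoints` reports for the S3 gateway endpoint.
BUCKET = "example-migration-ova-bucket"
VPCE_ID = "vpce-0123456789abcdef0"  # placeholder, not a real endpoint ID


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy that denies S3 calls not coming via the given endpoint
    and denies calls made without TLS. Deny always wins over any Allow."""
    arn = f"arn:aws:s3:::{bucket}"
    resources = [arn, f"{arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessNotFromVpcEndpoint",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": resources,
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": resources,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _condition_matches(op: str, key: str, want: str, ctx: dict) -> bool:
    have = ctx.get(key)
    if op == "StringNotEquals":
        # Negated operators match when the key is absent, which is exactly the
        # case for a request that reached S3 from the internet, not an endpoint.
        return have != want
    if op == "Bool":
        return have == want
    raise ValueError(f"operator not modelled: {op}")


def denied_by(policy: dict, source_vpce: Optional[str], https: bool) -> Optional[str]:
    """Return the Sid of the Deny statement that blocks this request, or None."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if source_vpce is not None:
        ctx["aws:sourceVpce"] = source_vpce
    for stmt in policy["Statement"]:
        for op, pairs in stmt["Condition"].items():
            if all(_condition_matches(op, k, v, ctx) for k, v in pairs.items()):
                return stmt["Sid"]
    return None
```

Note that the first statement also locks out the console and any on-premises uploads, so attach it only after the endpoint's prefix-list route is in the admin box's route table and the upload has been verified end to end.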