AWS S3作为非结构化数据的存储，经常会有内网中的app调用的需求。S3默认是走公网访问的，如果内网app通过公网地址访问S3并获取数据会消耗公网带宽费用。如下图所示：

AWS 提供了一种叫做endpoints的资源，这种资源可以后挂S3服务，使得内网服务可以不出公网访问S3.

VPC endpoints for Amazon S3 simplify access to S3 from within a VPC by providing configurable and highly reliable secure connections to S3 that do not require an internet gateway or Network Address Translation (NAT) device. When you create a S3 VPC endpoint, you can attach an endpoint policy to it that controls access to Amazon S3.

创建endpoints时，如果是S3，需选择gateway类型。

There are three types of VPC endpoints – Interface endpoints, Gateway Load Balancer endpoints, and Gateway endpoints. Interface endpoints and Gateway Load Balancer endpoints are powered by AWS PrivateLink, and use an Elastic Network Interface (ENI) as an entry point for traffic destined to the service. Interface endpoints are typically accessed using the public or private DNS name associated with the service, while Gateway endpoints and Gateway Load Balancer endpoints serve as a target for a route in your route table for traffic destined for the service.

创建完成后（按需配置VPC，route table等），即可使用https://{{bucket-name}}.s3.ap-southeast-1.amazonaws.com通过aws内网（骨干网）访问S3了。

图片参考：https://www.youtube.com/watch?v=jo3X_aay4Vs