Deprecated : The preferred way is to use S3 Private Link instead of a S3 proxy, see Media Traffic Isolation

Media Traffic Isolation using an S3 proxy (DEPRECATED)

Disclaimer : This documentation is provided solely as an example. It explains how to set up your ShotGrid Isolation environment so that it can be connected to ShotGrid cloud infrastructure. Please adapt it to your studio security requirements as needed. As ShotGrid has no visibility on your AWS Account, ensuring that this account is secure is a client responsibility.

The media traffic isolation feature allows your users to access media in your AWS S3 bucket privately (not transiting over the public Internet). Please note that if you have a multi-region setup and that leverages the ShotGrid Transcoding service there may still be instances where media transits across the public Internet. Reach out to our support team for more details.

Media Isolation activation is a pre-requisite to enable this feature. If you haven’t done so already, see Media Isolation.

Set up a VPC in your S3 bucket AWS region

Disclaimer : Before starting, decide whether your S3 proxy will be privately accessible within your VPC or publicly accessible via the Internet and choose the relevant templates in the following instructions.

You will need to deploy a VPC with the required VPC endpoints. We provide both private VPC and public VPC CloudFormation templates as starting points. These template create the necessary VPCs, subnets and VPC endpoints.

Set up access from your site network to your AWS VPC

Options provided by AWS:

Note : If Direct Connect is chosen, we recommend testing with a simpler / faster solution in the meantime to validate your Isolation setup. You can then replace that solution with Direct Connect once it is available.

Add an S3 endpoint to your VPC

Note : This step should only be performed if the CloudFormation template was not used when configuring Media Isolation.

Add endpoint Add endpoint Add endpoint

Set up S3 proxy

You will need to deploy an S3 proxy in your VPC to forward traffic to the S3 VPC endpoint. We provide both private and public S3 proxy CloudFormation templates as starting points for this purpose. These will create the necessary Elastic Container Service (ECS) cluster and other resources to run the S3 proxy on AWS Fargate behind an AWS Application Load Balancer (ALB).

Make the Docker image available from a private AWS ECR repository

  • Create a new Elastic Container Registry (ECR) repository
  • Name the repository s3-proxy
  • Upload the s3-proxy Docker image to the newly created ECR repository
    • Install Docker on your workstation
    • Follow the docker login instructions shown by clicking the View push commands button
    • Run the following commands, substituting the ECR endpoint in the example for yours:
      docker pull
      docker tag
      docker push

Create S3 proxy CloudFormation stack

Create a new stack in AWS Console using either the private or public CloudFormation template.

Configure HTTPS

ShotGrid requires that the S3 proxy be accessed via HTTPS, therefore the AWS ALB handling requests for your newly created S3 proxy stack must be configured to accept HTTPS requests.

  • Create a DNS entry pointing to your S3 proxy, depending upon whether public or private
    • Private S3 proxy (default):
      • Go to the EC2 Load Balancers dashboard, select your S3 proxy’s ALB and make a note of the DNS name
      • Add a DNS CNAME record pointing to the DNS name of the ALB Eg. 300 IN CNAME
    • Public S3 proxy:
      • Go to the AWS Global Accelerator dashboard and make a note of the DNS name associated with your S3 proxy’s accelerator
      • Add a DNS CNAME record pointing to the DNS name of the Global Accelerator Eg. 300 IN CNAME
  • Obtain an SSL certificate for your chosen URL, we recommend using AWS Certificate Manager (ACM) for this
  • Configure HTTPS for the S3 proxy by adding a new HTTPS listener to the AWS ALB
    • Go to the EC2 Load Balancers dashboard, select your S3 proxy’s ALB and click on the Listeners tab
    • Click Add listener
    • Select HTTPS from the Protocol dropdown menu
    • Click Add action -> Forward to…
    • Select your S3 proxy’s target group from the Target group dropdown menu
    • Select the Security policy you’d like to use. Eg. TLS-1-2-Ext-2018-06 (See AWS documentation for more information)
    • Select the SSL certificate you’d like to use from ACM or import a new certificate
    • Click Save

Add S3 proxy VPC to S3 bucket policy

In order for the S3 proxy to communicate with your S3 bucket your bucket policy must allow access from the S3 proxy’s VPC. You can find instructions on how to configure the policy in the Fine Tuning step.


Test the S3 proxy

Try to access your S3 proxy using the ping route. Eg.

Configure your test site to use the S3 proxy

  • Navigate to the Site Preferences menu within ShotGrid and expand the Isolation section
  • Set S3 Proxy Host Address to the S3 proxy url. Eg. then click Save changes
  • Confirm that you are still able to access existing media
  • Attempt to upload new media

Next Steps

See Media Replication to activate the Media Replicaton Traffic Isolation feature.

Go to Setup for an overview of the possible next steps.

Edit this document