diff --git a/glue_job.tf b/glue_job.tf
index b829fbe..dbb96c5 100644
--- a/glue_job.tf
+++ b/glue_job.tf
@@ -123,13 +123,10 @@ resource "aws_glue_connection" "redshift_connection" {
 JDBC_ENFORCE_SSL = false
 }
- dynamic "physical_connection_requirements" {
- for_each = var.glue_physical_connection_requirements == null ? [] : list(var.glue_physical_connection_requirements)
- content {
- availability_zone = physical_connection_requirements.value.availability_zone
- security_group_id_list = physical_connection_requirements.value.security_group_id_list
- subnet_id = physical_connection_requirements.value.subnet_id
- }
+ physical_connection_requirements {
+ availability_zone = var.glue_physical_connection_requirements.availability_zone
+ security_group_id_list = var.glue_physical_connection_requirements.security_group_id_list
+ subnet_id = var.glue_physical_connection_requirements.subnet_id
 }
 }
@@ -249,3 +246,14 @@ resource "aws_cloudwatch_event_target" "notify_failed_glue_job" {
 target_id = "notify-failed-glue-job-run"
 arn = aws_sns_topic.glue_job_failure.arn
 }
+
+
+data "aws_vpc" "main" {
+ id = var.vpc_id
+}
+
+# Glue jobs require a VPC endpoint for connecting to S3
+resource "aws_vpc_endpoint" "s3" {
+ vpc_id = data.aws_vpc.main.id
+ service_name = "com.amazonaws.${var.aws_region}.s3"
+}
diff --git a/variables.tf b/variables.tf
index af2f0f5..6bd729f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -109,5 +109,9 @@ variable "lambda_loader_security_group_ids" {
 variable "glue_physical_connection_requirements" {
 type = object({ availability_zone=string, subnet_id=string, security_group_id_list=list(string) })
 description = "A terraform map of the physical_connection_requirements property of the glue redshift connection. See Terraform aws_glue_connection docs."
- default = null
+}
+
+variable "vpc_id" {
+ type = string
+ description = "The ID of the VPC Glue uses for connecting with Redshift"
 }
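Review bot: The unchanged context line `JDBC_ENFORCE_SSL = false` at the top of the first glue_job.tf hunk lets the Glue-to-Redshift JDBC connection continue when TLS cannot be established, so credentials and query data may cross the VPC unencrypted. This commit now places the connection unconditionally in a subnet and security group, so it is a good moment to set `JDBC_ENFORCE_SSL = true` and have the connection fail closed. Whether the Redshift parameter group also requires SSL is not visible on this page and should be confirmed. The `aws_glue_connection` resource and its `connection_properties` map begin above the hunk.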
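Review bot: The new `aws_vpc_endpoint.s3` in the second glue_job.tf hunk sets neither `route_table_ids` nor `policy`. With no endpoint type given the provider creates a gateway endpoint, and a gateway endpoint that is not associated with the Glue subnet's route table carries no traffic, so unless an `aws_vpc_endpoint_route_table_association` exists elsewhere the job would still have no private path to S3. Add `route_table_ids = [<route table IDs of the Glue subnet>]`, where the placeholder stands for an input this module does not define yet. Without a `policy` argument the endpoint gets the default full-access policy, which permits any S3 action on any bucket from inside the VPC. Consider scoping it to the buckets the job reads and writes, and add a comment on the resource stating which buckets it is meant to serve.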
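Review bot: Removing `default = null` from `glue_physical_connection_requirements` makes the variable required, but a caller can still pass `null` explicitly. That now fails inside the unconditional `physical_connection_requirements` block in glue_job.tf with an attribute-access error rather than a clear message. If the module's minimum Terraform version supports it (1.1 or later; the removed `list()` call suggests an older baseline, so confirm), add `nullable = false` to the variable. The new `vpc_id` variable would also benefit from a `validation` block that rejects values not starting with `vpc-`, and its description should say that the S3 endpoint is created in this VPC.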