
How do I resolve errors that I receive when I create Amazon VPC interface endpoints?


I want to resolve errors that I receive when I create Amazon Virtual Private Cloud (Amazon VPC) interface endpoints.

Short description

When you create Amazon VPC interface endpoints, you might receive errors for the following reasons:

  • You exceeded the Amazon VPC service quota limit for endpoints.
  • Amazon EC2 is throttling your API requests.
  • The private DNS namespaces overlap.
  • You have insufficient AWS Identity and Access Management (IAM) permissions.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Prerequisite: Locate the CreateVpcEndpoint API call in your AWS CloudTrail events. The errorCode and errorMessage values in the following sections come from that event.
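The following shell script is an added example, not part of the AWS article, that finds recent CreateVpcEndpoint calls with the AWS CLI and pulls the errorCode and errorMessage out of each CloudTrail event so you can match them against the sections that follow. It assumes the AWS CLI is configured with cloudtrail:LookupEvents permission in the Region where the endpoint was created; the JSON event shown in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the AWS article): list CreateVpcEndpoint calls from CloudTrail and
# extract the errorCode / errorMessage fields that the troubleshooting sections key on.
# Assumes: AWS CLI v2 configured, cloudtrail:LookupEvents allowed, same Region as the VPC.

# cloudtrail_error_fields <CloudTrailEvent JSON string>
# Prints "<errorCode>\t<errorMessage>"; a successful call has neither field and prints "-\t-".
# Example input (constructed): {"eventTime":"2024-05-01T10:00:00Z","eventName":"CreateVpcEndpoint",
#   "errorCode":"Client.VpcEndpointLimitExceeded","errorMessage":"Limit of VPC endpoints per VPC exceeded."}
cloudtrail_error_fields() {
  event="$1"
  code=$(printf '%s' "$event" | sed -n 's/.*"errorCode" *: *"\([^"]*\)".*/\1/p')
  msg=$(printf '%s' "$event" | sed -n 's/.*"errorMessage" *: *"\([^"]*\)".*/\1/p')
  printf '%s\t%s\n' "${code:--}" "${msg:--}"
}

# list_create_vpc_endpoint_errors [hours-back, default 24]
# Prints one line per CreateVpcEndpoint call: eventTime, errorCode, errorMessage.
list_create_vpc_endpoint_errors() {
  hours="${1:-24}"
  # GNU date first, then the BSD/macOS form
  start=$(date -u -d "$hours hours ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
          || date -u -v-"${hours}"H +%Y-%m-%dT%H:%M:%SZ)
  # Events[].[CloudTrailEvent] (a list of lists) makes text output print one event per line;
  # Events[].CloudTrailEvent would join all events on a single tab-separated line.
  aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue=CreateVpcEndpoint \
    --start-time "$start" \
    --query 'Events[].[CloudTrailEvent]' --output text |
  while IFS= read -r event; do
    when=$(printf '%s' "$event" | sed -n 's/.*"eventTime" *: *"\([^"]*\)".*/\1/p')
    printf '%s\t' "${when:--}"
    cloudtrail_error_fields "$event"
  done
}

# Usage: . ./cloudtrail_vpce_errors.sh; list_create_vpc_endpoint_errors 48
```

Run list_create_vpc_endpoint_errors after a failed create-vpc-endpoint call; the errorCode column tells you which of the sections below applies.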

Troubleshoot interface endpoints that exceed your Amazon VPC service quota

Important: The total number of VPC endpoints in a shared subnet can't exceed the quota of the AWS account that owns the VPC.

By default, the quota for interface endpoints and Gateway Load Balancer endpoints per VPC is 50. That number includes VPC endpoints that participant accounts create. For more information, see AWS PrivateLink quotas.

You exceeded the Amazon VPC service quota limit for endpoints

If you create more endpoints than your service quota allows, then you might receive the following error in your CloudTrail event:

"errorCode": "Client.VpcEndpointLimitExceeded",

"errorMessage": "Limit of VPC endpoints per VPC exceeded."

To resolve this issue, request a service quota increase.

You created an Amazon VPC endpoint from the participant account in a shared Amazon VPC

Note: Participant accounts can't create interface endpoints in a shared subnet. However, if a participant account configures a supported service in the VPC's shared subnet, then that service creates an interface endpoint in the shared subnet.

If you create an endpoint from the participant AWS account, then the following error occurs:

"errorCode": "Client.UnauthorizedOperation",

"errorMessage": "This operation does not support shared VPCs."

Run the describe-subnets command and check the OwnerId field (the owning account ID also appears in the SubnetArn):

aws ec2 describe-subnets --subnet-ids example-subnet-id

Note: Replace the example-subnet-id with your subnet ID.

To resolve this error, create the endpoint from the Amazon VPC owner account. For more information, see Manage VPC resources.

You created an Amazon VPC endpoint from the owner account with a security group that the participant account owns in a shared Amazon VPC

If you create an endpoint from the owner account with a security group that the participant account owns, then the following error occurs:

"errorCode": "Client.InvalidParameter",

"errorMessage": "You are not authorized to perform CreateNetworkInterface operation. A subnet in this vpc is shared but the provided object is not owned by you"

Run the describe-security-groups command to check the security group's OwnerId:

aws ec2 describe-security-groups --group-ids security-group-id

Note: Replace security-group-id with your security group ID.

To resolve this error, use a security group that the VPC owner account owns. A security group that a participant account created in the shared VPC can't be attached to the endpoint's network interfaces by the owner.
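The following shell script is an added example, not part of the AWS article, that performs both ownership checks described above before you call create-vpc-endpoint in a shared VPC: it compares the calling account (from sts get-caller-identity) with the OwnerId of the subnet and of the security group and reports which object belongs to another account. It assumes the AWS CLI is configured for the account that will create the endpoint; the subnet and security group IDs are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the AWS article): confirm that the calling account owns both the
# subnet and the security group before creating an interface endpoint in a shared VPC.
# Assumes: AWS CLI configured for the account that will run create-vpc-endpoint.

caller_account() {
  aws sts get-caller-identity --query Account --output text
}

subnet_owner() {           # <subnet-id>
  aws ec2 describe-subnets --subnet-ids "$1" --query 'Subnets[0].OwnerId' --output text
}

security_group_owner() {   # <security-group-id>
  aws ec2 describe-security-groups --group-ids "$1" \
    --query 'SecurityGroups[0].OwnerId' --output text
}

# check_shared_vpc_ownership <subnet-id> <security-group-id>
# Returns 0 when the caller owns both objects. Otherwise it explains which object belongs to
# another account, which is exactly what produces Client.UnauthorizedOperation
# ("This operation does not support shared VPCs") for the subnet and Client.InvalidParameter
# ("the provided object is not owned by you") for the security group.
check_shared_vpc_ownership() {
  subnet_id="$1"
  sg_id="$2"
  me=$(caller_account)
  sn_owner=$(subnet_owner "$subnet_id")
  sg_owner=$(security_group_owner "$sg_id")
  status=0
  if [ "$sn_owner" != "$me" ]; then
    echo "subnet $subnet_id is owned by $sn_owner, not by caller $me:" \
         "run create-vpc-endpoint from the VPC owner account" >&2
    status=1
  fi
  if [ "$sg_owner" != "$me" ]; then
    echo "security group $sg_id is owned by $sg_owner, not by caller $me:" \
         "use a security group owned by the VPC owner account" >&2
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "ok: account $me owns both $subnet_id and $sg_id"
  fi
  return "$status"
}

# Usage: ./check_shared_vpc_ownership.sh subnet-0123456789abcdef0 sg-0123456789abcdef0
if [ "$#" -eq 2 ]; then
  check_shared_vpc_ownership "$1" "$2"
fi
```

The script exits non-zero on the first mismatch it finds, so it can gate a deployment pipeline step that creates endpoints.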

The API is throttling

If Amazon EC2 throttles your API calls, then the following error occurs in your CloudTrail event:

"errorCode": "Client.RequestLimitExceeded",

"errorMessage": "Request limit exceeded."

To resolve this error, take the following actions:

  • Retry the failed API request with exponential backoff and jitter.
  • Where the API supports it, act on multiple resources in a single request instead of making one request per resource.
  • Increase the sleep interval between requests to reduce the request rate.
    Note: It's a best practice to use an increasing or variable sleep interval rather than a fixed one.

For more information, see Request throttling for the Amazon Elastic Compute Cloud (Amazon EC2) API.
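The following shell function is an added example, not part of the AWS article, of the retry-with-backoff approach recommended above: it wraps an AWS CLI call, retries only when the output contains RequestLimitExceeded, and sleeps for a random duration up to a capped, doubling ceiling (full jitter) between attempts. Any other error, such as AccessDenied or VpcEndpointLimitExceeded, is returned immediately, because retrying it would only add to the request rate. The create-vpc-endpoint arguments in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS article): retry an AWS CLI call only while EC2 throttles it,
# with capped exponential backoff and full jitter.
#
# retry_throttled <command> [args...]
# Environment: RETRY_MAX_ATTEMPTS (default 5), RETRY_BASE_DELAY seconds (default 1),
#              RETRY_MAX_DELAY cap in seconds (default 30).
retry_throttled() {
  max_attempts="${RETRY_MAX_ATTEMPTS:-5}"
  base="${RETRY_BASE_DELAY:-1}"
  cap="${RETRY_MAX_DELAY:-30}"
  attempt=1
  while :; do
    # The AWS CLI writes "An error occurred (RequestLimitExceeded) ..." to stderr,
    # so capture both streams and inspect them.
    if output=$("$@" 2>&1); then
      printf '%s\n' "$output"
      return 0
    fi
    case "$output" in
      *RequestLimitExceeded*) ;;                       # throttled: back off and retry
      *) printf '%s\n' "$output" >&2; return 1 ;;      # any other error: surface it unchanged
    esac
    if [ "$attempt" -ge "$max_attempts" ]; then
      printf 'still throttled after %s attempts, giving up\n' "$attempt" >&2
      return 1
    fi
    ceiling=$(( base << (attempt - 1) ))               # base, 2*base, 4*base, ... seconds
    if [ "$ceiling" -gt "$cap" ]; then
      ceiling="$cap"
    fi
    # Full jitter: sleep a random whole number of seconds in [0, ceiling] so that many
    # clients that were throttled together do not retry in the same second.
    delay=$(awk -v n="$ceiling" 'BEGIN { srand(); print int(rand() * (n + 1)) }')
    printf 'attempt %s throttled, retrying in %ss\n' "$attempt" "$delay" >&2
    sleep "$delay"
    attempt=$(( attempt + 1 ))
  done
}

# Usage (placeholder IDs):
# retry_throttled aws ec2 create-vpc-endpoint --vpc-id vpc-0123456789abcdef0 \
#   --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.sqs \
#   --subnet-ids subnet-0123456789abcdef0 --security-group-ids sg-0123456789abcdef0
```

Because the wrapper passes the command's own output through on success, you can use it in place of a bare aws call inside existing scripts without changing how their output is parsed.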

The private DNS namespaces overlap

If your private DNS namespaces overlap, then the following error occurs in your CloudTrail event:

"errorCode": "Client.InvalidParameter",

"errorMessage": "private-dns-enabled cannot be set because there is already a conflicting DNS domain for in VPC "

The following issues cause this error:

  • There's an existing interface endpoint with the private DNS for the same service in the Amazon VPC.
  • A private hosted zone with the same service name is associated with the Amazon VPC.

To resolve this error, create the endpoint with private DNS turned off (PrivateDnsEnabled set to false) and use the endpoint's default Regional DNS name instead. For Amazon VPCs that have a private hosted zone with an overlapping namespace, manually create an alias record in that hosted zone that targets the endpoint's default DNS name.

An Amazon Route 53 private hosted zone that's associated with the Amazon VPC can belong to a different account. To view all private hosted zone associations for the VPC, including zones in other accounts, run the list-hosted-zones-by-vpc command:

aws route53 list-hosted-zones-by-vpc --vpc-id example-vpc-ID --vpc-region example-region

Note: Replace example-vpc-ID with your VPC ID and example-region with your AWS Region.
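The following shell script is an added example, not part of the AWS article, that checks for both causes of the conflicting-domain error before you enable private DNS (an existing endpoint for the same service with private DNS enabled, and an associated private hosted zone whose name overlaps the service's DNS name, including zones owned by other accounts) and then builds the Route 53 alias change batch for the workaround described above. It assumes the AWS CLI is configured in the VPC's Region; the service name, service DNS name, VPC ID and record name are placeholders you pass in.

```shell
#!/bin/sh
# Added example (not from the AWS article): pre-flight the private DNS namespace checks and
# build the ALIAS record that replaces private DNS when a hosted zone overlaps.
# Assumes: AWS CLI configured in the VPC's Region with ec2:DescribeVpcEndpoints and
# route53:ListHostedZonesByVPC (and route53:ChangeResourceRecordSets to apply the batch).

# Interface endpoints for <service-name> in <vpc-id> that already have private DNS enabled.
endpoints_with_private_dns() {   # <vpc-id> <service-name>
  aws ec2 describe-vpc-endpoints \
    --filters "Name=vpc-id,Values=$1" "Name=service-name,Values=$2" \
    --query 'VpcEndpoints[?PrivateDnsEnabled==`true`].VpcEndpointId' --output text
}

# Private hosted zones associated with the VPC, from any account, whose name overlaps the
# service DNS name (for example sqs.us-east-1.amazonaws.com). Prints zone ID, name, owner.
hosted_zones_overlapping() {     # <vpc-id> <region> <service-dns-name>
  aws route53 list-hosted-zones-by-vpc --vpc-id "$1" --vpc-region "$2" \
    --query 'HostedZoneSummaries[].[HostedZoneId,Name,Owner.OwningAccount]' --output text |
  grep -i -- "$3" || true
}

# Regional DNS name and Route 53 hosted zone ID of an endpoint, as needed for an alias target.
endpoint_dns_target() {          # <vpc-endpoint-id>
  aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$1" \
    --query 'VpcEndpoints[0].DnsEntries[0].[DnsName,HostedZoneId]' --output text
}

# alias_change_batch <record-name> <endpoint-dns-name> <endpoint-hosted-zone-id>
# Emits the change batch for: aws route53 change-resource-record-sets --hosted-zone-id <zone>
# --change-batch file://batch.json
alias_change_batch() {
  cat <<EOF
{
  "Comment": "Alias to interface endpoint instead of private DNS (namespace overlap)",
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "$1",
      "Type": "A",
      "AliasTarget": {
        "HostedZoneId": "$3",
        "DNSName": "$2",
        "EvaluateTargetHealth": false
      }
    }
  }]
}
EOF
}

# private_dns_preflight <vpc-id> <region> <service-name> <service-dns-name>
# Returns 0 when --private-dns-enabled should succeed; returns 1 and explains otherwise.
private_dns_preflight() {
  conflicts=0
  existing=$(endpoints_with_private_dns "$1" "$3")
  if [ -n "$existing" ]; then
    echo "private DNS is already enabled for $3 in $1 on: $existing" >&2
    conflicts=1
  fi
  zones=$(hosted_zones_overlapping "$1" "$2" "$4")
  if [ -n "$zones" ]; then
    printf 'private hosted zone(s) overlapping %s are associated with %s:\n%s\n' "$4" "$1" "$zones" >&2
    conflicts=1
  fi
  if [ "$conflicts" -eq 0 ]; then
    echo "no conflict: create-vpc-endpoint --private-dns-enabled should succeed for $3 in $1"
  else
    echo "create the endpoint with --no-private-dns-enabled; if clients must resolve the" \
         "service name, add an alias record with alias_change_batch" >&2
  fi
  return "$conflicts"
}

# Usage: ./private_dns_preflight.sh vpc-0123456789abcdef0 us-east-1 \
#          com.amazonaws.us-east-1.sqs sqs.us-east-1.amazonaws.com
if [ "$#" -eq 4 ]; then
  private_dns_preflight "$@"
fi
```

After creating the endpoint with --no-private-dns-enabled, feed the two values printed by endpoint_dns_target into alias_change_batch and apply the batch to the overlapping private hosted zone with change-resource-record-sets; the alias resolves the service name to the endpoint's Regional DNS name without claiming the namespace a second time.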

Insufficient IAM permissions

If you have insufficient IAM permissions when you create an Amazon VPC endpoint, then you receive an "AccessDenied" error. To resolve this error, review the policies attached to the IAM role or user that makes the API call, and make sure that they allow ec2:CreateVpcEndpoint on the VPC. Then, update the IAM role with any other required permissions.

Related information

Responsibilities and permissions for owners and participants

Amazon VPC quotas

AWS OFFICIAL. Updated 3 months ago