How do I resolve errors that I receive when I create Amazon VPC interface endpoints?

Short description

When you create Amazon VPC interface endpoints, you might receive errors for the following reasons:

• You created interface endpoints in a shared Amazon VPC.
• The API is throttling.
• You exceeded the Amazon VPC service quota limit for endpoints.
• The private DNS namespaces overlap.
• You have insufficient AWS Identity and Access Management (IAM) permissions.

Note: Before you begin, make sure that you locate the CreateVpcEndpoint API call in your AWS CloudTrail events.

Resolution

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

You created interface endpoints in a shared Amazon VPC

You created an Amazon VPC endpoint from the participant account

If you create an endpoint from the participant AWS account, then the following error occurs:

"errorCode": "Client.UnauthorizedOperation"
"errorMessage": "This operation does not support shared VPCs."

Run the describe-subnets command to verify subnet ownership and check the SubnetArn:

$ aws ec2 describe-subnets --subnet-ids <example-subnet-id>

Note: Replace the example-subnet-id with your subnet ID.

You can't create Amazon VPC interface endpoints from a participant account. To resolve this error, create the endpoint from the Amazon VPC owner account. For more information, see Manage VPC resources.

You created an Amazon VPC endpoint from the owner account with a security group that the participant account owns

If you create an endpoint from the owner account with a security group that the participant account owns, then the following error occurs:

"errorCode": "Client.InvalidParameter",
"errorMessage": "You are not authorized to perform CreateNetworkInterface operation. A subnet in this vpc is shared but the provided object is not owned by you"

Run the describe-security-groups command to check the OwnerId of the security group:

$ aws ec2 describe-security-groups --group-id <security-group-id>

Note: Replace security-group-id with your security group ID.

To resolve this error, use a security group that's owned by the same account as the owner account.

The API is throttling

If your API calls are throttling, then the following error occurs in your CloudTrail event:

"errorCode": "Client.RequestLimitExceeded",
"errorMessage": "Request limit exceeded."

To resolve this error, complete the following steps:

• Retry the failed API request with the backoff mechanism.
• Process multiple resources.
• Use an appropriate sleep interval between requests to reduce the request rate. It's a best practice to use an increasing or variable sleep interval.

For more information, see Request throttling for the Amazon Elastic Compute Cloud (Amazon EC2) API.

You exceeded the Amazon VPC service quota limit for endpoints

If you exceed your service quota limit, then the following error occurs in your CloudTrail event:

"errorCode": "Client.VpcEndpointLimitExceeded",
"errorMessage": "Limit of <example-limit> VPC endpoints per VPC exceeded."

This error occurs when you create an endpoint in a shared Amazon VPC. The Amazon VPC quota for endpoints is a shared quota between all participant accounts. When the owner account exceeds the endpoint quota limit, you can't create additional endpoints. To resolve this issue, request a service quota increase. For more information, see AWS service quotas.

The private DNS namespaces overlap

If your private DNS namespaces overlap, then the follow error occurs in your CloudTrail event:

"errorCode": "Client.InvalidParameter",
"errorMessage": "private-dns-enabled cannot be set because there is already a conflicting DNS domain for <endpoint-dns> in VPC <example-vpc-id>”

This error occurs for the following reasons:

• There's an existing interface endpoint with the private DNS for the same service in the Amazon VPC.
• A private hosted zone with the same service name is associated with the Amazon VPC.

To resolve this error, turn off PrivateDNSEnabled when you create the endpoint and use the default Amazon VPC endpoint DNS. For Amazon VPCs with private hosted zones that have overlapping namespaces, manually create an ALIAS record with the default Amazon VPC endpoint DNS.

An Amazon Route 53 private hosted zone that's associated with the Amazon VPC can be in a different account. To get details about all private hosted zone associations, run the list-hosted-zones-by-vpc command:

$ aws route53 list-hosted-zones-by-vpc --vpc-id <example-vpc-ID> --vpc-region <example-Region>

Note: Replace example-vpc-ID with your VPC ID and example-Region with your AWS Region

Insufficient IAM permissions

If you have insufficient IAM permissions when you create an Amazon VPC endpoint, then an AccessDenied error occurs. To resolve this error, review the permissions on the IAM role that's making the API call and update the role with the required permissions.