When you invoke an AWS Service, under the covers it's via an AWS Query API call to the service's domain name. This is a public domain name that normally resolves to a public IP address, but a Private Hosted Zone (PHZ) for the Endpoint is used to override the domain name so it resolves to the private IP address of the Endpoint instead. Assuming you're accessing the VPCE from the same VPC as it's in, you need to set PrivateDnsEnabled=true for the VPC Endpoint when you create it, which sets up an AWS-managed PHZ associated with the VPC. If on the other hand you're going cross-VPC then set PrivateDnsEnabled=false and create a self-managed PHZ that can be shared across VPCs & Accounts, and ensure network connectivity is in place. See https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/ for more info.
Both VPCEs (the CloudWatch monitoring and the EC2 services) are set to PrivateDnsEnabled=true. The issue comes in when the CW agent configuration has the optional append_dimensions and aggregation_dimensions settings in the metrics section of the JSON file. Those 2 use ec2tagger / EC2 metadata:

"Unable to describe ec2 tags for initial retrieval: RequestError: send request failed caused by: Post "https://ec2.us-gov-west-1.amazonaws.com/": dial tcp xx.xx.xxx.xx:443: i/o timeout"

(It uses the public service endpoint, not the VPC endpoint that I set up for EC2 services.) I was wondering if there was an additional setting that can be used in the CW agent config that points this query to the VPCE. But maybe something is missing in the setup of the EC2 metadata (IMDSv1).
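One way to check from inside the instance whether the PHZ override described in the answer is actually in effect, as an added example that is not part of the original thread: if the service name still resolves to a public address, the SDK will go to the public endpoint and, with no internet path, time out exactly as in the comment above. The monitoring hostname follows the usual service.region.amazonaws.com pattern, and the resolver answers are constructed sample data, not real lookups.

```python
"""Check whether AWS service hostnames resolve to private VPC endpoint addresses.

Added example, not part of the original post. Hostnames follow AWS's
<service>.<region>.amazonaws.com pattern; the resolver answers below are
constructed sample data, not real lookups.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def resolve_all(hostname: str) -> List[str]:
    """Default resolver: every address the local resolver returns for port 443."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(hostname: str, resolver: Resolver = resolve_all) -> Dict[str, object]:
    """Report whether a service name resolves only to private (endpoint ENI) addresses.

    With PrivateDnsEnabled=true, or a shared self-managed PHZ for the cross-VPC
    case, the service name should resolve to the endpoint's private IPs only.
    Any public address means the SDK will try the public endpoint, which from
    a VPC without an internet path shows up as a connect timeout.
    """
    addrs = resolver(hostname)
    public = [a for a in addrs if not ipaddress.ip_address(a).is_private]
    return {
        "hostname": hostname,
        "addresses": addrs,
        "public_addresses": public,
        "uses_vpc_endpoint": bool(addrs) and not public,
    }


def audit(hostnames: List[str], resolver: Resolver = resolve_all) -> List[str]:
    """Return the hostnames that are NOT being served by a VPC endpoint."""
    return [h for h in hostnames if not classify(h, resolver)["uses_vpc_endpoint"]]


# Constructed answers: monitoring is overridden by the PHZ, ec2 is not.
CONSTRUCTED_ANSWERS = {
    "monitoring.us-gov-west-1.amazonaws.com": ["10.0.1.25", "10.0.2.25"],
    "ec2.us-gov-west-1.amazonaws.com": ["52.222.0.10"],
}

if __name__ == "__main__":
    for host in audit(list(CONSTRUCTED_ANSWERS), resolver=CONSTRUCTED_ANSWERS.__getitem__):
        print(f"{host}: resolves publicly, VPC endpoint DNS is not in effect")
```

Run it with the default resolver on the instance to see which service names the agent will reach over the endpoint; a hostname listed by audit() is the one whose PHZ association or PrivateDnsEnabled setting needs another look.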