
Unable to Send Emails Using SES from AWS Batch with VPC Endpoint (Timeout Issue)

0

I am currently using the AWS SDK for JavaScript (v3) with the following imports:

import { SESClient, SendRawEmailCommand } from "@aws-sdk/client-ses";

My use case involves sending emails via AWS SES from an AWS Batch job. Initially, the AWS Batch environment used a security group with private egress, and I allowed outbound internet access by adding email.ap-south-1.amazonaws.com to the network firewall rule group. This setup allowed me to send emails successfully.

However, I want to establish a private connection for sending emails, so I configured a VPC endpoint for SES using the com.amazonaws.ap-south-1.email-smtp service. After switching to this setup, my AWS Batch jobs are unable to send emails and are encountering timeout errors.

Here’s what I have tried:

    • Verified the VPC endpoint is correctly configured for the com.amazonaws.ap-south-1.email-smtp service.
    • Ensured that the AWS Batch job's security group allows access to the VPC endpoint.
    • Confirmed that the VPC endpoint is associated with the correct route tables.

Despite these configurations, the timeout error persists. Is there any additional configuration or consideration I might be missing to enable AWS Batch to send emails through the SES VPC endpoint?

Error as a result of sending email from AWS Batch:

{
  "Req ID": "6789f63459a75b6eaac2dd60",
  "Action": "SendRawEmailCommand",
  "Error": {
    "code": "ETIMEDOUT",
    "name": "TimeoutError",
    "$metadata": { "attempts": 3, "totalRetryDelay": 255 }
  },
  "Error Msg": ""
}

Any insights or recommendations would be greatly appreciated!

2 Answers
1

Hi,

I would strongly suggest that you read this blog post about sending emails with SES VPC endpoint: https://aws.amazon.com/blogs/aws/new-amazon-simple-email-service-ses-for-vpc-endpoints/

It will allow you to verify that your setup is correct.

In particular, note in the final verification section that the DNS name used to send email remains identical to the one used for SES with the public endpoint:

openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.ap-southeast-2.amazonaws.com:587

I would strongly encourage you to test the VPC endpoint via a temporary EC2 instance in your VPC that you'll use to do the final verification section with openssl in your context.

Best,

Didier

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
0

Based on the information provided, it appears you're encountering a common issue when trying to send emails using Amazon SES through a VPC endpoint from an AWS Batch job. Here are some additional steps and considerations to help resolve the timeout error:

  1. Double-check the security group settings:

    • Ensure that the security group associated with your VPC endpoint allows inbound traffic on port 587 (for STARTTLS) or 465 (for TLS Wrapper) from the security group used by your AWS Batch jobs.
    • Verify that the security group for your AWS Batch jobs allows outbound traffic to the VPC endpoint on the same ports.
  2. Review the VPC endpoint policy:

    • Make sure the VPC endpoint policy allows the necessary SES actions, such as "ses:SendRawEmail" and "ses:SendEmail".
  3. Check the AWS Batch job IAM role:

    • Confirm that the IAM role associated with your AWS Batch job has the necessary permissions to use SES, including "ses:SendRawEmail" and "ses:SendEmail" actions.
  4. Verify DNS settings:

    • Ensure that DNS hostnames and DNS resolution are enabled for your VPC.
  5. Use the correct endpoint:

    • When using a VPC endpoint, you may need to use a different endpoint URL. Instead of "email-smtp.ap-south-1.amazonaws.com", try using the VPC endpoint DNS name, which should look something like "vpce-xxxxxxxx.email-smtp.ap-south-1.vpce.amazonaws.com".
  6. Implement retry logic:

    • Consider implementing an exponential backoff retry strategy in your code to handle transient network issues.
  7. Check for MTU issues:

    • In some cases, MTU (Maximum Transmission Unit) size mismatches can cause connectivity problems. You might need to adjust the MTU size on your network interfaces.
  8. Test connectivity:

    • If possible, try running a simple connectivity test from within your AWS Batch environment to the SES SMTP endpoint using tools like telnet or openssl.
  9. Consider using the SES API instead of SMTP:

    • If the SMTP interface continues to cause issues, you might want to switch to using the SES API directly, which could potentially bypass some of the networking complexities.

If after trying these steps you're still experiencing issues, it may be worth reaching out to AWS Support for further assistance, as they can provide more detailed, account-specific troubleshooting.

Sources
Issue sending emails from private subnet to SES through a VPC Endpoint on AWS Batch Job using Fargate | AWS re:Post
sending email from lambda function within private subnet in vpc | AWS re:Post
Amazon SES SMTP issues - Amazon Simple Email Service

answered 10 months ago
EXPERT
reviewed 10 months ago
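
As an added example (not part of the question or of either answer), the DNS and connectivity checks that both answers recommend can be run from inside the Batch job itself with Node.js. It probes the two hostnames that appear in the question; the `RUN_PROBE` switch and the function names are this example's own assumptions.

```javascript
// Added example, not from the original thread. RUN_PROBE is this example's
// own switch (assumption); the hostnames are the two named in the question.
const TARGETS = [
  // SMTP host served by the com.amazonaws.ap-south-1.email-smtp endpoint
  { host: "email-smtp.ap-south-1.amazonaws.com", port: 587 },
  // SES HTTPS API host (the one allowed in the firewall rule);
  // the SDK's SESClient talks HTTPS to this host, not SMTP
  { host: "email.ap-south-1.amazonaws.com", port: 443 },
];

// True for RFC 1918 addresses, i.e. the name resolved to an in-VPC address.
function isPrivateIPv4(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || (p[0] === 192 && p[1] === 168);
}

// Resolve the name, then attempt a TCP connect with a hard timeout.
async function probe({ host, port }, timeoutMs = 5000) {
  const dns = await import("node:dns/promises"); // dynamic import works in CJS and ESM
  const net = await import("node:net");
  let address = null;
  try { ({ address } = await dns.lookup(host, { family: 4 })); } catch { /* unresolved */ }
  if (!address) return { host, port, address, reachable: false };
  const reachable = await new Promise((resolve) => {
    const s = net.connect({ host: address, port, timeout: timeoutMs });
    const done = (ok) => { s.destroy(); resolve(ok); };
    s.once("connect", () => done(true));
    s.once("timeout", () => done(false));
    s.once("error", () => done(false));
  });
  return { host, port, address, reachable };
}

// Turn one probe result into a finding that maps to a setting to check.
function diagnose(r) {
  if (!r.address) return `${r.host}: does not resolve (check VPC DNS resolution)`;
  const path = isPrivateIPv4(r.address) ? "private (in-VPC)" : "public";
  if (r.reachable) return `${r.host}:${r.port} reachable via ${path} address ${r.address}`;
  return `${r.host}:${r.port} times out via ${path} address ${r.address}` +
    (path === "public" ? " (private DNS not in effect for this name, or egress blocked)"
                       : " (check the endpoint security group)");
}

if (process.env.RUN_PROBE === "1") {
  Promise.all(TARGETS.map((t) => probe(t))).then((rs) => rs.forEach((r) => console.log(diagnose(r))));
}
```

Set `RUN_PROBE=1` in the job's environment to run the probes; a result where the SMTP host is reachable on a private address while the HTTPS host times out means the endpoint path works for SMTP traffic only.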
