How to connect EC2 (with load balancer) to DynamoDB and SNS?

1

Hi everyone,

I just developed my own django app, in which I use AWS SDK boto3 to use DynamoDB and SNS in my code. Everything worked well on my local machine. I then deployed my app on AWS and my app is running well.

On my web browser, I access my app and when I perform operations that trigger DynamoDB and SNS services, the app crashes with Internal Server Error (500).

I read some AWS documentation and it says that by default DynamoDB is communicated with over HTTPS via the internet.

I tried to add inbound rules to my EC2 in the hope of connecting to DynamoDB; unfortunately it didn't work.

I would like to ask how to set up a connection between my EC2 and DynamoDB and SNS. I don't need a VPC Endpoint, I just need a connection via the internet.

Do I add inbound rules on my EC2's security group or the public subnet route table?

OR

Do I need to add inbound rules on the load balancer?

Thanks a lot for your help

2 Answers
1

Hi - Have you assigned any roles to your instance to talk to DynamoDB/SNS? For best security efforts use IAM roles. The boto3 driver should automatically consume the IAM role if it is attached to the instance.

AWS
EXPERT
answered a year ago
  • Hi Nitin, thanks a lot for your answer. I assigned an IAM role to my EC2 instance with full access to DynamoDB and SNS. I also added an inbound rule to my EC2 instance from source HTTPS (DynamoDB) but it doesn't work. The public subnet that EC2 is located in also routes to the 0.0.0.0/0 destination.

    There is one little thing I am still suspicious about. My boto3 code doesn't include AWS credentials. On my local machine, with my AWS Configure, boto3 can call AWS API. But as an image running on EC2, maybe I have to include AWS credentials and region to make a request to DynamoDB and SNS?

  • All instances can automatically get credentials from the Instance Metadata Service. The scope of the credentials is based on the IAM role that you have assigned to the instance. boto3 (and other AWS-supplied SDKs) automatically query IMDS to get credentials for you - no effort required by you.

1

Your instance will need to communicate with the public endpoints for DynamoDB and SNS. To do this you'll need one of two things:

  • Each instance will need an Elastic (public) IP - I don't recommend this but it will work.
  • Create a NAT Gateway; host the instances on a private subnet that has a route to the internet via NAT Gateway. Instructions for setting this up are here - note that using NAT Gateway will incur extra charges.

Adding inbound rules to your instances isn't required because it is the instance that is connecting outbound to the services.

As an alternative (and I know you've mentioned not using VPC endpoints but go with me):

  • Create a DynamoDB Gateway Endpoint - this means your application can access DynamoDB without either of the two items above; it has no extra cost; and doesn't require any application changes. No disadvantages, really.
  • SNS is a slightly different story - it's a different endpoint type (Interface Endpoint). This does have a cost associated with it and you must change your application so that it calls the endpoint using the DNS name that is given to you when you create the endpoint.

Which one to do? If your application is calling more than just SNS (i.e. it's using other public APIs - AWS or not) then NAT Gateway is the way to go. If you're only calling SNS then the Interface Endpoint is preferable.

Using the DynamoDB endpoint is an easy decision - I would definitely do that even if you're going to use NAT Gateway because it reduces your NAT Gateway charges by sending the DynamoDB traffic directly to the service.

AWS
EXPERT
answered a year ago
  • Hi Brettski,

    Thanks a lot for your detailed answer, I really appreciate it and I learned something new from your post: SNS is an "Interface Endpoint". I will give it a try with the VPC Endpoint solution.
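Both answers come down to two things the application itself can verify before anyone touches security groups: whether the instance really receives role credentials from the Instance Metadata Service (first answer and its comments), and which hostname the SDK is being pointed at once a Gateway or Interface Endpoint is in play (second answer). The following is an added example, not code from the question or either answer. It uses only the Python standard library (no boto3) and a constructed in-process fake of the metadata service so the IMDSv2 credential sequence can be run offline; the role name, credential values and the VPC endpoint DNS name are constructed placeholders.

```python
"""Preflight for an EC2-hosted app that calls DynamoDB and SNS (added example).

Standard library only. FakeIMDS is a constructed stand-in for 169.254.169.254;
on a real instance call imds_role_credentials() with the default base URL.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_URL = "http://169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed sample of the document IMDS serves for an attached role.
SAMPLE_CREDENTIAL_DOC = json.dumps({
    "Code": "Success", "Type": "AWS-HMAC",
    "LastUpdated": "2024-01-01T00:00:00Z",
    "AccessKeyId": "ASIACONSTRUCTED0000",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2024-01-01T06:00:00Z",
})


def parse_credential_document(text):
    """Pull the fields an SDK needs out of the IMDS credential document."""
    doc = json.loads(text)
    if doc.get("Code") != "Success":
        return None
    return {"access_key_id": doc["AccessKeyId"],
            "secret_access_key": doc["SecretAccessKey"],
            "session_token": doc["Token"],
            "expiration": doc["Expiration"]}


def imds_role_credentials(base_url=IMDS_URL, timeout=1.0):
    """Return the instance-role credentials boto3 would pick up, or None.

    Same IMDSv2 sequence the SDK runs: PUT for a session token, GET the role
    name, GET that role's credential document. None means no role is attached
    or IMDS is unreachable, which is exactly what an app sees after leaving a
    laptop that had ~/.aws/credentials configured.
    """
    def get(path, headers):
        req = urllib.request.Request(base_url + path, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    try:
        tok_req = urllib.request.Request(
            base_url + "/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with urllib.request.urlopen(tok_req, timeout=timeout) as resp:
            headers = {"X-aws-ec2-metadata-token": resp.read().decode()}
        role = get(CRED_PATH, headers).strip()  # HTTP 404 here: no role attached
        return parse_credential_document(get(CRED_PATH + role, headers))
    except (OSError, ValueError, KeyError):     # URLError/HTTPError are OSErrors
        return None


def service_endpoint(service, region, vpc_endpoint_dns=None):
    """Hostname the SDK should be pointed at for this service.

    A DynamoDB Gateway Endpoint keeps the regional public hostname (the route
    table steers the traffic; no app change). An SNS Interface Endpoint must
    be addressed by its own DNS name, e.g. via boto3's endpoint_url.
    """
    if vpc_endpoint_dns:
        return f"https://{vpc_endpoint_dns}"
    return f"https://{service}.{region}.amazonaws.com"


class FakeIMDS(BaseHTTPRequestHandler):
    """Constructed IMDSv2-only stand-in; set role = None to simulate no role."""
    role = "django-app-role"
    token = "constructed-token"

    def log_message(self, *args):
        pass

    def _send(self, code, body=""):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        if self.path == "/latest/api/token":
            self._send(200, self.token)
        else:
            self._send(404)

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != self.token:
            self._send(401)               # IMDSv2 rejects token-less reads
        elif self.role and self.path == CRED_PATH:
            self._send(200, self.role)
        elif self.role and self.path == CRED_PATH + self.role:
            self._send(200, SAMPLE_CREDENTIAL_DOC)
        else:
            self._send(404)


def run_fake_imds():
    """Start the fake on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, url = run_fake_imds()
    print("role credentials:", imds_role_credentials(url))
    print("sns via interface endpoint:", service_endpoint(
        "sns", "us-east-1", "vpce-constructed.sns.us-east-1.vpce.amazonaws.com"))
    srv.shutdown()
```

On a real instance, a None result from `imds_role_credentials()` means the role attachment is the problem, not the security group or the load balancer; a populated result with the 500 still occurring points at outbound reachability (public IP, NAT Gateway, or the endpoints the second answer describes). The role policy behind those credentials should be scoped to the specific table and topic the app uses rather than full access to both services.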
