Creating AWS PrivateLink connections using AWS CloudFormation


I'm setting up infrastructure with CloudFormation including a VPC with subnets and an interface VPC endpoint.

The endpoint is meant to be deployed using the subnets created as part of the stack but when I start the deployment I get the following error:

The VPC endpoint service X does not support the availability zone of the subnet: subnet-Y

The endpoint service is deployed in subnets in the following AZs:

  • us-east-1a (use1-az1)
  • us-east-1b (use1-az2)
  • us-east-1c (use1-az4)

And the VPC in which I'm testing the CloudFormation stack has subnets in the following AZs:

  • us-east-1a (use1-az2)
  • us-east-1b (use1-az4)
  • us-east-1c (use1-az6)

The only matching ones are use1-az2 and use1-az4.

I would like to know if there's a way to automatically lookup the supported AZs by the service and match them with my subnets' AZs.

The idea is to create 4 different environments with the same setup (VPC subnets, endpoint) so as to avoid hard coding the values.

1 Answer
Accepted Answer

You can call the DescribeVpcEndpointServices API via a custom resource Lambda in your CloudFormation, filtering for the specific service, and then get the list of availability zones available to that service. You can then use this information in your other resources within the stack. Example output snippet via the AWS CLI:

{
    "ServiceDetails": [
        {
            "ServiceName": "aws.sagemaker.us-east-1.notebook",
            "ServiceId": "vpce-svc-0e123abc123198abc",
            "ServiceType": [
                {
                    "ServiceType": "Interface"
                }
            ],
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1d",
                "us-east-1e",
                "us-east-1f"
            ],
            "Owner": "amazon",
            "BaseEndpointDnsNames": [
                "vpce-svc-0e123abc123198abc.us-east-1.vpce.amazonaws.com",
                "notebook.us-east-1.vpce.sagemaker.aws"
            ],
            "PrivateDnsName": "*.notebook.us-east-1.sagemaker.aws",
            "VpcEndpointPolicySupported": true,
            "AcceptanceRequired": false,
            "ManagesVpcEndpoints": false,
            "Tags": [],
            "PrivateDnsNameVerificationState": "verified"
        },
...
}
AWS
answered 3 years ago
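An added example of the custom resource Lambda the answer describes; this is not code from the answerer or from AWS, and the resource interface is an assumption: the template passes ServiceName and the stack's SubnetIds as properties, the function calls DescribeVpcEndpointServices and DescribeSubnets, keeps only the subnets whose AZ name is in the service's AvailabilityZones, and returns them as SubnetIds (usable via Fn::GetAtt) and as a comma-separated SubnetIdsCsv (usable via Fn::Split). It assumes the AZ names the API returns are relative to the calling account, so they can be compared directly to each subnet's AvailabilityZone even though the underlying AZ IDs differ between accounts, as in the question. It signals CloudFormation with a direct PUT to the presigned ResponseURL instead of the cfnresponse helper, and fails the stack with a readable reason when no subnet is in a supported AZ, rather than letting the endpoint creation produce the opaque error above. The FakeEc2 client and the sample event are constructed stand-ins so the logic runs without AWS credentials.

```python
"""Lambda-backed CloudFormation custom resource: return only those of the
stack's subnets that sit in an AZ the interface endpoint service supports."""
import json
import urllib.request


def supported_subnets(service_azs, subnets):
    """IDs of the subnets whose AZ name is one the service supports (sorted).

    service_azs: AZ names from DescribeVpcEndpointServices (caller's naming)
    subnets:     dicts shaped like the "Subnets" entries of DescribeSubnets
    """
    wanted = set(service_azs)
    return sorted(s["SubnetId"] for s in subnets if s["AvailabilityZone"] in wanted)


def lookup_service_azs(ec2, service_name):
    """AZ names the endpoint service is available in, as seen by this account."""
    resp = ec2.describe_vpc_endpoint_services(ServiceNames=[service_name])
    details = resp.get("ServiceDetails", [])
    if not details:
        raise ValueError(f"endpoint service not found: {service_name}")
    return list(details[0]["AvailabilityZones"])


def send_response(event, status, data=None, reason=None, physical_id=None):
    """Custom resource protocol: PUT the result JSON to the presigned ResponseURL."""
    body = json.dumps({
        "Status": status,                      # "SUCCESS" or "FAILED"
        "Reason": reason or "see CloudWatch Logs",
        "PhysicalResourceId": physical_id or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},                    # values read back with Fn::GetAtt
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req)


def handler(event, context=None, ec2=None, respond=send_response):
    """Lambda entry point. `ec2` and `respond` are hypothetical injectable
    parameters (not part of the Lambda contract) so the logic is testable offline."""
    if event["RequestType"] == "Delete":       # nothing to clean up: just acknowledge
        respond(event, "SUCCESS")
        return None
    props = event["ResourceProperties"]
    try:
        if ec2 is None:
            import boto3                       # only needed inside Lambda
            ec2 = boto2 = boto3.client("ec2")
        azs = lookup_service_azs(ec2, props["ServiceName"])
        subnets = ec2.describe_subnets(SubnetIds=list(props["SubnetIds"]))["Subnets"]
        chosen = supported_subnets(azs, subnets)
        if not chosen:                         # surface a clear reason instead of the opaque endpoint error
            raise ValueError(f"none of {list(props['SubnetIds'])} is in a supported AZ {azs}")
        data = {"SubnetIds": chosen, "SubnetIdsCsv": ",".join(chosen),
                "ServiceAvailabilityZones": ",".join(azs)}
        respond(event, "SUCCESS", data)
        return data
    except Exception as exc:                   # a FAILED response rolls the stack back with this reason
        respond(event, "FAILED", reason=str(exc))
        return None


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client (sample data, not real AWS output)."""
    _subnet_az = {"subnet-0aaa": "us-east-1a", "subnet-0bbb": "us-east-1b", "subnet-0ccc": "us-east-1c"}

    def describe_vpc_endpoint_services(self, ServiceNames):
        return {"ServiceDetails": [{"ServiceName": ServiceNames[0],
                                    "AvailabilityZones": ["us-east-1b", "us-east-1c"]}]}

    def describe_subnets(self, SubnetIds):
        return {"Subnets": [{"SubnetId": s, "AvailabilityZone": self._subnet_az[s]} for s in SubnetIds]}


# Constructed sample event in the shape CloudFormation sends to a custom resource.
SAMPLE_EVENT = {
    "RequestType": "Create", "ResponseURL": "https://example.invalid/presigned",
    "StackId": "stack-id", "RequestId": "request-id", "LogicalResourceId": "EndpointSubnets",
    "ResourceProperties": {"ServiceName": "com.amazonaws.us-east-1.sagemaker.api",
                           "SubnetIds": ["subnet-0aaa", "subnet-0bbb", "subnet-0ccc"]},
}


def demo(event=SAMPLE_EVENT):
    """Run the handler against the fake client and capture what would be sent to CloudFormation."""
    sent = []
    data = handler(event, ec2=FakeEc2(),
                   respond=lambda ev, status, data=None, reason=None, physical_id=None:
                   sent.append((status, data, reason)))
    return data, sent


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the template, reference the result from the endpoint resource with `!GetAtt EndpointSubnets.SubnetIds` (or `!Split [",", !GetAtt EndpointSubnets.SubnetIdsCsv]`), and give the Lambda's role only `ec2:DescribeVpcEndpointServices` and `ec2:DescribeSubnets`; it needs nothing else.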
