Hello Sherri,
There are some things to be aware of when creating interface VPC endpoints, which I will list below, but I imagine you probably missed the error message "Error: ... endpoint service com.amazonaws... does not support the Availability Zone (AZ) for the subnet: subnet-abc." This occurs when an Availability Zone isn't activated for the network load balancer in the provider VPC.
Here are the things to be aware of that will help prevent this from happening as well as other issues:
1/ When the customer creates and retrieves endpoint service information, they can see only the AZs that are in common with the service provider.
2/ The AZ ID is unique and consistent for an AZ across all accounts.
3/ AZ mapping might be different between AWS accounts. For example, in your provider account us-east-1a might be mapped to us-east-1c in your customer account. More on this mapping can be found here: https://docs.aws.amazon.com/ram/latest/userguide/working-with-az-ids.html
4/ AWS allows you to identify the actual locations of your resources relative to your accounts with the AZ ID.
5/ You can select an AZ only when it corresponds to an active AZ on the network load balancer in the provider account.
Note - you can view the AZ IDs for the current AWS Region under Your AZ ID on the console.
One other thing that might cause an issue when dealing with Security Groups (SGs) on NLBs is:
- You can control whether PrivateLink traffic is subject to inbound rules. If you enable inbound rules on PrivateLink traffic, the source of the traffic is the private IP address of the client, not the endpoint interface. (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html)
Hope this helps and you can always reach out to your account Solution Architect or open a support ticket if you require further assistance.
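The AZ-ID check described in the answer above, as an added example that is not part of the original answer: it resolves both accounts' AZ names to AZ IDs and reports which consumer subnets can host an interface endpoint for the provider's NLB. The AZ names, AZ IDs, subnet IDs and the enabled-AZ list are constructed sample data modelled on the output of `aws ec2 describe-availability-zones`, `aws elbv2 describe-load-balancers` and `aws ec2 describe-subnets`; the naive name-based comparison is included only to show how it goes wrong.

```python
"""
Added example (not from the original answer): decide, by AZ ID rather than by
AZ name, which consumer subnets can host an interface endpoint for a
PrivateLink service whose NLB is enabled in only some of the provider's AZs.

The dictionaries below are constructed sample data shaped like the output of:
  provider: aws ec2 describe-availability-zones --query 'AvailabilityZones[].[ZoneName,ZoneId]'
            aws elbv2 describe-load-balancers --names <nlb> \
                --query 'LoadBalancers[].AvailabilityZones[].ZoneName'
  consumer: aws ec2 describe-availability-zones --query 'AvailabilityZones[].[ZoneName,ZoneId]'
            aws ec2 describe-subnets --query 'Subnets[].[SubnetId,AvailabilityZone]'
"""
from typing import Dict, List, Sequence, Set, Tuple

# Provider account: ZoneName -> ZoneId (constructed; the name->ID mapping differs per account).
PROVIDER_AZ_MAP: Dict[str, str] = {
    "us-east-1a": "use1-az2",
    "us-east-1b": "use1-az4",
    "us-east-1c": "use1-az6",
}
# AZs enabled on the provider's NLB, reported by name in the provider account (constructed).
PROVIDER_NLB_AZ_NAMES: List[str] = ["us-east-1a", "us-east-1b"]

# Consumer account: the same physical AZs, but the names are shuffled (constructed).
CONSUMER_AZ_MAP: Dict[str, str] = {
    "us-east-1a": "use1-az6",
    "us-east-1b": "use1-az4",
    "us-east-1c": "use1-az2",
}
# Consumer subnets as (SubnetId, AvailabilityZone name) (constructed).
CONSUMER_SUBNETS: List[Tuple[str, str]] = [
    ("subnet-0aaa", "us-east-1a"),
    ("subnet-0bbb", "us-east-1b"),
    ("subnet-0ccc", "us-east-1c"),
]


def nlb_az_ids(provider_az_map: Dict[str, str], nlb_az_names: Sequence[str]) -> Set[str]:
    """Translate the NLB's enabled AZ names into account-independent AZ IDs."""
    missing = [n for n in nlb_az_names if n not in provider_az_map]
    if missing:
        raise ValueError(f"unknown AZ names in provider account: {missing}")
    return {provider_az_map[n] for n in nlb_az_names}


def classify_by_az_id(
    provider_az_map: Dict[str, str],
    nlb_az_names: Sequence[str],
    consumer_az_map: Dict[str, str],
    consumer_subnets: Sequence[Tuple[str, str]],
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """
    Return (eligible_subnet_ids, rejected) where rejected is a list of
    (subnet_id, az_id) for subnets whose AZ is not enabled on the provider NLB.
    Creating an endpoint in a rejected subnet is what produces the
    "does not support the Availability Zone (AZ) for the subnet" error.
    """
    enabled = nlb_az_ids(provider_az_map, nlb_az_names)
    eligible: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for subnet_id, az_name in consumer_subnets:
        az_id = consumer_az_map[az_name]
        if az_id in enabled:
            eligible.append(subnet_id)
        else:
            rejected.append((subnet_id, az_id))
    return eligible, rejected


def classify_by_name(nlb_az_names: Sequence[str],
                     consumer_subnets: Sequence[Tuple[str, str]]) -> List[str]:
    """The wrong approach: compare AZ names across accounts. Kept only for contrast."""
    return [sid for sid, az in consumer_subnets if az in nlb_az_names]


if __name__ == "__main__":
    ok, bad = classify_by_az_id(PROVIDER_AZ_MAP, PROVIDER_NLB_AZ_NAMES,
                                CONSUMER_AZ_MAP, CONSUMER_SUBNETS)
    print("eligible by AZ ID:", ok)
    print("rejected by AZ ID:", bad)
    print("eligible by name (misleading):",
          classify_by_name(PROVIDER_NLB_AZ_NAMES, CONSUMER_SUBNETS))
```

With the constructed mappings, the name-based comparison picks subnet-0aaa and subnet-0bbb, but subnet-0aaa actually sits in use1-az6, which the provider's NLB is not enabled in; the AZ-ID comparison instead picks subnet-0bbb and subnet-0ccc, which is what the endpoint creation would accept.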
You mean they can't retrieve information about your VPC endpoint service, I trust? "Endpoint" is the client side of the PrivateLink connection, and "endpoint service" is the corresponding destination service offering.
For the client accounts to be able to identify your VPC endpoint service, you should add them to the list of allowed principals for the endpoint service (considering that you mentioned this is an internal service, so implicitly not intended to be permitted to the "*" wildcard principal). Without doing that, they won't be able to resolve its service name at all.
If you mean instead that the client accounts were able to create endpoints on their side for the endpoint service that you are offering but just can't connect to your application, then note that in addition to the security group attached to the endpoint in the client account, network access can also be controlled on the service provider's side by attaching a security group to the NLB associated with the service and by enabling the "enforce inbound rules on PrivateLink traffic" option.
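The two provider-side gates this answer describes, as an added example that is not part of the original answer: a consumer-side preflight that first checks whether the consumer account is an allowed principal of the endpoint service (otherwise the service name cannot be resolved) and then evaluates the NLB's security group the way PrivateLink does, with the client's private IP as the source when "enforce inbound rules on PrivateLink traffic" is on and no inbound evaluation at all when it is off. The service name, account IDs, ARNs, CIDRs and security-group rules are constructed sample data; the principal matching is simplified to "*" and account-root ARNs.

```python
"""
Added example (not from the original answer): preflight for a PrivateLink
consumer that mirrors the provider-side controls described above.
All identifiers, CIDRs and rules below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SgRule:
    """One inbound security-group rule (constructed shape, tcp/udp/-1 only)."""
    protocol: str     # "tcp", "udp" or "-1" for all traffic
    from_port: int
    to_port: int
    cidr: str


@dataclass
class EndpointService:
    service_name: str
    # Shape of `aws ec2 describe-vpc-endpoint-service-permissions`: principal ARNs or "*".
    allowed_principals: List[str]
    # Inbound rules of the security group attached to the service's NLB.
    nlb_sg_inbound: List[SgRule]
    # The "enforce inbound rules on PrivateLink traffic" setting on that NLB.
    enforce_inbound_on_privatelink: bool


def principal_allowed(service: EndpointService, consumer_account_id: str) -> bool:
    """Simplified: accept "*" or the consumer account's root ARN.
    (Real allow lists may also hold user/role ARNs or org paths; not modelled here.)"""
    root_arn = f"arn:aws:iam::{consumer_account_id}:root"
    return "*" in service.allowed_principals or root_arn in service.allowed_principals


def nlb_sg_allows(service: EndpointService, client_private_ip: str,
                  port: int, protocol: str = "tcp") -> bool:
    """
    Evaluate the NLB security group as PrivateLink does.
    Enforcement off: inbound rules are not applied to PrivateLink traffic.
    Enforcement on:  the source is the CLIENT's private IP in the consumer VPC,
                     not the endpoint network interface, so a rule that only
                     allows the provider VPC's own CIDR will reject the client.
    """
    if not service.enforce_inbound_on_privatelink:
        return True
    src = ipaddress.ip_address(client_private_ip)
    for rule in service.nlb_sg_inbound:
        if rule.protocol not in (protocol, "-1"):
            continue
        if not (rule.from_port <= port <= rule.to_port or rule.protocol == "-1"):
            continue
        if src in ipaddress.ip_network(rule.cidr, strict=False):
            return True
    return False


def preflight(service: EndpointService, consumer_account_id: str,
              client_private_ip: str, port: int) -> str:
    """Return "ok" or the first gate that blocks the consumer."""
    if not principal_allowed(service, consumer_account_id):
        return "blocked: consumer account is not an allowed principal; service name will not resolve"
    if not nlb_sg_allows(service, client_private_ip, port):
        return "blocked: NLB security group rejects the client's private IP as source"
    return "ok"


# Constructed sample service: only account 111111111111 is allowed, NLB SG allows
# tcp/443 from the consumer's 10.20.0.0/16 only, and enforcement is on.
SAMPLE_SERVICE = EndpointService(
    service_name="com.amazonaws.vpce.us-east-1.vpce-svc-0example",
    allowed_principals=["arn:aws:iam::111111111111:root"],
    nlb_sg_inbound=[SgRule("tcp", 443, 443, "10.20.0.0/16")],
    enforce_inbound_on_privatelink=True,
)

if __name__ == "__main__":
    print(preflight(SAMPLE_SERVICE, "111111111111", "10.20.5.7", 443))
    print(preflight(SAMPLE_SERVICE, "222222222222", "10.20.5.7", 443))
    print(preflight(SAMPLE_SERVICE, "111111111111", "10.30.0.9", 443))
```

The practical caveat is in `nlb_sg_allows`: once enforcement is switched on, the security group must admit the consumer VPC's client ranges, because that is the source address PrivateLink presents; rules written for the endpoint interface's address in the provider VPC no longer match.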
