Use of VPC times out when downloading source from s3.

Question

Hello Y'all!  
  
I have AWS CodePipeline where the source is from AWS CodeCommit, then it is built using AWS CodeBuild. All my services are under a VPC and that is the only way to reach Redis and Postgresql.   
What CodeBuild is working with is a NodeJS application created using CodeStar. I went ahead and created a couple of new endpoints on my nodeJS application, created the tests with the default test library, committed my changes, and pushed them.  
First, my VPC has a routing table pointing to an Internet Gateway. When I attached the VPC and both my private subnets to the Environment of my CodeBuild Project and click "Validate VPC Settings" I get:

```
The VPC with ID vpc-XYZ might not have an internet connection because the provided subnet with ID subnet-XYZ is public. 
 Provide a private subnet with the 0.0.0.0/0 destination for the target NAT gateway and try again.
```

After seeing this, I go ahead and change the route table to point to a NAT gateway. I go back to Code Build setting and I get the following error:

```
The VPC with ID vpc-XYZ might not have an internet connection. CodeBuild cannot find the 0.0.0.0/0 destination for the target internet gateway with subnet ID subnet-XYZ.
```

This is because AWS is not allowing me to have two similar destinations, in this case, 0.0.0.0/0.  
  
With this problem, I keep getting an error in my CodeBuild details:

```
CLIENT_ERROR: RequestError: send request failed caused by: Get https://aws-codestar-us-west-2-USERid-admin-api-pipe.s3.us-west-2.amazonaws.com/data-admin-api-Pipel/data-admin/mYX264d: dial tcp 52.3.2.1:443: i/o timeout for primary source and source version arn:aws:s3:::aws-codestar-us-west-2-USEID-admin-api-pipe/data-admin-api-Pipel/data-admin/mYX264d
```

What am I doing wrong? Did I mess up my VPC? I can still access my services on my local machine.  
  
Edited by: MrBaxt0rz on Apr 28, 2020 3:26 PM  
  
Edited by: MrBaxt0rz on Apr 28, 2020 3:26 PM

Accepted Answer

Your VPC will need a route to the internet, as the build container uses the same network security group rules as your VPC. You may achieve this by having a NAT Gateway in your public subnet or by running a self-managed proxy with route to the internet through the internet gateway.  
  
https://docs.aws.amazon.com/codebuild/latest/userguide/use-proxy-server.html

Answer

To respond to my problem above:  
I dug deeper on the AWS documents for PCs, NAT Gateways, and CodeBuild. I finally solve my problem mentioned above. I noticed that the NAT Gateway was attached to a private subnet with the availability zone of us-west-2b. I had to delete it and create a new NAT Gateway and attached it to my public subnet with zone us-west-2a. I did the following steps:  
  
1. Delete NAT Gateway attached to a private subnet with zone us-west-2b  
2. Create NAT Gateway and attach it to a public subnet with zone us-west-2a  
3. Modified route table for private subnet with zone us-west-2a by adding destination 0.0.0.0/0 with the new NAT Gateway as a target.  
4. Validate settings successfully  
5. try to access all my services via VPC and my ALB services and all of it is successful.  
  
Well, even though the solution above fixes my problem with VPC settings validation, I noticed several new problems... To start with, when I push changes to my repo from my local machine the CodePipeline is triggered. It moves into the Build Stage, and CodeBuild kicks off great. There are two scenarios I am dealing with now. First, the Phase `DOWNLOAD_SOURCE` is timeout; I increased the timeout time and I still don't get anywhere. Second, if it passes Phase `DOWNLOAD_SOURCES`. Code build starts phase `PRE_BUILD`, code build runs `npm test` and it fails because it could not reach my Redis instance.   
  
Do I need to have a NAT gateway for each public subnet I have?

Use of VPC times out when downloading source from s3.

Relevant content