The issue you're experiencing with the VPC endpoint network interfaces not being fully available immediately after creation is a common challenge when working with AWS CDK and VPC endpoints. This is because the creation of network interfaces for VPC endpoints is an asynchronous process that may not complete by the time the CDK construct returns.
To address this problem and obtain all the network interface IDs for your VPC endpoint, you can use a custom resource approach similar to what you've already shown, but with a slight modification to ensure you get all the interfaces. Here's an improved approach:
- Create the VPC endpoint as you're currently doing.
- Use a custom resource to describe the VPC endpoint itself, rather than the network interfaces directly.
- Extract the network interface IDs from the VPC endpoint description.
- Use another custom resource to describe these network interfaces and get their private IP addresses.
Here's how you could implement this:
```typescript
import { InterfaceVpcEndpointAwsService, SubnetType } from 'aws-cdk-lib/aws-ec2';
import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';

const vpce = vpc.addInterfaceEndpoint('s3-vpce', {
  service: InterfaceVpcEndpointAwsService.S3,
  subnets: { subnetType: SubnetType.PRIVATE_WITH_EGRESS },
  open: false,
  securityGroups: [vpceSg],
});

// Custom resource to describe the VPC endpoint
const describeVpce = new AwsCustomResource(this, 'DescribeVpce', {
  onCreate: {
    service: 'EC2',
    action: 'describeVpcEndpoints',
    parameters: { VpcEndpointIds: [vpce.vpcEndpointId] },
    physicalResourceId: PhysicalResourceId.of(Date.now().toString()),
  },
  policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
});

// Extract network interface IDs
const networkInterfaceIds = describeVpce.getResponseField('VpcEndpoints.0.NetworkInterfaceIds');

// Custom resource to describe network interfaces
const describeNetworkInterfaces = new AwsCustomResource(this, 'DescribeNetworkInterfaces', {
  onCreate: {
    service: 'EC2',
    action: 'describeNetworkInterfaces',
    parameters: { NetworkInterfaceIds: networkInterfaceIds },
    physicalResourceId: PhysicalResourceId.of(Date.now().toString()),
  },
  policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),
});

// Extract private IP addresses
const privateIpAddresses = describeNetworkInterfaces.getResponseField('NetworkInterfaces[*].PrivateIpAddress');

// Now you can use privateIpAddresses for your ALB target group
```
This approach ensures that you get all the network interfaces associated with the VPC endpoint, even if they're not immediately available when the endpoint is first created. The custom resources will wait for the VPC endpoint to be fully provisioned before attempting to describe its network interfaces.
Regarding your questions about `InterfaceVpcEndpoint.fromInterfaceVpcEndpointAttributes()`:
- The `port` parameter is indeed not applicable for S3 VPC endpoints, as S3 doesn't use a specific port for VPC endpoint connections.
- You're correct that `IInterfaceVpcEndpoint` doesn't include `vpcEndpointNetworkInterfaceIds`. This interface is designed to be a minimal representation of a VPC endpoint, suitable for referencing existing endpoints but not for detailed management.
The custom resource approach outlined above should provide you with the necessary information to create your ALB target group with all the VPC endpoint's network interface IP addresses.
On the face of it, this answer looks very compelling. However, I think there is one core issue which I'm not sure we can work around with the current approach. `AwsCustomResource.getResponseField` only works on primitives and I think can only return one value at a time. So in your example where you have `describeVpce.getResponseField('VpcEndpoints.0.NetworkInterfaceIds')` and `describeNetworkInterfaces.getResponseField('NetworkInterfaces[*].PrivateIpAddress')`, these statements do not work since those keys don't exist in the custom resource response. The only way to get it to work was to know ahead of time how many `NetworkInterfaceIds` to expect, e.g. 3, and iterate over them, and likewise then for the PrivateIpAddresses, i.e.,
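The behaviour the comment above describes, and the reason the two `getResponseField` paths in the answer's code cannot resolve, can be reproduced offline. The following TypeScript is an added example, not code from this thread or from aws-cdk-lib: `flattenResponse()` is a re-implementation (an assumption about the provider, not its source) of the dot-path flattening the AwsCustomResource runtime applies to an SDK response, `getResponseField()` is a local model of the CDK method that fails immediately instead of at deploy time, and the endpoint ID, ENI IDs and addresses are constructed sample data. It shows why `VpcEndpoints.0.NetworkInterfaceIds` and `NetworkInterfaces[*].PrivateIpAddress` are never keys, and how the per-index paths for a known interface count are built and checked.

```typescript
// Added example (not aws-cdk-lib code): a local model of how AwsCustomResource exposes
// an SDK response to getResponseField(), using constructed sample data.

type Primitive = string | number | boolean | null;
type FlatResponse = Record<string, Primitive>;

// Constructed sample responses. The shape follows EC2 DescribeVpcEndpoints and
// DescribeNetworkInterfaces; every ID and address below is made up.
const SAMPLE_DESCRIBE_VPCE = {
  VpcEndpoints: [
    {
      VpcEndpointId: "vpce-0123456789abcdef0",
      VpcEndpointType: "Interface",
      NetworkInterfaceIds: ["eni-0aaa0aaa0aaa0aaa0", "eni-0bbb0bbb0bbb0bbb0", "eni-0ccc0ccc0ccc0ccc0"],
    },
  ],
};

const SAMPLE_DESCRIBE_ENIS = {
  NetworkInterfaces: [
    { NetworkInterfaceId: "eni-0aaa0aaa0aaa0aaa0", PrivateIpAddress: "10.0.1.10" },
    { NetworkInterfaceId: "eni-0bbb0bbb0bbb0bbb0", PrivateIpAddress: "10.0.2.10" },
    { NetworkInterfaceId: "eni-0ccc0ccc0ccc0ccc0", PrivateIpAddress: "10.0.3.10" },
  ],
};

// Re-implementation (assumed to mirror the provider) of the flattening applied to the
// SDK response: nested objects and arrays become dot-joined key paths, array indices
// become numeric segments, and only leaf primitives are stored. An array-valued path
// such as "VpcEndpoints.0.NetworkInterfaceIds" therefore never exists as a key, and
// "[*]" is not a wildcard, just three ordinary characters in a key that does not exist.
function flattenResponse(value: unknown, path: string[] = [], out: FlatResponse = {}): FlatResponse {
  if (value !== null && typeof value === "object") {
    const record = value as Record<string, unknown>;
    for (const key of Object.keys(record)) {
      flattenResponse(record[key], [...path, key], out);
    }
  } else if (path.length > 0) {
    out[path.join(".")] = value as Primitive;
  }
  return out;
}

// Local model of getResponseField(): one flattened key, or an error when it is absent.
// (The real CDK call returns a token; the missing-attribute failure surfaces at deploy time.)
function getResponseField(flat: FlatResponse, dataPath: string): Primitive {
  if (!Object.prototype.hasOwnProperty.call(flat, dataPath)) {
    throw new Error(`Response field '${dataPath}' is not present in the flattened response`);
  }
  return flat[dataPath];
}

// Runtime check: how many NetworkInterfaceIds did the endpoint actually report?
function countNetworkInterfaces(flatVpce: FlatResponse): number {
  const prefix = "VpcEndpoints.0.NetworkInterfaceIds.";
  return Object.keys(flatVpce).filter((k) => k.indexOf(prefix) === 0).length;
}

// Indexed paths for a known, fixed number of interfaces (the workaround from the thread).
function networkInterfaceIdPaths(count: number): string[] {
  return Array.from({ length: count }, (_, i) => `VpcEndpoints.0.NetworkInterfaceIds.${i}`);
}

function privateIpPaths(count: number): string[] {
  return Array.from({ length: count }, (_, i) => `NetworkInterfaces.${i}.PrivateIpAddress`);
}

// Read the ENI IDs, then the private IPs, one indexed field at a time. Fails loudly if
// the endpoint reports a different number of interfaces than expected, or if an ENI in
// the second response is not one of the endpoint's, so a target group is never built
// from a partial or misaligned address list.
function collectPrivateIps(vpceResponse: unknown, eniResponse: unknown, expectedCount: number): string[] {
  const flatVpce = flattenResponse(vpceResponse);
  const flatEni = flattenResponse(eniResponse);
  const actual = countNetworkInterfaces(flatVpce);
  if (actual !== expectedCount) {
    throw new Error(`expected ${expectedCount} network interfaces, endpoint reports ${actual}`);
  }
  const eniIds = networkInterfaceIdPaths(expectedCount).map((p) => String(getResponseField(flatVpce, p)));
  const ips = privateIpPaths(expectedCount).map((p) => String(getResponseField(flatEni, p)));
  for (let i = 0; i < expectedCount; i++) {
    const id = String(getResponseField(flatEni, `NetworkInterfaces.${i}.NetworkInterfaceId`));
    if (eniIds.indexOf(id) === -1) {
      throw new Error(`interface ${id} at index ${i} does not belong to the endpoint`);
    }
  }
  return ips;
}
```

The count check is the part worth carrying into a real stack: because the expected interface count is fixed at synth time, a subnet being added or removed later changes the number of endpoint ENIs, and a lookup that quietly returns only the first N addresses would register an incomplete set of targets. Failing the custom resource instead makes the mismatch visible in the deployment rather than in traffic behaviour.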