Code Deploy and Pipeline for Private EC2 Auto Scale in VPC


My VPC consists of an ALB on a public subnet, an Auto Scaling group of EC2 instances on a private subnet, and a DB on a private subnet too.

I want to use CodeDeploy and CodePipeline, Systems Manager for Parameter Store, and State Manager for scheduled installation of the CodeDeploy agent package.

Now my CodeDeploy and pipeline fail. I guess I need to enable VPC endpoints, but working out exactly which endpoints I need is giving me a hard time. And there is the complaint about so many endpoints and their pricing...

So here's what I researched so far; please correct me on the following list.

CodeDeploy: 2 VPC endpoints, one for the API and one for the agent
CodePipeline: 1 VPC endpoint, just codepipeline
SSM: 3 VPC endpoints, ssm, ssmmessages, ec2messages
S3 gateway endpoint is needed, since I saw CodeDeploy use it for revisions

Are there any other endpoints I need for an auto scaled EC2 group in a private subnet in a VPC?

1 Answer

Hello.

If your EC2 instances are in a private subnet, the following VPC endpoints are required for communication with CodeDeploy.
https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html

com.amazonaws.region.codedeploy
com.amazonaws.region.codedeploy-commands-secure

Also, ":enable_auth_policy:" must be set to "true" in the CodeDeploy agent settings.
https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-agent-configuration.html
https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html#vpc-codedeploy-agent-configuration

To use Amazon VPC endpoints with CodeDeploy, you must set the value of :enable_auth_policy: to true in the agent configuration file located on your EC2 or on-premises instances. For more information on the agent configuration file, see CodeDeploy agent configuration reference.

When installing the CodeDeploy agent with Systems Manager, the following VPC endpoints are required.
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html

ssm.region.amazonaws.com
ssmmessages.region.amazonaws.com
ec2messages.region.amazonaws.com

Since you will also be accessing S3, try setting up a gateway VPC endpoint for S3.
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html

I think it would be easier to set up a NAT Gateway than using so many VPC endpoints.
Use VPC endpoints if you don't want to send communication outside of AWS.
If there are no special communication requirements, I think one method is to use a NAT Gateway.

EXPERT
answered 6 months ago
  • Thank you. The issue with the NAT is the cost, which is 0.45 per hour and 0.45 per GB, while VPC endpoints are 0.01 per hour and 0.01 per GB. And I think you missed CodePipeline, which I mentioned above. So I don't need that, right? And could you take a close look and tell me whether there is anything else I'm missing, since I'm also using an EC2 launch template, an Auto Scaling group, and an Application Load Balancer? Thank you. I just want to make sure that's everything I need to set up, and I will compare the combined endpoint price with a NAT.

  • Basically, there should be no problem as long as EC2 can communicate with CodeDeploy and S3, so I don't think a CodePipeline VPC endpoint is necessary.
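The answer above lists which endpoints are needed but gives no way to verify that an existing VPC actually has them wired up correctly. The following Python audit is an added example, not code from the thread or from AWS: it encodes the endpoint list from the answer (the two CodeDeploy interface endpoints, the three SSM interface endpoints, and the S3 gateway endpoint) and checks the three things that most often break a private-subnet agent even when the endpoints exist: private DNS disabled on an interface endpoint, an endpoint security group that does not admit tcp/443 from the instances' security group, and an S3 gateway endpoint that is not associated with every private route table. It also checks a codedeployagent.yml for `:enable_auth_policy: true`. The input dictionaries follow the shape of boto3's `describe_vpc_endpoints` and `describe_security_groups` responses, but the sample data, region, and all `sg-`/`rtb-` identifiers below are constructed for the example; the instance profile permissions the agents also need are outside what this check covers.

```python
"""Audit a VPC for the endpoints a CodeDeploy + SSM agent in a private subnet needs.

Added example for the re:Post thread above; not AWS code.  Inputs mirror the
boto3 describe_vpc_endpoints / describe_security_groups response shapes.
"""
import re

# Interface endpoints named in the answer (CodeDeploy API, agent channel, SSM).
REQUIRED_INTERFACE = ("codedeploy", "codedeploy-commands-secure",
                      "ssm", "ssmmessages", "ec2messages")


def service_name(region, suffix):
    """Build the PrivateLink service name, e.g. com.amazonaws.us-east-1.ssm."""
    return f"com.amazonaws.{region}.{suffix}"


def sg_allows_https_from(sg, source_sg_id):
    """True if a describe_security_groups entry admits tcp/443 from source_sg_id."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)):
            continue
        if any(p.get("GroupId") == source_sg_id for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def audit(region, endpoints, security_groups, private_route_tables, instance_sg_id):
    """Return a list of findings; an empty list means the VPC is wired correctly."""
    findings = []
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    available = {ep["ServiceName"]: ep for ep in endpoints if ep.get("State") == "available"}

    for suffix in REQUIRED_INTERFACE:
        name = service_name(region, suffix)
        ep = available.get(name)
        if ep is None:
            findings.append(f"missing interface endpoint {name}")
            continue
        # Without private DNS the agents resolve the public hostname and bypass the endpoint.
        if not ep.get("PrivateDnsEnabled"):
            findings.append(f"{name}: private DNS disabled, agents will resolve the public hostname")
        # The endpoint ENI must accept HTTPS from the Auto Scaling group's instances.
        if not any(sg_allows_https_from(sgs.get(g["GroupId"], {}), instance_sg_id)
                   for g in ep.get("Groups", [])):
            findings.append(f"{name}: no endpoint security group allows tcp/443 from {instance_sg_id}")

    # Revisions are pulled from S3, so the gateway endpoint must be on every private route table.
    s3 = available.get(service_name(region, "s3"))
    if s3 is None or s3.get("VpcEndpointType") != "Gateway":
        findings.append("missing S3 gateway endpoint (CodeDeploy revisions are pulled from S3)")
    else:
        for rt in sorted(set(private_route_tables) - set(s3.get("RouteTableIds", []))):
            findings.append(f"S3 gateway endpoint not associated with private route table {rt}")
    return findings


def agent_uses_vpc_endpoints(config_text):
    """codedeployagent.yml must carry ':enable_auth_policy: true' to use the VPC endpoints."""
    m = re.search(r"^\s*:enable_auth_policy:\s*(\S+)", config_text, re.M)
    return bool(m) and m.group(1).lower() == "true"


# ---- constructed sample data (hypothetical IDs, not from any real account) ----
REGION = "us-east-1"
INSTANCE_SG = "sg-0aaa"          # security group on the Auto Scaling group instances
ENDPOINT_SG = "sg-0bbb"          # security group attached to the interface endpoints
PRIVATE_RTS = ["rtb-0priv1", "rtb-0priv2"]

SAMPLE_SECURITY_GROUPS = [
    {"GroupId": ENDPOINT_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": INSTANCE_SG}], "IpRanges": []}]},
]


def _iface(suffix, private_dns=True):
    return {"ServiceName": service_name(REGION, suffix), "VpcEndpointType": "Interface",
            "State": "available", "PrivateDnsEnabled": private_dns,
            "Groups": [{"GroupId": ENDPOINT_SG}]}


# Deliberately incomplete: agent endpoint missing, ssmmessages without private DNS,
# S3 gateway attached to only one of the two private route tables.
SAMPLE_ENDPOINTS = [
    _iface("codedeploy"), _iface("ssm"), _iface("ssmmessages", private_dns=False),
    _iface("ec2messages"),
    {"ServiceName": service_name(REGION, "s3"), "VpcEndpointType": "Gateway",
     "State": "available", "RouteTableIds": ["rtb-0priv1"]},
]

SAMPLE_AGENT_CONFIG = "---\n:log_dir: '/var/log/aws/codedeploy-agent/'\n:enable_auth_policy: true\n"

if __name__ == "__main__":
    for f in audit(REGION, SAMPLE_ENDPOINTS, SAMPLE_SECURITY_GROUPS, PRIVATE_RTS, INSTANCE_SG):
        print("FINDING:", f)
    print("agent config OK:", agent_uses_vpc_endpoints(SAMPLE_AGENT_CONFIG))
```

Against the constructed sample the audit reports exactly three findings: the missing `codedeploy-commands-secure` endpoint, private DNS disabled on `ssmmessages`, and the S3 gateway endpoint missing from `rtb-0priv2`. In a real account the inputs come from `describe_vpc_endpoints(Filters=[{"Name": "vpc-id", ...}])`, `describe_security_groups`, and the route tables of the private subnets; the security-group check is conservative and only credits a rule that references the instance security group, not a broad CIDR rule.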
