There are two possible reasons.
- Private DNS name is not enable for this endpoint.
- The endpoint doesn't have an interface in the subnet where the EC2 instance is running.
Verify that private DNS is enabled for your endpoint.
$ aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-044a93bEXAMPLE --query 'VpcEndpoints.PrivateDnsEnabled' --region REGION
If the response is not "true", modify the endpoint and enable private DNS names. If it is already enabled, make sure that the endpoint has an interface in the AZ ( in any subnet in that AZ) where you your EC2 instance is running.
For example, if your EC2 instance is in eu-central-1a, make sure that the endpoint has an interface in one of the subnets in eu-central-1a.
Thank you for the suggestions.
Private DNS is enabled, so that is not the issue.
As far as I know the endpoint doesn't need to be in the same subnet or even in the same AZ as the EC2 instance calling the endpoint. At least this works for all the other endpoints like KMS and CloudWatch Logs. I tested it anyway and deployed the Sagemaker runtime endpoint into the same subnet as the EC2 instance and there it works.
Another test I did was deploying the Sagemaker runtime again into my "endpoint subnet" with private dns name disabled and attaching a private hosted zone for the Sagemaker runtime domain pointing to the private IP of the Sagemaker runtime endpoint. This works as well.
Afterwards I removed the private hosted zone and enabled private dns name again and it stopped working.
How do I create a VPC Endpoint for S3 Interface?asked 6 months ago
Private DNS name for S3 VPC endpointasked 7 months ago
Unable to resolve the private dns name of a Sagemaker runtime VPC interface endpointasked a month ago
How to setup interface VPC endpoints in a multi tier architecture?Accepted Answerasked 2 years ago
VPC Interface Endpoints and API Gateway called from LambdasAccepted Answerasked 9 months ago
Specify a subnet for SageMaker endpointsasked 10 months ago
VPC Interface Endpoint Limitation on one subnet per Availability Zone for "Enable Private DNS Name"Accepted Answerasked 5 years ago
Ingress rules for a private subnet NACL with VPC endpoints: Are AWS service CIDR ranges required?Accepted Answerasked 7 months ago
Route tables for Using Amazon Managed Prometheus with interface VPC endpointsasked 23 days ago
Which connection method when using SageMaker Notebook through VPC Interface Endpoint?Accepted AnswerEXPERTasked 4 years ago