Data routing to VPC Endpoint from different AZ

1

I have 3 subnets in 3 different AZs. I have a VPC endpoint connected to our partner's VPC Endpoint Service. This endpoint is connected to each of the 3 subnets.

To send data to the endpoint I'm using the general DNS name, which resolves to 3 internal IP addresses.

In the meantime, I've spotted a large amount of paid Cross-AZ traffic. From flow logs it is clear that it is traffic from my instances (or Fargate tasks) to this VPC Endpoint.

My question is: **Is it possible to force using the VPC Endpoint ENI from the same AZ as the origin?** Or is the only way to use different DNS names in different AZs?

2 Answers
7

Yes, you can choose which endpoint to use but (as you say) it is up to the DNS entry that you use. Your client machine (EC2 instance or on premises) will resolve multiple IPs if given the "generic" endpoint name; or a single IP if given the AZ-specific name. Note that using an AZ-specific name isn't desirable if there is some failure within that AZ that is causing the endpoint not to respond.

For those reading along, you can find the names for your endpoints in the console or by running `aws ec2 describe-vpc-endpoints` - you'll see the endpoint DNS name (something like `vpce-xxxxxxxx.ec2.region.vpce.amazonaws.com`) and you'll also see the AZ-specific names (such as `vpce-xxxxxxxx-region-1a.ec2.region.vpce.amazonaws.com`).

AWS
EXPERT
answered 2 years ago
  • Thank you for your response! The benefits of cross-zone routing are clear. However, in our case (50-100 TB/month) it generates a pretty significant cost for Cross-AZ traffic. A single AZ or an isolated AZ does not have these costs at all.
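The answer above says the choice is made by which DNS name the client resolves: the generic endpoint name returns all three ENI addresses, the AZ-specific name returns one. An added illustration of that selection, not code from the original thread or from AWS: the helper below takes the `DnsEntries` list as returned by `aws ec2 describe-vpc-endpoints` (a constructed sample in the same shape is embedded, with placeholder endpoint id, region and service names), classifies each name as regional or AZ-specific by the `-<az>` suffix on its first label, and returns the name matching the caller's AZ, falling back to the regional name when no per-AZ entry exists (which reintroduces cross-AZ traffic but keeps the failover the answer mentions). `current_az_from_imds` reads the instance's own AZ through IMDSv2 and only works on an EC2 instance; the function and module names are hypothetical.

```python
"""Pick the VPC endpoint DNS name that lives in the caller's own AZ.

Hypothetical helper (not from the original thread or from AWS): it works on
the DnsEntries array of `aws ec2 describe-vpc-endpoints` output and prefers
the AZ-specific name for a given Availability Zone.
"""
import json
import re
import urllib.request

# Constructed sample shaped like describe-vpc-endpoints JSON output; the vpce
# id, hosted zone id, region and service names are placeholders, following the
# regional / AZ-specific naming pattern quoted in the answer above.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [{
        "VpcEndpointId": "vpce-0123456789abcdef0",
        "DnsEntries": [
            {"DnsName": "vpce-0123456789abcdef0.ec2.eu-west-1.vpce.amazonaws.com", "HostedZoneId": "ZEXAMPLE"},
            {"DnsName": "vpce-0123456789abcdef0-eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com", "HostedZoneId": "ZEXAMPLE"},
            {"DnsName": "vpce-0123456789abcdef0-eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com", "HostedZoneId": "ZEXAMPLE"},
            {"DnsName": "vpce-0123456789abcdef0-eu-west-1c.ec2.eu-west-1.vpce.amazonaws.com", "HostedZoneId": "ZEXAMPLE"},
        ],
    }]
})

# Matches a trailing "-<az name>" such as "-eu-west-1a" or "-us-gov-west-1b".
AZ_SUFFIX_RE = re.compile(r"-([a-z]{2}(?:-[a-z]+)+-\d[a-z])$")


def dns_names_from_describe_output(raw_json, vpc_endpoint_id=None):
    """Extract the DnsName values from describe-vpc-endpoints JSON,
    optionally restricted to one endpoint id."""
    data = json.loads(raw_json)
    names = []
    for ep in data.get("VpcEndpoints", []):
        if vpc_endpoint_id and ep.get("VpcEndpointId") != vpc_endpoint_id:
            continue
        names.extend(e["DnsName"] for e in ep.get("DnsEntries", []))
    return names


def split_dns_entries(dns_names):
    """Return (regional_name, {az_name: az_specific_name}).

    An AZ-specific entry is one whose first DNS label ends in "-<az>"; the
    first name without such a suffix is taken as the regional (multi-IP) name.
    """
    regional = None
    per_az = {}
    for name in dns_names:
        first_label = name.split(".", 1)[0]
        m = AZ_SUFFIX_RE.search(first_label)
        if m:
            per_az[m.group(1)] = name
        elif regional is None:
            regional = name
    return regional, per_az


def endpoint_name_for_az(dns_names, az_name):
    """Prefer the AZ-specific name for az_name; fall back to the regional name.

    Returns (name, is_az_specific). The AZ-specific name keeps traffic off
    cross-AZ links but gives up the failover the regional name provides.
    """
    regional, per_az = split_dns_entries(dns_names)
    if az_name in per_az:
        return per_az[az_name], True
    if regional is None:
        raise ValueError("no regional DNS entry found for endpoint")
    return regional, False


def current_az_from_imds(timeout=2.0):
    """Read this instance's AZ name via IMDSv2 (EC2 only; not exercised offline)."""
    token_req = urllib.request.Request(
        "http://169.254.169.254/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    az_req = urllib.request.Request(
        "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(az_req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    names = dns_names_from_describe_output(SAMPLE_DESCRIBE_OUTPUT)
    for az in ("eu-west-1a", "eu-west-1b", "eu-west-1z"):
        print(az, "->", endpoint_name_for_az(names, az))
```

On EC2 the AZ comes from IMDS as shown; for a Fargate task it comes from the ECS task metadata endpoint instead, so the lookup function is the part to swap. The matching is by AZ name, which is what the DNS labels carry; the second answer's point about AZ IDs differing per account applies when you compare zones with the partner, not when you pick a DNS name inside your own account.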

0

If you prefer not to change the DNS, you can also manage it with specific routes per subnet that point to the ENI/IP in the routing table(s), but as suggested here before, if something happens to the endpoint, your AZ is down (at least whatever depends on that route). Also, regardless, make sure you validate with your partner what the AZ ID is (not its name - as those are random per account).

AWS
answered 2 years ago
  • Interesting idea with the routing table... How could this routing table record look?
