AWS SES - VPC Endpoint - does not send emails from private subnet

Question

I have got the spring boot app running on ec2 instance in a private subnet where no internet connection is established. I want to send emails from this app so I decided to use VPC endpoint connected to AWS SES.

Here are the inbound rules of security group of this vpc endpoint.

![Enter image description here](/media/postImages/original/IMtz4rNs3BREG13mRL2_am5A)

Source column is private ip of my ec2 instance

When I invoke the telnet command: 
```
telnet email-smtp.eu-central-1.amazonaws.com 587
```

I got the response:
```
 Connected to email-smtp.eu-central-1.amazonaws.com.
```

So connection is established I guess. However, when I try to send emails from my application - the exception is thrown

```

amazon.awssdk.core.exception.SdkClientException:  Unable to execute HTTP request: Connect to email.eu-central-1.amazonaws.com:443  [email.eu-central-1.amazonaws.com/,  email.eu-central-1.amazonaws.com/, email.eu-central-1.amazonaws.com/,  email.eu-central-1.amazonaws.com/,  email.eu-central-1.amazonaws.com/,  email.eu-central-1.amazonaws.com/] failed:  Connect timed out
```

the method I use to send emails

```
fun sendEmail() {
        val url = "url"

val destination = Destination.builder().toAddresses("email@domain.pl").build()
        val subject = Content.builder().data("Subject").build()
        val sesBody = Body.builder().text(Content.builder().data(data(url)).build()).build()
        val msg = Message.builder().subject(subject).body(sesBody).build()

sesClient.sendEmail(
            SendEmailRequest.builder()
                .destination(destination)
                .message(msg)
                .source("email2@domain.pl")
                .build()
        )
    }
```

and the sesClient config
```
    @Bean
    fun sesClient(): SesClient {
        val basicAWSCredentials = AwsBasicCredentials.create(sesAccessKey, sesSecretKey)
        val credentialsProvider = StaticCredentialsProvider.create(basicAWSCredentials)

return SesClient
            .builder()
            .credentialsProvider(credentialsProvider)
            .region(Region.EU_CENTRAL_1)
            .build()
    }
```

Answer

Okay, I solved the problem. I stopped using aws ses sdk, because it tries to connect through HTTPS, while I need to connect through SMTP on 587 port. So here is my final configuration

```
spring:
  mail:
    host: email-smtp.eu-central-1.amazonaws.com
    username: ${AWS_SES_USERNAME}
    password: ${AWS_SES_PASSWORD}
    port: 587
    protocol: smtp
    properties:
      mail.smtp.auth: true
      mail.smtp.starttls.enable: true
      mail.smtp.starttls.required: true
      mail.smtp.ssl.trust: email-smtp.eu-central-1.amazonaws.com
    test-connection: false
```

To generate `AWS_SES_USERNAME` and `AWS_SES_PASSWORD` you need to sign in into aws console, go to `Amazon SES` -> `SMTP Settings` -> `Create my SMTP credentials`

Answer

Your test (using telnet) is connecting to the SMTP port on the SES mail server; but your code is trying to call the SES endpoint (which is HTTPS and uses port 443) so those are two different things. The error message you're getting is telling you that too.

Also, your test is to `email-smtp.eu-central-1.amazonaws.com` but the code is connecting to `email.eu-central-1.amazonaws.com`.

Check to see that your instance is able to connect to `email.eu-central-1.amazonaws.com` on port 443.

Answer

make sure you have allowed port 25, 465, 587 & 443 depending on what you are using to talk to SES.
Also did you test the telnet from your application server?

you can check below links for more details.

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-set-up-vpc-endpoints.html
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html

Answer

I'm having the same problem, but in my case I can't stop using the AWS SDK because I depend on it for credentials, what can I do in this case?

AWS SES - VPC Endpoint - does not send emails from private subnet

Relevant content