Interface endpoints for S3 connection timeout

1

I'm at my wits' end with this. I have an interface endpoint for S3. The S3 service is under a different AWS account to the account in which I have a VPC which has the endpoint configured.

The DNS of the endpoint resolves to the correct IP address. I have verified that the security group associated with the endpoint allows 443, both inbound and outbound. I have verified NACL of the subnets as well.

I still cannot use the endpoint url. It times out when I specify endpoint url in aws cli commands to s3. Any help I can get on this is much appreciated. Thanks in advance.

  • Turns out that this is a DNS issue. I do not have DNS Hostnames enabled on my VPC and the endpoint. I have private DNS configured through a DHCP option set. It looks like my private DNS is unable to resolve the AWS-provided regional endpoint FQDN. It also doesn't route the request to the internet for resolution. I will need to find a fix to route this request to the VPC's DNS so the endpoint FQDN can be resolved.

RB
asked 6 months ago, 470 views
4 Answers
1

Thanks for looking into this. I have checked and the ACLs have a 100 rule allowing all comms, so I am assuming there's no issue there. The endpoint is within vpc1 in account1 and the s3 service is provisioned under account2. S3 in account2 is not within a VPC so I did not check if there is VPC peering.

Also, there is no specific route configured. My understanding is that a VPC interface endpoint will have an IP address within the CIDR range of the subnet and hence doesn't need a route? Please advise if I am mistaken.

It is an interface endpoint that I have configured with the intent to have it used by an on-premises application. I am testing the endpoint at the moment through AWS CloudShell from account1. I also have a Lambda function configured in account1 and I am facing the same issue with the Lambda function as well.

When I do an nslookup on the VPC interface endpoint, it resolves to the correct IP addresses. When I do a telnet on 443, however, it just times out. Thanks

RB
answered 5 months ago
  • Hi, I'm facing a similar issue. Did you ever resolve yours?

1

I assume you have VPC peering configured along with correct routes in each route table associated with said subnets? No ACLs in place to prevent communication? Where are you running the CLI from also?

EXPERT
answered 6 months ago
1

If you have it in another VPC then you will need peering or a transit gateway set up. You’ll also need routes to the other CIDR range.

If there’s no connection between VPCs you’ll never be able to connect to the endpoint.

Lambda by design has access to the internet and S3 without setting up any endpoints. This changes if your Lambda is attached to a VPC.

EXPERT
answered 5 months ago
0

You are correct that an Interface Endpoint gets an IP (ENI) from your subnet.

Did you create a security group (or edit an existing one) to allow the resources in your VPC to communicate with the endpoint network interfaces for the VPC endpoint?

If your resources are in a subnet with a network ACL, verify that the network ACL allows traffic between the endpoint network interfaces and the resources in the VPC.

Did this help you resolve the issue?

AWS
answered 5 months ago
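As an added example (not code from the thread, from AWS, or from any poster), the following offline checker walks through the controls the posts above ran through for an S3 interface endpoint: reachability from outside the endpoint's VPC (peering/transit gateway), the endpoint security group, the subnet NACL, and the VPC DNS attributes and DHCP option set that the asker eventually identified as the root cause. The dict shapes follow the AWS CLI `describe-vpc-attribute`, `describe-dhcp-options`, `describe-vpc-endpoints`, `describe-security-groups` and `describe-network-acls` JSON output; every value in `SAMPLE` (CIDRs, endpoint id, resolver address, security group id) is constructed and mirrors the asker's setup, where the security group and NACL are open but DNS hostnames are off and a DHCP option set hands out a custom resolver.

```python
"""Offline checker for the controls discussed in this thread for an S3
interface endpoint. Added example, not code from the thread or from AWS.
Input dicts mimic the AWS CLI describe-* JSON shapes; all sample values
below are constructed."""
import ipaddress

VPC_RESOLVER_NAME = "AmazonProvidedDNS"


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def nacl_decision(entries, egress, proto, port, remote_ip):
    """Return 'allow' or 'deny' the way a NACL evaluates a packet: entries
    for the requested direction are checked in ascending RuleNumber and the
    first match wins; if nothing matches, the implicit '*' rule denies."""
    for e in sorted((e for e in entries if e["Egress"] == egress),
                    key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", proto):
            continue
        if not _in_cidr(e["CidrBlock"], remote_ip):
            continue
        pr = e.get("PortRange")  # absent when Protocol is "-1" (all)
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"


def sg_allows_inbound(sg, proto, port, src_ip):
    """Security groups are stateful, so only the inbound rule on the
    endpoint's group matters for the client's HTTPS connection."""
    for p in sg["IpPermissions"]:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if p["IpProtocol"] != "-1" and not p["FromPort"] <= port <= p["ToPort"]:
            continue
        if any(_in_cidr(r["CidrIp"], src_ip) for r in p.get("IpRanges", [])):
            return True
    return False


def diagnose(vpc_cidr, vpc_attrs, dhcp_opts, endpoint, sg, nacl_entries, client_ip):
    """Collect the reasons a client at client_ip could fail to reach the
    endpoint ENI over TCP/443; an empty list means every check passed."""
    findings = []
    # 1. The endpoint ENI sits in the subnet, so clients inside the VPC need
    #    no extra route; clients in another VPC need peering/TGW plus routes.
    if not _in_cidr(vpc_cidr, client_ip):
        findings.append("client is outside the endpoint's VPC: peering or a "
                        "transit gateway plus routes to %s are required" % vpc_cidr)
    # 2. The endpoint security group must accept 443 from the client.
    if not sg_allows_inbound(sg, "tcp", 443, client_ip):
        findings.append("endpoint security group %s has no inbound tcp/443 rule "
                        "covering %s" % (sg["GroupId"], client_ip))
    # 3. NACLs are stateless: 443 inbound and an ephemeral reply outbound.
    if nacl_decision(nacl_entries, False, "6", 443, client_ip) != "allow":
        findings.append("subnet NACL denies inbound tcp/443 from %s" % client_ip)
    if nacl_decision(nacl_entries, True, "6", 40000, client_ip) != "allow":
        findings.append("subnet NACL denies outbound ephemeral replies to %s" % client_ip)
    # 4. DNS: private DNS on the endpoint needs both VPC attributes, and a
    #    custom resolver from the DHCP option set must forward the endpoint
    #    names to the VPC resolver at the CIDR base address + 2.
    if not (vpc_attrs["EnableDnsSupport"]["Value"]
            and vpc_attrs["EnableDnsHostnames"]["Value"]):
        findings.append("enableDnsSupport and enableDnsHostnames must both be "
                        "true before private DNS can be enabled on the endpoint")
    resolver = str(ipaddress.ip_network(vpc_cidr)[2])
    servers = [v["Value"] for c in dhcp_opts["DhcpConfigurations"]
               if c["Key"] == "domain-name-servers" for v in c["Values"]]
    if not any(s in (VPC_RESOLVER_NAME, resolver) for s in servers):
        names = [d["DnsName"] for d in endpoint["DnsEntries"]]
        findings.append("DHCP option set hands out %s; that resolver must forward "
                        "%s to the VPC resolver %s" % (servers, names, resolver))
    return findings


# Constructed sample (hypothetical ids and addresses) mirroring the asker's
# setup: SG and NACL open, DNS hostnames off, DHCP option set with a custom DNS.
SAMPLE = dict(
    vpc_cidr="10.20.0.0/16",
    vpc_attrs={"EnableDnsSupport": {"Value": True},
               "EnableDnsHostnames": {"Value": False}},
    dhcp_opts={"DhcpConfigurations": [
        {"Key": "domain-name-servers", "Values": [{"Value": "10.99.0.53"}]}]},
    endpoint={"VpcEndpointType": "Interface", "PrivateDnsEnabled": False,
              "DnsEntries": [{"DnsName":
                  "vpce-0123456789abcdef0-abcd1234.s3.us-east-1.vpce.amazonaws.com"}]},
    sg={"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
    nacl_entries=[
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    ],
    client_ip="10.20.1.15",
)

if __name__ == "__main__":
    for finding in diagnose(**SAMPLE):
        print("-", finding)
```

Run against `SAMPLE` it reports only the two DNS findings, which matches the thread's outcome: the security group and NACL were fine, and the failure was that the custom resolver from the DHCP option set never forwarded the endpoint FQDN to the VPC resolver. Swapping the resolver for `AmazonProvidedDNS` and enabling DNS hostnames clears the list.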
