DNS Resolution with Private Hosted Zone


I am trying to use boto3 to connect to an S3 bucket from a container that is hosted on an EC2 instance within ECS. All of this is hosted on AWS GovCloud, which only allows private hosted zones in route53. Instead I have set up GoDaddy DNS to resolve my elastic load balancer URI and to manage the Amazon Certificate for https connections to the application.

When I try to run the command `python manage.py collectstatic --no-input`, which should upload/update any new/modified files to S3 as part of the application setup, the connection times out.

According to this article

If you're using the Amazon DNS servers, you must enable both DNS hostnames and DNS resolution for your VPC. If you're using your own DNS server, ensure that requests to Amazon S3 resolve correctly to the IP addresses maintained by AWS.

How do I go about setting up a private hosted zone to manage resolution of the S3 connection since I am using my own DNS server?

jrita
asked 2 years ago, 782 views
2 Answers
Accepted Answer

The issue was within how boto3 handles different aws regions. This may be unique to usage on AWS GovCloud. Originally I did not have a region configured for S3, but according to the docs an optional environment variable named AWS_S3_REGION_NAME can be set.

AWS_S3_REGION_NAME (optional: default is None) Name of the AWS S3 region to use (eg. eu-west-1)

I reached this conclusion thanks to a stackoverflow answer I was using to try to manually connect to s3 via boto3. I noticed that they included an argument for region_name when creating the session, which alerted me to make sure I had appropriately set the region in my app.settings and environment variables.

If anyone has some background on why this needs to be set for GovCloud functionality but apparently not for commercial, I would be interested to know.

More details can be found in my related question.

jrita
answered 2 years ago
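As an added example (not code from the question or the answers), the following pre-flight check catches the misconfiguration the accepted answer describes before the container is deployed: it derives the S3 endpoint boto3 would target from the configured region and flags a missing or cross-partition region. The partition prefixes and endpoint naming pattern are assumptions based on AWS's published S3 endpoint scheme; the AWS_S3_REGION_NAME setting name comes from the answer.

```python
"""Pre-flight check for the S3 region setting discussed in the accepted answer.

Added example; the partition table and endpoint pattern are assumptions based
on AWS's published S3 endpoint naming, not code from the page.
"""

# Region-name prefix -> partition. GovCloud (us-gov-*) and China (cn-*) regions
# are separate partitions, so S3 must be addressed by a regional endpoint there.
PARTITIONS = {"us-gov-": "aws-us-gov", "cn-": "aws-cn"}


def partition_of(region):
    """Return the AWS partition a region belongs to ("aws" for commercial)."""
    for prefix, partition in PARTITIONS.items():
        if region.startswith(prefix):
            return partition
    return "aws"


def expected_s3_endpoint(region):
    """Hostname boto3 is expected to use for S3 given the configured region."""
    if region is None:
        # No region configured: boto3 falls back to the commercial global
        # endpoint, which is outside the GovCloud partition entirely.
        return "s3.amazonaws.com"
    suffix = "amazonaws.com.cn" if partition_of(region) == "aws-cn" else "amazonaws.com"
    return f"s3.{region}.{suffix}"


def check_s3_region(env, instance_region):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    configured = env.get("AWS_S3_REGION_NAME")
    instance_partition = partition_of(instance_region)
    if not configured:
        # Unset is only a problem outside the commercial partition, where the
        # global endpoint boto3 falls back to is not reachable.
        if instance_partition != "aws":
            findings.append(
                f"AWS_S3_REGION_NAME unset: boto3 would target "
                f"{expected_s3_endpoint(None)}, outside partition {instance_partition}"
            )
        return findings
    if partition_of(configured) != instance_partition:
        findings.append(
            f"AWS_S3_REGION_NAME={configured} is in partition {partition_of(configured)} "
            f"but the instance runs in {instance_region} ({instance_partition})"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample environments: the container before and after the fix.
    print(check_s3_region({}, "us-gov-west-1"))
    print(check_s3_region({"AWS_S3_REGION_NAME": "us-gov-west-1"}, "us-gov-west-1"))
```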

What I'm understanding here is that you're concerned that use of GoDaddy DNS has affected your application's access to S3. It shouldn't because all you need for your application to reach the S3 service is either outbound internet access from the VPC or an S3 VPC endpoint - it would be best to make sure this is working ok. Unless you're deploying your own DNS Servers in the VPC to handle DNS resolution within the VPC (not the internet as GoDaddy is doing) then you're using the Amazon DNS servers for resolving an S3 domain name when you access S3.

An S3 VPC endpoint can be a Gateway or Interface one. You mentioned a PHZ - if you did use an Interface endpoint by default it sets up an AWS-Managed PHZ to override the S3 domain name resolution, resolving it to the endpoint's private IP address instead, but you can choose to self-manage this instead (not normally required unless you're sharing VPC endpoints across accounts - see https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman). But usually unless you need to access S3 from on-prem you would just use a Gateway endpoint as there's no cost.

EXPERT
answered 2 years ago
Thank you for the information on how Amazon handles intra-VPC DNS resolution. I already have a VPC Gateway endpoint set up for S3 with a security group attached allowing http:80 and https:443 from another security group that is attached to my EC2-ECS cluster. Despite this I still cannot connect to S3 from the container; however, I can connect to the S3 bucket if I ssh into the EC2 instance running the containers and use the aws cli (tested by running `aws s3 ls s3://BUCKET_NAME.s3.amazonaws.com`).
