Cannot access Timestream via PrivateLink without explicitly passing endpoint_url

Hi,

I am trying to access Timestream from EC2/Lambda instances that run within a VPC so that I can speak to a RDS instance from those EC2 instances/Lambda functions. I have spent many hours trying to get access to Timestream via PrivateLink/a VPC instance endpoint to work and think I may have found an issue. When I provision a VPC endpoint for the Timestream ingest service, the Private DNS name is specific to the cell endpoint, e.g. ingest-cell2.timestream.us-east-1.amazonaws.com NOT the general endpoint URL that boto3 uses, i.e. ingest.timestream.us-east-1.com. When I run a nslookup on ingest-cell2.timestream.us-east-1.amazonaws.com it properly resolves to the private IP of the VPC endpoint ENI, but if I lookup the more general endpoint URL of ingest.timestream.us-east-1.com it continues to resolve to public AWS IPs. The result of this is that if I initialize the timestream write client normally and perform any actions, it hangs because it is trying to communicate with a public IP from a private subnet,

import boto3
ts = boto3.client('timestream-write')
ts.meta.endpoint_url # https://ingest.timestream.us-east-1.amazonaws.com
ts.describe_endpoints() # hangs
ts.describe_database(DatabaseName='dbName') # hangs

If I explicitly give it the cell specific endpoint URL, the describe_endpoints() function throws an error but seemingly normal functions work (haven't tested writes or reads yet, just describing databses)

import boto3
ts = boto3.client('timestream-write', endpoint_url='https://ingest-cell2.timestream.us-east-1.amazonaws.com')
ts.describe_endpoints() # throws UnknwonOperationException error
ts.describe_databse(DatabaseName='dbName') # Succeeds

If I provision a NAT gateway in the private subnet rather than a VPC endpoint everything works normally as expected. Furthermore for fun, I tried adding the VPC endpoint private IP to the /etc/hosts file with ingest.timestream.us-east-1.com to force proper resolution and even then I get the same hanging behavior when running the above block of code

This seems pretty broken to me. The whole point of the VPC endpoint is to enable the SDK to operate normally. Maybe I am missing something?

Topics

Networking & Content Delivery Database

Relevant content

Issues connecting to Postgres RDS instance from within a VPC
devanroberts
asked 5 years ago
Access Timestream table data from Redshift
cgddrd
asked 7 months ago
Managed Grafana accessing Timestream data source
zzTSH
asked 10 months ago
Timestream Query running from Lambda
AWS-User-SOS
asked 2 years ago
How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?
AWS OFFICIALUpdated 5 months ago
How can I connect to an Amazon RDS DB instance from an Amazon SageMaker notebook instance that's in a different VPC?
AWS OFFICIALUpdated a year ago
How can I move an Amazon RDS DB instance from a public subnet to a private subnet within the same VPC?
AWS OFFICIALUpdated 6 months ago
How can I troubleshoot connectivity to an Amazon RDS DB instance that uses a public or private subnet of a VPC?
AWS OFFICIALUpdated a year ago
Access a private Amazon Redshift from a local machine via a private EC2 instance
EXPERT
Ziad
published 6 months ago
Why can't I connect to a peered VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?
EXPERT
Karthikiran Ilango
published 10 months ago