Can not access SQS via VPC SQS endpoint

0

Hi,
I am struggling with connecting to SQS via endpoint in VPC.

I can read messages from SQS from my EC2 instance that is connected to internet. Now I would like to access SQS without round trip to internet using SQS VPC endpoint.

When I create a VPC endpoint for the SQS service, assign it to the same VPC and subnet my EC2 instance is in, I can no longer read SQS messages from that instance. I have also enabled the Private DNS name when creating the endpoint.

Request for reading a message gets timeout error:
Connect timeout on endpoint URL: "https://eu-central-1.queue.amazonaws.com/"

Any hints what might be wrong?

Edited by: rslak on Mar 7, 2019 5:02 AM

rslak
asked 4 years ago · 530 views
3 Answers
0

Hi rslak,

Looks like you are using the legacy endpoint format and it is not supported in SQS VPC endpoint. Give https://sqs.eu-central-1.amazonaws.com a try. (detailed endpoint information per region can be found here: https://docs.aws.amazon.com/general/latest/gr/rande.html#sqs_region)

It is also possible that you have restricted traffic and access in the security group assigned to your VPC endpoint. I would recommend you to follow our tutorial: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-sending-messages-from-vpc.html, set up a functional example, and then compare and contrast the differences.

Hope this helps,
Jackie

answered 4 years ago
0

Thanks for suggestions.
I have tried with provided endpoint but without luck. I still get the same error, although I have changed the endpoint name:

$ aws sqs receive-message --queue-url "https://sqs.eu-central-1.amazonaws.com/<my_queue_name>" --max-number-of-messages 1
Connect timeout on endpoint URL: "https://eu-central-1.queue.amazonaws.com/"

I am using default VPC security group with everything open.

I will try with CloudFormation example.

rslak
answered 4 years ago
0

I have identified the problem.
It was the security group. I had to set up a separate group where all traffic destination/source has the range of the internal subnet and not just everything.

rslak
answered 4 years ago
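The thread ends with two distinct causes: the legacy `<region>.queue.amazonaws.com` host (which the CLI kept resolving even after the queue URL was changed, since the endpoint is derived from the region configuration rather than from `--queue-url`; the global `--endpoint-url` option overrides it) and a security group on the endpoint ENI that did not admit HTTPS from the instance's subnet. The following is an added example, not code from the thread or from AWS: it checks a queue URL for the legacy host format, builds the endpoint security-group ingress rule restricted to an internal range (using EC2's `IpPermissions` shape), and verifies that a given instance IP is actually covered by that rule. The region, VPC CIDR, instance IP, account ID and queue name are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample values for this example (not taken from the thread).
REGION = "eu-central-1"
VPC_CIDR = "10.0.0.0/16"            # assumed VPC range the endpoint ENI lives in
INSTANCE_PRIVATE_IP = "10.0.1.25"   # assumed private IP of the EC2 instance
QUEUE_URL = "https://sqs.eu-central-1.amazonaws.com/123456789012/example-queue"  # constructed

# Legacy SQS host format, e.g. eu-central-1.queue.amazonaws.com.
_LEGACY_SQS_HOST = re.compile(r"^[a-z0-9-]+\.queue\.amazonaws\.com$")


def is_legacy_sqs_endpoint(url: str) -> bool:
    """True when the URL uses the legacy host that the SQS VPC endpoint does not serve."""
    host = (urlparse(url).hostname or "").lower()
    return bool(_LEGACY_SQS_HOST.match(host))


def regional_sqs_endpoint(region: str) -> str:
    """Regional SQS endpoint, the host that the interface endpoint's private DNS resolves."""
    return f"https://sqs.{region}.amazonaws.com"


def endpoint_sg_ingress(source_cidr: str) -> dict:
    """Ingress permission for the endpoint's security group: HTTPS from an internal range only.

    The dict follows EC2's IpPermissions structure so it can be passed to
    authorize-security-group-ingress unchanged. strict=True rejects host bits
    (e.g. 10.0.1.25/16), which would silently widen the intended range.
    """
    net = ipaddress.ip_network(source_cidr, strict=True)
    return {
        "IpProtocol": "tcp",
        "FromPort": 443,
        "ToPort": 443,
        "IpRanges": [{"CidrIp": str(net), "Description": "SQS endpoint clients"}],
    }


def rule_allows(rule: dict, source_ip: str, port: int, protocol: str = "tcp") -> bool:
    """Does this single ingress permission admit traffic from source_ip to port?"""
    proto = rule["IpProtocol"]
    if proto != "-1" and proto != protocol:
        return False
    if proto != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def diagnose(region: str, queue_url: str, endpoint_rule: dict, instance_ip: str) -> list:
    """Return the misconfigurations from the thread that apply to this setup (empty list = none found)."""
    findings = []
    if is_legacy_sqs_endpoint(queue_url):
        findings.append(
            f"queue URL uses the legacy host; use {regional_sqs_endpoint(region)} instead"
        )
    if not rule_allows(endpoint_rule, instance_ip, 443):
        findings.append(
            f"endpoint security group does not allow HTTPS (tcp/443) from {instance_ip}"
        )
    return findings


def receive_message_command(region: str, queue_url: str, max_messages: int = 1) -> str:
    """CLI invocation pinned to the regional endpoint via --endpoint-url, so the
    client cannot fall back to the legacy host for this region."""
    return (
        f'aws sqs receive-message --queue-url "{queue_url}" '
        f"--max-number-of-messages {max_messages} "
        f"--endpoint-url {regional_sqs_endpoint(region)}"
    )


if __name__ == "__main__":
    rule = endpoint_sg_ingress(VPC_CIDR)
    print("endpoint SG ingress:", rule)
    print("findings:", diagnose(REGION, QUEUE_URL, rule, INSTANCE_PRIVATE_IP))
    print(receive_message_command(REGION, QUEUE_URL))
```

`endpoint_sg_ingress` is deliberately narrow: the endpoint ENI only needs to accept TCP 443 from the clients that should reach SQS privately, so the source range is the VPC or subnet CIDR rather than `0.0.0.0/0`. Running `diagnose` with a legacy queue URL or with a rule whose CIDR excludes the instance reproduces the two findings from the thread; with the values above it returns an empty list.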
