Cannot access Timestream via PrivateLink without explicitly passing endpoint_url

Hi, I am trying to access Timestream from EC2/Lambda instances that run within a VPC so that I can speak to an RDS instance from those EC2 instances/Lambda functions. I have spent many hours trying to get access to Timestream via PrivateLink/a VPC interface endpoint to work and think I may have found an issue.

When I provision a VPC endpoint for the Timestream ingest service, the Private DNS name is specific to the cell endpoint, e.g. **, NOT the general endpoint URL that boto3 uses, i.e. **. When I run an nslookup on **, it properly resolves to the private IP of the VPC endpoint ENI, but if I look up the more general endpoint URL of **, it continues to resolve to public AWS IPs.

The result of this is that if I initialize the Timestream write client normally and perform any actions, it hangs because it is trying to communicate with a public IP from a private subnet:

```
import boto3
ts = boto3.client('timestream-write')
ts.meta.endpoint_url  # generic endpoint URL
ts.describe_endpoints()  # hangs
ts.describe_database(DatabaseName='dbName')  # hangs
```

If I explicitly give it the cell-specific endpoint URL, the describe_endpoints() function throws an error but seemingly normal functions work (haven't tested writes or reads yet, just describing databases):

```
import boto3
ts = boto3.client('timestream-write', endpoint_url='')
ts.describe_endpoints()  # throws UnknownOperationException error
ts.describe_database(DatabaseName='dbName')  # succeeds
```

If I provision a NAT gateway in the private subnet rather than a VPC endpoint, everything works normally as expected. Furthermore, for fun, I tried adding the VPC endpoint private IP to the /etc/hosts file with ** to force proper resolution, and even then I get the same hanging behavior when running the above block of code.

This seems pretty broken to me. The whole point of the VPC endpoint is to enable the SDK to operate normally. Maybe I am missing something?
asked 19 hours ago
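Added example, not part of the question above: a small Python diagnostic that performs the nslookup check from the post programmatically, resolving each endpoint hostname and reporting whether every answer lies inside the VPC CIDR (the endpoint ENI) or is a public address that a private subnet without NAT cannot reach. The hostnames and CIDR are placeholders (the real ones are elided in the post), and the resolver is injectable so the constructed sample answers let it run offline.

```python
import ipaddress
import socket

VPC_CIDR = "10.0.0.0/16"  # placeholder: CIDR of the VPC hosting the endpoint ENI

# Placeholder hostnames: the cell-specific Private DNS name of the VPC endpoint
# and the generic regional endpoint that boto3 resolves by default.
ENDPOINTS = [
    "ingest-cell.timestream.PLACEHOLDER",  # cell-specific name (private DNS)
    "ingest.timestream.PLACEHOLDER",       # generic name the SDK uses by default
]

def resolve_system(host):
    """Resolve a hostname with the OS resolver (IPv4 only, deduplicated)."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify_endpoints(hosts, vpc_cidr, resolve=resolve_system):
    """Map each host to 'private' (every answer inside the VPC), 'public'
    (no answer inside), 'mixed', or 'unresolved' (lookup failed/no answers)."""
    net = ipaddress.ip_network(vpc_cidr)
    verdicts = {}
    for host in hosts:
        try:
            addrs = resolve(host)
        except OSError:  # socket.gaierror is an OSError subclass
            addrs = []
        inside = [ipaddress.ip_address(a) in net for a in addrs]
        if not addrs:
            verdicts[host] = "unresolved"
        elif all(inside):
            verdicts[host] = "private"
        elif not any(inside):
            verdicts[host] = "public"
        else:
            verdicts[host] = "mixed"
    return verdicts

# Constructed answers reproducing the symptom in the post: only the cell-specific
# name resolves to the endpoint ENI; the generic name still returns public
# addresses (TEST-NET-3 documentation range stands in for real AWS ranges).
SAMPLE_ANSWERS = {
    "ingest-cell.timestream.PLACEHOLDER": ["10.0.1.25"],
    "ingest.timestream.PLACEHOLDER": ["203.0.113.10", "203.0.113.11"],
}

def resolve_sample(host):
    if host not in SAMPLE_ANSWERS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return SAMPLE_ANSWERS[host]
```

Run `classify_endpoints(ENDPOINTS, VPC_CIDR)` from inside the VPC to use the real resolver; a "public" verdict for the generic name is the condition under which the default client will try to leave the private subnet.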