Questions tagged with AWS PrivateLink
What's the recommended way to use PrivateLink with a PaaS backend which only provides FQDNs?
I would like to create a connection between a lot of AWS Lambda services and the AWS ElastiCache (EC) service using the PrivateLink (PL) approach. We are working in a multi-account environment and the EC consumers are isolated into a lot of accounts. According to the AWS documentation, each VPC requires at least one VPC Interface Endpoint on the service consumer side and a VPC Endpoint Service on the service provider side. Also according to the documentation, this can only be done using a private-facing ELB, whose Target Group expects IPs or instance IDs as targets and not the FQDNs that are provided by AWS EC (write and read FQDNs). The question is: what is the recommended way to create multi-account connectivity using PL within such an environment? NOTE: I've already seen several posts like https://aws.amazon.com/blogs/networking-and-content-delivery/hostname-as-target-for-network-load-balancers/ and don't like the idea of an additional moving part responsible for Target Group updates. Is that the only solution?
Using PrivateLink NLB to ALB Port Redirection
According to the [blog post](https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/), you will be able to configure a single ALB as a target in an NLB. So what will be the required design if the target ALB has a port redirection scenario like 80 to 443?
S3 Interface Endpoint
Right now there are two types of VPC Endpoint for S3: the Gateway and Interface Endpoints. Regarding the Interface endpoints, there are two kinds: global (com.amazonaws.s3-global.accesspoint) and regional (com.amazonaws.us-east-1.s3). Here are my questions:
1. What are the differences between the two?
2. In what particular scenario(s) can we use those endpoints?
3. When accessing the S3 interface endpoints via the Java SDK, there are also two kinds of endpoints, "accesspoint.vpce......vpce.amazonaws.com" and "bucket.vpce......vpce.amazonaws.com"; which should I use to access a bucket and download the object keys of that bucket?
4. What are the differences between the two, "accesspoint.vpce..." and "bucket.vpce...."?
Thanks in advance.
Do we need VPC Endpoints for SNS and SQS if data not originating from any VPC and directly landing in SNS from external source
I am working on a data push mechanism wherein I'm trying to push data to SNS externally (outside the AWS boundary). Then it's pushed to SQS from SNS, and then via a trigger it comes to a Lambda function where we process it and finally push it into a DynamoDB table. Now I have been asked to use VPC Endpoints wherever possible. I'm getting a little bit confused about whether we need any VPC Endpoint in this scenario, because neither SNS nor SQS is within any VPC, so how are SNS or SQS endpoints going to be useful here? Please suggest whether we need endpoints here for SNS, SQS, Lambda and DynamoDB. I know Lambda does use a micro EC2 instance for each of its workers; please suggest for this as well. Thanks in advance.
How to access OpenSearch from few different VPCs?
I have an OpenSearch cluster in VPC A, and I need applications deployed in VPC B and VPC C to access OpenSearch in VPC A. The problem is that VPC B and VPC C have the same IP range (even the subnets have the same range and I can't change it), so I cannot do VPC peering or use a transit gateway. A solution would be to put an Nginx proxy in VPC A and then, via VPC endpoints, allow applications in VPC B and VPC C to access Nginx, but I'd like to avoid needing to support the Nginx proxy. Any other solution?
Ingress rules for a private subnet NACL with VPC endpoints: Are AWS service CIDR ranges required?
I have an API running on ECS Fargate behind an ALB. It's accessing data in DynamoDB. ECS is in a private subnet, ALB in a public subnet. I have VPC endpoints set up for all related services. Until today, whenever I would try to apply a NACL to the private subnet, I would lose access to the API. I tried all manner of ingress/egress rules to no avail; I could only get it to work by disabling the NACL (or just opening it up to all addresses/ports). The docs are kind of cryptic about NACLs and endpoints. I finally found a line somewhere that prompted me to look for service IP ranges which led me to [this document](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications) re: public IP ranges. I added the Dynamo ranges for my region to the private subnet NACL and voila, it works. But **why** does this work? These IPs I added to the NACL are public, but this is a subnet with no route to the public internet. The way I understood it, endpoints are assigned ENIs/private IPs from your subnet, so I'm having trouble understanding why ingress using the local CIDR wouldn't be enough.
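The distinction the question above is circling is how the two endpoint types carry traffic: an interface endpoint is an ENI with a private IP in the subnet, but the DynamoDB and S3 gateway endpoints are a route-table entry pointing at the service's public prefix list, so packets to DynamoDB leave the subnet addressed to those public ranges and a stateless NACL has to allow the return half of each session from them. The script below is an added example (not part of the post): it pulls a service's prefixes out of the ip-ranges.json format, emits the NACL entries those prefixes need, and reads flow-log lines to show which rejected sources are still uncovered. The JSON and flow-log records are constructed samples, the prefixes are RFC 5737 placeholders rather than AWS's real ranges, and the VPC CIDR is hypothetical.

```python
"""Why a gateway endpoint needs public ranges in a stateless NACL.

Added example, not part of the question above. DynamoDB and S3 gateway
endpoints are a route to the service's public prefix list, not an ENI in
the subnet, so a stateless NACL has to allow return traffic from those
public ranges. The JSON below is a constructed sample in the shape of
https://ip-ranges.amazonaws.com/ip-ranges.json (prefixes are RFC 5737
placeholders, not AWS's real ranges); the flow-log lines are constructed.
"""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "DYNAMODB", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2",
         "service": "DYNAMODB", "network_border_group": "us-west-2"},
    ],
})

# Constructed VPC flow log records, default format:
# version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0abc 10.0.2.15 192.0.2.44 51234 443 6 10 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 192.0.2.44 10.0.2.15 443 51234 6 10 9800 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 10.0.0.37 10.0.2.15 443 45678 6 3 600 1700000000 1700000060 ACCEPT OK
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # hypothetical VPC range


def service_prefixes(ip_ranges_json, service, region):
    """IPv4 prefixes published for one service in one region, deduplicated."""
    data = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["service"] == service and p["region"] == region}
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def nacl_entries(prefixes, start=100, step=10):
    """Stateless NACL entries in the shape `ec2 create-network-acl-entry`
    takes: outbound HTTPS to the service and inbound return traffic on
    ephemeral ports (the half a security group would track for you)."""
    inbound, outbound = [], []
    for i, net in enumerate(prefixes):
        common = {"RuleNumber": start + i * step, "Protocol": "6",
                  "RuleAction": "allow", "CidrBlock": str(net)}
        inbound.append({**common, "Egress": False,
                        "PortRange": {"From": 1024, "To": 65535}})
        outbound.append({**common, "Egress": True,
                         "PortRange": {"From": 443, "To": 443}})
    return inbound, outbound


def rejected_external_sources(flow_log_text, vpc_cidr, allowed):
    """Source addresses of REJECTed records that are neither inside the VPC
    nor covered by `allowed`: the gap the NACL still has."""
    gaps = []
    for line in flow_log_text.splitlines():
        fields = line.split()
        if len(fields) < 14 or fields[12] != "REJECT":
            continue
        src = ipaddress.ip_address(fields[3])
        if src in vpc_cidr or any(src in net for net in allowed):
            continue
        if str(src) not in gaps:
            gaps.append(str(src))
    return gaps


if __name__ == "__main__":
    dynamo = service_prefixes(SAMPLE_IP_RANGES, "DYNAMODB", "us-east-1")
    print("rejected with VPC-local rules only:",
          rejected_external_sources(SAMPLE_FLOW_LOGS, VPC_CIDR, []))
    print("rejected with DynamoDB ranges added:",
          rejected_external_sources(SAMPLE_FLOW_LOGS, VPC_CIDR, dynamo))
    inbound, outbound = nacl_entries(dynamo)
    print(json.dumps(inbound + outbound, indent=2))
```

Run it against the real ip-ranges.json and your own flow logs by swapping the two samples; the REJECT line with a public source on port 443 is the signature of the missing return rule. Note that the published prefixes change over time (the linked document describes the SNS notifications for that), so rules generated this way need to be regenerated, which is the main reason most teams leave gateway-endpoint subnets on security groups plus a permissive NACL rather than pinning service CIDRs in the NACL.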
DNS Query from ec2 instance not hitting Palo alto firewall
We are facing an issue in our setup. We are unable to see the DNS query traffic in the Palo Alto firewall, but we can see the response to the DNS query from the DNS server to the host machine. We had a support call with Palo Alto, but we could not find anything abnormal in the firewall. Below is the traffic flow and diagram. DNS traffic: query from host > spoke VPC TGW ENI > TGW > transit VPC TGW ENI > via local route to Route 53 Resolver endpoint > default route to GWLB endpoint > firewall > GWLB endpoint > TGW > spoke VPC TGW ENI > host. I need some pointers here; please provide your inputs.
VPC Peering not working as expected
Hi, I have created a VPC peering connection between 2 VPCs within the same region. Both VPCs have 1 public subnet each. I configured the required routes for both VPCs that should go through the peering connection; however, I can't ping the EC2 instances in each VPC's public subnet. I tried another VPC setup: 2 VPCs (VPC A and VPC B) with 1 public and 1 private subnet in each VPC, and then created a peering connection and added the required routes. In this setup, I can ping successfully as below:
- Public instance (VPC A) to Private instance (VPC B)
- Private instance (VPC A) to Private instance (VPC B)
- Public instance (VPC B) to Private instance (VPC A)
- Private instance (VPC B) to Private instance (VPC A)
The following pings don't work:
- Public instance (VPC A) to Public instance (VPC B)
- Private instance (VPC A) to Public instance (VPC B)
- Public instance (VPC B) to Public instance (VPC A)
- Private instance (VPC B) to Public instance (VPC A)
Can someone have a look and confirm whether this is as expected or some additional configuration is required? I tried all possible configs and even tried to analyze it through Network Analyzer but didn't get any solution to make this work. Any suggestion or guidance would be appreciated.
How do you connect to a VPC Endpoint when you're in a different AZ?
I have an ALB in one account (A) that I want to make available to VPCs in another account (B). I created an NLB and a VPC Endpoint in (A) and advertised it to (B). The problem is that all the VPCs in (B) that I want to share it with are in "use1-az6" and account (A) doesn't have that AZ. I've heard some talk of creating a proxy in (A) to work around things like this, but I'm not sure how to do that. Is the proxy an AWS thing? Or is it just a plain EC2 instance that I install HAProxy (or something) on?
Data routing to VPC Endpoint from different AZ
I have 3 subnets in 3 different AZs. I have a VPC endpoint connected to our partner's VPC Endpoint Service. This endpoint is connected to each of the 3 subnets. To send data to the endpoint I'm using the general DNS name, which resolves to 3 internal IP addresses. In the meantime, I've spotted a big amount of paid cross-AZ traffic. From flow logs it is clear that it is traffic from my instances (or Fargate tasks) to this VPC Endpoint. My question is: **Is it possible to force using the VPC Endpoint ENI from the same AZ as the origin?** Or is the only way to use different DNS names in different AZs?
Route53 record(s) to centralize VPC interface endpoints across multiple VPCs/regions
Hi, we tried to follow both articles: [1] https://aws.amazon.com/blogs/networking-and-content-delivery/centralize-access-using-vpc-interface-endpoints/ [2] https://aws.amazon.com/blogs/architecture/using-vpc-endpoints-in-multi-region-architectures-with-route-53-resolver/ to create organization-wide centralized access to some AWS services (S3, API Gateway, SSM) using VPC interface endpoints, but it's not clear what record(s) I need to insert into the Route53 PHZs. Adding only a domain root **alias** record (named like the zone) pointing to the VPC Endpoint as described in [1] doesn't work for me; applications trying to resolve resource names like:
- m01olkffr5.execute-api.eu-central-1.amazonaws.com
- mybucket.s3.eu.-central-1.amazonaws.com
fail with "unknown host". Should I use a wildcard (*) record? Thanks in advance
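The names in the question are one label below the zone apex, and a Route 53 apex record answers only for the apex itself, which is why the API Gateway hostname comes back as unknown. The block below is an added example, not part of the post or of either linked article: it builds the apex plus wildcard alias record sets for a private hosted zone in the shape `route53 change-resource-record-sets` accepts, and includes a small lookup that shows which names an apex-only zone answers and which the wildcard adds. It is shown for the execute-api zone only; the endpoint DNS name and hosted-zone ID are placeholders, the wildcard matching covers the single-label case the question needs, and the S3 interface endpoint (whose bucket./accesspoint. names are laid out differently) is not covered.

```python
"""Route 53 PHZ records for a centralized interface endpoint, and a lookup
showing why an apex-only zone returns 'unknown host' for subdomains.

Added example, not part of the question above. The endpoint DNS name and
hosted-zone ID are placeholders. Wildcard matching here is the single-label
case (one label under the apex); that is all the names in the question need.
"""
import json

ZONE = "execute-api.eu-central-1.amazonaws.com"
# Regional DNS name of the central interface endpoint and its hosted zone
# ID, as shown in DnsEntries of describe-vpc-endpoints; both placeholders.
ENDPOINT_DNS = "vpce-0aaa0aaa0aaa0aaa0-11111111.execute-api.eu-central-1.vpce.amazonaws.com"
ENDPOINT_HZ = "Z1L7E8B0WSD2AC"


def alias_record(name, target_dns, target_hz):
    """An A alias record set pointing at an interface VPC endpoint."""
    return {"Name": name, "Type": "A",
            "AliasTarget": {"DNSName": target_dns,
                            "HostedZoneId": target_hz,
                            "EvaluateTargetHealth": False}}


def phz_records(zone, target_dns, target_hz, wildcard=True):
    """Apex alias (what [1] describes) plus, by default, the `*.zone`
    wildcard that covers API IDs and other one-label subdomains."""
    records = [alias_record(zone, target_dns, target_hz)]
    if wildcard:
        records.append(alias_record("*." + zone, target_dns, target_hz))
    return records


def change_batch(records, comment="central endpoint aliases"):
    """Body for `aws route53 change-resource-record-sets --change-batch`."""
    return {"Comment": comment,
            "Changes": [{"Action": "UPSERT", "ResourceRecordSet": r}
                        for r in records]}


def resolve(name, zone, records):
    """Alias target that answers `name`: an exact record first, otherwise
    the zone's wildcard for a name exactly one label below the apex.
    None is the 'unknown host' the question reports."""
    by_name = {r["Name"]: r for r in records}
    if name in by_name:
        return by_name[name]["AliasTarget"]["DNSName"]
    suffix = "." + zone
    if (name.endswith(suffix) and "." not in name[:-len(suffix)]
            and "*." + zone in by_name):
        return by_name["*." + zone]["AliasTarget"]["DNSName"]
    return None


if __name__ == "__main__":
    api_host = "m01olkffr5." + ZONE
    apex_only = phz_records(ZONE, ENDPOINT_DNS, ENDPOINT_HZ, wildcard=False)
    with_wildcard = phz_records(ZONE, ENDPOINT_DNS, ENDPOINT_HZ)
    print("apex only   :", resolve(api_host, ZONE, apex_only))
    print("with wildcard:", resolve(api_host, ZONE, with_wildcard))
    print(json.dumps(change_batch(with_wildcard), indent=2))
```

The zone must be associated with every consumer VPC (cross-account association needs `create-vpc-association-authorization` on the zone owner's side), and the endpoint's own private DNS option should stay off when a PHZ is used this way, otherwise the two sets of records compete in the endpoint's VPC.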