Using PrivateLink NLB to ALB Port Redirection
According to the [blog post](https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/), you will be able to configure a single ALB as a target of an NLB. So what is the required design if the target ALB has a port-redirection scenario like 80 to 443?
S3 Interface Endpoint
Right now there are two types of VPC endpoint for S3, gateway endpoints and interface endpoints. Regarding the interface endpoints, there are two kinds: global (com.amazonaws.s3-global.accesspoint) and regional (com.amazonaws.us-east-1.s3). Here are my questions:

1. What are the differences between the two?
2. In what particular scenario(s) can we use those endpoints?
3. When accessing the S3 interface endpoints via the Java SDK, there are also two kinds of endpoints, "accesspoint.vpce......vpce.amazonaws.com" and "bucket.vpce......vpce.amazonaws.com". Which should I use to access a bucket and download the object keys of that bucket?
4. What are the differences between the two, "accesspoint.vpce..." and "bucket.vpce...."?

Thanks in advance,
Do we need VPC Endpoints for SNS and SQS if data not originating from any VPC and directly landing in SNS from external source
I am working on a data push mechanism where I am trying to push data to SNS externally (from outside the AWS boundary). Then it is pushed from SNS to SQS, and then via a trigger it comes to a Lambda function where we process it and finally push it into a DynamoDB table. Now I have been asked to use VPC endpoints wherever possible. I am a little confused about whether we need any VPC endpoint in this scenario, because neither SNS nor SQS is within any VPC, so how would SNS or SQS endpoints be useful here? Please suggest whether we need endpoints here for SNS, SQS, Lambda and DynamoDB. I know Lambda uses a micro EC2 instance for each of its workers; please advise on this as well. Thanks in advance.
How to access OpenSearch from few different VPCs?
I have an OpenSearch cluster in VPC A, and I need applications deployed in VPC B and VPC C to access OpenSearch in VPC A. The problem is that VPC B and VPC C have the same IP range (even the subnets have the same range and I can't change it), so I cannot use VPC peering or a transit gateway. A solution would be to put an Nginx proxy in VPC A and then, via VPC endpoints, allow applications in VPC B and VPC C to access Nginx, but I'd like to avoid having to support the Nginx proxy. Any other solution?
Ingress rules for a private subnet NACL with VPC endpoints: Are AWS service CIDR ranges required?
I have an API running on ECS Fargate behind an ALB. It's accessing data in DynamoDB. ECS is in a private subnet, ALB in a public subnet. I have VPC endpoints set up for all related services. Until today, whenever I would try to apply a NACL to the private subnet, I would lose access to the API. I tried all manner of ingress/egress rules to no avail; I could only get it to work by disabling the NACL (or just opening it up to all addresses/ports). The docs are kind of cryptic about NACLs and endpoints. I finally found a line somewhere that prompted me to look for service IP ranges which led me to [this document](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications) re: public IP ranges. I added the Dynamo ranges for my region to the private subnet NACL and voila, it works. But **why** does this work? These IPs I added to the NACL are public, but this is a subnet with no route to the public internet. The way I understood it, endpoints are assigned ENIs/private IPs from your subnet, so I'm having trouble understanding why ingress using the local CIDR wouldn't be enough.
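Added example, not part of the question above: if the DynamoDB endpoint is a gateway endpoint (the classic kind, whose route-table target is the service's managed prefix list), traffic to it is addressed to the service's public IP prefixes even though it never leaves the AWS network. A security group can reference that prefix list, but a NACL cannot, and a NACL is stateless, so it needs the published ranges in both directions: egress to the service on 443 and ingress from the service on the ephemeral ports for the replies. The code below derives those entries from an ip-ranges.json excerpt and evaluates them the way the VPC does (lowest rule number first, first match wins, implicit deny). The prefix values embedded here are constructed for the example; the live https://ip-ranges.amazonaws.com/ip-ranges.json is the source of truth.

```python
"""Derive stateless NACL entries for a gateway endpoint from ip-ranges.json and check them."""
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json. The prefixes are illustrative only.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "DYNAMODB",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "52.119.224.0/20", "region": "us-east-1", "service": "DYNAMODB",
         "network_border_group": "us-east-1"},
        # The same prefix is also listed under the umbrella AMAZON service; filtering by
        # service name keeps the rule set minimal.
        {"ip_prefix": "52.94.0.0/22", "region": "us-east-1", "service": "AMAZON",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "52.94.4.0/24", "region": "us-west-2", "service": "DYNAMODB",
         "network_border_group": "us-west-2"},
        {"ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "S3",
         "network_border_group": "us-east-1"},
    ],
})

TCP = "6"                  # protocol number as NACL entries express it
EPHEMERAL = (1024, 65535)  # reply ports for connections the subnet initiated


def service_prefixes(ip_ranges_json, service, region):
    """IPv4 prefixes published for one service in one region, deduplicated and sorted."""
    doc = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]
            if p["service"] == service and p["region"] == region}
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def nacl_entries_for_gateway_endpoint(prefixes, first_rule=100, step=10):
    """Per prefix: one egress rule (to the service on 443) and one ingress rule (replies on
    ephemeral ports). The dict shape matches what `aws ec2 create-network-acl-entry` takes."""
    entries = []
    rule = first_rule
    for net in prefixes:
        entries.append({"RuleNumber": rule, "Egress": True, "Protocol": TCP,
                        "RuleAction": "allow", "CidrBlock": str(net),
                        "PortRange": {"From": 443, "To": 443}})
        entries.append({"RuleNumber": rule, "Egress": False, "Protocol": TCP,
                        "RuleAction": "allow", "CidrBlock": str(net),
                        "PortRange": {"From": EPHEMERAL[0], "To": EPHEMERAL[1]}})
        rule += step
    return entries


def nacl_decision(entries, egress, remote_ip, port, protocol=TCP):
    """Evaluate one packet against the NACL: ascending rule number, first match wins,
    and anything unmatched hits the implicit deny."""
    addr = ipaddress.ip_address(remote_ip)
    candidates = sorted((e for e in entries if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"])
    for e in candidates:
        if e["Protocol"] not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"]
    return "deny"


if __name__ == "__main__":
    prefixes = service_prefixes(SAMPLE_IP_RANGES, "DYNAMODB", "us-east-1")
    entries = nacl_entries_for_gateway_endpoint(prefixes)
    print(json.dumps(entries, indent=2))
    print("egress 443 to DynamoDB:", nacl_decision(entries, True, "52.94.1.7", 443))
    print("reply on port 40000:", nacl_decision(entries, False, "52.94.1.7", 40000))
```

The evaluator is what makes the rule set worth checking: a reply on an ephemeral port from a DynamoDB address is allowed, but an inbound connection on 443 from the same range is denied, because nothing on the DynamoDB side ever initiates a connection to the subnet.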
DNS Query from ec2 instance not hitting Palo alto firewall
We are facing an issue in our setup: we are unable to see the DNS query traffic in the Palo Alto firewall, but we can see the response to the DNS query from the DNS server to the host machine. We had a support call with Palo Alto, but we could not find anything abnormal in the firewall. Below is the traffic flow and diagram.

DNS traffic: Query from host > Spoke VPC TGW ENI > TGW > Transit VPC TGW ENI > via local route to Route 53 Resolver endpoint > default route to GWLB endpoint > firewall > GWLB endpoint > TGW > Spoke VPC TGW ENI > Host

I need some pointers here; please provide your input.
VPC Peering not working as expected
Hi, I have created a VPC peering connection between 2 VPCs within the same region. Both VPCs have 1 public subnet each. I configured the required routes for both VPCs that should go through the peering connection; however, I can't ping the EC2 instances in each VPC's public subnet.

I tried another VPC setup: 2 VPCs (VPC A and VPC B) with 1 public and 1 private subnet in each VPC, and then created a peering connection and added the required routes. In this setup, I can ping successfully as below:

- Public instance (VPC A) to Private instance (VPC B)
- Private instance (VPC A) to Private instance (VPC B)
- Public instance (VPC B) to Private instance (VPC A)
- Private instance (VPC B) to Private instance (VPC A)

The following pings don't work:

- Public instance (VPC A) to Public instance (VPC B)
- Private instance (VPC A) to Public instance (VPC B)
- Public instance (VPC B) to Public instance (VPC A)
- Private instance (VPC B) to Public instance (VPC A)

Can someone have a look and confirm whether this is as expected or some additional configuration is required? I tried all possible configs and even tried to analyze it with Network Analyzer but didn't find any solution to make this work. Any suggestion or guidance would be appreciated.
How do you connect to a VPC endpoint when you're in a different AZ?
I have an ALB in one account (A) that I want to make available to VPCs in another account (B). I created an NLB and a VPC endpoint service in (A) and advertised it to (B). The problem is that all the VPCs in (B) that I want to share it with are in "use1-az6", and account (A) doesn't have that AZ. I've heard some talk of creating a proxy in (A) to work around things like this, but I'm not sure how to do that. Is the proxy an AWS thing? Or is it just a plain EC2 instance that I install HAProxy (or something) on?
Data routing to VPC Endpoint from different AZ
I have 3 subnets in 3 different AZs. I have a VPC endpoint connected to our partner's VPC endpoint service, and this endpoint is connected to each of the 3 subnets. To send data to the endpoint I'm using the general DNS name, which resolves to 3 internal IP addresses. Meanwhile, I've spotted a large amount of paid cross-AZ traffic. From the flow logs it is clear that it is traffic from my instances (or Fargate tasks) to this VPC endpoint. My question is: **Is it possible to force the use of the VPC endpoint ENI in the same AZ as the origin?** Or is the only way to use different DNS names in different AZs?
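Added example, not from the question above: besides the regional DNS name, an interface endpoint gets one zonal DNS name per AZ it has a subnet in (the AZ name appears as the last label segment before the service name, for instance `...-eu-west-1a.vpce-svc-....eu-west-1.vpce.amazonaws.com`). The regional name round-robins across all ENIs, which is where the cross-AZ charges come from; resolving the zonal name for the caller's own AZ keeps the traffic local. The code picks the zonal name out of the `DnsEntries` list that `aws ec2 describe-vpc-endpoints` returns, falling back to the regional name when the endpoint has no ENI in the caller's AZ, and reads the caller's AZ from the ECS task metadata endpoint (Fargate) or IMDSv2 (EC2). The endpoint, service and hosted-zone IDs in the sample are made up.

```python
"""Choose the same-AZ zonal DNS name of an interface endpoint instead of the regional name."""
import json
import os
import re
import urllib.request

# Constructed sample of DnsEntries for an endpoint into a partner's endpoint service:
# the regional name first, then one zonal name per AZ. All IDs are invented.
SAMPLE_DNS_ENTRIES = [
    {"DnsName": "vpce-0a1b2c3d4e5f6a7b8-abcd1234.vpce-svc-0123456789abcdef0.eu-west-1.vpce.amazonaws.com",
     "HostedZoneId": "Z000000000000000AAAAA"},
    {"DnsName": "vpce-0a1b2c3d4e5f6a7b8-abcd1234-eu-west-1a.vpce-svc-0123456789abcdef0.eu-west-1.vpce.amazonaws.com",
     "HostedZoneId": "Z000000000000000AAAAA"},
    {"DnsName": "vpce-0a1b2c3d4e5f6a7b8-abcd1234-eu-west-1b.vpce-svc-0123456789abcdef0.eu-west-1.vpce.amazonaws.com",
     "HostedZoneId": "Z000000000000000AAAAA"},
    {"DnsName": "vpce-0a1b2c3d4e5f6a7b8-abcd1234-eu-west-1c.vpce-svc-0123456789abcdef0.eu-west-1.vpce.amazonaws.com",
     "HostedZoneId": "Z000000000000000AAAAA"},
]

# Zonal names carry "-<az>." right before the service part of the name; the regional name does not.
AZ_IN_NAME = re.compile(r"-(?P<az>[a-z]{2}-[a-z-]+-\d[a-z])\.")


def split_dns_entries(dns_entries):
    """Return (regional_name, {az: zonal_name}) from a DnsEntries list."""
    regional, zonal = None, {}
    for entry in dns_entries:
        m = AZ_IN_NAME.search(entry["DnsName"])
        if m:
            zonal[m.group("az")] = entry["DnsName"]
        elif regional is None:
            regional = entry["DnsName"]
    if regional is None:
        raise ValueError("no regional DNS name in DnsEntries")
    return regional, zonal


def choose_endpoint_host(dns_entries, caller_az):
    """(host, same_az): the zonal name when the endpoint has an ENI in the caller's AZ,
    otherwise the regional name, which may send traffic across AZs."""
    regional, zonal = split_dns_entries(dns_entries)
    if caller_az in zonal:
        return zonal[caller_az], True
    return regional, False


def current_az(timeout=1.0):
    """AZ of the running task or instance. Only works inside AWS: ECS task metadata v4 on
    Fargate, IMDSv2 on EC2."""
    ecs_uri = os.environ.get("ECS_CONTAINER_METADATA_URI_V4")
    if ecs_uri:
        with urllib.request.urlopen(f"{ecs_uri}/task", timeout=timeout) as resp:
            return json.load(resp)["AvailabilityZone"]
    token_req = urllib.request.Request(
        "http://169.254.169.254/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    az_req = urllib.request.Request(
        "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(az_req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    az = os.environ.get("AZ_OVERRIDE") or current_az()  # AZ_OVERRIDE lets this run off-AWS
    host, local = choose_endpoint_host(SAMPLE_DNS_ENTRIES, az)
    print(f"{az}: connect to {host} ({'same AZ' if local else 'regional, may cross AZs'})")
```

Resolve the chosen host at connection time rather than caching the IP: the zonal name only ever returns the ENI in that AZ, so if that ENI is removed the lookup fails and the code should fall back to the regional name rather than keep a stale address.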
Route53 record(s) to centralize VPC interface endpoints across multiple VPCs/regions
Hi, we tried to follow both articles:

[1] https://aws.amazon.com/blogs/networking-and-content-delivery/centralize-access-using-vpc-interface-endpoints/
[2] https://aws.amazon.com/blogs/architecture/using-vpc-endpoints-in-multi-region-architectures-with-route-53-resolver/

to create organization-wide centralized access to some AWS services (S3, API Gateway, SSM) using VPC interface endpoints, but it's not clear what record(s) I need to insert into the Route53 PHZs. Adding only a domain root **alias** record (named like the zone) pointing to the VPC endpoint as described in [1] doesn't work for me; applications trying to resolve resource names like:

- m01olkffr5.execute-api.eu-central-1.amazonaws.com
- mybucket.s3.eu-central-1.amazonaws.com

fail with "unknown host". Should I use a wildcard (*) record? Thanks in advance
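Added example, not part of the question above: an alias record at the zone apex only answers queries for the bare service name (`execute-api.eu-central-1.amazonaws.com`). The per-API and per-bucket hostnames are one label below it, so a zone that is meant to capture them needs a wildcard alias as well. The code builds the Route 53 change batch for one service zone (both records pointing at the endpoint's regional DNS name and its alias hosted-zone ID, which `aws ec2 describe-vpc-endpoints` reports under `DnsEntries`), and includes a small lookup that mimics how the zone answers, so the difference between apex-only and apex-plus-wildcard is visible without touching an account. The endpoint name and hosted-zone ID are invented values for the example.

```python
"""Route 53 PHZ records that make a centralized interface endpoint answer for a whole service domain."""
import json

# Invented values standing in for the DnsEntries of the endpoint in the shared-services VPC.
EXAMPLE_ENDPOINT = {
    "DnsName": "vpce-0a1b2c3d4e5f6a7b8-abcd1234.execute-api.eu-central-1.vpce.amazonaws.com",
    "HostedZoneId": "Z0000000000000AAAAAA",
}


def alias_record(name, endpoint):
    """UPSERT of an A alias to the endpoint. EvaluateTargetHealth is off: the endpoint ENIs are
    not health-checked by Route 53 in this setup."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": endpoint["HostedZoneId"],
                "DNSName": endpoint["DnsName"],
                "EvaluateTargetHealth": False,
            },
        },
    }


def phz_change_batch(service_domain, endpoint, wildcard=True):
    """Change batch for the PHZ named after the service domain: apex alias for the bare
    service name, wildcard alias for everything one label below it."""
    changes = [alias_record(service_domain, endpoint)]
    if wildcard:
        changes.append(alias_record("*." + service_domain, endpoint))
    return {"Comment": f"centralized interface endpoint for {service_domain}", "Changes": changes}


def zone_answers(change_batch, hostname):
    """Name of the record set that answers for hostname, or None. Models the single-label
    subdomains in the question (api-id.execute-api..., bucket.s3...): an exact record wins,
    otherwise a wildcard directly above the name matches."""
    names = {c["ResourceRecordSet"]["Name"].rstrip(".").lower() for c in change_batch["Changes"]}
    host = hostname.rstrip(".").lower()
    if host in names:
        return host
    if "." in host:
        parent = host.split(".", 1)[1]
        if "*." + parent in names:
            return "*." + parent
    return None


def change_batch_json(service_domain, endpoint):
    """Serialized form for `aws route53 change-resource-record-sets --change-batch file://...`."""
    return json.dumps(phz_change_batch(service_domain, endpoint), indent=2)


if __name__ == "__main__":
    zone = "execute-api.eu-central-1.amazonaws.com"
    print(change_batch_json(zone, EXAMPLE_ENDPOINT))
    for batch_name, batch in (("apex only", phz_change_batch(zone, EXAMPLE_ENDPOINT, wildcard=False)),
                              ("apex + wildcard", phz_change_batch(zone, EXAMPLE_ENDPOINT))):
        print(batch_name, "->", zone_answers(batch, "m01olkffr5." + zone))
```

One zone per service domain (`execute-api.<region>.amazonaws.com`, `s3.<region>.amazonaws.com`, `ssm.<region>.amazonaws.com`), each associated with every consumer VPC, is the pattern both linked articles describe; the change batch above is what goes into each of them. For S3 the same wildcard covers `bucket.s3.<region>.amazonaws.com` only for bucket names without dots.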
AWS API Gateway private integration with mutual TLS
Is mutual TLS supported with private resource integration in HTTP API Gateway? I created an HTTP integration that routes traffic to a private ALB's HTTP listener. After that I implemented mutual TLS by using this guide: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

While testing certificate authentication I created a second set of certificates and used the second set's client key and pem to authenticate successfully against the first set's keystore. This behavior should not be possible. With this configuration API Gateway demands that the client sends a certificate and key, but never verifies them against the specified truststore. I tested this setup by switching the private integration to a Lambda integration, and TLS operated like it should, verifying the certificate against the truststore.

How to reproduce:

- create an HTTP API Gateway API with a Lambda integration (used ANY /)
- create a custom domain for the API, with mutual TLS enabled and the default endpoint disabled
- create 2 sets of certificates and client keys
- TLS should check the validity of the client certificate and prevent mixing certificates between sets
- switch the Lambda integration to a private ALB integration with an HTTP listener
- test TLS again by mixing certificates
- API Gateway accepts mixed certificates
- as a side effect, in this configuration the gateway ignores the "disable default endpoint" setting and enables bypassing TLS completely.
VPC Interface Endpoints and API Gateway called from Lambdas
I have a work problem where, for security reasons, we are moving all Lambdas into a VPC and using PrivateLink for all AWS services via interface endpoints added to the VPC. I am having an issue trying to call a REST API in API Gateway with an interface endpoint (private DNS enabled) for the execute-api service. This is fine for private APIs, where our VPC is added to the API resource policy, and we can call the API with no problems. However, we need to call webhooks from one Lambda, which may or may not be in AWS. Outside of AWS works fine, but calling our unit-test webhook (a REGIONAL REST API in the same account) fails with a 403 error unless I make it PRIVATE and attach the endpoint ID for API Gateway. The security group on the Lambda allows all outgoing traffic, and I can call the webhook from the internet via Postman with no issues. I'm struggling to work out why the 403 error occurs when the API is REGIONAL, and why it needs to be PRIVATE to work. We will be calling arbitrary webhook URLs inside and outside AWS, and my understanding was that the interface endpoint was the entry point to PrivateLink, so that all API Gateway calls would avoid the public endpoints but otherwise behave the same. Does anyone know what I am missing here? I can't seem to work out where I've gone wrong from the docs... Much appreciated.