Hey, I have a webhook endpoint where our service provider send a payload which I have to respond to within 2 seconds. I've been getting way too many timeout errors from the service provider, meaning I wasn't able to respond within 2 seconds. I did some digging as to when the Fargate Server gets the payload vs when the ALB receives it. I went through some of the access logs from the ALB and found that it takes about a second or so to pass the payload from ALB to the fargate server. Here's the timestamp at which the request arrived to the ALB - 15:19:20.01 and my server recieved it at - 15:19:21.69. There's over a second of difference, I wanna know how to reduce it. One of the solution I thought of was that instead of registering my domain + the URI to the service provider to send webhook to, I set my IP + the URI so there's no need of forwarding done by ALB. Let me know what you guys think. EDIT - The solution I thought of was pretty stupid because fargate provides a new IP everytime a new task is deployed (as far as I know). Also the ALB forwards the request / payload to the ECS Target Group, just throwing this fact in as well.

Hi, We have a manual setup redis ec2 instance that is maxing out the baseline bandwidth allocated for the instance, but we do not need higher CPU/Mem for the instance, what are our options? We aren't able to use ElasticCache it does fit our budget range. ``` ubuntu@ip-10-0-0-98:~$ ethtool -S ens5 NIC statistics: tx_timeout: 0 suspend: 0 resume: 0 wd_expired: 0 interface_up: 2 interface_down: 1 admin_q_pause: 0 bw_in_allowance_exceeded: 333 bw_out_allowance_exceeded: 303473 ```

I am export a NextJS static web and host it by CloudFormation distribution. However, I always need to type cloudformation-domain.net/index.html. I want to access **without index.html ** ``` https://www.cloudformation-domain-net/ ``` When I host the NextJS with Amplify, it also use CloudFront and working without the "index.html"

For example, 1. https://d2u87yfqb01lll.cloudfront.net/test/ Returns AccessDenied error. But the URL below is done responding successfully. https://d2u87yfqb01lll.cloudfront.net/test/index.html 2. https://d12dcz4jiki7qg.cloudfront.net/%e2%80%aabitcoin-straight-up-gave-me-the-middle-finger-today%e2%80%ac-reddit-bitcoin/ Returns NoSuchKey error. But the URL below is done responding successfully. https://d12dcz4jiki7qg.cloudfront.net/%e2%80%aabitcoin-straight-up-gave-me-the-middle-finger-today%e2%80%ac-reddit-bitcoin/index.html Both are setup correctly. I enbaled S3 hosting for the contents(index.html as the default page is setup). Made the bucket and all the objects under the bucket public access. ACL are both enabled. Cloudfront has default root object. Please let me know which steps I might have missed. Many thanks.

Hi, I have an issue with an Origin Request Lambda@Edge lambda. After it returns the modified request object the request throws an error and returns a 400. (I checked the requests never reached the Origin) and also the x-cache header of the response is "Error from CloudFront". Now I have a suspicion that the reason for that behavior is that the uri field is the following - "uri": "/cohesionapi/entity-preview/[media-reference:media:e44cf764-a581-4e26-903d-fc0ef5369738]" - do you think that the [ would break CloudFront, or is it a valid response/request to make? Thanks Sandor

We are attempt to update our IaC code base to CDK v2. Prior to that we're deploy entire stacks of our system in another test environment. One part of a stack creates a TLS certificate for use with our load balancer. ``` var hostedZone = HostedZone.FromLookup(this, $"{config.ProductName}-dns-zone", new HostedZoneProviderProps { DomainName = config.RootDomainName }); DnsValidatedCertificate certificate = new DnsValidatedCertificate(this, $"{config.ProductName}-webELBCertificate-{config.Environment}", new DnsValidatedCertificateProps { HostedZone = hostedZone, DomainName = config.AppDomainName, // Used to implement ValidationMethod = ValidationMethod.DNS Validation = CertificateValidation.FromDns(hostedZone) }); ``` For some reason, the synthesised template defines the hosted zone ID for that AWS::CloudFormation::CustomResource has *something else other than the actual zone ID* in that account. That causes the certificate request validation process to fail - thus the whole cdk deploy - since it cannot find the real zone to place the validation records in. If looking at the individual pending certificate requests in Certificate Manager page, they can be approved by manually pressing the [[Create records in Route 53]] button, which finds the correct zone to do so. Not sure where exactly CDK is finding this mysterious zone ID that does not belong to us? ``` "AppwebELBCertificatetestCertificateRequestorResource68D095F7": { "Type": "AWS::CloudFormation::CustomResource", "Properties": { "ServiceToken": { "Fn::GetAtt": [ "AppwebELBCertificatetestCertificateRequestorFunctionCFE32764", "Arn" ] }, "DomainName": "root.domain", "HostedZoneId": "NON-EXISTENT ZONE ID" }, "UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "App-webELBStack-test/App-webELBCertificate-test/CertificateRequestorResource/Default" } } ```

I'm sending with ajax, a payload of data and then i have a lambda setup to take that data and parse it into attributes to store into my dynamoDB. this is my github showing my index.js(lambda function) and my jque.js(file that is sending the data to the lambda via api gateway). https://github.com/dbaldw10/DynamoDWLambdaAWS is there a way to achieve this?

We have several API Gateway WebSocket APIs, all regional. As their usage has gone up, the most used one has started getting LimitExceededException when we send data from Lambda, through the socket, to the connected browsers. We are using the javascript sdk's [postToConnection](https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/ApiGatewayManagementApi.html#postToConnection-property) function. The usual behavior is we will not get this error at all, then we will get several hundred spread out over 2-4 minutes. The only documentation we've been able to find that may be related to this limit is the [account level quota](https://docs.aws.amazon.com/apigateway/latest/developerguide/limits.html#apigateway-account-level-limits-table) of 10,000 per second (and we're not sure if that's the actual limit we should be looking at). If that is the limit, the problem then is that we are nowhere near it. For a single deployed API we're hitting a maximum of 3000 messages sent through the socket **per minute** with an overall account total of about 5000 per minute. So nowhere near the 10,000 per second. The only thing we think may be causing it is we have a "large" number messages going through the socket relative to the number of connected clients. For the api that's maxing at about 3000 messages per minute, we usually have 2-8 connected clients. Our only guess is there may be a lower limit to number of messages per second we can send to a specific socket connection, however we cannot find any docs on this. Thanks for any help anyone can provide

Other DNS providers allow this option to happen. Why does Route 53 refuse to let me do this? Are my DNS rights being oppressed? As an example, other DNS providers let me do the following; CNAME: test.example.com -> www.anotherexample.com TXT: test.example.com -> "dnjsakdnjasnkdsanj"

Hi, I am trying to setup an airflow application in ECS using EC2 launch type using teraform. Now I get error for webserver (saying task failed loadbalancer health check).I have tried various solutions but still it isint working. With the same code using Fargate launch type I am not receiving this error. Can you please help solve the issue

I know we can use AWS console to add PTR if I have an A records in AWS Route 53 hosted zone. But my situation is: my domain name is managed by another DNS service provider rather than AWS, so I cannot create the A record for my domain in AWS Route 53. Got the error saying "update reverse DNS failed". Any thought?

Is their a simple way to search across all hosted zones looking for records either by name or IP address. We have more than 1200 zones in Route 53. I would like to be able to search for all a records that have a specific ip IE i want to see all records that match 200.200.200.12 or iwant to search for any resource records across all zones that have txt record called verify-service. currently the only way i see to do that would be to write a script that first gets a list of all zones then search each zone individually and concatonate those in to a single response. I dont see any way to make that work quickly if it have to make a separate API call for each zone. With the api limit of 5 requests per second it would take a least 4 minutes per search and we plan on adding at least another 600 zones in the next 12 months..

Hello. One of my environments is using a Classic Load Balancer. Sometimes, the queries I run in our database take more than just one minute, so I needed to increase the idle timeout of the Load Balancer (which is one minute by default). We followed the instructions and changed it to 3600 (s). However, I'm still getting the "connection closed" message after just one minute, so the new value of the idle timeout seems to have no consequence. Is there anything else I should be doing?

Hi community, When launching AWS Client VPN on Ubuntu 22.04, it briefly opens but suddenly crashes. Do you guys plan to support the client in Ubuntu 22.04? Thanks in advance.

I am trying to use boto3 to connect to an S3 bucket from a container that is hosted on an EC2 instance within ECS. All of this is hosted on AWS GovCloud, which only allows private hosted zones in route53. Instead I have set up GoDaddy DNS to resolve my elastic load balancer URI and to manage the Amazon Certificate for https connections to the application. When I try to run the command `python manage.py collectstatic --no-input` which should upload/update any new/modified files to S3 as part of the application set up the connection times out. According to [this article](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#vpc-endpoints-policies-s3) > If you're using the Amazon DNS servers, you must enable both DNS hostnames and DNS resolution for your VPC. If you're using your own DNS server, ensure that requests to Amazon S3 resolve correctly to the IP addresses maintained by AWS. How do I go about setting up a private hosted zone to manage resolution of the S3 connection since I am using by own DNS server?

I bought a domain through AWS Route53 but did not receive the verification email. Is there a way I can resend the verification email? Thanks

I have a container running in an EC2 instance on ECS. The container is hosting a django based application that utilizes S3 and RDS for its file storage and db needs respectively. I have appropriately configured my VPC, Subnets, VPC endpoints, Internet Gateway, roles, security groups, and other parameters such that I am able to host the site, connect to the RDS instance, and I can even access the site. The issue is with the connection to S3. When I try to run the command `python manage.py collectstatic --no-input` which should upload/update any new/modified files to S3 as part of the application set up the program hangs and will not continue. No files are transferred to the already set up S3 bucket. **Details of the set up:** All of the below is hosted on AWS Gov Cloud **VPC and Subnets** * 1 VPC located in Gov Cloud East with 2 availability zones (AZ) and one private and public subnet in each AZ (4 total subnets) * The 3 default routing tables (1 for each private subnet, and 1 for the two public subnets together) * DNS hostnames and DNS resolution are both enabled **VPC Endpoints** All endpoints have the "vpce-sg" security group attached and are associated to the above vpc * s3 gateway endpoint (set up to use the two private subnet routing tables) * ecr-api interface endpoint * ecr-dkr interface endpoint * ecs-agetn interface endpoint * ecs interface endpoint * ecs-telemetry interface endpoint * logs interface endpoint * rds interface endpoint **Security Groups** * Elastic Load Balancer Security Group (elb-sg) * Used for the elastic load balancer * Only allows inbound traffic from my local IP * No outbound restrictions * ECS Security Group (ecs-sg) * Used for the EC2 instance in ECS * Allows all traffic from the elb-sg * Allows http:80, https:443 from vpce-sg for s3 * Allows postgresql:5432 from vpce-sg for rds * No outbound restrictions * VPC Endpoints Security Group (vpce-sg) * Used for all vpc endpoints * Allows http:80, https:443 from ecs-sg for s3 * Allows postgresql:5432 from ecs-sg for rds * No outbound restrictions **Elastic Load Balancer** * Set up to use an Amazon Certificate https connection with a domain managed by GoDaddy since Gov Cloud route53 does not allow public hosted zones * Listener on http permanently redirects to https **Roles** * ecsInstanceRole (Used for the EC2 instance on ECS) * Attached policies: AmazonS3FullAccess, AmazonEC2ContainerServiceforEC2Role, AmazonRDSFullAccess * Trust relationships: ec2.amazonaws.com * ecsTaskExecutionRole (Used for executionRole in task definition) * Attached policies: AmazonECSTaskExecutionRolePolicy * Trust relationships: ec2.amazonaws.com, ecs-tasks.amazonaws.com * ecsRunTaskRole (Used for taskRole in task definition) * Attached policies: AmazonS3FullAccess, CloudWatchLogsFullAccess, AmazonRDSFullAccess * Trust relationships: ec2.amazonaws.com, ecs-tasks.amazonaws.com **S3 Bucket** * Standard bucket set up in the same Gov Cloud region as everything else **Trouble Shooting** If I bypass the connection to s3 the application successfully launches and I can connect to the website, but since static files are supposed to be hosted on s3 there is less formatting and images are missing. Using a bastion instance I was able to ssh into the EC2 instance running the container and successfully test my connection to s3 from there using `aws s3 ls s3://BUCKET_NAME` If I connect to a shell within the application container itself and I try to connect to the bucket using... ``` s3 = boto3.resource('s3') bucket = s3.Bucket(BUCKET_NAME) s3.meta.client.head_bucket(Bucket=bucket.name) ``` I receive a timeout error... ``` File "/.venv/lib/python3.9/site-packages/urllib3/connection.py", line 179, in _new_conn raise ConnectTimeoutError( urllib3.exceptions.ConnectTimeoutError: (<botocore.awsrequest.AWSHTTPSConnection object at 0x7f3da4467190>, 'Connection to BUCKET_NAME.s3.amazonaws.com timed out. (connect timeout=60)') ... File "/.venv/lib/python3.9/site-packages/botocore/httpsession.py", line 418, in send raise ConnectTimeoutError(endpoint_url=request.url, error=e) botocore.exceptions.ConnectTimeoutError: Connect timeout on endpoint URL: "https://BUCKET_NAME.s3.amazonaws.com/" ``` Based on [this article ](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#vpc-endpoints-policies-s3) I think this may have something to do with the fact that I am using the GoDaddy DNS servers which may be preventing proper URL resolution for S3. > If you're using the Amazon DNS servers, you must enable both DNS hostnames and DNS resolution for your VPC. If you're using your own DNS server, ensure that requests to Amazon S3 resolve correctly to the IP addresses maintained by AWS. I am unsure of how to ensure that requests to Amazon S3 resolve correctly to the IP address maintained by AWS. Perhaps I need to set up another private DNS on route53? I have tried a very similar set up for this application in AWS non-Gov Cloud using route53 public DNS instead of GoDaddy and there is no issue connecting to S3. Please let me know if there is any other information I can provide to help.

we are trying to restrict a cloudfront CDN to Spain, but on of our internet lines, located in Spain is getting a forbiden response. I have checked the info in http://whois.arin.net/rest/net/NET-*-*-*-*-1 and it is updated and correct. Where is the IP location database Amazon use for the Geolicalization ? And how to force the update of that database ? Regards

Hi, So I hosted a wordpress site on amazon lightsail, and I have attached a domain to it, now half of my site uses my domain while the other half still loads on my static ip. I have no idea why this is happening because I also have other wordpress sites and they don't have this issue. Please help me out

I have 2 cloudfront dists with alternate domain names as `a.example.com` and `b.example.com` and theyre setup in route53 so when i access either one, it gets to the correct cf dist. Now I want to create a new subdomain `c.example.com` in route53 which will use weighted routing (125-125) so the traffic is evenly split and I want to route traffic to `a.example.com` and `b.example.com`. I've setup routing, but im getting the following error when i access `c.example.com` ``` Secure Connection Failed An error occurred during a connection to c.example.com. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Learn more… ``` My cert is managed by ACM, and it has both `*.example.com` and `example.com` domains listed. My goal is to be able to create a new subdomain which can route traffic to existing cf dists. Any ideas if this is possible?

My services need the PTR record, I don't know where to add, should I ask AWS support to add the PTR DNS record for my allocated EIP? or I have to use Route 53 service etc. to do this? From the expert's answer I know we can use AWS console to add PTR if I have an A records in Route 53 hosted zone, but my situation is: my domain name is managed by another DNS service provider, rather than AWS, so I cannot create the A record in AWS Route 53. Any thought?

Is there someone who knows Spanish? I am very disappointed with the decision to switch to aws, the support is terrible, many things are very complicated, there is no CPanel where to solve the problems.

I have domains I would like to transfer into AWS, but I can't because my TLD is not currently supported.

I have an endpoint in API Gateway that I POST to, and most of the time it is successful. However, sometimes I'll receive status 524 in response with no message. Does anyone have any insight about this? I haven't been able to find any documentation related. Thanks!

I need to do this to charge my clients for data usage, so for each request I would need to get the request header with the output data transfer response and save it to s3

I am attempting to deploy two cloudfront distributions in cn-northwest-1 and I cannot seem to get ACM certificates attached to them, terraform keeps returning the following error ``` error creating CloudFront Distribution: InvalidViewerCertificate: The specified SSL certificate source isn't available in this region. │ status code: 400 ``` The ACM certificates are being generated in us-east-1 and the validation is completing successfully, but it seems that the cloudfront distribution which is created in china cannot access the certificates in the account with access to us-east-1 and RAM does not work for ACM Certificates as far as I could find. Has anyone run into the similar issue, is the only solution here using SSL/TLS certificates and manually importing them?

I have a VPC with private subnet (NAT) that has a routing table wich redirects traffic of a given IP range(Data center) to a vgw(virtual private gateway), then I have this site-to-site vpn configured with this vgw and a customer gateway, on its static routes I also had the IP range for the Data center. But can't seem to get my ec2 running ubuntu to traceroute to the corresponding VPN's Inside Ipv4 CIDR when trying to reach Data center's range. What could be wrong? VPN tunnels are up so even if I couldn't reach the Data Center, it should at least hop on the VPN IP address. Thanks in advance for any ideas!

Dear Team, I have the following setup requirements between VMware on AWS SDDC and on-Premise DC. 1. Need an encrypted VPN Solution between SDDC and On-Premise DC. 2. Need an Encrypted VPN Solution between SideCar VPC and On-Premise DC. 3. We have direct connect setup between DC and AWS. 4. Protected firewall sitting behind the edge device in on-Premise DC , encrypted VPN setup on DX need two set of public. Firewall sitting behind edge devise VPN connectivity but that firewall could not configured with public ip. The last hop where the public ip could be configured is the edge devise on the customer site. As per my understanding, I can use the public VIF on direct connect to setup the encrypted VPN connection between the client edge devise and AWS router. But the problem statement in this case is 1. How to setup the encrypted VPN solution for both SDDC and sidecar VPC? Can we route the traffic from SDDC to VTGW to TGW(of the sidecar account) and then leverage public VIF to setup encrypted VPN from TGW to customer edge devise? 2. Do we need the DX gateway to setup the encrypted VPN connectivity? 3. Encrypted VPN on DX would need to set of public IPS. What if the customer firewall is not having the option to configure the public IP for encrypted VPN ? 4. Can I use the DX setup in one OU to create the public VIF for another account in separate OU. This is required because I am looking to create the encrypted VPN connection from two OUs to the DC. Please advise with your comments or if there is any reference architecture available with VMC/AWS. Many Thanks Rio

I need to save this information as downloaded and uploaded headers and data and save to dynamodb or s3

I am working on a requirement, where we need to do some action (Email Processing (out of scope of this requirement)), whenever we receive an email in Client's Gmail or Outlook account. Since we don't own these domains, so setting up Email Receiving Pipelines via SES (https://aws.amazon.com/getting-started/hands-on/setup-email-receiving-pipeline/faq/) is out of question here. The solution that we thought of for this problem statement is Setting up a Gmail push notifications to hit AWS Api Gateway, which internally would call AWS Lambda for inserting data in SQS. Changes involved are :- AWS: 1. Create an SQS Queue. 2. Create an AWS Lambda inserting data in SQS. 3. Create an API Gateway invoking AWS Lambda. Google Cloud: 1. Create a Pub / Sub topic. 2. Create a subscription for Api Gateway url. 3. Create a watch on Gmail. The watcher would invoke topic on any change in Gmail. Can someone please validate above approach?

Hi, After I upgraded the lambda runtime to nodejs16 and run AWS codepipeline which failed with the following error: Resource handler returned message: "Invalid request provided: The function timeout is larger than the maximum allowed for functions that are triggered by a CloudFront event: 60 Max allowed: 30 Function: arn:aws:lambda:us-east-1:xxxxxxxxxxxx:function:doc-check:55 (Service: CloudFront, Status Code: 400, Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)" (RequestToken: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx, HandlerErrorCode: InvalidRequest) Can anyone help me fix it please? Many thanks Del

### Purpose & Context I am trying to enable https for my lightsail instance, to do it I am following this "how to" document: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-enabling-https-on-wordpress ### Problem When bncert-tool ask me about the domain, I enter it and it shows me: Warning: The domain 'mydomain.com' does not resolve, please fix its DNS entries or remove it. when I enter my domain in the navigator it works: it jumps into my wordpress instance. ### Question What am I missing? What should I do to fix it? many thanks in advance

I'm hosting a static website via S3 buckets and CloudFront. I've set it up so that the data is stored in the www bucket and the other, non-www, bucket routes to it. Typing in the ULR with the www works perfectly. The issue I'm running into is that when I type in the URL without the www, it routes to another site with a different, but similar URL. It's been like this for about a week and nothing I do seems to change it. I've redone the hosting zones and checked multiple times and none of it seems to work. I've done something like this before with other sites I've set up so I know what I'm doing works. I'm last as to how to go about fixing this so any help would be very much appreciated.

We would like to transfer our .com.tr domain to AWS Route 53 since we have many other domains at Route 53. Can you add support for .com.tr domains in Route 53?

Hello, ### these are the steps I have completed: 1. I have configured a multi-wordpress. 2. For one of the instances I have configured an static-ip (for instance: 52.51.50.49) 3. I have acquired a domain. 4. In Route 53 I have added an A redirection to the static-ip 5. In LightSail, under Networking, I have created a DNS Zone with the domain name. I have let some time till all has been distributed and I have tested. ### Test and result When I enter the domain name in the navigator, for instance: domainname.com the result is that it redirects it to: http://52.51.50.49.nip.io/wp-signup.php?new=domainname.com ### the question is: what I have not completed in the right way ?? many thanks in advance, joapen

A site that was thought to be on another provider is being hosted by Amazon at ip address 15.197.142.173. How can I find out which account owns that ip address? I've looked through our AWS accounts and it's not in any of them.

Creating a Gateaway API via AWS Cloudformation I have a problem with JWTConfiguration when creating the authorizer. ``` Authorizer: Type: 'AWS::ApiGatewayV2::Authorizer' Properties: Name: VSTORES_Api_CognitoAuthorizer ApiId: zzzzzzzzzzzz AuthorizerType: JWT IdentitySource: - '$request.header.Authorization' AuthorizerResultTtlInSeconds: 3600 JWTConfiguration: Audience: - xxxxxxxxxxxxxxxxxxxxx Issuer: https://cognito-idp.us-east-1.amazonaws.com/us-east-xxxxxxx ``` I get the following error: > Property validation failure: [Encountered unsupported properties in {/}: [JWTConfiguration]] what am I doing wrong? PD: Obviously xxxxx and zzzz are valid values. :)

i am having a 2 GB RAM, 1 vCPU, 60 GB SSD Windows 2019 server instance with static ip,iis installed, the default port 80 is opening good, now i am having another website with port 8080, how to access the site using my lightsail instance, in the networking panel of lightsail dashboard i have allowed custom tcp port 8080 and inside the windows provided firewall access to the particular port. i am able to access a site that is hosted in port 80 externally, but a connection time out is coming for the application hosted via port 8080 . Any idea. Thanks and regards

Can I configure two TGW from Same Region (from different Accounts) with a single Direct Connect Gateway?

I'm using AWS Amplify to host a next SSR application. My environment is configured to use node 16.13.0. This is working at build time. At the moment of the deploying, the lambda@edge generated for the cloudfront remains with node 14 version. Is there any way to config node version for the lambda@edge generated in deploy step? Thanks!

I got this page after deploying a version which was previously running successfully. There's only one instance in my application and I'm getting a "degraded" integrity. As for the causes, it is stated that "Application deployment failed [...] with exit status 1 and error: Engine excution has encountered an error. Incorrect application version 'app-....' (deployment 67). Expected version 'app-...' (deployment 66)." It's my first time AWS and I'm a overall newbie... What am I missing, since the website was running smoothly before this last attemped deployment? I appreciate any help.... Ovidio (from Brazil)

How to make ALB seamlessly and instantly re-forward HTTP request to a healthy target? I am trying to configure ALB to seamlessly forward HTTP requests to another healthy target when the original target is unavailable, but not yet marked unhealthy. But I get Gateway error 502 until 2 unsuccessful healthchecks happen and the target is marked unhealthy. I have 1 ALB, 1 target group, 2 targets that pointed to 2 IPs in separate VM instances. Session stickyness is on. App cookie JSESSIONID. Tomcat is configured for Clustering. Scenario: 1. start Tomcat at node A 2. browse app http: //My-ALB-link/examples/jsp/jsp2/simpletag/hello.jsp. Node A responds. 3. start Tomcat at node B. wait until ALB marks target healthy 4. stop Tomcat at node A and quickly refresh browser - get error 502 Bad Gateway 5. wait a minute, refresh browser. Node B responds. How to configure ALB to instantly re-forward HTTP request to another node if the first node happen to be unavailable? User's wont wait while ALB makes 2 healthchecks and marks a node unhealthy. thanks, Mark

I'd like to be able to register domains under the TLDs of .ai, .ag, and .bio, could you please add support for these additional TLDs

In API Gateway, is it possible to manage usage of different resources per API Key? Like a given API Key lets you use /resource1 but not /resource2?

Hi, I have a architectual doubt, Its possible place a firewall virtual appliance in front of a regional API gateway to inspect or control the traffic from the internet agains an particular API? Thanks in advance for any hint about.

Hi all, Last 2 weeks i am facing Remote desktop connection problem. I am new in AWS. A few day back, I had received an account suspension mail because of payment due. I made all the payment done. Now i am getting this error on login with RDP. "RDP credential were use to connect did not work, please enter new credential " During this I followed some steps to solve the error: 1.) My Security Group setting:- Inbound rules are:- Http, Https, SSH, RDP, all TCP, All Traffic, Custom TCP for IPV4 and IPV6. Outbound Rules are: All Traffic, HTTP, Custom TCP, HTTPS, SSH for IPV4 and IPV6. 2.) IAM Manager :- Create Role for AmazonEc2RoleforSSM Policy This My Inline Policy ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:PutParameter" ], "Resource": [ "arn:aws:ssm:us-east-2:939764493069:parameter/EC2Rescue/Passwords/i-063933c590287f4d2" ] } ] } ``` 3.) By using System Manager Run command, Changed the current password of windows as well but it's not working. 4.) Also Tried to ping the Public IPv4 address from the local machine but it's working. firewall also take off. 5.) Also tried changing internet service provider. I don't know what am I doing wrong. Is my account is isolated ? Is my setting is wrong? Could you please provide solution.

Hi, I'd like a Lambda function to be notified when a new client connects to our AWS Client VPN endpoint so that it can take some action to update our private hosted zone in Route53. Is there any way to send a notification from our AWS Client VPN endpoint to Lambda either via SNS or Eventbridge? Many thanks in advance.

I have implemented WAF on CDN . When I download docx, excel file via CDN through android app , file is downloaded successfully and url looks like https://data.mydomain.com/doc_file But when I try to download pdf and audio wav file via CDN though android app request, the file doesn't open and prompt message "Cannot be displayed " and url looks like http://data.mydomain.com/pdf_file. Http comes instead of https. But when I disable WAF file is downloaded from this link http://data.mydomain.com/pdf_file. How to redirect Http to https for pdf download when accessed through CDN and WAF enabled? I have enabled Redirect HTTP to HTTPS in CDN behavior.

# Update I added a VPC gateway endpoint for S3 in the same region (US East 1). I selected the route table for it that the lambda uses. But still, the bug persists. Below I've included details regarding my network configuration. The lambda is located in the "api" subnet. ## Network Configuration 1 VPC 4 subnets: * public &nbsp;&nbsp;&nbsp;&nbsp;IPv4 CIDR: 10.0.0.0/24 &nbsp;&nbsp;&nbsp;&nbsp;route table: public &nbsp;&nbsp;&nbsp;&nbsp;Network ACL: public * private &nbsp;&nbsp;&nbsp;&nbsp;IPv4 CIDR: 10.0.1.0/24 &nbsp;&nbsp;&nbsp;&nbsp;route table: private &nbsp;&nbsp;&nbsp;&nbsp;Network ACL: private * api &nbsp;&nbsp;&nbsp;&nbsp;IPv4 CIDR: 10.0.4.0/24 &nbsp;&nbsp;&nbsp;&nbsp;route table: api &nbsp;&nbsp;&nbsp;&nbsp;Network ACL: api * private2-required &nbsp;&nbsp;&nbsp;&nbsp;IPv4 CIDR: 10.0.2.0/24 &nbsp;&nbsp;&nbsp;&nbsp;route table: public &nbsp;&nbsp;&nbsp;&nbsp;Network ACL: - 3 route tables: * public &nbsp;&nbsp;&nbsp;&nbsp;Destination: 10.0.0.0/16 &nbsp;&nbsp;&nbsp;&nbsp;Target: local &nbsp;&nbsp;&nbsp;&nbsp;Destination: 0.0.0.0/0 &nbsp;&nbsp;&nbsp;&nbsp;Target: igw-xxxxxxx &nbsp;&nbsp;&nbsp;&nbsp;Destination: ::/0 &nbsp;&nbsp;&nbsp;&nbsp;Target: igw-xxxxxxxx * private &nbsp;&nbsp;&nbsp;&nbsp;Destination: 10.0.0.0/16 &nbsp;&nbsp;&nbsp;&nbsp;Target: local * api &nbsp;&nbsp;&nbsp;&nbsp;Destination: 10.0.0.0/16 &nbsp;&nbsp;&nbsp;&nbsp;Target: local &nbsp;&nbsp;&nbsp;&nbsp;Destination: 0.0.0.0/0 &nbsp;&nbsp;&nbsp;&nbsp;Target: nat-xxxxxxxx &nbsp;&nbsp;&nbsp;&nbsp;Destination: pl-xxxxxxxx &nbsp;&nbsp;&nbsp;&nbsp;Target: vpce-xxxxxxxx &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(VPC S3 endpoint) 4 network ACLs * public &nbsp;&nbsp;&nbsp;&nbsp;inbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;All traffic (allow) &nbsp;&nbsp;&nbsp;&nbsp;outbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;All traffic (allow) * private &nbsp;&nbsp;&nbsp;&nbsp;inbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;100: PostgreSQL TCP 5432 10.0.0.48/32 (allow) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;101: PostgreSQL TCP 5432 10.0.4.0/24 (allow) &nbsp;&nbsp;&nbsp;&nbsp;outbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;100: Custom TCP TCP 32768-65535 10.0.0.48/32 (allow) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;101: Custom TCP TCP 1024-65535 10.0.4.0/24 (allow) * api &nbsp;&nbsp;&nbsp;&nbsp;inbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;All traffic (allow) &nbsp;&nbsp;&nbsp;&nbsp;outbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;All traffic (allow) * \- &nbsp;&nbsp;&nbsp;&nbsp;inbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;All traffic (allow) &nbsp;&nbsp;&nbsp;&nbsp;outbound rules: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;All traffic (allow) # Update # I increased the timeout of the lambda to 5 minutes, and the timeout of the PUT request to the S3 bucket to 5 minutes as well. Before this the request itself would timeout, but now I'm actually getting a response back from S3. It is a 400 Bad Request response. The error code is `RequestTimeout`. And the message in the payload of the response is "Your socket connection to the server was not read from or written to within the timeout period." This exact same code works 100% of the time for a small payload (on the order of 1KB), but apparently for payloads on the order of 1MB it starts breaking. There is no logic in _my code_ that does anything differently based on the size of the payload. I've read similar issues that suggest the issue is with the wrong number of bytes being provided in the "content-length" header, but I've never provided a value for that header. Furthermore, the lambda works flawlessly when executed in my local environment. The problem definitely appears to be a networking one. At first glance it might seem like this is just an issue with the lambda being able to interact with services outside of the VPC, but that's not the case because the lambda _does_ work exactly as expected for smaller file sizes (<1KB). So it's not that it flat out can't communicate with S3. Scratching my head here... # Original # I use S3 to host images for an application. In my local testing environment the images upload at an acceptable speed. However, when I run the same exact code from an AWS Lambda (in my VPC), the speeds are untenably slow. I've concluded this because I've tested with smaller images (< 1KB) and they work 100% of the time without making any changes to the code. Then I use 1MB sized payloads and they fail 98% percent of the time. I know the request to S3 is the issue because of logs made from within the Lambda that indicate the execution reaches the upload request, but — almost — never successfully passes it (times out).

Hi, Would it be possible to add the domain .pt to TLD? Many thanks! Joao

I would like to deploy a multi tenant web application say `webapp.com` and I would like each customer to have their own subdomain like `app.customer1.webapp.com`, `api.customer1.webapp.com`, `app.customer2.webapp.com`, `api.customer2.webapp.com`, etc. This was each customer has their own API and Web App URL. I would like all web app urls to go to the same instance of the application but load a different configuration for each customer - each customer has their own cognito userpool. Similarly for API but I would need to authenticate based on Bearer Token and Domain used. For the backend I think I will have a dynamodb table to hold the details of each customer. The web app is NextJS app so I think I will use a fargate cluster for both the web app and api (I want to avoid API Gateway and lambda). I will also use CDK for all infrastructure so I might also use it to bootstrap each customer using a stack that consists of Route53 configs and other resources like userpool that is unique to each customer. What is the easiest way to achieve this (preferably with CDK) ?

Two questions. First, if you create a network on Amazon Managed Blockchain, then do you necessarily need to use AWS cloud storage? Or would it be possible to divide up the cloud storage among different providers? Second, Do all other members of an AMB network also need to use AWS cloud storage? If organization B wanted to join the network and insisted on using some other cloud storage provider, would it be possible for them to join the network? Or would the network operator need to launch a peer node on their behalf, using another AWS account?

Dear Forum Members, We would like to set up our own domain as the custom 'Mail From' domain within Amazon SES for several regions, i.e. London, Ireland, ... We use Cloudflare as the DNS for our domain and added the following records to Cloudflare: MX www eedback-smtp.eu-west-2.amazonses.com 10 TXT www "v=spf1 include:amazonses.com ~all" Initially, our domain was 'verified' for custom domain sending for the Ireland region and then we received an error message from AWS. For London it continues to show pending. We would very much welcome your feedback and advice. Many thanks for your help. Pairfum London

Hi!, I post this question regarding an issue that happens to us at random times. Maybe someone experienced similar situation or can give us a clue. We have three windows ec2 running inside vpc with internet access that make requests to some public api gateways. We have noticed that at random times (the last issue was April 26 and the previous time was on April 4), all the requests made from the three instances within a range of 5 minutes failed with the message "The request was aborted: Could not create SSL/TLS secure channel" These requests happens almost every minute every day during 12 o 14 hours so it didn´t fail before or after those 5-10 minutes lapse. Its like something happening at api gateway at random times. Can it be that updating api definition with swagger file or deploying to stage may cause this issue? One of the dates matches. We use us-east-1 region and use as endpoint https://xxxxxx.execute-api.us-east-1.amazonaws.com/stagexxx The status page doesn´t show any issues on those days for api gateway service. Thanks in advance

Hello. Suppose that I have the following architecture: API Gateway (service name: gateway api) -> Lambda Function (service name: gateway handler) -> API Gateway (service name: internal service) -> Lambda Function (service name: internal service handler) The "internal service" api gateway has 2 endpoints (`POST /endpointA` and `POST /endpointX`), which both proxy to the same "handler" lambda function. Depending on a feature flag, incoming requests are requests to the "gateway handler" are sent to either `POST /endpointA` or `POST /endpointX`. All of these services are set up for tracing with AWS X-ray. I want to query X-Ray to gain insights into the performance of requests send to `X` vs `A`. I tried the following query ``` service("gateway handler") AND service("internal service") AND http.url ENDSWITH "/endpointX" // and also // service("gateway handler") AND service("internal service") AND http.url ENDSWITH "/endpointA" ``` However this does not seem to work. In general I cannot query using http.url, when that http request is not the first request in a trace. Is there a way around this? Bonus points if it does not require me to add additional code to annotate traces for the xray system.

Steps to reproduce: Create EC2 instance in eu-central-1 region with following configuration - t3.small, ami-042172eb88687b43e (Windows Server 2016 Base), Public IP, igw to handle traffic. Login to the instance through RDP. Install telnet (it can be done through PowerShell with following command Install-WindowsFeature -name Telnet-Client). Open command line and try use telnet to connect 10-20 times to remote host with following command telnet 212.90.186.150 80. At least one attempt will fail with error "Connection failed". Repeat all steps above in eu-north-1 region and will see 0 errors. Is there a problem with routing in eu-central-1 region? You can also trace (tracert 212.90.186.150) to find out through which IPs/Networks the connection goes. From the 212.90.186.150 country (Ukraine) side the route is the same for both regions but when you trace from eu-central-1 it also goes through few internal IPs: 100.95.20.135, 100.100.22.2, 100.95.21.129, 100.100.4.58 and one "Frankfurt IPv4 Peering LAN". It could be a problem with this route. Could you help to solve the issue?

I'm wondering if there's a way to make the S3 path unguessable. Let's suppose I have an S3 path like this: https://s3-bucket.com/{singer_id}/album/song/song.mp3, this file will be served through CloudFront, so the path will be: https://cloundfront-dist-id.com/{singer_id}/album/song/song.mp3?signature=... (I'm using signed URLs). My question is : it is possible to make the /{singer_id}/album/song/song.mp3 not guessable by hashing it using for example Lambda or Lambda@Edge function so the client will see a url like this https://cloundfront-dist-id.com/some_hash?signature= ? Thanks in advance. https://stackoverflow.com/questions/70885356/non-guessable-cloudfront-url I am also facing issue. Question may arise why need of hash because signed url are secure. For my side, I need such url with s3 path hidden. I am using same AWS bucket for retrieving image for internal use without signed url and sharing that file to others using signed url. Internal USe CDN without signed url after CNAMe https://data.example.com/{singer_id}/album/song/song.mp3 Signed url https://secured-data.example.com/{singer_id}/album/song/song.mp3?signature=. &Expires == Since both using same AWS bucket and if someone guesses in signed url then access content https://data.example.com/{singer_id}/album/song/song.mp3?signature=. &Expires . File opens . In this scenario, I want to hide {singer_id}/album/song/song.mp3 to some new value and file is displayed under new name

I deploy AWS Load Balancer Controller and it creates and configures an application load balancer when I deploy an ingress, which is very convenient. However, the application load balancer is only created when an ingress.yaml is deployed, not when the controller is deployed. Is there a way of forcing the load balancer to be created on deployment of the Controller, before any ingresses have been deployed? I have several spring boot projects and an OAuth server deployed on my cluster - the spring boot projects' deployment require the OAuth2 server's URL. This requirement forces the deployment of the OAuth2 server separately, in order to configure/discover its hostname, before the other projects deploy. Ideally, I would like to deploy everything at once..

I recently registered a .co.uk domain thinking it could be hosted on Route 53. I later learned Route 53 isn't compatible with the storefront service that the domain was intended to point to. Cloudflare is compatible and I've moved NS authority to their platform and updated NS in Route 53. However, .co.uk domains are managed by Gandi and I also need to update NS records there. Simply updating on Route 53 didn't update Gandi. I don't have a Gandi account, how do I make these changes?

Customer would like to know if there is a CloudWatch metric, or other mechanism, to report on the number of requests against their AWS API Gateway per API Key. The goal is to distinguish how many requests are coming from each API Key.

1. registered a domain 2. checked and ensured NS records matching the DNS entries for the hosted domain 3. created a wordpress insntace in lightsail 4. attached a static ip to the instance 5. created an A record and CNAME to the static IP 6. browser window entered the www or the domain name I deleted the instance created in the first iteration. Than I created a new instance and new static IP and updated the A and CNAME with the new IP. The first instance of lightsail used to come up but after I deleted the first one and created a new one with new static IP it is not coming up. but it keeps on saying site can't be reached I have waited more than 3 days now If I goto the static ip the website comes up I also tested the record in the hosted zone screen and I do see Response returned by Route 53 to the static IP Another thing I noticed that the hosted zone name servers and lightsail name servers are different what could be the issue

Hello Everyone, I have created DNS Zone in the Networking tab of Lightsail. It is not letting me add DKIM of 2048 length. I saw some of the solutions like dividing them with double-quote but not working in Lightsail DNS. Any suggestion, please? Thanks, SPViradiya

Hello Everyone, I am using Lightsail WP for one of my sites and I've created a DNS zone. I am using the Lightsail load balancer service too. Mt domain is in Godaddy. My website keeps going down because the load balancer is changing the IP address from time to time and Godaddy A record does not allow to add LB URL as an A record. I am following below AWS guideline https://lightsail.aws.amazon.com/ls/docs/en_us/articles/add-alias-record-for-lightsail-load-balancer where I understand the step one but I have not used Route 53 anywhere. Do we need to use Route 53 compulsory or the first part "Add an A record in Lightsail" will be enough to map the domain and move DNS to AWS? I am trying to move DNS to AWS so that I can add Load balancer URL as an A record. Currently I need to ping the Lightsail LB URL and whatever IP I get, I am adding it as a A record in Godaddy.

I have a requirement to get data from aws using IAM API's , so I have access key , secret key , base url , service name and region of aws account we are trying to authenticate with bearer token , but we are getting the following error , I have generated bearer token using aws cli. URL : https://iam.amazonaws.com/?Action=ListGroups&Version=2010-05-08&access_token=<<token>> https://iam.amazonaws.com/?Action=ListGroups&Version=2010-05-08&Authorization=Bearer <<token>> Error : is not valid; the value of a query string parameter may not contain a '=' delimiter

Hi, I would like to register a domain ".app" TLD on Route 53. Unfortunately, it is not a supported TLD per link https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar-tld-list.html#registrar-tld-list-index-generic Can you please consider adding and let me know so I can decide to use Route 53 or some other provider? thanks

How to enable AWS WAF for CDN generated in Amplify ?

I need to manage a DNS, but I cannot find my hosted zone. I have several accounts and I do not know which account to try. I have tried all of the ones I can think of, but I cannot find this particular zone. colemanrodeo.com

I want to ask the case: I have 2 Webservers in 1 target group. I think that if the connection from ALB to only 1 between/among targets have something wrong, the TargetConnectionErrorCount will be count. When testing, I make one of my webserver become can not connect (Request timed out) by changing the Security group. I think that TargetConnectionErrorCount will be counted here, but it not. I have to make all of my targets become unhealthy to see the TargetConnectionErrorCount be count (see the attached images) Is it right that only when all the target servers in the target group healthcheck fail will the TargetConnectionErrorCount metrics be counted? Attached image here: https://live.staticflickr.com/65535/52061333803_d622b9a25c_b.jpg

My WebSocket API needs to be able to use a custom subprotocol. I have been able to do this by returning the proper Sec-WebSocket-Protocol header using AWS_PROXY lambda integration approach described in AWS docs here: https://docs.aws.amazon.com/apigateway/latest/developerguide/websocket-connect-route-subprotocol.html. The downside of that approach is that creating a dedicated lambda to just return a static header on each connect is an overkill. Is it possible to return the Sec-WebSocket-Protocol header on $connect using a Mock Integration instead? I tried playing with different response mappings of the Mock Integration but couldn't make it return this static header. It looks like you can't control the Sec-WebSocket-Protocol at all while using the Mock Integration, what about other integrations?

I registered a new domain with AWS in route53 3 days ago, I then created an ACM certificate for the domain, with the same name and used the "Create record in Route 53" functionality, 3 days later my certificate is still in "Validation pending" state even though the validation record exists. Worth noting I can access the CNAME validation record with `nslookup`, is this just a case of waiting for propagation or something, I expected 3 days or ~60hours to be long enough.

When on the website expressvpn.com I click "My Account" put in my credentials I keep getting this error: 403 ERRORThe request could not be satisfied.Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.Generated by cloudfront (CloudFront)Request ID: i50jW-L2Lggqanntmu7jEctlfL8Tmt8zPIoGk1zyAOxzPXpgOZ7uNA== (Troubleshooting steps: Powered off my cable modem, powered back on. Changed DNS hosts. Disabled MS defender. Rebooted my PC. Changed network, tried my cellphone hot spot. I've tried several different browsers, Firefox, Chrome and Vivaldi. My PC is hard-wired to a switch. Thoughts/Suggestions?

Hi, I work in an ISP Recently we have rented an IP segment, we are doing the paperwork to formalize the transfer to my region, however, in the meanwhile we are using the IPs. We detected that AWS CloudFront is providing a Geo restriction to some websites, because Route 53 is using the previous IP's Geolocation DB. How could I proceed to indicates AWS the new IPs location? Thanks so much your help and support

Hi, I have been using REST type endpoints with API gateway. APIs are defined in lot of smaller functions/lambda/microservices i.e. user Service **basePath** : user **Path** : /v1/users **custom domain**: mydomain.com So my API gateway url become : **https://mydomain.com/user/v1/users** and this works fine. and recently i tried function/Lamda URLs and via lambda url i can use only APi gwateway V2 request/response, and for that i changed my function/lambda code , But then REST API via API gateway stopped working as i was getting request in V2 format and i was using V1 format. So to make everything in sync i moved my existing API from REST to HTTP as well which use V2 request NotwI can call lambda url **https://{lambdadomain}/user/v1/users** but my original url via API gateway doesn't work **https://mydomain.com/user/v1/users** After digging bit more i found out that now my function code receive url as /v1/users and not /user/v1/users from API gateway to make it work for now i have to add two mappings in my gin/go application and it works but doesn't look good as i have to add 2 entries for every url r.GET("/user/v1/users", user.GetUserHandler) // Works with https://{lambdadomain}/user/v1/users r.GET("/v1/users", user.GetUserHandler) // Works with https://mydomain.com/user/v1/users is this expected behaviour switching from REST to HTTP ? or is it a bug? i couldn't find any documentation for it? Thanks Ravi

I am trying to add firebase TXT to my route 53 to verify it... but still the status shows INSYNC.. /change/C0784828XK9MDNWLBYHE...

Hello, CX have below workflow and would like to know if we can increase the time out. ~~ VirtualGateway -> GatewayRoute -> Virtual Service->Virtual Node ~~ By default the timeout value is 15 sec in Virtual Node configuration according to this AWS doc[1]. Also I tried increasing this value in Virtual node listener but still have issues, Also, at the moment the only concern is where can we set timeouts in Appmesh other than virtual node configuration as per the above workflow? To be able to set a timeout greater than the default value we would need to setup a virtual router and a route with a timeout greater than the default. I tried according to this doc[2] but still receiving timeout error's at 15 sec. Links: [1]https://docs.aws.amazon.com/app-mesh/latest/userguide/virtual_nodes.html [2]https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appmesh-route-httptimeout.html

Hello. I forgot to acknowledge my contact details before 15 days and my dns from route 53 was suspended. The email read: "Dear AWS customer, Your domain has been suspended because you didn't verify the email address for the registrant contact before April 28, 2022." I followed the directions, resent a confirmation email, and clicked the confirmation link sent. I recreated the hosted zone by deleting the previous zone, clicking "new zone", and added my A record pointed to my static site on S3, but I still cannot reach my domain. I am still receiving this message when I type my domain in the browser: "DNS address could not be found. Diagnosing the problem." What can I do to troubleshoot this issue? Is there something that needs to be done on my side with the domain zone settings or is this something on AWS/ICANN's side?

I am working with 2 AWS accounts, one is the root account which contains the primary Route53 hosted zone `domain.com`. The other account is the production account, and it runs our production environment, which is deployed using CDK. It contains a delegated hosted zone with the domain `prod.domain.com`. There is also an amplify application running on the production account available at `app.prod.domain.com`. The goal is to make the production application available via `app.domain.com` as it is more user-friendly. However, I have been unable to find a method that will allow me to create records in the root account hosted zone from the production account. Is there any method to do this automatically? I am aware that I can manually enter the records in the root account, but I would rather have an automated solution, as this would reduce the chance of errors and make the entire infrastructure clear to other maintainers. I have already tried to make a delegated hosted zone with the domain name `domain.com` in the production account, but that does not work.

We are working for FHIR(Fast Healthcare Interoperability Resources). We have followed “FHIR works on AWS” and deployed the CloudFormation template given by AWS in our AWS environment.Following is the template that we have deployed https://docs.aws.amazon.com/solutions/latest/fhir-works-on-aws/aws-cloudformation-template.html Requirement : we want to maintain client specific/customized ids as primary key in the server. Problem : server not allowing us to override or mainain client specific (customized ) ids as primary key .Infact , in the runtime, it is generating its own ids and ignoring the id given by us.

Hi, I created an AWS Opensearch domain in a VPC, but I can't figure out how to access it? When I am clicking on AWS Opensearch dashboard it's not opening and there is a timeout. I fould 2 solutions: EC2 instance with SSH tunnel or NGINX proxy on EC2 instance. But can I access the domain in a VPC without spinning the EC2 instance at all?

I recently created a new AWS account. On the EC2 Global View page (https://us-east-1.console.aws.amazon.com/ec2globalview/home) It lists : 55 subnets in 17 regions 17 security groups in 17 regions 17 VPCs in 17 regions Are these all some type of defaults for a new account? Or has my account already been hacked?

I'm using [this cloudformation template](https://s3.amazonaws.com/aws-neptune-customer-samples/v2/cloudformation-templates/neptune-base-stack.json) as part of a deployment of an amazon neptune db. However the NAT gateways that it creates are quite expensive. One suggestion that seems appealing is to use NAT instances instead of NAT gateways. My understanding so far is that the NAT gateways allow my db and its associated resources to make outbound network requests while remaining unavailable from the public internet. I would like to preserve that functionality while switching to NAT instances, but I'm not sure how to go about modifying the template to achieve that. Can someone please offer direction on how I can do this?

I noticed Route53 does not support .dev tld. Is there a roadmap for this, or an expected support date?

Hello, So I am using AWS Pinpoint both programatically and via the AWS Console. To make email templates I use the AWS Console. I have several images in an S3 bucket and I hide those images behind a CloudFront distribution so that they are accessible only via that distribution while the bucket is private. I have an image in the email template and in the `src` of the image I put the URL of the image behind the distribution. Outside the template, I am able to see the image on that URL. Also, before sending the email template, the images are properly displayed on the template but once I send it to an email and I open the email, I see no images, only te alternative text I have put. Why is that? How can I fix it? EDIT: I found out the problem exists only in Outlook. Do you have any idea why that is?

Hi, As mentioned in the question, my ECS tasks cannot connect to my RDS. The ECS tasks try to resolve the rds by name, and it resolves to the RDS public IP (RDS has public and private IPs). However, the security group on RDS doesn't allow open access from all IPs so the connection fails. I temporarily allowed all connections and could see that the ECS tasks are routing through the open internet to access the RDS. Reachability Analyzer checking specific tasks' Elastic Network Interface to the RDI ENI is successful, using internal routing through the peering connection. At the same time I have another server on VPC C that can connect to the RDS. All the config is similar between these two apps, including the peering connection, security group policies and routing tables. Any help is appreciated Here are some details about the VPCs VPC A - 15.2.0.0/16 [three subnets] VPC B - 111.30.0.0/16 [three subnets] VPC C - 15.0.0.0/16 [three subnets] Peering Connection 1 between A and B Peering Connection 2 between C and B Route table for VPC A: 111.30.0.0/16 : Peering Connection 1 15.2.0.0/16: Local 0.0.0.0/0: Internet Gateway Route table for VPC C: 111.30.0.0/16: Peering Connection 2 15.2.0.0/16: Local 0.0.0.0/0: Internet Gateway Security groups allow traffic to RDS: Ingress: 15.0.0.0/16: Allow DB Port 15.2.0.0/16: Allow DB Port Egress: 0.0.0.0/0: Allow all ports When I add the rule: 0.0.0.0/0 Allow DB Port to the RDS, then ECS can connect to my RDS through its public IP.

In my AWS instance, I only have one network interface, and **one internal IP address** from my subnet 10.1.1.0/24, let's say it's 10.1.1.66, I have 10 EIPs, 52.2.2.1 - 52.2.2.10 as well. Can I associate these 10 public EIPs to my single internal IP 10.1.1.66? My instance has code to direct these 10 public IPs to different web services. Thanks

I have an ECS service that exposes port 8080. I want to have the load balancer, target groups and target use that port as opposed to port 80. Here is a snippet of my code: ``` const servicePort = 8888; const metricsPort = 8888; const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef'); const repository = ecr.Repository.fromRepositoryName(this, 'cloud-config-server', 'cloud-config-server'); taskDefinition.addContainer('Config', { image: ecs.ContainerImage.fromEcrRepository(repository), portMappings: [{containerPort : servicePort, hostPort: servicePort}], }); const albFargateService = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'AlbConfigService', { cluster, publicLoadBalancer : false, taskDefinition: taskDefinition, desiredCount: 1, }); const applicationTargetGroup = new elbv2.ApplicationTargetGroup(this, 'AlbConfigServiceTargetGroup', { targetType: elbv2.TargetType.IP, protocol: elbv2.ApplicationProtocol.HTTP, port: servicePort, vpc, healthCheck: {path: "/CloudConfigServer/actuator/env/profile", port: String(servicePort)} }); const addApplicationTargetGroupsProps: elbv2.AddApplicationTargetGroupsProps = { targetGroups: [applicationTargetGroup], }; albFargateService.loadBalancer.addListener('alb-listener', { protocol: elbv2.ApplicationProtocol.HTTP, port: servicePort, defaultTargetGroups: [applicationTargetGroup]} ); } } ``` This does not work. The health check is taking place on port 80 with the default URL of "/" which fails, and the tasks are constantly recycled. A target group on port 8080, with the appropriate health check, is added, but it has no targets. What is the recommended way to achieve load balancing on a port other than 80? thanks

My question is about whether it is possible to build a permissioned network with Proof of Authority on Ethereum, making use of the AWS Managed Blockchain service. If possible, I would like to know the limits of gas per block that can be handled.

What I want to do is from the domain name vapeprivate.com make vapeprivate.com/fr, vapeprivate.com/es, vapeprivate.com/it to create several versions of the website at the language level. Can you give me the example of how to do in my case concretely. Currently I have a bucket created in the name of vapeprivate.com connected to the domain name vapeprivate.com with route 53

See discussion in https://stackoverflow.com/questions/61474701/aws-api-gateway-integration-response-lambda-error-regex-fails-matching-when-re/72107597#72107597 To summarise, given an API Gateway non-proxy (also know as HTTP I think) integration with a Java 8 Lambda, if the lambda handler throws an Exception but the error message in the Exception contains new line characters then the returned JSON from the API is invalid (missing required double quote characters) and doesn't match response patterns so gets the default status code (in my case 200). I'd really like to see this fixed as it is an annoying bug in AWS non-proxy integration that should be pretty easy and obvious to fix. Can this be passed to the appropriate team for fixing please?

I have followed the [prescribed procedure](https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-route-53-alias-record-for-container-service#route-53-container-service-create-record-set-json) to configure Route53 to make our site live. I created a .json file with the required information: - LightsailContainerServiceHostedZoneID - hosted zone ID - PathToJsonFile However, I am stuck when trying to execute the following commend : ``` aws route53 change-resource-record-sets --hosted-zone-id XXXXXXXXXXXXXX --change-batch file:///{User}/Downloads/Route53/change-resource-record-sets.json ``` I get the same errors: - `Error parsing parameter '--change-batch': Unable to load paramfile file:///{User}/Downloads/Route53/change-resource-record-sets.json: [Errno 2] No such file or directory: '/{User}/Downloads/Route53/change-resource-record-sets.json'` Local Machine is MacOS. Could be just my ignorance to find the correct local path.