You'll need to use a Custom Resource to (call the API to) get the IP of the endpoint's network interface(s) as CloudFormation doesn't expose it as a return value, which means CDK can't offer it as a property.
(Note: this code was originally written for CDK ~1.40, but should still work or be easily updatable.)
Assuming you're creating the VPC Endpoint like this:
    // CDK v1 imports used throughout this answer (names as in CDK ~1.40)
    import * as ec2 from "@aws-cdk/aws-ec2";
    import * as iam from "@aws-cdk/aws-iam";
    import * as custom_resources from "@aws-cdk/custom-resources";
    import * as elbv2 from "@aws-cdk/aws-elasticloadbalancingv2";
    import * as elbv2_targets from "@aws-cdk/aws-elasticloadbalancingv2-targets";

    // note: creates two endpoints because this VPC has two private subnets
    const VPCEndpoints = new ec2.InterfaceVpcEndpoint(this, "APIEndpoint", {
      vpc: my_vpc,
      service: ec2.InterfaceVpcEndpointAwsService.APIGATEWAY,
      subnets: { subnetType: ec2.SubnetType.PRIVATE },
    });
Then you can create a custom resource to call the DescribeNetworkEndpoints API on them. This will be a Lambda function which CloudFormation will deploy and then invoke, and the return value from the function will have the API response in.
CDK has a helper which makes it easy to deploy a custom resource that just calls an AWS API, so we can use that. (CDK writes a little nodeJS function for us to do it, which is why I've linked to the JS SDK above.)
    const eni = new custom_resources.AwsCustomResource(
      this,
      "DescribeNetworkInterfaces",
      {
        onCreate: {
          service: "EC2",
          action: "describeNetworkInterfaces",
          parameters: {
            NetworkInterfaceIds: VPCEndpoints.vpcEndpointNetworkInterfaceIds,
          },
          // Date.now() yields a new physical ID on every synth, so the API call is re-run on each deploy
          physicalResourceId: custom_resources.PhysicalResourceId.of(Date.now().toString()),
        },
        onUpdate: {
          service: "EC2",
          action: "describeNetworkInterfaces",
          parameters: {
            NetworkInterfaceIds: VPCEndpoints.vpcEndpointNetworkInterfaceIds,
          },
          physicalResourceId: custom_resources.PhysicalResourceId.of(Date.now().toString()),
        },
        // ec2:DescribeNetworkInterfaces does not support resource-level permissions, so "*" is required here
        policy: custom_resources.AwsCustomResourcePolicy.fromStatements([
          new iam.PolicyStatement({
            actions: ["ec2:DescribeNetworkInterfaces"],
            resources: ["*"],
          }),
        ]),
      }
    );
We can now use the getResponseField() method on the eni object to read the response values from the API call, and then use them to create an ALB Target Group.
    // note: two ENIs in our endpoint as above, so we can get two IPs out of the response
    // (the custom resource flattens the API response into dot-separated keys, hence the 0 and 1 indices)
    const ip1 = eni.getResponseField("NetworkInterfaces.0.PrivateIpAddress");
    const ip2 = eni.getResponseField("NetworkInterfaces.1.PrivateIpAddress");

    const ALBTargetGroup = new elbv2.ApplicationTargetGroup(this, "ALBTG", {
      port: 443,
      targetType: elbv2.TargetType.IP,
      vpc: my_vpc,
    });
    ALBTargetGroup.addTarget(new elbv2_targets.IpTarget(ip1));
    ALBTargetGroup.addTarget(new elbv2_targets.IpTarget(ip2));
The target group can then just be used in an ALB Listener as usual.
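Added example (not code from the answer above, nor from the CDK project): plain TypeScript that reproduces how AwsCustomResource flattens an API response into dot-separated keys, which is why getResponseField("NetworkInterfaces.0.PrivateIpAddress") resolves, and how the outputPaths option trims the response. The ENI IDs, subnet IDs and addresses in the sample response are constructed.

```typescript
// Added example: models the response flattening behind getResponseField() and outputPaths.
type Flat = Record<string, string | number | boolean | null>;

// Flatten nested objects and arrays into { "NetworkInterfaces.0.PrivateIpAddress": "..." }.
function flattenResponse(obj: unknown, prefix = ""): Flat {
  const out: Flat = {};
  if (obj !== null && typeof obj === "object") {
    const entries: [string, unknown][] = Array.isArray(obj)
      ? obj.map((v, i): [string, unknown] => [String(i), v])
      : Object.entries(obj as Record<string, unknown>);
    for (const [k, v] of entries) {
      Object.assign(out, flattenResponse(v, prefix ? `${prefix}.${k}` : k));
    }
  } else {
    out[prefix] = obj as string | number | boolean | null;
  }
  return out;
}

// Constructed sample (hypothetical IDs and addresses) of a DescribeNetworkInterfaces
// response for an endpoint that spans two private subnets, as in the answer above.
const sampleResponse = {
  NetworkInterfaces: [
    { NetworkInterfaceId: "eni-0example1", PrivateIpAddress: "10.0.1.25", SubnetId: "subnet-0example1", Status: "in-use" },
    { NetworkInterfaceId: "eni-0example2", PrivateIpAddress: "10.0.2.41", SubnetId: "subnet-0example2", Status: "in-use" },
  ],
};

// Mirrors eni.getResponseField(path): an absent path is an error, so a deployment fails
// loudly instead of registering an empty target.
function getResponseField(flat: Flat, path: string): string {
  if (!(path in flat)) throw new Error(`Response field ${path} not found in API response`);
  return String(flat[path]);
}

// Mirrors the outputPaths option: keep only the listed keys. Restricting the output matters
// because CloudFormation rejects custom resource responses larger than 4096 bytes, and a full
// DescribeNetworkInterfaces response (attachments, security groups, tags) can exceed that.
function selectOutputPaths(flat: Flat, outputPaths: string[]): Flat {
  const kept: Flat = {};
  for (const p of outputPaths) kept[p] = getResponseField(flat, p);
  return kept;
}
```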
@James_S Your solution for getting the ENI IPs works great, but I can't seem to figure out why the health checks always return Unhealthy (Request timed out), and when I make a request through the LB, it returns {message:"Forbidden"}.

I have the same issue as you do, yargnawh, but I think the reason is that the ENIs don't have an open service that listens or waits for requests to respond to.
Should I be able to use ec2.InterfaceVpcEndpointAwsService.S3 in the same manner?
Use case: https://aws.amazon.com/blogs/networking-and-content-delivery/hosting-internal-https-static-websites-with-alb-s3-and-privatelink/