Creating AWS PrivateLink connections using AWS CloudFormation

Question

I'm setting up infrastructure with CloudFormation including a VPC with subnets and an interface VPC endpoint.

The endpoint is meant to be deployed using the subnets created as part of the stack but when I start the deployment I get the following error:

The VPC endpoint service X does not support the availability zone of the subnet: subnet-Y

The endpoint service is deployed in subnets in the following AZs:

- us-east-1a (use1-az1)
 - us-east-1b (use1-az2)
 - us-east-1c (use1-az4)

And the VPC in which I'm testing the CloudFormation stack have the subnets in the following AZs:

- us-east-1a (use1-az2)
 - us-east-1b (use1-az4)
 - us-east-1c (use1-az6)

The only matching are use1-az2 and use1-az4.

I would like to know if there's a way to automatically lookup the supported AZs by the service and match them with my subnets' AZs.

The idea is to create 4 different environments with the same setup (VPC subnets, endpoint) so as to avoid hard coding the values.

Accepted Answer

You can call [DescribeVpcEndpointServices](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcEndpointServices.html) API via custom resource lambda in your CloudFormation, filtering for the specific service and then get the list of availability zones available to that service. You can then use this information in your other resources within the stack. Example output snippet via the AWS CLI:

```
{
    "ServiceDetails": [
        {
            "ServiceName": "aws.sagemaker.us-east-1.notebook",
            "ServiceId": "vpce-svc-0e123abc123198abc",
            "ServiceType": [
                {
                    "ServiceType": "Interface"
                }
            ],
            "AvailabilityZones": [
                "us-east-1a",
                "us-east-1b",
                "us-east-1c",
                "us-east-1d",
                "us-east-1e",
                "us-east-1f"
            ],
            "Owner": "amazon",
            "BaseEndpointDnsNames": [
                "vpce-svc-0e123abc123198abc.us-east-1.vpce.amazonaws.com",
                "notebook.us-east-1.vpce.sagemaker.aws"
            ],
            "PrivateDnsName": "*.notebook.us-east-1.sagemaker.aws",
            "VpcEndpointPolicySupported": true,
            "AcceptanceRequired": false,
            "ManagesVpcEndpoints": false,
            "Tags": [],
            "PrivateDnsNameVerificationState": "verified"
        },
...
}
```

Creating AWS PrivateLink connections using AWS CloudFormation

相關內容