What is a VPC Endpoint and where does it live?
What is a VPC endpoint and why do we need one?
If you had an application hosted on an EC2 instance, and that application needed to call another AWS service (e.g. S3, RDS, KMS), the request would have to leave the VPC, go out to the internet, and reach the service's public API endpoint on port 443.
So the EC2 instance inside the VPC would need some form of internet connectivity (either through a NAT gateway, an internet gateway, or a firewall proxy such as McAfee on AWS Proxy).
VPC endpoints remove the need for such convoluted internet access by exposing the service as a native AWS network resource inside your VPC.
With an endpoint in place, all traffic between the VPC and AWS KMS, for example, stays within the AWS network.
Where does the endpoint live?
The endpoint is a network resource that lives in your VPC. What makes it special is that it provides a network interface (an elastic network interface in one of your subnets) to a specific AWS service.
Creating an Endpoint
- Step 1 – When you choose one or more subnets in the VPC for your interface endpoint, AWS creates an endpoint network interface in each selected subnet.
- Step 2 – Associate security groups with the endpoint network interface. The security group must have a rule allowing traffic between the endpoint and the resources in the VPC that need to connect to it (typically just port 443).
- Step 3 – Optionally enable private DNS for the endpoint, which lets requests keep using the service's default DNS hostname. Private DNS is enabled by default for AWS and AWS Marketplace services.
- Step 4 – The owner of the service (usually AWS itself, but it can also be a third party from the Marketplace) needs to accept the endpoint creation request.
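The four steps above, carried out with the boto3 SDK instead of the console. This is an added example, not code from the original post; the VPC, subnet and security group IDs are constructed placeholders, the region is an assumption, and the service (KMS) is only one choice. The security group rule deliberately allows inbound 443 from the application's security group rather than from a CIDR block, so only the instances that carry that group can reach the endpoint.

```python
"""Provision an interface VPC endpoint with boto3 (added example).
All IDs below are constructed placeholders; replace them with your own."""
import time

VPC_ID = "vpc-EXAMPLE"                        # placeholder
SUBNET_IDS = ["subnet-EXAMPLE-a", "subnet-EXAMPLE-b"]  # placeholders, one per AZ
ENDPOINT_SG_ID = "sg-ENDPOINT-EXAMPLE"         # placeholder: SG attached to the endpoint ENIs
APP_SG_ID = "sg-APP-EXAMPLE"                   # placeholder: SG attached to the EC2 instance
REGION = "us-east-1"                           # assumption: region of the VPC


def endpoint_ingress_rule(app_sg_id, port=443):
    """Step 2: allow TCP/443 into the endpoint ENIs, but only from the
    application's security group (a source SG, not an IP range)."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": app_sg_id}],
    }


def endpoint_request(service, vpc_id, subnet_ids, sg_id, region):
    """Steps 1 and 3: parameters for ec2.create_vpc_endpoint().
    One ENI is created per subnet; private DNS makes the service's normal
    hostname (e.g. kms.<region>.amazonaws.com) resolve to those ENIs."""
    return {
        "VpcEndpointType": "Interface",
        "ServiceName": f"com.amazonaws.{region}.{service}",
        "VpcId": vpc_id,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [sg_id],
        "PrivateDnsEnabled": True,
    }


def provision(service="kms", poll_seconds=5, max_polls=60):
    """Create the endpoint, attach the SG rule, then wait for step 4
    (the service owner's acceptance) to finish: State becomes 'available'."""
    import boto3  # imported here so the helpers above work without boto3 installed

    ec2 = boto3.client("ec2", region_name=REGION)
    ec2.authorize_security_group_ingress(
        GroupId=ENDPOINT_SG_ID, IpPermissions=[endpoint_ingress_rule(APP_SG_ID)]
    )
    resp = ec2.create_vpc_endpoint(
        **endpoint_request(service, VPC_ID, SUBNET_IDS, ENDPOINT_SG_ID, REGION)
    )
    vpce_id = resp["VpcEndpoint"]["VpcEndpointId"]
    for _ in range(max_polls):
        state = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpce_id])["VpcEndpoints"][0]["State"]
        if state == "available":
            return vpce_id
        if state in ("rejected", "failed", "deleted"):
            raise RuntimeError(f"{vpce_id} ended in state {state}")
        time.sleep(poll_seconds)  # pendingAcceptance / pending: keep waiting
    raise TimeoutError(f"{vpce_id} still not available after polling")


if __name__ == "__main__":
    print("created", provision())
```

Running the script requires AWS credentials with ec2:CreateVpcEndpoint, ec2:DescribeVpcEndpoints and ec2:AuthorizeSecurityGroupIngress; the two helper functions can be inspected (or unit-tested) without any AWS access.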
Testing endpoint connectivity
Once you have completed the steps above and created your VPC endpoint, how do you test it?
Note: replace myvpc-id with your VPC endpoint ID, and region with the AWS Region of your interface VPC endpoint.
$ telnet myvpc-id.execute-api.region.myvpc.amazonaws.com 443
The EC2 instance making the request needs outbound 443 open in its security group. The VPC endpoint's network interface has its own security group associated with it, and that security group needs inbound 443 open.
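The telnet check above proves that a TCP handshake on 443 completes, but it does not tell you where the hostname resolved to: if private DNS is not in effect, the service name still resolves to public AWS addresses and traffic still leaves the VPC through whatever internet path exists. The script below, an added example not taken from the original post, runs from the EC2 instance and checks both: every address the service hostname resolves to must lie inside the VPC CIDR, and each must accept a TCP connection on 443. The resolver and connector are injectable so the logic can be exercised without network access; the KMS hostname and the 10.0.0.0/16 CIDR in the usage block are assumptions.

```python
"""Verify that an interface endpoint is reachable and that it is actually
private (added example). Run it on the instance that will use the endpoint."""
import ipaddress
import socket


def resolve_ipv4(hostname):
    """Default resolver: all IPv4 addresses the instance's resolver returns."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_connect(address, port, timeout=3.0):
    """Default connector: True if a TCP handshake to address:port completes
    (the same thing the telnet command tests)."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_endpoint(hostname, vpc_cidr, port=443, resolve=resolve_ipv4, connect=tcp_connect):
    """Return a dict with the resolved addresses and a list of problems.
    'ok' is True only when every address is inside vpc_cidr and reachable."""
    network = ipaddress.ip_network(vpc_cidr)
    addresses = resolve(hostname)
    result = {"hostname": hostname, "addresses": addresses, "problems": [], "ok": False}
    if not addresses:
        result["problems"].append("hostname did not resolve")
        return result
    # Privacy check: an address outside the VPC means private DNS is not in
    # effect for this name and requests are still going to the public API.
    public = [a for a in addresses if ipaddress.ip_address(a) not in network]
    if public:
        result["problems"].append(f"resolved to addresses outside {vpc_cidr}: {public}")
    # Reachability check: failures here usually mean outbound 443 is missing on
    # the instance SG or inbound 443 is missing on the endpoint SG.
    unreachable = [a for a in addresses if not connect(a, port)]
    if unreachable:
        result["problems"].append(
            f"TCP/{port} refused or timed out for: {unreachable} "
            "(check outbound 443 on the instance SG and inbound 443 on the endpoint SG)"
        )
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    import json
    import sys

    # Assumptions: a KMS endpoint with private DNS, in a VPC using 10.0.0.0/16.
    outcome = verify_endpoint("kms.us-east-1.amazonaws.com", "10.0.0.0/16")
    print(json.dumps(outcome, indent=2))
    sys.exit(0 if outcome["ok"] else 1)
```

For an endpoint without private DNS, pass the endpoint-specific hostname shown in the console instead of the service's default name; the CIDR check then still confirms the ENIs are in your VPC.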
Summary
AWS’s documentation around VPC endpoints can be a little confusing. I struggled to understand why one was needed, how to provision one – and how to successfully test a provisioned endpoint. Hopefully, this guide helps you overcome some of those questions.