AWS VPC Interface Endpoints

Girish V P
ADIBI Technologies, Basavanagudi, Blore.
4 min read · Dec 25, 2018

A VPC Endpoint enables you to connect your VPC to AWS services without needing an Internet Gateway, NAT device, VPN or an AWS Direct Connect connection. Instances in your VPC don't use public IP addresses to communicate with the AWS service; they use the VPC Endpoint instead. There are two types of VPC endpoints: Interface Endpoints and Gateway Endpoints. A VPC Gateway Endpoint is a gateway in your route table that is the target of a route for the required AWS service. A VPC Interface Endpoint creates a Network Interface in the VPC IP range, through which the VPC is able to communicate with AWS services. It is also useful when you have an AWS Direct Connect setup, which can route traffic to AWS services via the VPC Interface Endpoint.

VPC Interface Endpoint Experiment

We will do an experiment in which an EC2 instance is able to access AWS services with the help of a VPC endpoint. Here, we take the EC2 service as the AWS service to be accessed. Without configuring a VPC interface endpoint, you cannot retrieve EC2 instance details from your private EC2 instances. So we will configure a VPC interface endpoint.

The names of the various AWS resources, network ranges, IP addresses etc. are arbitrary and you have the freedom to choose your own. The experiment involves the following steps.

  • Create VPC and Public/ Private subnets
  • Create Instances in Private Subnet
  • IAM Role EC2 info Read access from EC2
  • Enable VPC DNS hostnames property
  • Create port 443 enabled Security Group
  • Create VPC Interface Endpoint
  • Test the Configuration

1) Create VPC and Public/Private Subnets: I have created a VPC with CIDR 10.0.0.0/6. Two Subnets (10.0.1.0/24 and 10.0.2.0/24) are created like below. 10.0.1.0/24 is public and attached to an Internet Gateway. 10.0.2.0/24 is private and doesn't have a route to the internet.

2) Create Instances in Private Subnet: Create two EC2 instances, one in the public Subnet and the other in the private Subnet. SSH to both instances and make sure that you can access both.

3) IAM Role EC2 info Read access from EC2: Open the IAM service and create an IAM Role that grants EC2 read access to the EC2 service. Attach this IAM Role to both EC2 instances.

Log in to both the public and private EC2 instances and try to access EC2 instance details by executing the command below. Make sure that you have configured the AWS CLI for ap-southeast-1 using the aws configure command.

# aws ec2 describe-instances

You get a successful result from the public instance but not from the private instance, since the private instance has no path to the EC2 service.

4) Enable VPC DNS hostnames property: Select the VPC, click Actions and then Edit DNS hostnames.

When the window opens, enable DNS hostnames and Save.

5) Create port 443 enabled Security Group: Your instance should be able to talk to the EC2 service on port 443. So we create a Security Group that allows inbound port 443; it will be attached to the Interface Endpoint later, during its creation.

6) Create VPC Interface Endpoint: Search for the VPC service in the AWS web console. In the left pane select Endpoints. Click Create Endpoint.

When the window opens, fill in the options like below. Select your VPC. Make sure that you have selected the private Subnet in the list below; these are the Subnets where the network interfaces will be created automatically. Use the Security Group you created in the previous step.

Once the Endpoint is created, open the EC2 service and observe that a Network Interface has been created with an IP address belonging to the private network.
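The endpoint and its security group are the parts of this setup that are easy to get wrong, so here is an added example (not part of the original post) that builds the request a practitioner would hand to boto3's EC2.Client.create_vpc_endpoint for the steps above, and then audits the result the way you would check it in step 7: interface type, the EC2 service for ap-southeast-1, private DNS enabled, ENIs only in the private subnet, and a security group that admits only TCP 443 from inside the VPC. It does not call AWS; the audit runs over constructed data shaped like describe_vpc_endpoints / describe_security_groups output. All resource ids are made-up placeholders, and the VPC range is assumed to be 10.0.0.0/16. The endpoint policy restricting the endpoint to ec2:Describe* is a least-privilege addition of mine, not something the post configures.

```python
"""Build and audit an AWS VPC interface endpoint for the EC2 API (added example)."""
import json
from ipaddress import ip_network

REGION = "ap-southeast-1"                      # region used in the post
VPC_CIDR = "10.0.0.0/16"                       # assumption: the VPC range
EC2_SERVICE = f"com.amazonaws.{REGION}.ec2"    # interface endpoint service name

# Endpoint policy: only read-style EC2 calls may traverse this endpoint,
# whichever IAM principal makes them (the instance role still applies too).
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["ec2:Describe*"], "Resource": "*"}],
}


def create_endpoint_request(vpc_id, subnet_ids, sg_ids):
    """Parameters for boto3 ec2.create_vpc_endpoint(**params)."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": EC2_SERVICE,
        "SubnetIds": list(subnet_ids),          # the private subnet(s) only
        "SecurityGroupIds": list(sg_ids),
        "PrivateDnsEnabled": True,              # requires enableDnsHostnames on the VPC
        "PolicyDocument": json.dumps(ENDPOINT_POLICY),
    }


def audit_security_group(sg, vpc_cidr=VPC_CIDR):
    """Findings for an endpoint SG: it should allow only TCP 443 from inside the VPC."""
    findings, vpc = [], ip_network(vpc_cidr)
    for perm in sg.get("IpPermissions", []):
        proto, low, high = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if proto != "tcp" or (low, high) != (443, 443):
            findings.append(f"{sg['GroupId']}: ingress {proto} {low}-{high} is not TCP 443")
        for rng in perm.get("IpRanges", []):
            src = ip_network(rng["CidrIp"])
            if not src.subnet_of(vpc):
                findings.append(f"{sg['GroupId']}: source {src} is outside the VPC {vpc}")
    return findings


def audit_endpoint(endpoint, sgs_by_id, private_subnet_ids, vpc_cidr=VPC_CIDR):
    """Findings for one describe_vpc_endpoints entry against the post's intended setup."""
    findings = []
    if endpoint.get("VpcEndpointType") != "Interface":
        findings.append("endpoint is not an Interface endpoint")
    if endpoint.get("ServiceName") != EC2_SERVICE:
        findings.append(f"unexpected service {endpoint.get('ServiceName')}")
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled: the default EC2 API hostname will not resolve to the endpoint")
    stray = set(endpoint.get("SubnetIds", [])) - set(private_subnet_ids)
    if stray:
        findings.append(f"endpoint ENIs placed in non-private subnets {sorted(stray)}")
    for group in endpoint.get("Groups", []):
        sg = sgs_by_id.get(group["GroupId"])
        if sg is None:
            findings.append(f"{group['GroupId']}: security group not found")
        else:
            findings.extend(audit_security_group(sg, vpc_cidr))
    return findings


# Constructed sample data (placeholder ids), shaped like the describe_* API output.
PRIVATE_SUBNETS = ["subnet-0priv0000000000"]
GOOD_SG = {"GroupId": "sg-0good00000000000",
           "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.2.0/24"}]}]}
OPEN_SG = {"GroupId": "sg-0open00000000000",      # the weak setting: everything from anywhere
           "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SGS = {sg["GroupId"]: sg for sg in (GOOD_SG, OPEN_SG)}
GOOD_ENDPOINT = {"VpcEndpointId": "vpce-0good0000000000", "VpcEndpointType": "Interface",
                 "ServiceName": EC2_SERVICE, "PrivateDnsEnabled": True,
                 "SubnetIds": PRIVATE_SUBNETS, "Groups": [{"GroupId": GOOD_SG["GroupId"]}]}
BAD_ENDPOINT = dict(GOOD_ENDPOINT, VpcEndpointId="vpce-0bad00000000000",
                    PrivateDnsEnabled=False, Groups=[{"GroupId": OPEN_SG["GroupId"]}])

if __name__ == "__main__":
    print(json.dumps(create_endpoint_request("vpc-0example", PRIVATE_SUBNETS,
                                             [GOOD_SG["GroupId"]]), indent=2))
    for ep in (GOOD_ENDPOINT, BAD_ENDPOINT):
        print(ep["VpcEndpointId"], audit_endpoint(ep, SGS, PRIVATE_SUBNETS) or ["OK"])
```

Against a live account you would feed audit_endpoint the entries of ec2.describe_vpc_endpoints()["VpcEndpoints"] and a map of ec2.describe_security_groups()["SecurityGroups"] keyed by GroupId. The private-DNS check matters because, without it, the CLI's default ec2 hostname still resolves to the public endpoint and the private instance keeps failing exactly as in step 3; the source-CIDR check keeps the endpoint ENI from accepting connections from outside the VPC.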

7) Test the Configuration:

Now, log in to the private EC2 instance and try to access EC2 instance details by executing the command below.

# aws ec2 describe-instances

You can now access the instance details even though communication with the internet is not possible from the private EC2 instance.

Disclaimer: This experiment was carried out in a test environment. You are requested to verify your setup thoroughly before you implement it in a production environment.
