Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ec2: Missing and invalid global VPC endpoints #29560

Closed
nmussy opened this issue Mar 20, 2024 · 3 comments · Fixed by #29563 · May be fixed by NOUIY/aws-solutions-constructs#98, NOUIY/aws-solutions-constructs#99 or NOUIY/aws-solutions-constructs#101
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@nmussy
Copy link
Contributor

nmussy commented Mar 20, 2024

We also have an issue with global endpoints, e.g. S3_MULTI_REGION_ACCESS_POINTS. They are not supposed to have a region prefix (docs), but currently do in the CDK:

$ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.s3-global.accesspoint | jq '.ServiceDetails[] | .ServiceName'

"com.amazonaws.s3-global.accesspoint"
new CfnOutput(this, "endpoint", {
	value: ec2.InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS.name,
});

// TestDeployStack.endpoint = com.amazonaws.eu-west-1.s3-global.accesspoint

The region is currently always prefixed:

this.name = `${prefix || defaultEndpointPrefix}.${region}.${name}${defaultEndpointSuffix}`;

I haven't checked if there are other existing cases, but aws.api.global.codecatalyst is currently missing from the endpoint list, and will run into the same issue (docs)

Originally posted by @nmussy in #29524 (comment)

@nmussy
Copy link
Contributor Author

nmussy commented Mar 20, 2024

I can take this on, we'll just have to wait for #29524 to be merged

@pahud
Copy link
Contributor

pahud commented Mar 20, 2024

@nmussy Thank you for the report.

@pahud pahud added bug This issue is a bug. p2 @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud effort/medium Medium work item – several days of effort labels Mar 20, 2024
@mergify mergify bot closed this as completed in #29563 Mar 30, 2024
mergify bot pushed a commit that referenced this issue Mar 30, 2024
### Issue # (if applicable)

Closes #29560.

### Reason for this change

The service name generated by the CDK for global VPC endpoints was incorrect, as it contained the stack's region:

```sh
$ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.s3-global.accesspoint | jq '.ServiceDetails[] | .ServiceName'

"com.amazonaws.s3-global.accesspoint"
```

```ts
new CfnOutput(this, "endpoint", {
	value: ec2.InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS.name,
});

// TestDeployStack.endpoint = com.amazonaws.eu-west-1.s3-global.accesspoint
```

In addition, another global endpoint was missing from `InterfaceVpcEndpointAwsService`.

### Description of changes

* The `InterfaceVpcEndpointAwsService` constructor was modified to
  * I would have preferred to switch to a single object for the optional constructor properties (`prefix`, `port`, and now `global`), but couldn't make a breaking change to a publicly accessible constructor
* `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` was changed to be a global VPC endpoint
* `InterfaceVpcEndpointAwsService.CODECATALYST` was added

### Description of how you validated changes

I've added a unit test to check that the global endpoints' name were set correctly.

I also added an integration test for `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS`.
To test it, I created a publicly accessible EC2 instance on the VPC, connected to it and ran `nslookup accesspoint.s3-global.amazonaws.com` to make sure it was resolvable (see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointsPrivateLink.html)):

Without the `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` interface endpoint:
```sh
$ nslookup accesspoint.s3-global.amazonaws.com
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
*** Can't find accesspoint.s3-global.amazonaws.com: No answer
```

With the `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` interface endpoint:
```sh
$ nslookup accesspoint.s3-global.amazonaws.com
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
Name:   accesspoint.s3-global.amazonaws.com
Address: 10.0.156.75
Name:   accesspoint.s3-global.amazonaws.com
Address: 10.0.246.83
```


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
2 participants