ec2: Missing and invalid global VPC endpoints #29560
Closed
nmussy opened this issue
Mar 20, 2024
· 3 comments
· Fixed by #29563 · May be fixed by NOUIY/aws-solutions-constructs#98, NOUIY/aws-solutions-constructs#99 or NOUIY/aws-solutions-constructs#101
Labels
@aws-cdk/aws-ec2
Related to Amazon Elastic Compute Cloud
bug
This issue is a bug.
effort/medium
Medium work item – several days of effort
p2
Comments
I can take this on, we'll just have to wait for #29524 to be merged

@nmussy Thank you for the report.
pahud added the labels bug (This issue is a bug.), p2, @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud) and effort/medium (Medium work item – several days of effort) on Mar 20, 2024.

mergify bot pushed a commit that referenced this issue on Mar 30, 2024:
### Issue # (if applicable)

Closes #29560.

### Reason for this change

The service name generated by the CDK for global VPC endpoints was incorrect, as it contained the stack's region:

```sh
$ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.s3-global.accesspoint | jq '.ServiceDetails[] | .ServiceName'
"com.amazonaws.s3-global.accesspoint"
```

```ts
new CfnOutput(this, "endpoint", {
  value: ec2.InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS.name,
});
// TestDeployStack.endpoint = com.amazonaws.eu-west-1.s3-global.accesspoint
```

In addition, another global endpoint was missing from `InterfaceVpcEndpointAwsService`.

### Description of changes

* The `InterfaceVpcEndpointAwsService` constructor was modified to
  * I would have preferred to switch to a single object for the optional constructor properties (`prefix`, `port`, and now `global`), but couldn't make a breaking change to a publicly accessible constructor
* `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` was changed to be a global VPC endpoint
* `InterfaceVpcEndpointAwsService.CODECATALYST` was added

### Description of how you validated changes

I've added a unit test to check that the global endpoints' names were set correctly. I also added an integration test for `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS`.

To test it, I created a publicly accessible EC2 instance on the VPC, connected to it and ran `nslookup accesspoint.s3-global.amazonaws.com` to make sure it was resolvable (see [Configuring a Multi-Region Access Point for use with AWS PrivateLink](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointsPrivateLink.html)):

Without the `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` interface endpoint:

```sh
$ nslookup accesspoint.s3-global.amazonaws.com
Server:		10.0.0.2
Address:	10.0.0.2#53

Non-authoritative answer:
*** Can't find accesspoint.s3-global.amazonaws.com: No answer
```

With the `InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS` interface endpoint:

```sh
$ nslookup accesspoint.s3-global.amazonaws.com
Server:		10.0.0.2
Address:	10.0.0.2#53

Non-authoritative answer:
Name:	accesspoint.s3-global.amazonaws.com
Address: 10.0.156.75
Name:	accesspoint.s3-global.amazonaws.com
Address: 10.0.246.83
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This was referenced May 23, 2024
We also have an issue with global endpoints, e.g. `S3_MULTI_REGION_ACCESS_POINTS`. They are not supposed to have a region prefix (docs), but currently do in the CDK. The region is currently always prefixed:

aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts, line 510 in 0fee99b

I haven't checked if there are other existing cases, but `aws.api.global.codecatalyst` is currently missing from the endpoint list, and will run into the same issue (docs).

Originally posted by @nmussy in #29524 (comment)
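The report above and the fix in #29563 both turn on one detail: a service name is normally assembled as `<prefix>.<region>.<shortName>`, but global services (`com.amazonaws.s3-global.accesspoint`, `aws.api.global.codecatalyst`) have no region segment, so inserting one produces a name that PrivateLink does not know and the endpoint never resolves. The following is an added illustration written for this page, not code from aws-cdk-lib or from the PR: a stand-in `EndpointService` class with a `global` option (the `global` flag is the concept from the PR, but the class, option names, the `looksMisqualified` check and the `audit` helper are all assumptions), showing the region-always-prefixed behaviour beside the corrected one, plus a small pre-deploy check that flags a name carrying both a region segment and a global marker.

```typescript
// Added illustration, not code from aws-cdk-lib: a stand-in for how an
// interface endpoint service name is assembled from prefix, region and
// short name, and why a "global" service must leave the region out.
// EndpointService, the `global` option, looksMisqualified and audit are
// assumed names for this example only.

interface EndpointServiceOptions {
  prefix?: string;   // defaults to "com.amazonaws"
  port?: number;     // defaults to 443
  global?: boolean;  // assumed flag: true for services with no regional segment
}

class EndpointService {
  readonly shortName: string;
  readonly prefix: string;
  readonly port: number;
  readonly global: boolean;

  constructor(shortName: string, opts: EndpointServiceOptions = {}) {
    this.shortName = shortName;
    this.prefix = opts.prefix ?? 'com.amazonaws';
    this.port = opts.port ?? 443;
    this.global = opts.global ?? false;
  }

  // The behaviour the issue reports: the stack region is always inserted,
  // which yields a service name that does not exist for global services.
  nameAlwaysRegional(region: string): string {
    return `${this.prefix}.${region}.${this.shortName}`;
  }

  // The corrected behaviour: global services get "<prefix>.<shortName>",
  // everything else keeps "<prefix>.<region>.<shortName>".
  name(region: string): string {
    return this.global
      ? `${this.prefix}.${this.shortName}`
      : `${this.prefix}.${region}.${this.shortName}`;
  }
}

// Constructed catalogue entries for the two services the issue names, plus
// one ordinary regional service for contrast.
const S3_MULTI_REGION_ACCESS_POINTS = new EndpointService('s3-global.accesspoint', { global: true });
const CODECATALYST = new EndpointService('codecatalyst', { prefix: 'aws.api.global', global: true });
const SSM = new EndpointService('ssm');

// Pre-deploy sanity check a template linter could run: a service name that
// both carries the stack region and looks like a global service is the
// misconfiguration from the issue (the endpoint would never resolve).
function looksMisqualified(serviceName: string, region: string): boolean {
  const hasRegion = serviceName.includes(`.${region}.`);
  const looksGlobal = /(^|[.-])global(\.|$)/.test(serviceName);
  return hasRegion && looksGlobal;
}

// Report, for each catalogue entry, the name generated before and after the
// fix and whether the "before" name would have been flagged.
function audit(region: string): { service: string; before: string; after: string; broken: boolean }[] {
  return [S3_MULTI_REGION_ACCESS_POINTS, CODECATALYST, SSM].map(s => {
    const before = s.nameAlwaysRegional(region);
    return { service: s.shortName, before, after: s.name(region), broken: looksMisqualified(before, region) };
  });
}

for (const row of audit('eu-west-1')) {
  console.log(`${row.service}: before=${row.before} after=${row.after} broken=${row.broken}`);
}
```

The `looksMisqualified` check is deliberately conservative: it only fires when a region segment and a global marker appear in the same name, so correctly built regional names such as `com.amazonaws.eu-west-1.ssm` pass and correctly built global names pass as well. Running the same check against the `ServiceName` values returned by `aws ec2 describe-vpc-endpoint-services` (as in the PR description) is a cheap way to catch a mis-qualified endpoint before a DNS lookup fails in production.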