Tags: amazon-web-services, amazon-vpc, aws-fargate, aws-vpc-peering

AWS: connect to VPC endpoint in Accepter VPC from fargate task in Requester VPC


I have two VPCs within the same account and region, VPC-A and VPC-B. I have created a VPC peering connection between the two, where VPC-A is the accepter and VPC-B is the requester.

VPC-A contains a few Interface endpoints to be able to access AWS services (ECR, SSM, Logs) w/o a public IP (which works fine).

Now I'd like to start a Fargate task in VPC-B that also doesn't have a public IP, hoping I could use the peering connection to access the required endpoints in VPC-A, but I can't make it work.

When I start the Fargate task in VPC-B, I get a CannotPullContainerError with the message:

request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

indicating that the endpoint cannot be reached.

However, when I run a reachability analysis using the elastic network interface of the same task as source, and the desired VPC endpoint as destination, it returns a Reachable result with the expected path (IDs redacted):


I think I might be missing some configuration somewhere, but where? Or is this even possible?


Solution

  • Think DNS.

    Your Fargate service needs to route com.amazonaws.eu-west-1.ecr.dkr etc. to an IP address in VPC-B rather than over an internet gateway.

    I think when you create the endpoint and enable DNS for it in VPC-A, it creates a private hosted zone with a record like:

    com.amazonaws.eu-west-1.ecr.dkr = [ip.address.1, ip.address.2]

    Each of the records in the array is an IP for the interface endpoint you have created. The private hosted zone is attached to VPC-A but hidden from you so you can't just attach it to VPC-B.

    I don't think there is any direct configuration you are missing, i.e. the intent is for the interface endpoint to work within a single VPC.

    However, there are ways you might make it work from VPC-B. These are untested, a bit hacky, maybe not worth the effort, but could maybe work.

    Option 1:

    Create a private hosted zone, for example for the domain com.amazonaws.eu-west-1.ecr.dkr, and attach it to VPC-B. Create an A record at the zone apex with multiple values, one for each of the IP addresses in VPC-A for your interface.

    You would need to repeat this for all the required interfaces, so it could be a bit tedious. Theoretically, DNS would resolve this record first and route it over the peering connection to the interface IP.

    Option 2:

    https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions-hostentry.html

    You could try adding an entry for example for:

    com.amazonaws.eu-west-1.ecr.dkr=ip.address.1

    You could only add one IP address for a given domain this way, but in theory the task should route that traffic over the peering connection to the interface.

    This assumes your interface endpoint policy and security group would not block the network traffic.

    Again, this may not work, but it might point you in the direction of where your issues are. Hopefully, anyway.
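A worked version of both options, added here as an example that is not part of the question or the answer above. It assumes (my assumption, not something the answer states) that what the task actually resolves are the endpoints' private DNS names, such as `<account>.dkr.ecr.eu-west-1.amazonaws.com` or `logs.eu-west-1.amazonaws.com`, so each endpoint service name is mapped to the zone that must exist in VPC-B; the `plan_zones`, `change_batch`, `host_entries` and `apply` functions, the IPs and the account id are all constructed for the example.

```python
import ipaddress

# Zone behind each interface endpoint service and the label to create in it.
# Assumption: these follow AWS's documented private DNS name patterns.
SERVICE_ZONES = {
    "ecr.dkr": ("dkr.ecr.{region}.amazonaws.com", "*"),  # covers <account>.dkr.ecr...
    "ecr.api": ("api.ecr.{region}.amazonaws.com", "@"),  # "@" = zone apex
    "ssm": ("ssm.{region}.amazonaws.com", "@"),
    "logs": ("logs.{region}.amazonaws.com", "@"),
}

def plan_zones(region, endpoint_ips):
    """endpoint_ips: {"com.amazonaws.<region>.<svc>": [eni_ip, ...]} read off the
    endpoints in VPC-A. Returns {zone: {record_name: [ips]}} to create as private
    hosted zones associated with VPC-B (Option 1). Only plain IPv4 ENI addresses
    may land in DNS; anything else raises before it is written."""
    prefix, plan = f"com.amazonaws.{region}.", {}
    for service_name, ips in endpoint_ips.items():
        if not service_name.startswith(prefix):
            raise ValueError(f"unexpected service name {service_name}")
        svc = service_name[len(prefix):]
        if svc not in SERVICE_ZONES:
            raise ValueError(f"no zone mapping for {svc}")
        zone_tpl, label = SERVICE_ZONES[svc]
        zone = zone_tpl.format(region=region)
        record = zone if label == "@" else f"{label}.{zone}"
        plan.setdefault(zone, {})[record] = sorted(str(ipaddress.IPv4Address(ip)) for ip in ips)
    return plan

def change_batch(records):
    """Route 53 ChangeResourceRecordSets payload for one zone from plan_zones()."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "A", "TTL": 60,
        "ResourceRecords": [{"Value": v} for v in values]}}
        for name, values in sorted(records.items())]}

def host_entries(region, account_id, endpoint_ips):
    """Option 2: ECS HostEntry list, one IP per hostname; '*' becomes the registry host."""
    return [{"hostname": name.replace("*", account_id, 1), "ipAddress": ips[0]}
            for records in plan_zones(region, endpoint_ips).values()
            for name, ips in records.items()]

def apply(region, consumer_vpc_id, endpoint_ips):
    """Create the zones in VPC-B with boto3 (needs credentials; not exercised by the test)."""
    import boto3, uuid
    r53 = boto3.client("route53")
    for zone, records in plan_zones(region, endpoint_ips).items():
        zone_id = r53.create_hosted_zone(Name=zone, CallerReference=str(uuid.uuid4()),
            VPC={"VPCRegion": region, "VPCId": consumer_vpc_id},
            HostedZoneConfig={"PrivateZone": True})["HostedZone"]["Id"]
        r53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=change_batch(records))
```

Whichever option is used, the endpoint's security group in VPC-A still has to allow TCP 443 from VPC-B's CIDR, which is the caveat the answer ends on.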