I have two VPCs: one is a mgmt VPC with all the necessary VPC interface endpoints connecting to AWS services, and the other is a peered VPC with an established peering connection to the mgmt VPC. I have tried to SSH into my instance (call it instance A) in the peered VPC and call the AWS API through the CLI with the following command
aws ec2 describe-instances
but the connection still times out every time.
I have checked my VPC endpoint security group and double confirmed that I have set it to allow all incoming traffic from the security group attached to instance A. And instance A's security group is set to allow all traffic egress to the VPCE security group.
Does anyone know about or has anyone encountered this issue before? Is there anything I missed or did wrong?
EDIT: My peered VPC has several subnets, with the only IGW located in the ingress/egress tier subnets. The web tier subnets contain the instances from which I am trying to call the VPCE, and those subnets have a NAT gateway.
For the mgmt VPC the only way to SSH in is through a jumphost instance inside the VPC.
The routing tables for web tier subnets are as follows:
Destination          Target
100.113.189.0/24     pcx-0d3974s489064s3sd
100.113.206.0/24     local
10.196.162.128/25    local
The security group for the web tier subnet instances is as follows:
Outbound
Port Range   Protocol   Source
All          All        sgrp-<vpce_to_ec2>
The routing table for the subnet with the VPCE in the mgmt VPC:
Destination          Target
100.113.206.0/24     pcx-0d3974c6890640bd2
100.113.189.0/24     local
10.196.157.128/25    local
pl-6fa54006          vpce-<this_is_for_s3>
For the VPCE-to-EC2 security group:
Inbound
Port Range   Protocol   Source
All          All        sgrp-<web_tier_instance>
All          All        100.113.189.0/24
Note that each VPC has two CIDR blocks assigned. There is also an S3 gateway endpoint in the mgmt VPC.
Based on the comments.
I tried to reproduce the issue and the OP's architecture and can verify that the connection to the endpoint works if --endpoint-url is used.
aws ec2 describe-instances --endpoint-url https://vpce-05c21657a045fff54-puytslup.ec2.us-east-1.vpce.amazonaws.com
In the above, the endpoint URL (vpce-05c21657a045fff54-puytslup.ec2.us-east-1.vpce.amazonaws.com) can be obtained from the VPC interface endpoint details.
It may be possible that enabling DNS resolution support for the peering connection also works. In that case --endpoint-url may not be needed. However, I haven't verified that in my tests, as I only focused on solving the issue with --endpoint-url.
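As an added example (not part of the question or the answer above), the following Python picks the endpoint's regional DNS name out of `aws ec2 describe-vpc-endpoints` output and builds the `--endpoint-url` form of the command to run from the peered VPC; the endpoint ID, DNS suffix and sample JSON are constructed, and the zonal and private-DNS entries shown are what an interface endpoint's DnsEntries list normally contains.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output for the
# endpoint in the mgmt VPC (hypothetical endpoint ID and DNS suffix).
SAMPLE_DESCRIBE_VPC_ENDPOINTS = json.dumps({
    "VpcEndpoints": [{
        "VpcEndpointId": "vpce-0123456789abcdef0",
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.us-east-1.ec2",
        "PrivateDnsEnabled": True,
        "DnsEntries": [
            # regional name: resolves to the endpoint ENIs from any VPC routed to them
            {"DnsName": "vpce-0123456789abcdef0-abcd1234.ec2.us-east-1.vpce.amazonaws.com"},
            # zonal name: pins traffic to the ENI in one AZ
            {"DnsName": "vpce-0123456789abcdef0-abcd1234-us-east-1a.ec2.us-east-1.vpce.amazonaws.com"},
            # private DNS name: the default the CLI uses; maps to the endpoint only inside its own VPC
            {"DnsName": "ec2.us-east-1.amazonaws.com"},
        ],
    }]
})


def is_regional_endpoint_name(dns_name):
    """True for the endpoint's non-zonal name: vpce-<id>-<suffix>.<svc>.<region>.vpce.amazonaws.com"""
    first_label = dns_name.split(".")[0]
    return (dns_name.endswith(".vpce.amazonaws.com")
            and first_label.startswith("vpce-")
            and first_label.count("-") == 2)


def regional_endpoint_url(describe_output, service_name):
    """Return https://<regional endpoint name> for service_name, or None if not found."""
    for vpce in json.loads(describe_output)["VpcEndpoints"]:
        if vpce.get("VpcEndpointType") != "Interface" or vpce.get("ServiceName") != service_name:
            continue
        for entry in vpce.get("DnsEntries", []):
            if is_regional_endpoint_name(entry["DnsName"]):
                return "https://" + entry["DnsName"]  # the CLI requires an explicit scheme
    return None


def describe_instances_command(describe_output, service_name="com.amazonaws.us-east-1.ec2"):
    """CLI command to run from the peered VPC, or None when no matching endpoint exists."""
    url = regional_endpoint_url(describe_output, service_name)
    return None if url is None else "aws ec2 describe-instances --endpoint-url " + url


if __name__ == "__main__":
    print(describe_instances_command(SAMPLE_DESCRIBE_VPC_ENDPOINTS))
```

Pass the printed command's URL on the instance in the peered VPC; the private DNS name (ec2.us-east-1.amazonaws.com) is deliberately never chosen, because from outside the endpoint's VPC it does not resolve to the endpoint.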