Resolving private API Gateway endpoint from another VPC via a VPC peering link

  • In VPC A, I've set up an API Gateway private API endpoint (xxxxxxxxxx.execute-api.eu-central-1.amazonaws.com)
  • I have set up a VPC peering link between VPC A and VPC B. DNS resolution has been enabled
  • Both VPCs have DNS names and DNS resolution enabled.
  • Instances in VPC A can reach the API endpoint successfully.

Instances in VPC B can resolve DNS names of instances in VPC A and vice versa.

HERE IS THE PROBLEM

  • Instances in VPC B cannot resolve execute-api.eu-central-1.amazonaws.com

TRIED USING ROUTE53 RESOLVER ENDPOINTS

  • I set up a Route53 inbound endpoint in VPC A
resource "aws_route53_resolver_endpoint" "inbound_resolver_ep" {
  # Inbound endpoint in VPC A: receives queries forwarded from VPC B and
  # answers them with VPC A's own resolver, which knows the private DNS
  # name of the execute-api interface endpoint.
  name               = "private-api-inbound-resolver-endpoint"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.inbound_resolver_ep_sg.id]

  # One ENI per AZ; these are the addresses the VPC B rule forwards to.
  ip_address {
    subnet_id = aws_subnet.private_sn_az1.id
    ip        = "10.0.1.10"
  }
  ip_address {
    subnet_id = aws_subnet.private_sn_az2.id
    ip        = "10.0.2.10"
  }

  tags = {
    Name = "private-api-inbound-resolver-endpoint"
  }
}

In VPC B I set up an outbound Route53 endpoint with 1 resolver rule

resource "aws_route53_resolver_endpoint" "outbound_resolver_ep" {
  # Outbound endpoint in VPC B: the ENIs from which forwarded queries
  # leave VPC B towards the inbound endpoint in VPC A.
  name               = "private-api-outbound-resolver-endpoint"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.outbound_resolver_ep_sg.id]

  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az1.id
    ip        = "172.128.1.10"
  }
  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az2.id
    ip        = "172.128.2.10"
  }

  tags = {
    Name = "private-api-resolver-endpoint"
  }
}

resource "aws_route53_resolver_rule" "private_api_resolver_rule" {
  # Forwarding rule: queries for names under domain_name (and only those)
  # are sent through the outbound endpoint to the target IPs below, so
  # domain_name must be a suffix of the API hostname being looked up.
  name        = "private-api-resolver-rule"
  domain_name = var.private_api_domain_name
  rule_type   = "FORWARD"

  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound_resolver_ep.id

  # Targets are the inbound endpoint addresses in VPC A (reachable via peering).
  target_ip {
    ip = "10.0.1.10"
  }
  target_ip {
    ip = "10.0.2.10"
  }

  tags = {
    Name = "private-api-resolver-rule"
  }
}

RESULTS

  • Same as before. I can resolve instance DNS names in both VPCs. Instances in VPC B can resolve the Interface Endpoint of the private API Gateway. But instances in VPC B cannot resolve the DNS name of the private API Gateway endpoint.
sh-5.2$ nslookup scnejgvlzb.execute-api.eu-central-1.amazonaws.com
Server:         172.128.0.2
Address:        172.128.0.2#53

** server can't find scnejgvlzb.execute-api.eu-central-1.amazonaws.com: NXDOMAIN

sh-5.2$ curl -X POST https://scnejgvlzb.execute-api.eu-central-1.amazonaws.com/dev/claim
curl: (6) Could not resolve host: scnejgvlzb.execute-api.eu-central-1.amazonaws.com

sh-5.2$ nslookup vpce-0e7d18d5586aefb59-o8c71fb8-eu-central-1a.execute-api.eu-central-1.vpce.amazonaws.com
Server:         172.128.0.2
Address:        172.128.0.2#53

Non-authoritative answer:
Name:   vpce-0e7d18d5586aefb59-o8c71fb8-eu-central-1a.execute-api.eu-central-1.vpce.amazonaws.com
Address: 10.0.1.199

sh-5.2$ nslookup ip-10-0-1-97.eu-central-1.compute.internal
Server:         172.128.0.2
Address:        172.128.0.2#53

Non-authoritative answer:
Name:   ip-10-0-1-97.eu-central-1.compute.internal
Address: 10.0.1.97

sh-5.2$

sh-5.2$ ping ip-10-0-1-187.eu-central-1.compute.internal
PING ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187) 56(84) bytes of data.
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=1 ttl=127 time=0.299 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=2 ttl=127 time=0.432 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=3 ttl=127 time=0.470 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=4 ttl=127 time=0.406 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=5 ttl=127 time=0.412 ms
^C
--- ip-10-0-1-187.eu-central-1.compute.internal ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4095ms
rtt min/avg/max/mdev = 0.299/0.403/0.470/0.056 ms
sh-5.2$

sh-5.2$ curl http://ip-10-0-1-187.eu-central-1.compute.internal
<html><body><h1>It works!</h1></body></html>
sh-5.2$


NB

  • This is my first time working with R53 resolver endpoints so I might be missing something.
  • The project is deployed with Terraform. In the project, VPC A is called api_vpc and VPC B is called client_vpc.
  • curl to HTTP port 80 and pings to DNS names from client_vpc instances to api_vpc work.
  • But client_vpc cannot resolve execute-api.eu-central-1.amazonaws.com

I tried setting inbound and outbound route53 resolver endpoints to resolve execute-api.eu-central-1.amazonaws.com

But it still didn't work


There are 0 answers
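As an added example (not part of the question and not AWS tooling), the following Python check exercises the two conditions that most often break this kind of forwarding setup: the rule's domain_name has to be a suffix of the queried API hostname (Route 53 Resolver forwards a query using the most specific matching rule), and the rule's target IPs have to be the inbound endpoint addresses that are reachable across the peering link. VPC A's CIDR and the value of var.private_api_domain_name are assumptions.

```python
import ipaddress

# Constructed from the question: the inbound endpoint addresses in VPC A and the
# API hostname that VPC B fails to resolve. VPC A's CIDR (10.0.0.0/16) is assumed.
INBOUND_EP_IPS = {"10.0.1.10", "10.0.2.10"}
VPC_A_CIDR = ipaddress.ip_network("10.0.0.0/16")
API_HOST = "scnejgvlzb.execute-api.eu-central-1.amazonaws.com"

def _labels(name):
    return name.rstrip(".").lower().split(".")

def select_rule(rules, qname):
    """Return the most specific FORWARD rule whose domain_name is a suffix of
    qname (Route 53 Resolver picks the longest matching domain), or None."""
    q = _labels(qname)
    best = None
    for rule in rules:
        d = _labels(rule["domain_name"])
        if len(d) <= len(q) and q[-len(d):] == d:
            if best is None or len(d) > len(_labels(best["domain_name"])):
                best = rule
    return best

def check_forwarding(rule, qname, inbound_ips, peer_cidr):
    """List the reasons a forwarding rule would not get qname answered by the
    inbound endpoint in the peered VPC; an empty list means the rule looks sane."""
    findings = []
    if select_rule([rule], qname) is None:
        findings.append(f"domain_name {rule['domain_name']!r} is not a suffix of {qname}")
    for ip in rule["target_ips"]:
        if ip not in inbound_ips:
            findings.append(f"target {ip} is not an inbound endpoint address")
        if ipaddress.ip_address(ip) not in peer_cidr:
            findings.append(f"target {ip} lies outside peered CIDR {peer_cidr}")
    return findings

# The rule as it should look for this API (domain is the execute-api suffix) ...
GOOD_RULE = {"domain_name": "execute-api.eu-central-1.amazonaws.com",
             "target_ips": ["10.0.1.10", "10.0.2.10"]}
# ... and a hypothetical var.private_api_domain_name value that never matches.
BAD_RULE = {"domain_name": "api.internal.example",
            "target_ips": ["10.0.1.10", "10.0.2.10"]}

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE):
        problems = check_forwarding(rule, API_HOST, INBOUND_EP_IPS, VPC_A_CIDR)
        print(rule["domain_name"], "->", problems or "ok")
```

Once forwarding does work, VPC B receives the interface endpoint's private addresses (such as the 10.0.1.199 seen above), so the endpoint's security group also has to allow TCP 443 from VPC B's CIDR.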