
We have 2 regions, primary and secondary where the VPC is configured so that the EC2 instances in that VPC would make requests to a private VPC endpoint that would serve up DynamoDB from that region. Our Amazon DynamoDB tables are global tables. The goal is to have our requests stay within the Amazon network for security reasons.

We have a scheduled task that would run on an EC2 instance in our primary region. We want to make it more resilient by having it fail over DynamoDB requests to the secondary region in the event that the primary region DynamoDB service is degraded. This was recommended by AWS in the Availability and Durability section.

I've looked through this documentation: Endpoints for Amazon DynamoDB and Using Amazon VPC Endpoints to Access DynamoDB, but they don't seem to offer any solution. Is it even possible to make requests to a private VPC endpoint from another region?

The goal is to have multi-region resilience and good security by not having requests go out to the internet.

smac2020
Jimmy Vo

1 Answer

Unfortunately this isn't possible from the documentation at https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html:

Endpoints currently do not support cross-region requests—ensure that you create your endpoint in the same Region as your DynamoDB tables.

Also documented here: https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html#vpc-endpoints-limitations

Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

Michael Anckaert
  • Are you aware of any other patterns that allow requests between multiple regions and stay within the Amazon network? – Jimmy Vo Aug 30 '21 at 14:59
  • @JimmyVo If you're using DynamoDB then have a look at Global Tables, which are a multi-region, multi-active database. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GlobalTables.html – Michael Anckaert Aug 30 '21 at 15:00
  • Yes, my tables are already global tables, which is why I know it's OK for my applications from the primary region to access DynamoDB from the secondary region and there wouldn't be any data issue. The problem is how to keep the requests within the Amazon network. – Jimmy Vo Aug 30 '21 at 15:06
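As an added example that is not part of the question or the answer: a small pre-flight check for the scheduled task that derives, from the output of `ec2.describe_vpc_endpoints()`, which regions' DynamoDB API the VPC can reach through a gateway endpoint, and refuses a failover target that would only be reachable over the public endpoint. The VPC id, route table id, endpoint id and the region names are constructed sample values; the `com.amazonaws.<region>.dynamodb` service-name pattern is the one gateway endpoints for DynamoDB use.

```python
import re
from typing import Dict, Iterable, Set

# Gateway endpoint service names look like com.amazonaws.<region>.dynamodb.
_DDB_SERVICE = re.compile(r"^com\.amazonaws\.(?P<region>[a-z0-9-]+)\.dynamodb$")


def private_dynamodb_regions(vpc_id: str, vpc_region: str, response: Dict) -> Set[str]:
    """Regions whose DynamoDB API is reached from vpc_id through an available
    gateway endpoint attached to at least one route table. `response` has the
    shape of ec2.describe_vpc_endpoints(). A gateway endpoint only serves the
    region the VPC lives in, so the result is {vpc_region} or empty."""
    regions: Set[str] = set()
    for ep in response.get("VpcEndpoints", []):
        m = _DDB_SERVICE.match(ep.get("ServiceName", ""))
        if m is None or ep.get("VpcId") != vpc_id:
            continue
        if (ep.get("VpcEndpointType") == "Gateway" and ep.get("State") == "available"
                and ep.get("RouteTableIds") and m.group("region") == vpc_region):
            regions.add(m.group("region"))
    return regions


def choose_dynamodb_region(candidates: Iterable[str], private_regions: Set[str]) -> str:
    """Return the first candidate (primary first, then failovers) that has a
    private path. Refuse, rather than silently use the public endpoint, when
    none does; the caller decides whether to retry later or alert."""
    order = list(candidates)
    for region in order:
        if region in private_regions:
            return region
    raise RuntimeError(f"no private DynamoDB path in {order}; "
                       f"gateway endpoints cover {sorted(private_regions)}")


# Constructed sample of describe_vpc_endpoints() output from the primary VPC.
SAMPLE_RESPONSE = {"VpcEndpoints": [{
    "VpcEndpointId": "vpce-0123456789abcdef0", "VpcEndpointType": "Gateway",
    "VpcId": "vpc-0abc", "ServiceName": "com.amazonaws.us-east-1.dynamodb",
    "State": "available", "RouteTableIds": ["rtb-0def"],
}]}

if __name__ == "__main__":
    private = private_dynamodb_regions("vpc-0abc", "us-east-1", SAMPLE_RESPONSE)
    print(choose_dynamodb_region(["us-east-1", "us-west-2"], private))
    # Simulated primary degradation: only the secondary region is a candidate.
    try:
        choose_dynamodb_region(["us-west-2"], private)
    except RuntimeError as exc:
        print(exc)
```

With the primary healthy the task is routed to us-east-1; once only the secondary region is a candidate the check raises, because no gateway endpoint in the primary VPC can carry traffic to the other region's DynamoDB service.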