AWS beanstalk PrivateLink not connecting

Question

I have the following setup

• A single VPC
• 2 Public subnets across 2 AZ (containing AWS Beanstalk app with exposes an api)
• 2 Private subnets across 2 AZ (containing Lambda function)
• 1 Interface VPC Endpoint for Elastic beanstalk (Service name com.amazonaws.us-east-2.elasticbeanstalk)

Instead of creating a NAT gateway for my lambda function to be able to access the AWS Beanstalk app apis over the internet , i want to create a VPC endpoint so that i can access aws beanstalk within AWS internal network from my lambda function.

The public subnet has security groups that allow web traffic (port 80/443)

The VPC endpoint is associated with the private subnets and its security groups allow web traffic traffic(Port 80/443).

The lambda function is also associated with the private subnets and its security groups allow web traffic traffic(Port 80/443).

DNS resolution and DNS hostnames are enabled at VPC level.

I copied the Endpoint dns name to form the url that is being called by the lambda function and i get a timeout

Even after i tried all steps above, AWS Lambda cannot access the beanstalk app api.

Simplified lambda function:

def lambda_handler(event, context):
    
    http = urllib3.PoolManager()
    r = http.request('GET', 'http://vpce-**********.elasticbeanstalk.us-east-2.vpce.amazonaws.com/')
    print(r.data)
    
    # TODO implement
    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }

The Elastic beanstalk app is available over the internet at http://sample-app-dev.******.us-east-2.elasticbeanstalk.com/

What am i missing here?

Answer 1

If I understand correctly, you managed to create a VPC Endpoint which will let you access the Elastic Beanstalk AWS Service (where you can do administration for your EB instances). You did not expose your application itself deployed using Elastic Beanstalk.

I'm saying this, because in order to expose your EB application from a VPC, first you have to create an Endpoint Service which connects to a Network Load Balancer. The EB application needs to be registered as a target for this load balancer (which is easy if you have an Application Load Balancer for EB). This will give you and service name, from which you can create an Endpoint in the other VPC (consumer VPC), where you can find the service by name:

If you found your service, you can place and Endpoint into your consumer VPC to which you can connect.

Nevertheless, if both of your VPCs are in the same AWS account, having exposing a service through PrivateLink might be overkill. Probably a VPC peering would suffice.

Update - short tutorial for PrivateLink setup:

1. Create a Network Load Balancer in the VPC in which your EB application is deployed. This will ask you to create a Target Group, so open the link to create one.

2. For the Target Groups for the Load Balancer create a new one and select Application Load Balancer.

3. Register the load balancer from the EB application to the target group.

4. Make sure you select the Target Group created before for the network load balancer.

5. Wait until the load balancer provisions. It should be in the active state.

6. Go to VPC -> Endpoint Service and create a new Endpoint Service (PrivateLink). You will have to give the name of the load balancer here:

7. Grab the Endpoint Service name:

8. Go to Endpoints and search for the endpoint name:

9. Attach a security group for the Endpoint which allows HTTP/HTTPS inbound traffic from the VPC:

10. Create the Endpoints:

It might require acceptance, so go back to the Endpoint Service and accept the request.

This should also go from pending to available.

11. At this point you should be able to access the EB application using the DNS from the Endpoint.