
I have a VPC created using the VPC wizard

  • one AZ
  • one Public subnet, one Private subnet
  • one NAT Gateway
  • one Gateway Endpoint for S3

I then manually created an Interface Endpoint for EC2

I launched an EC2 instance in the private subnet and also a bastion host in the public subnet (so that I can ssh to the EC2 instance in the private subnet)

The question: After creating the Interface Endpoint to EC2, how do I ensure/check that the traffic is going over the endpoint and not the internet?

There are ways to check this behavior for the Gateway Endpoint - as shown here

Thanks in advance.

user10101904
  • Your link has the answer. So what's exactly the issue? – Marcin May 15 '22 at 23:49
  • Use the DNS provided by the interface endpoint: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html – Ervin Szilagyi May 15 '22 at 23:49
  • @Marcin The link shows how to test the Gateway Endpoint and not the Interface Endpoint. Even if I follow the same guidelines and do "traceroute -n -T -p 443 ec2..amazonaws.com", I do not see it getting to the final destination as I would see with s3..amazonaws.com – user10101904 May 16 '22 at 01:07
  • So what do you see? Can you update your question with the relevant information? – Marcin May 16 '22 at 01:57

1 Answer


Thanks @Marcin and @ErvinSzilagyi

Turns out that I needed to have the relevant inbound rules in my SG

  • Based on the Interface Endpoint being used and the port, the security group attached to the VPC endpoint must allow incoming connections on the relevant port from private subnet of the VPC

After I enabled inbound rules on port 443 (https), I could do these tests to confirm connectivity happens only via Interface Endpoint.

Note: I am showing examples below for AWS Batch - the same can be done for any Interface Endpoint (if trying a different endpoint, say the SMTP endpoint, make sure you change the port number in the command accordingly)

  • sudo traceroute -n -T -p 443 batch.< region >.amazonaws.com
  • sudo telnet batch.< region >.amazonaws.com 443
  • sudo nslookup < DNS Name of Batch Interface Endpoint >

sudo traceroute -n -T -p 443 batch.< region >.amazonaws.com

1  * * *
2  * * *
3  * * *
4  < IP Address >  1.313 ms  1.587 ms  1.463 ms

sudo telnet batch.< region >.amazonaws.com 443

Trying IP Address ...
Connected to batch.< region > .amazonaws.com.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

Useful link for closing Telnet connections - I had trouble getting the escape characters correct: https://www.redhat.com/sysadmin/telnet-netcat-troubleshooting

Now, if I did sudo nslookup < DNS Name of Batch Interface Endpoint > , it would give me the IP address reflected by the above 2 commands and other useful info.

Other useful links:

Hope this will help all.

user10101904
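As an added example (not part of the answer above), the script below automates the same check from the private-subnet instance: it resolves the service name the way nslookup does, decides whether the returned addresses sit inside the VPC CIDR (private DNS pointing at the endpoint ENI) or are public (traffic would still leave via the NAT Gateway), and then attempts the TCP handshake on 443 that the telnet test performs. The VPC CIDR, region and hostname are constructed placeholders, and the resolver/connector arguments exist only so the logic can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List

# Constructed placeholders: replace with your VPC CIDR and the service under test.
VPC_CIDR = "10.0.0.0/16"
SERVICE_HOST = "batch.us-east-1.amazonaws.com"

def classify_path(addresses: Iterable[str], vpc_cidr: str) -> str:
    """With private DNS enabled on the interface endpoint, the regional service
    name resolves to the endpoint ENI's private IP inside the VPC CIDR; public
    addresses mean traffic would still leave through the NAT Gateway."""
    net = ipaddress.ip_network(vpc_cidr)
    inside = [a for a in addresses if ipaddress.ip_address(a) in net]
    outside = [a for a in addresses if ipaddress.ip_address(a) not in net]
    if inside and not outside:
        return "interface-endpoint"
    if outside and not inside:
        return "internet"
    return "mixed" if inside else "unresolved"

def resolve_ipv4(host: str) -> List[str]:
    """What nslookup shows: the IPv4 addresses the VPC resolver returns."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def _connect(addr: str, port: int, timeout: float) -> None:
    # Real TCP handshake; raises OSError (timeout/refused) when it fails.
    socket.create_connection((addr, port), timeout=timeout).close()

def tcp_reachable(addr: str, port: int = 443, timeout: float = 3.0,
                  connector: Callable = _connect) -> bool:
    """The telnet test. Failure on an in-VPC address usually means the endpoint's
    security group has no inbound rule for the port from the private subnet."""
    try:
        connector(addr, port, timeout)
        return True
    except OSError:
        return False

def check_endpoint(host: str, vpc_cidr: str, resolver: Callable = resolve_ipv4,
                   connector: Callable = _connect) -> dict:
    addrs = resolver(host)
    path = classify_path(addrs, vpc_cidr)
    reachable = tcp_reachable(addrs[0], connector=connector) if addrs else False
    return {"host": host, "addresses": addrs, "path": path, "tcp443": reachable}

if __name__ == "__main__":
    print(check_endpoint(SERVICE_HOST, VPC_CIDR))
```

A result of path "internet" from inside the private subnet means private DNS is not taking effect for that name; "interface-endpoint" with tcp443 False points at the endpoint security group, which is exactly the failure the answer describes.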