I set the VPC Endpoint to ecs.ap-northeast-1.amazonaws.com, then, on the EC2 node in this VPC, I tested:
$ dig +short ecs.ap-northeast-1.amazonaws.com
52.119.220.167
It still uses the global address.
So I tried to check whether this endpoint is accessible from the instance with Reachability Analyzer.
As a result, the path from the instance to the endpoint is reachable and it uses a private IP address.
Outbound header:
172.18.125.102/32 0-65535 TCP 172.18.125.133/32 0-65535
Inbound header:
172.18.125.102/32 0-65535 TCP 172.18.125.133/32 0-65535
So the problem is that the VPC endpoint is working but the EC2 node doesn't use the internal DNS.
Why does this happen, and how can I fix it?
(By the way, is this related to permissions? If so, where can I see the error code? I can't find any clue in CloudTrail.)
I guess this is because of DNS.
So I tried to check the DNS, and it returns an ADDITIONAL SECTION:
[ec2-user@ip-172-18-125-133 ~]$ dig logs.ap-northeast-1.amazonaws.com NS
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.90.amzn1 <<>> logs.ap-northeast-1.amazonaws.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7113
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8
;; QUESTION SECTION:
;logs.ap-northeast-1.amazonaws.com. IN NS
;; ANSWER SECTION:
logs.ap-northeast-1.amazonaws.com. 6745 IN NS ns-727.awsdns-26.net.
logs.ap-northeast-1.amazonaws.com. 6745 IN NS ns-2000.awsdns-58.co.uk.
logs.ap-northeast-1.amazonaws.com. 6745 IN NS ns-261.awsdns-32.com.
logs.ap-northeast-1.amazonaws.com. 6745 IN NS ns-1057.awsdns-04.org.
;; ADDITIONAL SECTION:
ns-727.awsdns-26.net. 72139 IN A 205.251.194.215
ns-727.awsdns-26.net. 72139 IN AAAA 2600:9000:5302:d700::1
ns-2000.awsdns-58.co.uk. 81896 IN A 205.251.199.208
ns-2000.awsdns-58.co.uk. 81896 IN AAAA 2600:9000:5307:d000::1
ns-261.awsdns-32.com. 2908 IN A 205.251.193.5
ns-261.awsdns-32.com. 2908 IN AAAA 2600:9000:5301:500::1
ns-1057.awsdns-04.org. 55934 IN A 205.251.196.33
ns-1057.awsdns-04.org. 55934 IN AAAA 2600:9000:5304:2100::1
;; Query time: 5 msec
;; SERVER: 128.1.100.205#53(128.1.100.205)
;; WHEN: Thu Aug 10 10:56:47 2023
;; MSG SIZE rcvd: 364
I checked the DHCP option set of the VPC.
There are multiple domain name servers, such as 128.1.100.xxx, 128.1.100.xxx, AmazonProvidedDNS.
Is that relevant?
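An added diagnostic from the editor, not part of the original post: it classifies an endpoint lookup by whether the returned addresses fall inside the VPC and whether the answering server is the Amazon-provided resolver (169.254.169.253 or the VPC CIDR base plus two), which is the only resolver that consults the Route 53 private hosted zone that an interface endpoint's private DNS creates. The VPC CIDR 172.18.0.0/16 is an assumption inferred from the addresses in the post; the resolver address and A record are the ones shown in the dig output.

```python
import ipaddress
import shutil
import subprocess

# Amazon-provided resolver ("AmazonProvidedDNS"): link-local address or VPC base + 2.
LINK_LOCAL_RESOLVER = ipaddress.ip_address("169.254.169.253")

def amazon_provided_resolver(vpc_cidr: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_network(vpc_cidr).network_address + 2

def resolver_is_amazon_provided(resolver_ip: str, vpc_cidr: str) -> bool:
    ip = ipaddress.ip_address(resolver_ip)
    return ip == LINK_LOCAL_RESOLVER or ip == amazon_provided_resolver(vpc_cidr)

def diagnose(answers, resolver_ip: str, vpc_cidr: str) -> dict:
    """answers: A records returned; resolver_ip: dig's ';; SERVER:' value; vpc_cidr: VPC range."""
    vpc = ipaddress.ip_network(vpc_cidr)
    in_vpc = [a for a in answers if ipaddress.ip_address(a) in vpc]
    if answers and len(in_vpc) == len(answers):
        verdict = "private-dns-ok"  # endpoint ENI addresses came back
    elif not resolver_is_amazon_provided(resolver_ip, vpc_cidr):
        # A custom resolver never consults the endpoint's private hosted zone.
        verdict = "resolver-bypasses-private-hosted-zone"
    else:
        # Amazon resolver answered but returned public IPs: private DNS is off
        # on the endpoint, or DNS support/hostnames are disabled on the VPC.
        verdict = "private-dns-not-applied"
    return {"verdict": verdict, "resolver": resolver_ip, "in_vpc": in_vpc}

def resolve_with(name: str, server: str) -> list:
    """Live check for use on an instance: dig +short against one server."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    out = subprocess.run(["dig", "+short", f"@{server}", name], capture_output=True,
                         text=True, timeout=5, check=False).stdout
    ips = []
    for line in out.split():
        try:
            ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            pass  # CNAME targets are not addresses
    return ips

if __name__ == "__main__":
    name, cidr = "ecs.ap-northeast-1.amazonaws.com", "172.18.0.0/16"  # CIDR assumed
    print(diagnose(["52.119.220.167"], "128.1.100.205", cidr))  # replay of the post's result
    for server in ("128.1.100.205", str(amazon_provided_resolver(cidr))):
        print(server, diagnose(resolve_with(name, server), server, cidr)["verdict"])
```

Run on the instance, the live loop shows whether the custom server listed first in the DHCP option set and the VPC's own .2 resolver give different answers for the same endpoint name.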