EC2 in the VPC uses the global address even VPC endpoint is connected

Question

I set the VPC Endpoints toecs.ap-northeast-1.amazonaws.com

then ,in the EC2 Node in this VPC, I tested.

$dig +short ecs.ap-northeast-1.amazonaws.com
52.119.220.167

It still uses the global address.

So, I try to check this Endpoint is accessible from the Instance by Rechable Analyzer

As a result, from the Instance to the Endpoint is reachable and it uses private ip address.

outbound header
172.18.125.102/32 0-65535 TCP 172.18.125.133/32 0-65535

inbound header
172.18.125.102/32 0-65535 TCP 172.18.125.133/32 0-65535

So, The problem is that

VPC endpoint is working but EC2 node dosen't use internal DNS.

Why this happens? and how can I fix this?

(By the way, this is relevant with permission? if so ,where can I see the error code? I can't find any clue in CloudTrail)

I guess this is because of DNS.

So, I try to check the DNS

then it returns some ADDITIONAL SECTION.

[ec2-user@ip-172-18-125-133 ~]$ dig logs.ap-northeast-1.amazonaws.com NS

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.90.amzn1 <<>> logs.ap-northeast-1.amazonaws.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7113
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8

;; QUESTION SECTION:
;logs.ap-northeast-1.amazonaws.com. IN  NS

;; ANSWER SECTION:
logs.ap-northeast-1.amazonaws.com. 6745 IN NS   ns-727.awsdns-26.net.
logs.ap-northeast-1.amazonaws.com. 6745 IN NS   ns-2000.awsdns-58.co.uk.
logs.ap-northeast-1.amazonaws.com. 6745 IN NS   ns-261.awsdns-32.com.
logs.ap-northeast-1.amazonaws.com. 6745 IN NS   ns-1057.awsdns-04.org.

;; ADDITIONAL SECTION:
ns-727.awsdns-26.net.   72139   IN      A       205.251.194.215
ns-727.awsdns-26.net.   72139   IN      AAAA    2600:9000:5302:d700::1
ns-2000.awsdns-58.co.uk. 81896  IN      A       205.251.199.208
ns-2000.awsdns-58.co.uk. 81896  IN      AAAA    2600:9000:5307:d000::1
ns-261.awsdns-32.com.   2908    IN      A       205.251.193.5
ns-261.awsdns-32.com.   2908    IN      AAAA    2600:9000:5301:500::1
ns-1057.awsdns-04.org.  55934   IN      A       205.251.196.33
ns-1057.awsdns-04.org.  55934   IN      AAAA    2600:9000:5304:2100::1

;; Query time: 5 msec
;; SERVER: 128.1.100.205#53(128.1.100.205)
;; WHEN: Thu Aug 10 10:56:47 2023
;; MSG SIZE  rcvd: 364

I checked the DHCP option set of VPC.

There are multiple domain name server such as

128.1.100.xxx,128.1.100.xxx,AmazonProvidedDNS

Is it relevant?

score 0 · Answer 1 · answered Aug 10 '23 at 11:24

0

You have to enable private dns names for the endpoint.

answered Aug 10 '23 at 11:24

Marcin

215,873
14
235
294

Thank you for your comment, but private dns names of the endpoint is enabled. – whitebear Aug 10 '23 at 12:13
I found there are multiple domain name servers in DHCP Option set . I updated the article. – whitebear Aug 10 '23 at 16:27

EC2 in the VPC uses the global address even VPC endpoint is connected

1 Answers1