Overview of VPC Endpoints

Jul 27, 2024

Agenda

  • Introduction to VPC Endpoints
  • Explanation of issues VPC Endpoints solve
  • Demonstration of creating and interacting with a VPC Endpoint from a Lambda function in a private subnet

Introduction to VPC Endpoints

  • Purpose: Connect VPCs to various AWS services without utilizing the public internet.

The Problem without VPC Endpoints

  • Scenario: VPC with public and private subnets, EC2 instance in private subnet.
  • Issue: The EC2 instance cannot reach AWS services (e.g., S3) because the private subnet has no route to the internet.

Traditional Solution

  1. Create NAT Gateway: Network Address Translation to allow traffic to/from the internet.
  2. Internet Gateway: Default component for VPC allowing outbound internet traffic.
  3. Traffic Flow:
    • EC2 instance sends traffic to NAT Gateway → Internet Gateway → Public Internet → AWS Service (e.g., S3).
    • Return path follows the same route.
  4. Issues:
    • Cost: NAT Gateways are expensive, charged hourly.
    • Security: Traffic leaves the AWS Cloud and traverses the public internet, enlarging the attack surface.
    • Reliability: NAT Gateway as a single point of failure.

Solution: VPC Endpoints

  • No need for NAT Gateways
  • Stays within AWS Cloud for improved security
  • Steps:
    1. Create VPC Endpoint: Specific to the AWS service (e.g., S3).
    2. Security Groups:
      • Associate a security group with the VPC endpoint.
      • Associate an existing security group with the EC2 instance or Lambda function.
      • Configure rules for mutual communication.

Example Steps

  1. Create Security Groups:
    • Security Group for VPC Endpoint.
    • Security Group for Lambda/EC2.
  2. Configure Mutual Rules:
    • VPC Endpoint SG: Allow inbound traffic from the EC2/Lambda SG.
    • EC2/Lambda SG: Allow outbound traffic to the VPC Endpoint SG.
  3. DNS Hostnames and DNS Resolution: Ensure both are enabled in the VPC settings.

Demonstration of VPC Endpoint Setup

  • Prerequisites:
    • VPC with private subnet.
    • Default VPC can be used for walkthrough.

Steps in AWS Console

  1. Create Security Groups:
    • VPC Endpoint SG: Blank inbound/outbound rules initially.
    • Lambda SG: Blank inbound/outbound rules initially.
  2. Create VPC Endpoint:
    • Select appropriate AWS service (e.g., Step Functions).
    • Assign to private subnet.
    • Associate with the created security group.
  3. Create Lambda Function:
    • Associate with private subnet & security group.
    • Test function to ensure connectivity.
  4. Modify Security Group Rules:
    • VPC Endpoint SG: Allow all traffic from Lambda SG.
    • Lambda SG: Allow all traffic to VPC Endpoint SG.

Testing & Validation

  • Initial Test: With blank security group rules, expect a timeout error.
  • After Rule Changes: Expect the call to reach the service; an error returned by the service itself (rather than a timeout) confirms connectivity through the endpoint.
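The console steps and the timeout-versus-service-error test above can be checked before deploying. The following is an added example, not part of the original notes: it reads dicts shaped like the output of describe_security_groups and describe_vpc_endpoints (the group IDs, endpoint ID and rules below are constructed) and reports why a Lambda in the private subnet would time out. It uses tcp/443 pair rules rather than the "All traffic" rules from step 4.

```python
# Added pre-flight check (not from the original notes): reads dicts shaped like
# describe_security_groups / describe_vpc_endpoints output; all sample data is constructed.
HTTPS = 443

def _rule_allows(rule, peer_sg, port):
    """True if one IpPermission entry covers `port` for traffic with security group `peer_sg`."""
    proto = rule["IpProtocol"]
    if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    if proto not in ("-1", "tcp"):          # "-1" is the console's "All traffic"
        return False
    peers = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    return peer_sg in peers or "0.0.0.0/0" in cidrs

def check_path(endpoint, sgs, lambda_sg_id, port=HTTPS):
    """Return findings explaining a timeout; an empty list means the path looks open."""
    if endpoint["VpcEndpointType"] != "Interface":
        return ["gateway endpoints use route tables, not security groups"]
    findings = []
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("private DNS disabled: the service's default hostname resolves to public IPs")
    ep_sgs = [g["GroupId"] for g in endpoint["Groups"]]
    if not any(_rule_allows(r, lambda_sg_id, port) for s in ep_sgs for r in sgs[s]["IpPermissions"]):
        findings.append(f"endpoint SG {ep_sgs} has no inbound {port}/tcp from {lambda_sg_id}")
    egress = sgs[lambda_sg_id]["IpPermissionsEgress"]
    if not any(_rule_allows(r, s, port) for s in ep_sgs for r in egress):
        findings.append(f"{lambda_sg_id} has no outbound {port}/tcp to {ep_sgs}")
    return findings

def _sg(gid, ingress=(), egress=()):
    return {"GroupId": gid, "IpPermissions": list(ingress), "IpPermissionsEgress": list(egress)}

def _pair_rule(peer):   # tcp/443 to or from one security group, tighter than "All traffic"
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": peer}]}

# Constructed: the two groups as created with blank rules ("Initial Test")...
SG_BLANK = {"sg-endpoint": _sg("sg-endpoint"), "sg-lambda": _sg("sg-lambda")}
# ...and after the mutual rules from step 4 are added.
SG_PAIRED = {"sg-endpoint": _sg("sg-endpoint", ingress=[_pair_rule("sg-lambda")]),
             "sg-lambda": _sg("sg-lambda", egress=[_pair_rule("sg-endpoint")])}
ENDPOINT = {"VpcEndpointId": "vpce-EXAMPLE", "VpcEndpointType": "Interface",
            "ServiceName": "com.amazonaws.us-east-1.states", "PrivateDnsEnabled": True,
            "Groups": [{"GroupId": "sg-endpoint"}]}

if __name__ == "__main__":
    print(check_path(ENDPOINT, SG_BLANK, "sg-lambda"))   # two findings
    print(check_path(ENDPOINT, SG_PAIRED, "sg-lambda"))  # []
```

In a real account, feed it the `SecurityGroups` entries and the `VpcEndpoints` entry returned by boto3 for the Lambda's security group and the endpoint.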

Conclusion

  • VPC Endpoints simplify connectivity within the AWS Cloud.
  • Ensure proper DNS resolution and security group configuration.