
VPC Endpoints of type Gateway #773

Closed
leepa opened this issue Sep 25, 2018 · 5 comments
Labels: @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud), feature-request (A feature should be added or improved.)

Comments

leepa commented Sep 25, 2018

Two endpoint types require Route Table IDs:

  • com.amazonaws.<region>.dynamodb
  • com.amazonaws.<region>.s3

The issue is that VpcNetwork does not presently expose RouteTableResource objects. This means there's no clean way of doing this.

For an example of how to presently do it, in Java (for an Interface endpoint):

        new VPCEndpointResource(this, "test", VPCEndpointResourceProps.builder()
                .withVpcId(vpc.getVpcId())
                .withServiceName("com.amazonaws.eu-west-1.execute-api")
                .withSubnetIds(vpc.getPrivateSubnets().stream().map(VpcSubnetRef::getSubnetId).collect(Collectors.toList()))
                .build());
        new VPCEndpointResource(this, "test2", VPCEndpointResourceProps.builder()
                .withVpcId(vpc.getVpcId())
                .withServiceName("com.amazonaws.eu-west-1.dynamodb")
                .withRouteTableIds(vpc.getPrivateSubnets().stream().map(vpcSubnetRef -> ((RouteTableResource)(Objects.requireNonNull(vpcSubnetRef.tryFindChild("RouteTable")))).getRouteTableId()).collect(Collectors.toList()))
                .build());

There are two things I see are needed.

  1. Expose the routeTableId on VpcSubnet.
  2. Possibly look at a method on a VpcNetwork for easy / opinionated creation of the endpoints - something like `vpc.addEndpoint({serviceName, vpcPlacement})`?
rix0rrr commented Sep 27, 2018

There are two steps to enabling VPC endpoints if I'm understanding this correctly? (Feel free to correct me if I'm not)

  1. Add the endpoint to the VPC.
  2. Grant security groups access to the endpoint (by using prefix lists).

We actually do have (some) support for (2) already, and we need to make sure to integrate them properly. From the docs it looks like interface and gateway endpoints are distinct enough that it might be worth separating them out.

// Gateway Endpoints
const gwep = new GatewayEndpoint(this, 'Endpoint', {
    vpc: vpc,
    serviceName: `com.amazonaws.${new AwsRegion()}.dynamodb`,
    connectedSubnets: { /*  Subnet selector for selecting RouteTableIds, defaults to ALL */ },
});
gwep.addToResourcePolicy(new PolicyStatement()....);

autoScalingGroup.connections.allowToDefaultPort(gwep); // Uses port 443 by default, grants prefix list


// Interface Endpoints
const ifep = new InterfaceEndpoint(this, 'InterfaceEndpoint', {
    vpc: vpc,
    privateDnsEnabled: true,
    serviceName: `com.amazonaws.${new AwsRegion()}.dynamodb`,
    vpcPlacement: { /* Subnet selector for placing ENIs, defaults to private */ },
    connectedSubnets: { /*  Subnet selector for selecting RouteTableIds, defaults to ALL */ },
    securityGroup: ...,
});

autoScalingGroup.connections.allowToDefaultPort(ifep); // Uses port 443 by default, grants prefix list

@leepa, this is not my area of expertise, I'm especially not 100% sure I have the distinction between SubnetIds (vpcPlacement) and RouteTableIds (subnets from which the service is reachable? connectedSubnets) completely right.

rix0rrr commented Sep 27, 2018

The part about

    serviceName: `com.amazonaws.${new AwsRegion()}.dynamodb`,

Also seems like we should be able to do better there, and people should only have to supply "dynamodb".

leepa commented Sep 27, 2018

@rix0rrr when the VPC Endpoint deploys ENIs into a VPC, it needs Subnets. When it deploys gateways it needs RouteTable IDs and as such, I agree the separation makes a lot of sense - but it might confuse vs. the documentation/console that has a combined approach?

rix0rrr commented Sep 27, 2018

Sure, but what do they mean! For example:

  • If I deploy a Gateway Endpoint to a VPC I need to update RouteTableIds. I imagine I need to update all the RouteTables of all the subnets containing instances that need to reach the Endpoint (by default to be safe: all subnets).

    • Do I still need to update Security Groups to allow access to this Endpoint using a Prefix List? I think so but I'm not sure. Do you know?
  • If I deploy an Interface Endpoint to a VPC I need to place the ENIs somewhere. I imagine I will place them in just the private subnets by default (or do I place them in all subnets?). Now, do I still need to update the route tables of all subnets, or just the route tables of the subnets where the IF endpoints have been placed? I think the answer should be all, but I'm not sure.

    • I think Security Group access should now be managed using the Security Groups attached to the ENIs, and not Prefix Lists. But again, I'm not sure.
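The gateway/interface split sketched in the proposed GatewayEndpoint/InterfaceEndpoint API above, and the questions in the last comment about which IDs each type needs, map directly onto the AWS::EC2::VPCEndpoint CloudFormation resource: a Gateway endpoint is reached through a prefix-list route added to RouteTableIds and carries no ENIs or security groups, while an Interface endpoint is a set of ENIs placed in SubnetIds and guarded by SecurityGroupIds. The following TypeScript is an added example, not code from the aws-cdk project or from anyone in this thread. It uses the real CloudFormation property names; the helper names (fullServiceName, gatewayEndpoint, interfaceEndpoint, lintEndpoint), the SubnetInfo shape and the sample VPC/subnet/route-table IDs are my own constructions. The linter flags the two defaults a reviewer should not let pass silently: an omitted PolicyDocument means the endpoint policy defaults to full access to the service, and an interface endpoint with no SecurityGroupIds gets the VPC's default security group.

```typescript
// Added example (not aws-cdk code): model AWS::EC2::VPCEndpoint properties
// and lint the gateway-vs-interface distinction discussed in this issue.
// Property names are the real CloudFormation ones; helper names and sample
// IDs below are constructed for illustration.

type EndpointType = "Gateway" | "Interface";

interface VpcEndpointProps {
  VpcId: string;
  ServiceName: string;
  VpcEndpointType: EndpointType;
  RouteTableIds?: string[];     // Gateway: route tables that receive the prefix-list route
  SubnetIds?: string[];         // Interface: subnets in which the ENIs are placed
  SecurityGroupIds?: string[];  // Interface: security groups attached to the ENIs
  PrivateDnsEnabled?: boolean;  // Interface only
  PolicyDocument?: Record<string, unknown>; // endpoint policy; omitted = full access
}

interface SubnetInfo {
  subnetId: string;
  routeTableId: string;
  isPrivate: boolean;
}

// Constructed sample VPC: two private subnets sharing one route table, one public subnet.
const SAMPLE_SUBNETS: SubnetInfo[] = [
  { subnetId: "subnet-0aaa", routeTableId: "rtb-0priv", isPrivate: true },
  { subnetId: "subnet-0bbb", routeTableId: "rtb-0priv", isPrivate: true },
  { subnetId: "subnet-0ccc", routeTableId: "rtb-0pub", isPrivate: false },
];

// Expand a short service name ("dynamodb") into the regional form; a full name passes through.
function fullServiceName(region: string, service: string): string {
  return service.startsWith("com.amazonaws.") ? service : `com.amazonaws.${region}.${service}`;
}

// Gateway endpoints are reached via route table entries, so they need the route
// table of every subnet whose instances must reach the service (all subnets by
// default). A route table shared by several subnets is listed once.
function gatewayEndpoint(vpcId: string, region: string, service: string,
                         subnets: SubnetInfo[], policy?: Record<string, unknown>): VpcEndpointProps {
  const routeTableIds = Array.from(new Set(subnets.map(s => s.routeTableId)));
  const props: VpcEndpointProps = {
    VpcId: vpcId,
    ServiceName: fullServiceName(region, service),
    VpcEndpointType: "Gateway",
    RouteTableIds: routeTableIds,
  };
  if (policy) props.PolicyDocument = policy;
  return props;
}

// Interface endpoints are ENIs, so they need subnets (private ones by default)
// and security groups; no route tables are modified.
function interfaceEndpoint(vpcId: string, region: string, service: string,
                           subnets: SubnetInfo[], securityGroupIds: string[]): VpcEndpointProps {
  return {
    VpcId: vpcId,
    ServiceName: fullServiceName(region, service),
    VpcEndpointType: "Interface",
    SubnetIds: subnets.filter(s => s.isPrivate).map(s => s.subnetId),
    SecurityGroupIds: securityGroupIds,
    PrivateDnsEnabled: true,
  };
}

// Each finding is either a property that belongs to the other endpoint type
// or a default that silently widens access.
function lintEndpoint(ep: VpcEndpointProps): string[] {
  const findings: string[] = [];
  if (ep.VpcEndpointType === "Gateway") {
    if (!ep.RouteTableIds || ep.RouteTableIds.length === 0)
      findings.push("Gateway endpoint has no RouteTableIds: no subnet is routed to it");
    if (ep.SubnetIds || ep.SecurityGroupIds)
      findings.push("Gateway endpoint sets SubnetIds/SecurityGroupIds, which only apply to interface endpoints");
  } else {
    if (!ep.SubnetIds || ep.SubnetIds.length === 0)
      findings.push("Interface endpoint has no SubnetIds: nowhere to place the ENIs");
    if (ep.RouteTableIds)
      findings.push("Interface endpoint sets RouteTableIds, which only apply to gateway endpoints");
    if (!ep.SecurityGroupIds || ep.SecurityGroupIds.length === 0)
      findings.push("Interface endpoint has no SecurityGroupIds: the VPC default security group will be attached");
  }
  if (!ep.PolicyDocument)
    findings.push("No PolicyDocument: the endpoint policy defaults to full access to the service");
  return findings;
}

// Stand-alone usage: lint a DynamoDB gateway endpoint built from the sample VPC.
console.log(lintEndpoint(gatewayEndpoint("vpc-0123", "eu-west-1", "dynamodb", SAMPLE_SUBNETS)));
```

Whether the gateway endpoint also needs a security group egress rule referencing its prefix list depends on whether the calling instances' security groups restrict egress at all; the linter above deliberately stays on the endpoint resource itself and leaves that to the security group review.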

@rix0rrr rix0rrr added feature-request A feature should be added or improved. and removed feature-request A feature should be added or improved. feature labels Nov 6, 2018
@rix0rrr rix0rrr added the gap label Jan 4, 2019
jogold commented Apr 14, 2019

This should be closed now that #2104 has been merged.

@eladb eladb added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Sep 8, 2019
@SomayaB SomayaB closed this as completed Sep 10, 2019