Using InterfaceVPCEndpoint is awkward for custom PrivateLink connections
I’m submitting a …
- 🪲 bug report
- 🚀 feature request
- 📚 construct library gap
- ☎️ security issue or vulnerability => Please see policy
- ❓ support request => Please see note at the top of this template.
What is the current behavior?

Using InterfaceVPCEndpoint seems oriented toward creating endpoints for AWS-managed services. This makes it awkward to use for connecting to custom VPC Endpoint Services. Specifically:

- The privateDNSEnabled: true default doesn’t work for custom VPC Endpoint services outside of AWS Marketplace:

  service com.amazonaws.vpce.us-west-2.vpce-svc-abc123 does not provide a private DNS name

- Getting the primary DNS name (i.e. the DNS entry that points to other AZs) is challenging. Something like this does not work:

```typescript
this.baseLambdaFunction = new lambda.Function(this, 'Resource', {
  runtime: props.runtime,
  handler: props.handler,
  code: lambda.Code.asset(props.zipPath),
  vpc: props.vpc,
  environment: {
    MY_SERVICE_HOST: vpcEndpoint.vpcDNSEntries[0] // => "#{Token[TOKEN.24]}"
  },
  memorySize: props.memorySize,
});
```

  Instead, getting that value requires several Cfn functions:

```typescript
const firstEntry = cdk.Fn.select(0, endpoint.attrDnsEntries);
const entryParts = cdk.Fn.split(':', firstEntry);
const primaryDNSName = cdk.Fn.select(1, entryParts);
```

- The current service property expects one port, which is presumptuous because services can listen on many ports.
What is the expected behavior (or behavior of feature suggested)?

It may be the case that the intended use of InterfaceVPCEndpoint is different enough from connecting to custom VPC Endpoint Services to warrant a new class. I don’t have any good names, but maybe CustomVPCEndpoint. This new construct would address the 3 issues noted above.

At the least, it would be nice if InterfaceVPCEndpoint had a primaryDNSName method so that users don’t need to know the exact format of this Cfn value to get a DNS name.
What is the motivation / use case for changing the behavior or adding this feature?

Make using custom PrivateLink connections with CDK more convenient.

Please tell us about your environment:
- CDK CLI Version: 1.3.0
- Module Version: 1.3.0
- OS: OSX Mojave
- Language: TypeScript
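The Fn.select / Fn.split chain in the issue only makes sense once you know the string shape of the DnsEntries attribute: CloudFormation returns each entry as "hostedZoneId:dnsName", with the regional name first and the zonal (per-AZ) names after it. The following is an added example, not code from the issue or from aws-cdk; it is plain TypeScript rather than CDK constructs so it runs without a deployment. It evaluates that same selection against constructed sample values and adds the check a practitioner would want before wiring the result into a Lambda environment variable: that the chosen hostname actually belongs to the endpoint service you intended. The function names (parseDnsEntry, primaryDnsName, zonalDnsNames, belongsToService), the hosted zone ID and every DNS name below are assumptions, not values from the original page.

```typescript
// Added example, not code from the issue or from aws-cdk: the concrete shape of the
// CloudFormation DnsEntries attribute and what the Fn.select/Fn.split chain in the
// issue resolves to at deploy time. CloudFormation returns each entry as
// "<hostedZoneId>:<dnsName>", regional name first, then the zonal names.
// All sample values below are constructed, not captured from a real account.

interface DnsEntry {
  hostedZoneId: string;
  dnsName: string;
}

// One "hostedZoneId:dnsName" string -> its two parts. Only the first ':' is the
// separator; a malformed value is reported rather than silently truncated.
function parseDnsEntry(raw: string): DnsEntry {
  const sep = raw.indexOf(':');
  if (sep <= 0 || sep === raw.length - 1) {
    throw new Error(`malformed DnsEntries value: ${JSON.stringify(raw)}`);
  }
  return { hostedZoneId: raw.slice(0, sep), dnsName: raw.slice(sep + 1) };
}

// Local equivalent of Fn.select(1, Fn.split(':', Fn.select(0, attrDnsEntries))).
// Entry 0 is the regional name, the one to hand to clients: it resolves to the
// endpoint's ENIs in every AZ, whereas a zonal name pins traffic to a single AZ.
function primaryDnsName(dnsEntries: string[]): string {
  if (dnsEntries.length === 0) {
    throw new Error('endpoint has no DNS entries yet');
  }
  return parseDnsEntry(dnsEntries[0]).dnsName;
}

// Zonal names carry the AZ (e.g. "-us-west-2a") at the end of the first label.
const ZONAL_LABEL = /^[^.]*-[a-z]{2}(?:-gov)?-[a-z]+-\d[a-z]\./;

function zonalDnsNames(dnsEntries: string[]): string[] {
  return dnsEntries
    .map(parseDnsEntry)
    .map(e => e.dnsName)
    .filter(n => ZONAL_LABEL.test(n));
}

// Sanity check before putting a name into something like MY_SERVICE_HOST: the
// hostname must belong to the endpoint service you meant to reach. The service ID
// (vpce-svc-...) is the last label of the service name and appears as its own
// label in every DNS name CloudFormation returns for that endpoint.
function belongsToService(dnsName: string, serviceName: string): boolean {
  const labels = serviceName.split('.');
  const svcId = labels[labels.length - 1];
  if (!/^vpce-svc-[0-9a-f]+$/.test(svcId)) return false;
  return dnsName.split('.').indexOf(svcId) !== -1;
}

// Constructed sample with the same layout as attrDnsEntries after deployment.
const SAMPLE_DNS_ENTRIES: string[] = [
  'Z7HUB22UULQXV:vpce-0123456789abcdef0-abcd1234.vpce-svc-abc123.us-west-2.vpce.amazonaws.com',
  'Z7HUB22UULQXV:vpce-0123456789abcdef0-abcd1234-us-west-2a.vpce-svc-abc123.us-west-2.vpce.amazonaws.com',
  'Z7HUB22UULQXV:vpce-0123456789abcdef0-abcd1234-us-west-2b.vpce-svc-abc123.us-west-2.vpce.amazonaws.com',
];

const serviceHost = primaryDnsName(SAMPLE_DNS_ENTRIES);
if (!belongsToService(serviceHost, 'com.amazonaws.vpce.us-west-2.vpce-svc-abc123')) {
  throw new Error(`refusing to use unexpected endpoint host ${serviceHost}`);
}
console.log(`MY_SERVICE_HOST=${serviceHost}`);
console.log(`zonal names: ${zonalDnsNames(SAMPLE_DNS_ENTRIES).join(', ')}`);
```

The regional name (entry 0) is what clients should be given; the zonal names resolve to one AZ's ENI only, so hard-coding one gives up the cross-AZ failover the endpoint provides. The belongsToService check is cheap insurance against a later refactor that points the environment variable at a different endpoint's entries, and it is the kind of assertion the deploy-time Fn chain cannot express on its own.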
@mitchlloyd the private DNS portion is fixed as of https://github.com/aws/aws-cdk/pull/5987/
I ran into this while trying to set up PrivateLink for ElasticSearch Cloud.

It seems that ElasticSearch did not set up a default DNS, so privateDnsEnabled does not work for the com.amazonaws.vpce.us-east-1.vpce-svc-0e42e1e06ed010238 service. Instead you have to create your own private hosted zone with a CNAME that maps * to your private endpoint DNS. Naively, I attempted:

This failed with:

Replacing the CnameRecord declaration with:

worked!