
Does an AWS VPC Endpoint Interface require an Internet Gateway

I'm trying to connect the following services to a VPC with a public and a private subnet.
No traffic should traverse the public internet.

Services

  • sqs.ap-southeast-2.amazonaws.com
  • ssm.ap-southeast-2.amazonaws.com
  • logs.ap-southeast-2.amazonaws.com

Reading through Interface VPC Endpoints (AWS PrivateLink), there is no mention of an IGW (Internet Gateway).

However, reading through Tutorial: Sending a Message ... , an IGW is provisioned and a route to it is added from the subnet where the EC2 instance is.

  • When I don't provision an IGW, no services work.
  • When I do provision an IGW, SSM works, but not SQS or CloudWatch.

Questions:

  1. Is an IGW required?
  2. What is the required routing or setup for a service endpoint such as these?

I've checked the below:

  • Policy: Full Access
  • Subnets: Private, Public
  • Routing: Public subnet has 0.0.0.0/0 routed to IGW
  • Tested IGW route in private subnet

Any help or pointers are appreciated.

Ok, so the correct answer is that an IGW is not required for the service endpoints to work.
However, not all commands work; the commands below can be used for testing.

SQS

aws sqs send-message --region {region} --endpoint-url https://sqs.{region}.amazonaws.com/ --queue-url https://sqs.{region}.amazonaws.com/{queue_id}/{queue_name} --message-body "Test"

SSM

aws ssm get-parameter --name {test-param-name}

CloudWatch Logs

aws logs describe-log-streams --log-group-name {test_log_group_name}
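The reason an IGW is not needed is that an interface endpoint with "private DNS" enabled makes the public service hostname (for example sqs.ap-southeast-2.amazonaws.com) resolve, from inside the VPC, to the private IPs of the endpoint's network interfaces, so the call never leaves the VPC. If the hostname still resolves to a public address, there is no endpoint for that service (or private DNS is off, or the VPC lacks DNS hostnames/DNS support), and the call either goes out through an IGW or, from a private subnet with no default route, hangs until it times out. The script below is an added example, not part of the question or the answer above; it classifies each service hostname from the question into one of those three outcomes. The VPC CIDR, the resolved addresses and the private subnet route table are constructed sample data, not values from the original post; on a real instance, replace the sample lookups with the `live_lookup` helper and the routes with the output of `aws ec2 describe-route-tables`.

```python
import ipaddress
import socket

# Constructed sample data (assumption): a VPC CIDR and the A records that the
# three service hostnames from the question return when queried from an
# instance in the private subnet. Here sqs and ssm have interface endpoints
# with private DNS enabled, while logs does not yet have one, so it still
# resolves to a public AWS address.
VPC_CIDR = "10.20.0.0/16"
SAMPLE_LOOKUPS = {
    "sqs.ap-southeast-2.amazonaws.com": ["10.20.1.15", "10.20.2.23"],
    "ssm.ap-southeast-2.amazonaws.com": ["10.20.1.40", "10.20.2.41"],
    "logs.ap-southeast-2.amazonaws.com": ["54.240.194.15"],
}

# Constructed route tables (assumption): the private subnet has only the local
# route; the public subnet additionally sends 0.0.0.0/0 to an IGW.
PRIVATE_SUBNET_ROUTES = [
    {"destination": "10.20.0.0/16", "target": "local"},
]
PUBLIC_SUBNET_ROUTES = PRIVATE_SUBNET_ROUTES + [
    {"destination": "0.0.0.0/0", "target": "igw-0123456789abcdef0"},
]


def live_lookup(host, port=443):
    """Resolve host from the machine this runs on (needs the VPC resolver)."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def resolves_privately(addresses, vpc_cidr):
    """True only if every resolved address lies inside the VPC CIDR, which is
    what private DNS on an interface endpoint produces."""
    net = ipaddress.ip_network(vpc_cidr)
    return bool(addresses) and all(
        ipaddress.ip_address(a) in net for a in addresses
    )


def has_internet_route(routes):
    """True if the route table sends the default route to an internet gateway."""
    return any(
        r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
        for r in routes
    )


def classify(addresses, routes, vpc_cidr):
    """Predict how an API call to a service hostname will behave.

    'via endpoint'   : hostname resolves inside the VPC, no IGW needed
    'via internet'   : public address, but an IGW route exists (works, yet
                       the traffic leaves the VPC, which the question forbids)
    'unreachable'    : public address and no default route; the SDK call
                       hangs and times out
    """
    if resolves_privately(addresses, vpc_cidr):
        return "via endpoint"
    if has_internet_route(routes):
        return "via internet"
    return "unreachable"


def audit(lookups, routes, vpc_cidr):
    """Map each hostname to its predicted path for the given route table."""
    return {host: classify(addrs, routes, vpc_cidr) for host, addrs in lookups.items()}


if __name__ == "__main__":
    for label, routes in (("private subnet", PRIVATE_SUBNET_ROUTES),
                          ("public subnet", PUBLIC_SUBNET_ROUTES)):
        print(label)
        for host, verdict in audit(SAMPLE_LOOKUPS, routes, VPC_CIDR).items():
            print(f"  {host:<40} {verdict}")
```

With the sample data this reproduces the symptoms in the question: from the private subnet, services with an endpoint are "via endpoint" and the one without is "unreachable"; adding an IGW route turns the latter into "via internet", which works but defeats the purpose. Two further checks that the script cannot see, because they are not in DNS or the route table: the endpoint's security group must allow inbound TCP 443 from the instance, and the endpoint policy (Full Access in the question) must permit the action being called.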
