
AWS Elasticsearch vpc endpoint and private vpc domain

I am trying to figure out how the VPC endpoint works with a private internal domain in a private hosted zone created with the VPC itself.

For instance:

I have a VPC ( vpc_1 ) and I have an Elasticsearch (es) cluster running inside this VPC.

I have configured a route53 private hosted zone, with vpc_1.

I am not able to have an alias A record for an internal domain like es.mydomain.local that would resolve Elasticsearch internally within services.

But, I am able to add a CNAME that points to the VPC endpoint. The problem with this approach is that the VPC endpoint has its own SSL certificate, and I am unable to use the new domain https://es.mydomain.local to connect to my ES cluster.

I can mark my requests as insecure and do the calls, i.e. curl https://es.mydomain.local --insecure, but this is not sustainable for production workloads.

In all honesty, I don't think I need HTTPS for internal load anyway, since the cluster is not public by design. But this is something I don't have control over, because the VPC endpoints are HTTPS by default.

AWS suggests that I put a load balancer in front of the ES cluster and then use an alias. This works but is a costly approach compared to having this at route53.

Does anyone have any experience with a similar situation?

AWS recently added the feature you're looking for:

Custom endpoint

NOTE (see the note in the blue area of the screenshot): you still need to create the CNAME record. It also takes some time (minutes) to fully propagate.


Additionally if you're using terraform you'd probably want to upvote this issue which should add the support for defining custom endpoints: https://github.com/hashicorp/terraform-provider-aws/issues/16059
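To make the answer concrete, here is an added shell example (not part of the original answer, and not AWS's or the Terraform provider's own code) that builds the two pieces the answer describes: the domain endpoint options that enable a custom endpoint backed by an ACM certificate, and the Route 53 CNAME from that hostname to the domain's VPC endpoint. The certificate ARN, hosted-zone ID, domain name and VPC endpoint hostname are placeholders you would replace with your own; the `aws` calls only run when `apply_custom_endpoint` is invoked explicitly, and `verify_custom_endpoint` checks that clients can validate TLS for the new name without `--insecure`.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Assumptions (placeholders, not real
# resources): the ACM certificate ARN, hosted-zone ID and VPC endpoint hostname
# passed to the functions below. Requires the AWS CLI for apply_custom_endpoint.

# Build the value for `aws es update-elasticsearch-domain-config --domain-endpoint-options`.
# The custom endpoint must be a hostname covered by an ACM certificate in the same
# region, so clients can verify the certificate instead of disabling verification.
endpoint_options() {
  custom_host="$1"; cert_arn="$2"
  printf 'EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07,CustomEndpointEnabled=true,CustomEndpoint=%s,CustomEndpointCertificateArn=%s' \
    "$custom_host" "$cert_arn"
}

# Build the Route 53 change batch for the CNAME from the custom hostname to the
# domain's VPC endpoint (an alias A record is not available for this target).
cname_change_batch() {
  custom_host="$1"; vpc_endpoint="$2"
  printf '{"Comment":"Elasticsearch custom endpoint","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$custom_host" "$vpc_endpoint"
}

# Apply both changes with the AWS CLI. Runs only when called explicitly, e.g.:
#   apply_custom_endpoint my-es-domain es.mydomain.local \
#     arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER Z0PLACEHOLDER \
#     vpc-my-es-domain-PLACEHOLDER.REGION.es.amazonaws.com
apply_custom_endpoint() {
  domain="$1"; custom_host="$2"; cert_arn="$3"; zone_id="$4"; vpc_endpoint="$5"
  aws es update-elasticsearch-domain-config \
    --domain-name "$domain" \
    --domain-endpoint-options "$(endpoint_options "$custom_host" "$cert_arn")"
  aws route53 change-resource-record-sets \
    --hosted-zone-id "$zone_id" \
    --change-batch "$(cname_change_batch "$custom_host" "$vpc_endpoint")"
}

# Verify from inside the VPC that the name resolves and the certificate validates
# for the custom hostname (no --insecure). A non-zero exit means the CNAME has not
# propagated yet or the certificate does not cover the name.
verify_custom_endpoint() {
  curl --silent --show-error --output /dev/null "https://$1/"
}
```

Keep the CNAME TTL short (300 seconds here) while you are waiting for the change the answer mentions to propagate, and keep `EnforceHTTPS=true`: the VPC endpoint is HTTPS anyway, and once the custom endpoint name matches a certificate the cluster trusts, there is no reason left to disable verification on the client side.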

