Firstly, I have Fargate tasks in private subnets of a VPC and enabled a NAT Gateway to connect to ECR for pulling the images and to other on-premise servers via the internet. It works perfectly. Later I set up VPC endpoints for ECR (api & dkr), S3, Secrets and logs and removed the NAT Gateway; it works for communication with AWS services, but I get problems communicating with on-premise servers. So I enabled the NAT Gateway again, and then my application seems to work perfectly with on-premise servers. But what I am still unclear about is: does the communication with AWS services (ECR, S3, Secrets and CloudWatch) happen via the internet or via the private network with VPC endpoints? Please suggest how to debug the communications.

Thank you for your advice in advance ~

I followed Use a private subnet with internet access and I can ssh into the tasks without VPC endpoints & NAT Gateway enabled. I cannot ssh when I try the VPC endpoints method, as the communication happens via PrivateLink. I still cannot ssh with the VPC endpoints method and the NAT Gateway enabled.

--I think I should be able to ssh, as the NAT Gateway is enabled now.--

1

1 answer

1
rfestag On

The VPC endpoints you are creating are specifically "Interface Endpoints". When you create an interface endpoint, AWS will add an elastic network interface (ENI) to your specified subnets and assign it a private IP address in your subnet's address space. In general, you'll also tell AWS to add a DNS entry for that ENI which resolves the service's domain name to that IP (instead of the public IP). You can disable this, but it kind of defeats the purpose.

This effectively means that any time you try to resolve the hostname for that service, it should resolve to your ENI's IP address and thus go over PrivateLink. However, it is important to note that you need to configure your CLI/SDK for the region your ENI is in. Otherwise, it may use the generic DNS entry (which may point to us-east-1 specifically). That will resolve just fine (thanks to your NAT Gateway), but if you are running in another region, your traffic may route unexpectedly over the internet.

All of this is independent of SSH. Remember, VPC Interface Endpoints are only used to create a private IP address that can be used to route to AWS services. If you are trying to SSH into a Fargate task, that task just needs to be routable. In this particular case, your Fargate tasks are running in your VPC, and are apparently directly routable. No NAT Gateway or interface endpoints should be necessary to reach them.
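The debugging step the question asks for follows directly from the answer above: resolve each regional service hostname from inside the task and check whether the returned addresses fall inside the VPC CIDR (interface endpoint ENIs) or outside it (public IPs, which the NAT Gateway then carries). The script below is an added example and is not part of the question or the answer; the region `us-east-2`, the VPC CIDR `10.0.0.0/16`, the placeholder account id `123456789012` and the DNS answers in `FAKE_DNS` are constructed assumptions so it runs offline. Run it inside the task (for example via ECS Exec) with the real resolver to get live verdicts. It also reproduces the region point from the answer: a hostname for the wrong region resolves to public addresses even though endpoints exist.

```python
"""Classify how AWS service hostnames resolve from inside a VPC:
to interface endpoint ENIs (PrivateLink) or to public addresses."""
import ipaddress
import socket

# Placeholder account id for the ECR dkr hostname (assumption, not from the page).
PLACEHOLDER_ACCOUNT_ID = "123456789012"


def service_hostnames(region, account_id=PLACEHOLDER_ACCOUNT_ID):
    """Regional hostnames for the services the question put behind endpoints."""
    return {
        "ecr.api": f"api.ecr.{region}.amazonaws.com",
        "ecr.dkr": f"{account_id}.dkr.ecr.{region}.amazonaws.com",
        "secretsmanager": f"secretsmanager.{region}.amazonaws.com",
        "logs": f"logs.{region}.amazonaws.com",
        "s3": f"s3.{region}.amazonaws.com",
    }


def classify(addresses, vpc_cidr):
    """Classify a set of resolved addresses relative to the VPC CIDR.

    'privatelink': every address is inside the VPC (interface endpoint ENIs)
    'public':      every address is outside the VPC (traffic leaves via NAT/IGW)
    'mixed':       some of each (stale cache or split DNS; investigate)
    'unresolved':  nothing resolved (no resolver reachable, or no record at all)
    """
    if not addresses:
        return "unresolved"
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    inside = sum(1 for a in addresses if ipaddress.ip_address(a) in net)
    if inside == len(addresses):
        return "privatelink"
    if inside == 0:
        return "public"
    return "mixed"


def resolve(hostname):
    """Resolve a hostname to IPv4 addresses using the task's configured resolver."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return []
    return addrs


def check_endpoints(region, vpc_cidr, resolver=resolve, account_id=PLACEHOLDER_ACCOUNT_ID):
    """Map each service name to (hostname, verdict) as seen from this resolver."""
    return {
        name: (host, classify(resolver(host), vpc_cidr))
        for name, host in service_hostnames(region, account_id).items()
    }


def leaves_vpc(report):
    """Service names whose traffic would leave the VPC, i.e. still depends on the NAT Gateway."""
    return sorted(name for name, (_, verdict) in report.items() if verdict in ("public", "mixed"))


# Constructed DNS answers standing in for the VPC resolver; not real data.
# 10.0.x.x addresses play endpoint ENIs, 198.51.100.x (TEST-NET-2) play public IPs.
FAKE_DNS = {
    "api.ecr.us-east-2.amazonaws.com": ["10.0.1.15", "10.0.2.22"],
    "123456789012.dkr.ecr.us-east-2.amazonaws.com": ["10.0.1.16", "10.0.2.23"],
    "secretsmanager.us-east-2.amazonaws.com": ["10.0.1.17", "10.0.2.24"],
    "logs.us-east-2.amazonaws.com": ["198.51.100.10"],   # no logs endpoint: public
    "s3.us-east-2.amazonaws.com": ["198.51.100.20"],     # gateway endpoint keeps public IPs
    "api.ecr.us-east-1.amazonaws.com": ["198.51.100.30"],  # wrong region: public
}


def fake_resolve(hostname):
    """Offline stand-in for resolve(); returns the constructed answers above."""
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    report = check_endpoints("us-east-2", "10.0.0.0/16", resolver=fake_resolve)
    for name, (host, verdict) in report.items():
        print(f"{name:15} {host:50} {verdict}")
    print("still needs NAT Gateway:", leaves_vpc(report))
    wrong = check_endpoints("us-east-1", "10.0.0.0/16", resolver=fake_resolve)
    print("ecr.api resolved for the wrong region:", wrong["ecr.api"][1])
```

Two caveats when reading the verdicts. First, they only mean something if the task actually uses the VPC's Route 53 Resolver (the VPC base address plus two) and the VPC has DNS support and DNS hostnames enabled, because private DNS for an interface endpoint is served from a private hosted zone associated with that VPC; a task pointed at a public resolver will always see public addresses. Second, S3 is normally attached as a gateway endpoint, not an interface endpoint: its hostnames keep public addresses and the private path is a route-table entry pointing at the S3 prefix list, so a `public` verdict for S3 has to be cross-checked against the subnet's route table rather than taken as proof that the traffic goes through the NAT Gateway.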