VPC Endpoints of type Gateway #773
Comments
There are two steps to enabling VPC endpoints if I'm understanding this correctly? (Feel free to correct me if I'm not)
We actually do have (some) support for (2) already, and we need to make sure to integrate them properly. From the docs it looks like interface and gateway endpoints are distinct enough that it might be worth separating them out.

```ts
// Gateway Endpoints
const gwep = new GatewayEndpoint(this, 'Endpoint', {
  vpc: vpc,
  serviceName: `com.amazonaws.${new AwsRegion()}.dynamodb`,
  connectedSubnets: { /* Subnet selector for selecting RouteTableIds, defaults to ALL */ },
});
gwep.addToResourcePolicy(new PolicyStatement()....);
autoScalingGroup.connections.allowToDefaultPort(gwep); // Uses port 443 by default, grants prefix list

// Interface Endpoints
const ifep = new InterfaceEndpoint(this, 'InterfaceEndpoint', {
  vpc: vpc,
  privateDnsEnabled: true,
  serviceName: `com.amazonaws.${new AwsRegion()}.dynamodb`,
  vpcPlacement: { /* Subnet selector for placing ENIs, defaults to private */ },
  connectedSubnets: { /* Subnet selector for selecting RouteTableIds, defaults to ALL */ },
  securityGroup: ...,
});
autoScalingGroup.connections.allowToDefaultPort(ifep); // Uses port 443 by default, grants prefix list
```

@leepa, this is not my area of expertise, I'm especially not 100% sure I have the distinction between

The part about serviceName: `com.amazonaws.${new AwsRegion()}.dynamodb` also seems like we should be able to do better there, and people should only have to supply
@rix0rrr when the VPC Endpoint deploys ENIs into a VPC, it needs Subnets. When it deploys gateways it needs RouteTable IDs and as such, I agree the separation makes a lot of sense - but it might confuse vs. the documentation/console that has a combined approach?
Sure, but what do they mean! For example:
This should be closed now that #2104 has been merged.
Two endpoint types require Route Table IDs:
- com.amazonaws.<region>.dynamodb
- com.amazonaws.<region>.s3

The issue is that VpcNetwork does not presently expose RouteTableResource objects. This means there's no clean way of doing this.

For an example of how to do it at present, in Java (for an Interface endpoint):

There are two things I see are needed.
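The distinction the thread turns on (a Gateway endpoint binds to route tables, an Interface endpoint places ENIs into subnets behind a security group) is easy to get wrong when it is hidden in a combined API. The following is an added, dependency-free example and is not code from the aws-cdk project or from any participant in this issue: it models what a CDK-style VPC construct has to resolve for each endpoint type, including the route-table exposure the issue asks for. The construct and function names (`Vpc`, `SubnetSelection`, `gatewayEndpoint`, `interfaceEndpoint`) and the sample VPC layout are assumptions; the emitted property names are those of the `AWS::EC2::VPCEndpoint` CloudFormation resource.

```typescript
// Added example, not aws-cdk code. Names below are assumptions for illustration;
// the returned property names follow the AWS::EC2::VPCEndpoint resource.

type SubnetType = "Public" | "Private" | "Isolated";

interface Subnet {
  subnetId: string;
  subnetType: SubnetType;
  availabilityZone: string;
  routeTableId: string; // a subnet is associated with exactly one route table
}

// Subnet selector: omit subnetType to select every subnet in the VPC.
interface SubnetSelection {
  subnetType?: SubnetType;
}

function unique(values: string[]): string[] {
  return values.filter((v, i) => values.indexOf(v) === i);
}

class Vpc {
  constructor(public readonly vpcId: string, public readonly region: string, public readonly subnets: Subnet[]) {}

  selectSubnets(sel: SubnetSelection = {}): Subnet[] {
    return sel.subnetType ? this.subnets.filter((s) => s.subnetType === sel.subnetType) : this.subnets;
  }

  // Route tables are shared between subnets, so each one is listed once.
  // This is the route-table exposure the issue says VpcNetwork lacks.
  routeTableIds(sel?: SubnetSelection): string[] {
    return unique(this.selectSubnets(sel).map((s) => s.routeTableId));
  }
}

// Only S3 and DynamoDB are offered as gateway endpoints.
const GATEWAY_SERVICES = ["s3", "dynamodb"];

// Callers pass the short service name; the region comes from the VPC.
function serviceName(region: string, service: string): string {
  return `com.amazonaws.${region}.${service}`;
}

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Principal: "*";
  Action: string[];
  Resource: string[];
}

interface GatewayEndpointProps {
  connectedSubnets?: SubnetSelection; // defaults to every route table in the VPC
  policy?: PolicyStatement[]; // endpoint policy; the AWS default is full access
}

function gatewayEndpoint(vpc: Vpc, service: string, props: GatewayEndpointProps = {}) {
  if (GATEWAY_SERVICES.indexOf(service) < 0) {
    throw new Error(`${service} is not a gateway service; use an interface endpoint`);
  }
  const routeTableIds = vpc.routeTableIds(props.connectedSubnets);
  if (routeTableIds.length === 0) {
    throw new Error("subnet selection matched no route tables");
  }
  return {
    VpcId: vpc.vpcId,
    ServiceName: serviceName(vpc.region, service),
    VpcEndpointType: "Gateway" as const,
    RouteTableIds: routeTableIds,
    PolicyDocument: props.policy ? { Version: "2012-10-17", Statement: props.policy } : undefined,
  };
}

interface InterfaceEndpointProps {
  vpcPlacement?: SubnetSelection; // where the ENIs go; defaults to private subnets
  securityGroupIds: string[]; // must admit TCP 443 from the consumers
  privateDnsEnabled?: boolean;
}

function interfaceEndpoint(vpc: Vpc, service: string, props: InterfaceEndpointProps) {
  if (props.securityGroupIds.length === 0) {
    throw new Error("an interface endpoint needs at least one security group");
  }
  const placement: SubnetSelection = props.vpcPlacement ?? { subnetType: "Private" };
  // The service accepts one subnet per availability zone: take the first match in each AZ.
  const seenAzs: string[] = [];
  const subnetIds: string[] = [];
  for (const s of vpc.selectSubnets(placement)) {
    if (seenAzs.indexOf(s.availabilityZone) < 0) {
      seenAzs.push(s.availabilityZone);
      subnetIds.push(s.subnetId);
    }
  }
  if (subnetIds.length === 0) {
    throw new Error("subnet selection matched no subnets");
  }
  return {
    VpcId: vpc.vpcId,
    ServiceName: serviceName(vpc.region, service),
    VpcEndpointType: "Interface" as const,
    SubnetIds: subnetIds,
    SecurityGroupIds: props.securityGroupIds,
    PrivateDnsEnabled: props.privateDnsEnabled ?? true,
  };
}

// Constructed sample VPC (assumed layout): two AZs, the public subnets share one
// route table, each private subnet has its own, as in a NAT-per-AZ design.
const sampleVpc = new Vpc("vpc-0123", "us-east-1", [
  { subnetId: "subnet-pub-a", subnetType: "Public", availabilityZone: "us-east-1a", routeTableId: "rtb-public" },
  { subnetId: "subnet-pub-b", subnetType: "Public", availabilityZone: "us-east-1b", routeTableId: "rtb-public" },
  { subnetId: "subnet-priv-a", subnetType: "Private", availabilityZone: "us-east-1a", routeTableId: "rtb-priv-a" },
  { subnetId: "subnet-priv-b", subnetType: "Private", availabilityZone: "us-east-1b", routeTableId: "rtb-priv-b" },
]);

// S3 gateway endpoint reachable only from the private route tables, with an
// endpoint policy scoped to one bucket instead of the full-access default.
const s3Endpoint = gatewayEndpoint(sampleVpc, "s3", {
  connectedSubnets: { subnetType: "Private" },
  policy: [{ Effect: "Allow", Principal: "*", Action: ["s3:GetObject", "s3:PutObject"], Resource: ["arn:aws:s3:::example-bucket/*"] }],
});
const sqsEndpoint = interfaceEndpoint(sampleVpc, "sqs", { securityGroupIds: ["sg-endpoint"] });
console.log(JSON.stringify({ s3Endpoint, sqsEndpoint }, null, 2));
```

Two points worth keeping from the model when the real construct is written: a gateway endpoint only takes effect for subnets whose route table it was attached to, so the subnet selector must be translated into distinct route table IDs rather than subnet IDs, and an endpoint policy should be supplied explicitly, because leaving it out yields full access to the service from inside the VPC.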