OpenSearch Service, Unable to create VPCe collection with a Shared Subnet

Question

I am unable to create a VPCe for OpenSearch Service (aoss) in the account that I want to host the service. The private subnets that I want to use in the account are shared via RAM from a centralized networking account.

I understand that the shared account doesn't have permission to make modifications to the VPC as it is not the owner account, but I am curious if there is any known work around for this scenario?

The only thing I can possibly think of is creating a VPC in the shared account, creating OpenSearch cluster and VPCe, then peering it with VPC in the centralized networking account, but I really do not want to have another VPC in the account.

Would there be anyway for me to create the ES VPCe in the centralized networking account and share it? That would be the optimal solution.

Answer

Hello,

The VPC endpoint is a subnet level resource and cannot be created by participant account. The VPC endpoint affects the subnet level routing hence can only be created by the subnet owner account and there is no way possible where participant account can create VPC endpoint.
[+] https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations

If you do not want to create a separate VPC in participant account, you can try getting in touch with the owner of centralized networking account and ask them to create VPC endpoint on your behalf, if possible. If centralized networking account owner creates VPC endpoint then all the participant accounts will also be able to use them.

To gain more insights about the issue related to VPC endpoint and subnet sharing, I request you to please reach out to AWS Premium Support team via a support case.

Thank you!

OpenSearch Service, Unable to create VPCe collection with a Shared Subnet

Relevanter Inhalt