Hello,
Thanks for sharing the relevant code snippets for your CDK application. From this, I can see that you've configured the following:
- A VPC with a subnet configuration that includes PUBLIC (access to the internet via an internet gateway) and PRIVATE_ISOLATED (no access to the internet) subnets.
- Additionally, the CodeBuild project is configured to use the PUBLIC subnet during builds.
I suspect that the build container is unable to stream logs to CloudWatch because it could not connect to the CloudWatch Logs service endpoint. In order to establish internet connectivity you would need to configure your CodeBuild project to use subnets of type PRIVATE_WITH_NAT (access to the internet via NAT).
This can be done by making the following modifications to your CDK application:
- VPC subnet configuration:

```typescript
subnetConfiguration: [
  {
    // Public subnet: routes 0.0.0.0/0 to the internet gateway; hosts the NAT gateway
    name: `public-${id}-1`,
    subnetType: SubnetType.PUBLIC,
    cidrMask: 24
  },
  {
    // Private subnet with a NAT route: this is where CodeBuild should run
    name: `private-nat-${id}-1`,
    subnetType: SubnetType.PRIVATE_WITH_NAT,
    cidrMask: 24
  },
  {
    // Isolated subnet: no route to the internet at all
    name: `isolated-${id}-1`,
    subnetType: SubnetType.PRIVATE_ISOLATED,
    cidrMask: 28
  }
]
```

- The CodeBuild configuration would need to select the subnets of type PRIVATE_WITH_NAT:

```typescript
subnetSelection: { subnetType: SubnetType.PRIVATE_WITH_NAT },
```
Please refer to the following excerpt from the documentation, "Use AWS CodeBuild with Amazon Virtual Private Cloud", for more details:
You need a NAT gateway or NAT instance to use CodeBuild with your VPC so that CodeBuild can reach public endpoints (for example, to run CLI commands when running builds). You cannot use the internet gateway instead of a NAT gateway or a NAT instance because CodeBuild does not support assigning Elastic IP addresses to the network interfaces that it creates, and auto-assigning a public IP address is not supported by Amazon EC2 for any network interfaces created outside of Amazon EC2 instance launches.
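The following is an added example (not part of the answer above and not CDK or AWS code): a small pre-deploy check that encodes the reasoning in the answer so it can run as a unit test in a CDK project. It deliberately does not import aws-cdk-lib; `SubnetType`, the config shape and the `id` value are a local model that mirrors the CDK names, and the two subnet configurations are constructed from the question and the answer. The check rejects a selection of PUBLIC subnets (the IGW route is unusable because CodeBuild's network interfaces never get a public or Elastic IP) and PRIVATE_ISOLATED subnets (no route at all), and accepts PRIVATE_WITH_NAT.

```typescript
// Local model of the CDK subnet-type names (assumption: not the real aws-cdk-lib enum).
export enum SubnetType {
  PUBLIC = "Public",
  PRIVATE_WITH_NAT = "Private",
  PRIVATE_ISOLATED = "Isolated",
}

export interface SubnetConfiguration {
  name: string;
  subnetType: SubnetType;
  cidrMask: number;
}

export interface SubnetSelection {
  subnetType: SubnetType;
}

export interface CheckResult {
  ok: boolean;
  subnets: string[];
  reason: string;
}

// Which path each subnet type has to public service endpoints (CloudWatch Logs, S3, ...).
type Egress = "igw" | "nat" | "none";
const EGRESS: Record<SubnetType, Egress> = {
  [SubnetType.PUBLIC]: "igw",
  [SubnetType.PRIVATE_WITH_NAT]: "nat",
  [SubnetType.PRIVATE_ISOLATED]: "none",
};

// Verdict per egress path. An IGW route only works for an ENI that owns a public IP,
// which CodeBuild-created ENIs never do; a NAT gateway translates for them instead.
const VERDICT: Record<Egress, { ok: boolean; reason: string }> = {
  nat: { ok: true, reason: "outbound traffic leaves through the NAT gateway" },
  igw: {
    ok: false,
    reason:
      "IGW route is unusable: CodeBuild network interfaces get no public/Elastic IP, " +
      "so CloudWatch Logs and other public endpoints are unreachable",
  },
  none: { ok: false, reason: "isolated subnet has no route to the internet" },
};

// Resolve the CodeBuild subnet selection against the VPC's subnet configuration and
// decide whether a build container placed there can reach public endpoints.
export function checkCodeBuildSubnets(
  cfg: SubnetConfiguration[],
  sel: SubnetSelection,
): CheckResult {
  const chosen = cfg.filter((s) => s.subnetType === sel.subnetType).map((s) => s.name);
  if (chosen.length === 0) {
    return { ok: false, subnets: [], reason: `no subnets of type ${sel.subnetType} in the VPC` };
  }
  const v = VERDICT[EGRESS[sel.subnetType]];
  return { ok: v.ok, subnets: chosen, reason: v.reason };
}

// Constructed inputs: "demo" stands in for the stack id used in the `${id}` names.
const id = "demo";

// The configuration described in the question: PUBLIC + PRIVATE_ISOLATED only.
export const ORIGINAL_SUBNETS: SubnetConfiguration[] = [
  { name: `public-${id}-1`, subnetType: SubnetType.PUBLIC, cidrMask: 24 },
  { name: `isolated-${id}-1`, subnetType: SubnetType.PRIVATE_ISOLATED, cidrMask: 28 },
];

// The configuration proposed in the answer: a PRIVATE_WITH_NAT subnet is added.
export const FIXED_SUBNETS: SubnetConfiguration[] = [
  ...ORIGINAL_SUBNETS,
  { name: `private-nat-${id}-1`, subnetType: SubnetType.PRIVATE_WITH_NAT, cidrMask: 24 },
];

// Run both scenarios and return a human-readable report (also printed when executed).
export function report(): string[] {
  const cases: [string, SubnetConfiguration[], SubnetSelection][] = [
    ["question (PUBLIC selected)", ORIGINAL_SUBNETS, { subnetType: SubnetType.PUBLIC }],
    ["answer (PRIVATE_WITH_NAT selected)", FIXED_SUBNETS, { subnetType: SubnetType.PRIVATE_WITH_NAT }],
  ];
  return cases.map(([label, cfg, sel]) => {
    const r = checkCodeBuildSubnets(cfg, sel);
    return `${r.ok ? "OK  " : "FAIL"} ${label}: [${r.subnets.join(", ")}] ${r.reason}`;
  });
}

for (const line of report()) console.log(line);
```

Two caveats for a real project: newer aws-cdk-lib releases spell the NAT-routed type `SubnetType.PRIVATE_WITH_EGRESS` (PRIVATE_WITH_NAT is the older name the answer uses), and a NAT gateway is only one way to give the build container a path to CloudWatch Logs; the check above encodes the NAT route the answer recommends and does not model VPC interface endpoints.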
Don't you need a route table for your public subnets to route any traffic to the IGW?