- In VPC A, I've set up an API Gateway private API endpoint (xxxxxxxxxx.execute-api.eu-central-1.amazonaws.com)
- I have set up a VPC peering link between VPC A and VPC B. DNS resolution has been enabled
- Both VPCs have DNS names and DNS resolution enabled.
- Instances in VPC A can reach the API endpoint successfully.
- Instances in VPC B can resolve DNS names of instances in VPC A and vice versa.
HERE IS THE PROBLEM
- Instances in VPC B cannot resolve execute-api.eu-central-1.amazonaws.com
TRIED USING ROUTE53 RESOLVER ENDPOINTS
- I set up a Route53 inbound endpoint in VPC A

```hcl
# Inbound endpoint in VPC A: receives forwarded DNS queries from VPC B
resource "aws_route53_resolver_endpoint" "inbound_resolver_ep" {
  name               = "private-api-inbound-resolver-endpoint"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.inbound_resolver_ep_sg.id]

  # One ENI per AZ; these are the addresses VPC B forwards to
  ip_address {
    subnet_id = aws_subnet.private_sn_az1.id
    ip        = "10.0.1.10"
  }
  ip_address {
    subnet_id = aws_subnet.private_sn_az2.id
    ip        = "10.0.2.10"
  }

  tags = {
    Name = "private-api-inbound-resolver-endpoint"
  }
}
```
- In VPC B I set up an outbound Route53 endpoint with one resolver rule

```hcl
# Outbound endpoint in VPC B: sends queries matching a FORWARD rule to VPC A
resource "aws_route53_resolver_endpoint" "outbound_resolver_ep" {
  name               = "private-api-outbound-resolver-endpoint"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.outbound_resolver_ep_sg.id]

  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az1.id
    ip        = "172.128.1.10"
  }
  ip_address {
    subnet_id = aws_subnet.api_client_pri_sn_az2.id
    ip        = "172.128.2.10"
  }

  tags = {
    Name = "private-api-resolver-endpoint"
  }
}

# FORWARD rule: queries for the private API domain go to the inbound endpoint IPs in VPC A
resource "aws_route53_resolver_rule" "private_api_resolver_rule" {
  name                 = "private-api-resolver-rule"
  domain_name          = var.private_api_domain_name
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound_resolver_ep.id

  target_ip {
    ip = "10.0.1.10"
  }
  target_ip {
    ip = "10.0.2.10"
  }

  tags = {
    Name = "private-api-resolver-rule"
  }
}
```
RESULTS
- Same as before. I can resolve instance DNS names in both VPCs. Instances in VPC B can resolve the Interface Endpoint of the private API Gateway. But instances in VPC B cannot resolve the DNS name of the private API Gateway endpoint.
```text
sh-5.2$ nslookup scnejgvlzb.execute-api.eu-central-1.amazonaws.com
Server:         172.128.0.2
Address:        172.128.0.2#53

** server can't find scnejgvlzb.execute-api.eu-central-1.amazonaws.com: NXDOMAIN

sh-5.2$ curl -X POST https://scnejgvlzb.execute-api.eu-central-1.amazonaws.com/dev/claim
curl: (6) Could not resolve host: scnejgvlzb.execute-api.eu-central-1.amazonaws.com

sh-5.2$ nslookup vpce-0e7d18d5586aefb59-o8c71fb8-eu-central-1a.execute-api.eu-central-1.vpce.amazonaws.com
Server:         172.128.0.2
Address:        172.128.0.2#53

Non-authoritative answer:
Name:   vpce-0e7d18d5586aefb59-o8c71fb8-eu-central-1a.execute-api.eu-central-1.vpce.amazonaws.com
Address: 10.0.1.199

sh-5.2$ nslookup ip-10-0-1-97.eu-central-1.compute.internal
Server:         172.128.0.2
Address:        172.128.0.2#53

Non-authoritative answer:
Name:   ip-10-0-1-97.eu-central-1.compute.internal
Address: 10.0.1.97

sh-5.2$ ping ip-10-0-1-187.eu-central-1.compute.internal
PING ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187) 56(84) bytes of data.
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=1 ttl=127 time=0.299 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=2 ttl=127 time=0.432 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=3 ttl=127 time=0.470 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp_seq=4 ttl=127 time=0.406 ms
64 bytes from ip-10-0-1-187.eu-central-1.compute.internal (10.0.1.187): icmp__seq=5 ttl=127 time=0.412 ms
^C
--- ip-10-0-1-187.eu-central-1.compute.internal ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4095ms
rtt min/avg/max/mdev = 0.299/0.403/0.470/0.056 ms

sh-5.2$ curl http://ip-10-0-1-187.eu-central-1.compute.internal
<html><body><h1>It works!</h1></body></html>
sh-5.2$
```
NB
- This is my first time working with R53 resolver endpoints so I might be missing something.
- The project is deployed with Terraform. In the project, VPC A is called `api_vpc` and VPC B is called `client_vpc`.
- curl to HTTP port 80 and pings to DNS names from `client_vpc` instances to `api_vpc` work.
- But `client_vpc` cannot resolve execute-api.eu-central-1.amazonaws.com
Hi Andrei,
Thanks for the detailed breakdown.
My errors were on points 2 and 3. So to resolve the DNS for the private API Gateway endpoint in VPC B, I did the following:

- `aws_route53_resolver_rule_association` resource to associate the resolver rule with VPC B

Thanks again.
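For readers landing on this thread with the same symptom, here is what that association looks like in Terraform, as an added example that is not code from the original poster or their project. It reuses the resource names from the question (`aws_route53_resolver_rule.private_api_resolver_rule`, `aws_security_group.inbound_resolver_ep_sg`, the two outbound endpoint addresses) and assumes VPC B is declared as `aws_vpc.client_vpc`; the security group rule is also an assumption about what the inbound endpoint's group must allow, since the post does not show that group's contents.

```hcl
# Added example, not from the original post.
# A FORWARD rule does nothing for a VPC until it is associated with that VPC.
# Without this association, VPC B's own resolver (172.128.0.2) answers the
# private API hostname itself and returns NXDOMAIN, exactly as in the output above.
# Assumption: VPC B is declared as aws_vpc.client_vpc in the project.
resource "aws_route53_resolver_rule_association" "private_api_rule_client_vpc" {
  name             = "private-api-resolver-rule-client-vpc"
  resolver_rule_id = aws_route53_resolver_rule.private_api_resolver_rule.id
  vpc_id           = aws_vpc.client_vpc.id
}

# Addresses of the outbound endpoint ENIs in VPC B (taken from the question).
locals {
  outbound_resolver_ips = ["172.128.1.10/32", "172.128.2.10/32"]
}

# Assumption: the inbound endpoint's security group must accept DNS on TCP and
# UDP 53 from those two addresses only. Keeping the source to /32s rather than
# the whole VPC CIDR limits who can hand queries to the VPC A resolver.
# If this rule is missing the failure mode differs: the forwarded query times
# out and the client sees SERVFAIL rather than NXDOMAIN.
resource "aws_vpc_security_group_ingress_rule" "inbound_resolver_dns" {
  for_each = {
    for pair in setproduct(["udp", "tcp"], local.outbound_resolver_ips) :
    "${pair[0]}-${pair[1]}" => pair
  }

  security_group_id = aws_security_group.inbound_resolver_ep_sg.id
  description       = "DNS from VPC B outbound resolver endpoint"
  ip_protocol       = each.value[0]
  from_port         = 53
  to_port           = 53
  cidr_ipv4         = each.value[1]
}
```

A quick way to tell the two failure modes apart from a VPC B instance is to query the inbound endpoint directly (`dig @10.0.1.10 <private-api-hostname>`): if that answers but a plain `dig` returns NXDOMAIN, the rule is not associated with VPC B; if the direct query times out, the path between the endpoints (security groups, NACLs, peering routes) is the problem.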