How do I use an interface Amazon VPC endpoint to resolve default service domain names?


I'm using an interface Amazon Virtual Private Cloud (Amazon VPC) endpoint for an AWS service. I want to use the default service domain name to access the service through the VPC interface endpoint.

Resolution

Follow these steps to resolve service domain names for an interface VPC endpoint.

To get the private IP addresses of the interface endpoint, you must send the DNS queries to the Amazon provided DNS server of the VPC where you created the interface endpoint. The Amazon provided DNS server is located at the base of the VPC CIDR plus two (for example, 10.0.0.2 for a VPC with the CIDR 10.0.0.0/16).

Check that the domain name servers value in the DHCP option set of the VPC is AmazonProvidedDNS, which points resources to the Amazon DNS server. You can also designate custom domain name servers in the DHCP option set for the VPC. In that case, the custom servers must forward queries for the service domain name to the Amazon provided DNS server of the VPC.

On the VPC where you created the interface VPC endpoint, check that the DNS attributes of the VPC, DNS hostnames and DNS resolution, are turned on.

When you use interface VPC endpoints to access supported AWS services, turn on private DNS names on the endpoint. When private DNS names is turned on, queries for the service domain name resolve to private IP addresses. These private IP addresses belong to the elastic network interfaces that were created in each subnet you associated with the interface endpoint. You can then use the service domain name, for example ec2.us-east-1.amazonaws.com, over AWS PrivateLink to run AWS API calls.
If private DNS names isn't turned on, then the service domain name resolves to the AWS Regional public IP addresses of the service, and the traffic doesn't use the interface endpoint.

If you use the default service domain name to access an interface endpoint from outside the VPC, you must configure your DNS architecture so that DNS queries for the service domain name are forwarded to the Amazon provided DNS server of the VPC where you created the interface endpoint. To do this, you can configure an Amazon Route 53 Resolver inbound endpoint in the VPC where the interface endpoint is hosted, and forward queries for the service domain name from the source network to that inbound endpoint. To confirm the IP address that the service domain name resolves to, use the nslookup or dig tools against the service domain name from the source network. The answers must be the private IP addresses of the endpoint network interfaces, not public addresses. As an alternative, you can use the Regional endpoint domain names of the interface endpoint in your SDK or AWS CLI configuration to run API calls. The Regional endpoint domain names of the interface endpoint can be resolved from any network, because they are published in public DNS.
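The following script is an added example, not code from this AWS article. It runs the checklist above (DNS attributes, DHCP option set, private DNS names on the endpoint, and the dig verification) against constructed JSON that mirrors the shape of the output of aws ec2 describe-vpcs, describe-vpc-attribute, describe-dhcp-options and describe-vpc-endpoints. The resource IDs, the 10.20.0.0/16 CIDR and the 203.0.113.10 answer are placeholders. It makes no AWS calls; to audit a real VPC, replace the dicts with json.loads() of the real CLI output and the dig output with what dig +short returns from the source network.

```python
"""Audit the checklist for resolving an AWS service's default domain name through an
interface VPC endpoint.

Added example, not code from the AWS article. The dicts below are constructed to
mirror the JSON shape of `aws ec2 describe-vpcs`, `describe-vpc-attribute`,
`describe-dhcp-options` and `describe-vpc-endpoints`; IDs and addresses are
placeholders. To audit a real VPC, replace them with json.loads(<cli output>) and
DIG_OUTPUT with the output of `dig +short <service domain> @<resolver>`.
"""
import ipaddress

# ---- Constructed sample data (placeholder IDs; shaped like AWS CLI JSON output) ----
VPC = {"VpcId": "vpc-0example", "CidrBlock": "10.20.0.0/16", "DhcpOptionsId": "dopt-0example"}
DNS_SUPPORT = {"VpcId": "vpc-0example", "EnableDnsSupport": {"Value": True}}
DNS_HOSTNAMES = {"VpcId": "vpc-0example", "EnableDnsHostnames": {"Value": False}}
DHCP_OPTIONS = {
    "DhcpOptionsId": "dopt-0example",
    "DhcpConfigurations": [
        {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]},
    ],
}
ENDPOINT = {
    "VpcEndpointId": "vpce-0example",
    "VpcEndpointType": "Interface",
    "VpcId": "vpc-0example",
    "ServiceName": "com.amazonaws.us-east-1.ec2",
    "PrivateDnsEnabled": False,
}
# Constructed `dig +short` output: a CNAME line followed by a public (TEST-NET-3) address,
# i.e. what a client sees when private DNS is off or the query never reached the VPC resolver.
DIG_OUTPUT = "ec2.us-east-1.amazonaws.com.\n203.0.113.10\n"


def amazon_provided_dns(vpc_cidr):
    """The Amazon provided DNS resolver lives at the VPC CIDR base address plus two."""
    return str(ipaddress.ip_network(vpc_cidr, strict=False).network_address + 2)


def dhcp_uses_amazon_dns(dhcp_options):
    """True if the VPC's DHCP option set hands out AmazonProvidedDNS as a name server."""
    for cfg in dhcp_options.get("DhcpConfigurations", []):
        if cfg["Key"] == "domain-name-servers":
            return any(v["Value"] == "AmazonProvidedDNS" for v in cfg["Values"])
    return False


def parse_dig_short(text):
    """Keep only the IP addresses from `dig +short` output (drops CNAME target lines)."""
    addrs = []
    for line in text.splitlines():
        try:
            addrs.append(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue
    return addrs


def classify_answers(answers, vpc_cidr):
    """'private' if every answer is an endpoint ENI address inside the VPC CIDR,
    'public' if none is, 'mixed' otherwise, 'none' for an empty answer."""
    if not answers:
        return "none"
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    inside = sum(1 for a in answers if ipaddress.ip_address(a) in net)
    if inside == len(answers):
        return "private"
    return "public" if inside == 0 else "mixed"


def audit(vpc, dns_support, dns_hostnames, dhcp_options, endpoint, dig_output):
    """Return the findings that stop the service domain name from resolving to the
    interface endpoint's private IPs. An empty list means every check passed."""
    findings = []
    resolver = amazon_provided_dns(vpc["CidrBlock"])
    if not dns_support["EnableDnsSupport"]["Value"]:
        findings.append("VPC attribute enableDnsSupport is off")
    if not dns_hostnames["EnableDnsHostnames"]["Value"]:
        findings.append("VPC attribute enableDnsHostnames is off")
    if not dhcp_uses_amazon_dns(dhcp_options):
        findings.append("DHCP option set does not use AmazonProvidedDNS; "
                        "forward service-name queries to %s" % resolver)
    if endpoint["VpcEndpointType"] != "Interface":
        findings.append("endpoint is not an interface endpoint")
    if not endpoint.get("PrivateDnsEnabled", False):
        findings.append("private DNS names is off on %s; the service name resolves "
                        "to public IPs" % endpoint["VpcEndpointId"])
    verdict = classify_answers(parse_dig_short(dig_output), vpc["CidrBlock"])
    if verdict != "private":
        findings.append("resolution verdict '%s': answers are not all inside %s; "
                        "query %s from the source network" % (verdict, vpc["CidrBlock"], resolver))
    return findings


if __name__ == "__main__":
    for finding in audit(VPC, DNS_SUPPORT, DNS_HOSTNAMES, DHCP_OPTIONS, ENDPOINT, DIG_OUTPUT):
        print("FINDING:", finding)
```

With the constructed data the script reports three findings: DNS hostnames is off, private DNS names is off on the endpoint, and the dig answer is a public address. The resolution check is the one to trust from a remote network: a clean configuration still fails if the source network's resolver never forwards the query to the VPC's base-plus-two address.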

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Example AWS CLI command describe-instances API call:

$ aws ec2 describe-instances --endpoint-url https://vpce-aaaabbbbcccc-dddd.vpce-svc-12345678.<region>.vpce.amazonaws.com

If you created a Route 53 private hosted zone for the service domain name, additional configuration might be required. Make sure that you associate the correct source VPC with the hosted zone. For more information, see How can I troubleshoot Route 53 private hosted zone DNS resolution issues? You must also establish network connectivity from the source network to the VPC, for example through VPC peering or AWS Transit Gateway, so that DNS queries can be routed to the Amazon provided DNS server of the VPC.

Related information

How do I configure a Route 53 Resolver inbound endpoint to resolve DNS records in my private hosted zone from my remote network?

How do I configure a Route 53 Resolver outbound endpoint to resolve DNS records hosted on a remote network from resources in my VPC?

AWS OFFICIAL
Updated a year ago