You can check the communication path using "Reachability Analyzer".
In addition, if you check CloudTrail after executing an API such as "aws s3 ls" from EC2, there is a field called "vpcEndpointId", so you can check from there.
When setting up an interface VPC Endpoint to access an AWS Service privately from within a VPC, the endpoint will 'hijack' the traffic to use the local endpoint you placed rather than the public ones. A quick way to verify this from an EC2 instance in your VPC is to SSH into it and do an NSLOOKUP on the endpoint (i.e. nslookup ec2.us-east-2.amazonaws.com - adjust accordingly). If it returns an address from the VPC's address range, you are using the endpoint. If it returns a public IP address, then you will use the public endpoint. Here is an article to troubleshoot if it is not working: https://repost.aws/knowledge-center/vpc-interface-configure-dns.
In CloudTrail, how do I filter by vpcEndpointId?
Is it from Event Name or EventID?
The "vpcEndpointId" will be included in the event record. This means that after executing an API to S3 from a VPC with a VPC endpoint configured, we need to look for API events in CloudTrail. For example, if you execute "aws s3 ls" on EC2, the event name "ListBuckets" will be recorded in CloudTrail.
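As an added example (not from any of the posters above), the two checks described in this thread in code: splitting CloudTrail records by whether they carry vpcEndpointId, and testing whether the address nslookup returned for the service hostname lies inside the VPC CIDR. The records, IP addresses, CIDR and the vpce- id are constructed sample values, not real log data.

```python
import ipaddress
import json

# Constructed sample CloudTrail records (not real log data). The ListBuckets
# event with vpcEndpointId went through the interface endpoint; the one
# without it took the public path. The vpce- id is a placeholder.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
  "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0123456789abcdef0"},
 {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
  "sourceIPAddress": "203.0.113.10"},
 {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
  "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0123456789abcdef0"}
]}
""")


def classify_events(records, event_name=None):
    """Return (via_endpoint, public) lists of CloudTrail events, optionally
    restricted to one eventName (e.g. "ListBuckets" for `aws s3 ls`).
    An event that carries the vpcEndpointId field went through a VPC endpoint;
    one without it reached the service over the public path."""
    via_endpoint, public = [], []
    for ev in records["Records"]:
        if event_name and ev.get("eventName") != event_name:
            continue
        (via_endpoint if "vpcEndpointId" in ev else public).append(ev)
    return via_endpoint, public


def resolves_inside_vpc(address, vpc_cidr):
    """True when the address nslookup returned for the service hostname falls
    inside the VPC CIDR, i.e. private DNS is pointing at the endpoint ENI."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(vpc_cidr)


if __name__ == "__main__":
    inside, outside = classify_events(SAMPLE_RECORDS, "ListBuckets")
    print(f"{len(inside)} ListBuckets call(s) via endpoint, {len(outside)} public")
    for ev in outside:
        print("public path from", ev["sourceIPAddress"])
    # Address an EC2 instance might get back from nslookup, checked against
    # a constructed VPC CIDR.
    print("inside VPC:", resolves_inside_vpc("10.0.1.200", "10.0.0.0/16"))
```

Running the same classification over every record (no event name filter) shows which services are, and are not, being reached through an endpoint.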
Cool. Thank you so much.