I am able to connect CodeBuild with CodeCommit via NAT gateway in public subnet -> Internet Gateway. As both CodeCommit & CodeBuild are on AWS, I am trying to avoid using Internet Gateway. Here's what I have done so far - Created endpoint for CodeCommit - Attached it to private subnet - Configured CodeBuild to use the same subnet I am curious on what can be done here to avoid using Internet Gateway.

I chose wrong endpoint [CodeCommit](https://github.com/JigarProjects/Bin/blob/main/CodeCommitEndpoints.png). After choosing "git-codecommit" in Endpoint.

Is it possible to connect CodeBuild to CodeCommit over PrivateLink ?

I am able to connect CodeBuild with CodeCommit via NAT gateway in public subnet -> Internet Gateway. As both CodeCommit & CodeBuild are on AWS, I am trying to avoid using Internet Gateway.

Here's what I have done so far

Created endpoint for CodeCommit
Attached it to private subnet
Configured CodeBuild to use the same subnet

I am curious on what can be done here to avoid using Internet Gateway.

Topics

Developer Tools Networking & Content Delivery

Tags

AWS CodeCommit AWS PrivateLink

Language

English

rePost-User-2082718

asked 2 years ago1031 views

2 Answers

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Accepted Answer

So long as CodeBuild has network connectivity to your CodeCommit endpoint, and the DNS resolution that CodeBuild sees for the CodeCommit service is overridden to point to that endpoint, then CodeCommit will be accessed without using the IGW. DNS resolution is overridden via a Private Hosted Zone (PHZ). The way it works within a single VPC is that you set PrivateDnsEnabled=true for the VPC Endpoint when you create it, which sets up an AWS-managed PHZ associated with the VPC.

See https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/ for more info.

EXPERT

skinsman

answered 2 years ago

EXPERT

Antonio_Lagrotteria

reviewed a month ago

rePost-User-2082718
2 years ago

Created PHZ for git-codecommit.us-east-1.amazonaws.com

Added DNS "A" record for *.git-codecommit.us-east-1.amazonaws.com and pointed it to the endpoint - 10.10.10.229 in my case

On CodeBuild now I get "CLIENT_ERROR: Get "https:// git-codecommit.us-east-1.amazonaws.com/v1/xxxxxk": dial tcp: lookup git-codecommit.us-east-1.amazonaws.com on 10.10.10.2:53: no such host for primary source and source version refs/heads/master"

I must have misconfigured something here.
skinsman EXPERT
2 years ago
If you're not sharing across VPCs, it's easiest to set PrivateDnsEnabled=true and let AWS manage the PHZ for you. Though of course you can set "false" instead and do your own as it sounds like you're doing. The PHZ would normally contain an Alias record mapping the service DNS name to the VPC Endpoint name rather than a regular A record mapping to an IP address. For example an SMS PHZ of ours has:

Record name = sms.ap-southeast-2.amazonaws.com

Value = vpce-xxxxxxxxxxxxxxxxx-xxxxxxxx.sms.ap-southeast-2.vpce.amazonaws.com.

Alias = Yes

You don't need "*." on the front of the record name.
rePost-User-2082718
2 years ago
VPC has "DNS hostnames" & "DNS resolution" enabled. Can I set "PrivateDnsEnabled=true" using console?

So far I have tried following:

Created Private Hosted Zone in Route 53 for git-codecommit.us-east-1.amazonaws.com

Added A record using alias to point to the endpoint

Getting "CLIENT_ERROR: Get "https:// git-codecommit.us-east-1.amazonaws.com/v1/repos/Test/info/refs?service=git-upload-pack": x509: certificate is valid for codecommit.us-east-1.amazonaws.com, *.codecommit.us-east-1.vpce.amazonaws.com, not git-codecommit.us-east-1.amazonaws.com for primary source and source version refs/heads/master"

Deleted old private hosted Zone

Created new private hosted Zone for codecommit.us-east-1.amazonaws.com

Added A record using alias to point to the endpoint

Getting "CLIENT_ERROR: Get "https:// git-codecommit.us-east-1.amazonaws.com/v1/repos/Test/info/refs?service=git-upload-pack": dial tcp 52.94.226.180:443: i/o timeout for primary source and source version refs/heads/master"

I chose wrong endpoint CodeCommit. After choosing "git-codecommit" in Endpoint.

rePost-User-2082718

answered 2 years ago

Relevant content

Does CodeBuild support cross-account access with CodeCommit?
Accepted Answer
kopaka
asked 5 years ago
Pass CommitId of a CodeCommit tag to CodeBuild project
mumbo
asked 5 years ago
How to use codecommit submodules in CodeBuild
Zechy
asked 2 years ago
Is it possible to clone a CodeCommit repository from a different account in a CodeBuild project?
Andy Wu
asked 22 days ago
Why can't my Amazon EC2 instance in a private subnet connect to the internet using a NAT gateway?
AWS OFFICIALUpdated 2 years ago
I'm seeing inbound traffic in the VPC flow logs for my public NAT gateway. Is my public NAT gateway accepting inbound traffic from the internet?
AWS OFFICIALUpdated a year ago
How can I monitor packet loss and latency from AWS to an on-premises network over an internet gateway or NAT gateway?
AWS OFFICIALUpdated a year ago
How do I deploy code from a CodeCommit repository to an Elastic Beanstalk environment?
AWS OFFICIALUpdated 8 months ago
How to figure out whether NAT Gateway processing charge is due to internet bound traffic or within AWS?
EXPERT
Hrushi_G
published a year ago
How can we map entire AWS VPC CIDR to a single IP address using Private NAT Gateway via AWS Site to Site VPN connection.
EXPERT
Narinder Singh Kharbanda
published 9 months ago