为 DynamoDB 创建 AWS VPC 网关终端会中断 ECS 任务

huangapple go评论88阅读模式
英文:

Creating AWS VPC Gateway Endpoint for DynamoDB Breaks ECS Task

问题

当我创建一个DynamoDB VPC网关终端时,它会导致连接到DynamoDB的ECS任务失败。ECS任务/服务/集群位于与网关终端相同的VPC和相同的区域中,位于私有子网中,其安全组允许对DynamoDB进行出站访问。该VPC启用了DNS解析和DNS主机名。

该任务正在运行用于连接到DynamoDB表的C++ aws-sdk,并在尝试使用网关终端时返回以下错误:

ERROR: Failed to get item: Invalid DNS Label found in URI host

一旦我移除了这个终端,任务就停止失败。

我尝试创建一个用于DynamoDB的VPC网关终端,以减轻我们NAT网关上的一些流量,并且我期望ECS任务仍然能够通过网关终端连接到DynamoDB。

英文:

When I create a DynamoDB VPC Gateway Endpoint it breaks an ECS task that connects to DynamoDB. The ECS task/service/cluster is in the same VPC in the same region as the gateway endpoint on a private subnet and its security group allows outbound access to DynamoDB. The VPC has DNS resolution and DNS hostnames Enabled.

The task is running aws-sdk for C++ to connect to a DynamoDB table and returns the following error when we try to use the gateway endpoint:

ERROR: Failed to get item: Invalid DNS Label found in URI host

As soon as I remove the endpoint the task stops failing.

I tried creating a VPC Gateway Endpoint for DynamoDB to alleviate some traffic on our NAT gateway and I expected the ECS task to still be able to connect to DynamoDB through the gateway endpoint.

答案1

得分: 0

我建议查看在使用 VPC 端点时的注意事项。通常情况下,它与自定义 DNS 问题相关。

  • 网关端点仅在创建它的区域中可用。确保在与 DynamoDB 表位于相同区域的地方创建网关端点。

  • 如果您使用亚马逊的 DNS 服务器,您必须为您的 VPC 启用 DNS 主机名和 DNS 解析。如果您使用自己的 DNS 服务器,请确保 DynamoDB 的请求正确解析到由 AWS 维护的 IP 地址。

  • 用于通过网关端点访问 DynamoDB 的实例的安全组的出站规则必须允许流量流向 DynamoDB。您可以在出站规则中将 DynamoDB 的前缀列表 ID 用作目的地。

  • DynamoDB 不支持基于资源的策略(例如表上的策略)。对 DynamoDB 的访问受端点策略以及个别用户和角色的策略控制。

  • 如果您使用 AWS CloudTrail 记录 DynamoDB 操作,日志文件将包含服务使用者 VPC 中 EC2 实例的私有 IP 地址以及通过端点执行的任何请求的网关端点的 ID。

  • 网关端点仅支持 IPv4 流量。

  • 受影响子网中的实例的源 IPv4 地址会从公共 IPv4 地址更改为来自您的 VPC 的私有 IPv4 地址。端点切换网络路由并断开开放的 TCP 连接。不会恢复以前使用公共 IPv4 地址的连接。我们建议在创建或修改网关端点时不要运行任何关键任务。或者,测试以确保如果连接中断,您的软件能够自动重新连接到 DynamoDB。

  • 端点连接不能延伸到 VPC 之外。您的 VPC 之外的 VPN 连接、VPC 对等连接、中转网关或 AWS Direct Connect 连接的资源不能使用网关端点与 DynamoDB 进行通信。

  • 您的帐户在每个区域默认配额为 20 个网关端点,这是可调整的。每个 VPC 还有 255 个网关端点的限制。

英文:

I would suggest going over the considerations when using a vpc endpoint. Usually it's linked to custom DNS issue.

  • A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your DynamoDB tables.

  • If you're using the Amazon DNS servers, you must enable both DNS hostnames and DNS resolution for your VPC. If you're using your own DNS server, ensure that requests to DynamoDB resolve correctly to the IP addresses maintained by AWS.

  • The outbound rules for the security group for instances that access DynamoDB through the gateway endpoint must allow traffic to DynamoDB. You can use the prefix list ID for DynamoDB as the destination in the outbound rule.

  • DynamoDB does not support resource-based policies (for example, on tables). Access to DynamoDB is controlled through the endpoint policy and policies for individual users and roles.

  • If you use AWS CloudTrail to log DynamoDB operations, the log files contain the private IP addresses of the EC2 instances in the service consumer VPC and the ID of the gateway endpoint for any requests performed through the endpoint.

  • Gateway endpoints support only IPv4 traffic.

  • The source IPv4 addresses from instances in your affected subnets change from public IPv4 addresses to private IPv4 addresses from your VPC. An endpoint switches network routes and disconnects open TCP connections. The previous connections that used public IPv4 addresses are not resumed. We recommend that you do not have any critical tasks running when you create or modify a gateway endpoint. Alternatively, test to ensure that your software can automatically reconnect to DynamoDB if a connection breaks.

  • Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with DynamoDB.

  • Your account has a default quota of 20 gateway endpoints per Region, which is adjustable. There is also a limit of 255 gateway endpoints per VPC.

答案2

得分: 0

事实证明,容器缺少其角色所需的权限:

错误消息:用户:
arn:aws:sts::XXX:assumed-role/dataSaverContainerRole/XXX 未被授权执行 dynamodb:DescribeEndpoints 对资源 * 的操作,
因为没有身份验证策略允许 dynamodb:DescribeEndpoints 操作。

一旦我添加了权限,它就开始工作。

英文:

It turned out that the container was missing a necessary permission in its role:

> Error message: User:
> arn:aws:sts::XXX:assumed-role/dataSaverContainerRole/XXX is not
> authorized to perform: dynamodb:DescribeEndpoints on resource: *
> because no identity-based policy allows the dynamodb:DescribeEndpoints
> action

Once I added the permission it started working.

huangapple
  • 本文由 发表于 2023年6月22日 02:37:46
  • 转载请务必保留本文链接:https://go.coder-hub.com/76526224.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定