Connecting to S3 bucket thru S3 VPC Endpoint inside EC2 instance timing out

0
votes

I am receiving "Could not connect to the endpoint URL: "https://s3.amazonaws.com/" from inside EC2 instance running in private subnet

Here is a configuration:

  1. Created one VPC with 2 private subnets (yes.. no public) that is connected to our datacenter using VPN connection. This VPC does not have any IG or NAT.

  2. Created EC2 instance(Amazon Linux AMI) inside one of the private subnet.

  3. Connected to EC2 using Putty- successfully.

  4. Now created an endpoint - S3 that is connected to the VPC (in step1) and policy is as follows (as presented by aws management console):

    {
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}
  5. Routing is automatically added to the VPC routing where destination is pl-xxxxxxxx(com.amazonaws.us-east-1.s3) and target is the endpoint created in step4, status Active, Propogated - No
  6. Added 2 outbound rules in Security Group for the VPC: (HTTP:80, HTTP:443) to destination prefix s3 endpoint starting with pl-xxxxxxxx (same as step 5).
  7. Created a bucket in S3 using amazon management console

  8. Edited bucket policy as follows

        {
    "Version": "2012-10-17",
    "Id": "Policy1459706251964",
    "Statement": [
        {
            "Sid": "Stmt1459706246215",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket/*",
                "arn:aws:s3:::mybucket"
            ]
        }
    ]
}

  9. Now entered following command in putty session 

     aws s3 ls --debug --endpoint-url https://s3.amazonaws.com/mybucket

  10. I got "EndpointConnectionError: Could not connect to the endpoint URL in #9

I know I am missing something..Any help will be greatly appreciated..

1
amazon-web-servicesamazon-s3amazon-ec2amazon-vpc
I'm not sure where you got us-east1.s3.amazonaws.com, but that's almost certainly invalid. In the us-east-1 region, the correct endpoints for S3 are s3.amazonaws.com or s3-external-1.amazonaws.com.Michael - sqlbot
@Michael-sqlbot - You are right. In the AWS documentation, for east coast - it is s3.amazon.com. I tried it and it did not work. Then I googled and saw somebody had similar problem and he was referring to {us-east1.s3.amazonaws.com}. Now I re-corrected back and same error.user2939101
Routing is automatically added to the VPC routing ... automatically added? That doesn't sound right, but I'm going from memory -- verify that all of the appropriate routing tables, particularly the one for the subnet of this instance do indeed have that pl-xxxxxxxx entry. Then, I would relax the outbound security group to allow all traffic and see if you have a connection, then, or not. You don't want to have to troubleshoot more than one thing at a time.Michael - sqlbot
@Michael-sqlbot - Followed your instructions:user2939101
I also checked that <pl-xxxxx> is defined in subnet. Then I checked routing against the VPC. It is defined properly and it has 3 routes defined- 1) <VPC CIDR> as Destination, "local" as Target, "Active" as Status and "No" as "Propogated" 2)<pl-xxxxxxx> as Destination, "<vpcendpoint>" as Target, "Active" as Status and "No" as "Propogated" 3) 0.0.0.0/0 as Destination, "<VGW>" as Target, "Active" as Status and "Yes" as Propogated Then I relaxed the outbound rules on Security Groups associated with this VPC and allowed all traffic.user2939101

1 Answers

0
votes

If anybody has similar problem- please also check with your corporate IT about DNS resolution properly set. The workaround is - While I waited for our internal IT to do this work, I used Amazon DNS.