1
votes

I found the process of setting up CloudWatch as per the documentation on public subnets very straightforward, but when I came to repeat the process using an endpoint in a private subnet I cannot get the process to work. I believe, by using nc and traceroute, I can see the client still attempting to contact the internet-facing IP:

ConnectTimeout: HTTPSConnectionPool(host='logs.eu-west-2.amazonaws.com', port=443): Max retries exceeded with url: / (Caused by ConnectTimeoutError(, 'Connection to logs.eu-west-2.amazonaws.com timed out. (connect timeout=60)'))

I have found the documents to be vague on the config. I believe I have added the route correctly on the private subnet to allow for the routing, and I have checked and modified my security groups to allow HTTPS traffic out. Is there another way I should be checking and troubleshooting this?

1
Welcome to StackOverflow! What do you mean by "an endpoint in a private subnet"? What are you attempting to do with CloudWatch (sending custom metrics, perhaps)? Do you have a NAT Instance or a NAT Gateway configured in your VPC? Feel free to edit your question to add additional details. - John Rotenstein

1 Answer

2
votes

There are two scenarios which could be why you are receiving this error.

VPC with Public and Private Subnets (NAT) - You need to configure your private subnet's route table to have a default route to a NAT Gateway or a NAT Instance in a public subnet, so that the host logs.eu-west-2.amazonaws.com has a way to be routed to the AWS CloudWatch Logs infrastructure. See the documentation for more details about this type of setup: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

Private-only Subnet - You need to configure a VPC PrivateLink interface endpoint. See the documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch-logs-and-interface-VPC.html and a sample blog post about the topic here: https://aws.amazon.com/blogs/aws/new-aws-privatelink-endpoints-kinesis-ec2-systems-manager-and-elb-apis-in-your-vpc/
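To turn the two scenarios in this answer into a repeatable check, here is an added example (not code from the question or the answer above) that reads the JSON shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` and reports which fix applies to a private subnet. It also catches the case that matches the question's symptom: an interface endpoint that exists but was created with private DNS disabled, so logs.eu-west-2.amazonaws.com still resolves to the public IPs. The sample documents, VPC, subnet, route table and endpoint IDs below are all constructed placeholders.

```python
# Added example: diagnose why a private-subnet client cannot reach CloudWatch Logs.
# Input shapes follow `aws ec2 describe-route-tables` / `describe-vpc-endpoints`;
# all IDs and sample documents are constructed placeholders, not real resources.
import json

REGION = "eu-west-2"
# Service name of the CloudWatch Logs interface endpoint in this region.
LOGS_SERVICE = f"com.amazonaws.{REGION}.logs"


def default_route_target(route_table):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue  # a blackholed route (e.g. deleted NAT gateway) is no path at all
        # Exactly one of these keys names the target, depending on its type.
        for key in ("NatGatewayId", "GatewayId", "InstanceId", "NetworkInterfaceId"):
            if key in route:
                return route[key]
    return None


def find_logs_endpoint(endpoints, vpc_id):
    """Return the CloudWatch Logs interface endpoint attached to vpc_id, if any."""
    for ep in endpoints:
        if (ep.get("VpcId") == vpc_id
                and ep.get("ServiceName") == LOGS_SERVICE
                and ep.get("VpcEndpointType") == "Interface"):
            return ep
    return None


def diagnose(route_table, endpoints, vpc_id, subnet_id):
    """Return (reachable, problems) for a client in subnet_id of vpc_id."""
    problems = []
    target = default_route_target(route_table)
    ep = find_logs_endpoint(endpoints, vpc_id)

    # Scenario 1: a default route to a NAT gateway, NAT instance or ENI.
    nat_ok = target is not None and not target.startswith("igw-")
    if target is not None and target.startswith("igw-"):
        problems.append("default route goes straight to an internet gateway: "
                        "instances without a public IP cannot use it")

    # Scenario 2: an interface endpoint for the Logs service in this VPC.
    ep_ok = False
    if ep is not None:
        ep_id = ep.get("VpcEndpointId", "<unknown>")
        if ep.get("State") != "available":
            problems.append(f"endpoint {ep_id} is in state {ep.get('State')}")
        elif not ep.get("PrivateDnsEnabled", False):
            problems.append(
                f"endpoint {ep_id} has private DNS disabled: logs.{REGION}.amazonaws.com "
                "still resolves to the public IPs, so clients time out unless they use "
                "the endpoint-specific DNS name")
        else:
            ep_ok = True

    if not nat_ok and not ep_ok:
        problems.append(
            f"no usable path from {subnet_id}: add a 0.0.0.0/0 route to a NAT gateway "
            f"or instance (scenario 1), or create an interface endpoint for "
            f"{LOGS_SERVICE} with private DNS enabled (scenario 2)")
    return (nat_ok or ep_ok), problems


# Constructed sample: a private route table with only the local route, and a
# Logs endpoint that was created without private DNS.
SAMPLE_ROUTE_TABLE = json.loads("""{
  "RouteTableId": "rtb-0exampleprivate",
  "VpcId": "vpc-0example",
  "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
  ]
}""")
SAMPLE_ENDPOINTS = json.loads("""[
  {"VpcEndpointId": "vpce-0example", "VpcId": "vpc-0example",
   "ServiceName": "com.amazonaws.eu-west-2.logs", "VpcEndpointType": "Interface",
   "State": "available", "SubnetIds": ["subnet-0exampleprivate"],
   "PrivateDnsEnabled": false}
]""")

if __name__ == "__main__":
    ok, found = diagnose(SAMPLE_ROUTE_TABLE, SAMPLE_ENDPOINTS,
                         "vpc-0example", "subnet-0exampleprivate")
    print("reachable:", ok)
    for line in found:
        print(" -", line)
```

To run it against a real account, feed it the output of `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id> --query 'RouteTables[0]'` and `aws ec2 describe-vpc-endpoints --query 'VpcEndpoints'`. The script does not inspect security groups: even with a correct route or endpoint, the instance's group must allow outbound 443 and, for scenario 2, the endpoint's group must allow inbound 443 from the instance.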