1
votes

I am trying to connect my EC2 host set up inside a private subnet to publish logs to CloudWatch. I have set up a VPC interface endpoint for com.amazonaws.us-east-1.logs. Both the interface endpoint and the EC2 instance are in the private subnet.

My security groups:

  1. Security group rules for the interface endpoint

     Inbound rule

     | Type    | Protocol | Port Range | Destination    |
     |---------|----------|------------|----------------|
     | All TCP | TCP      | 0 - 65535  | sg-OfEC2Server |

     Outbound rules - None

  2. Security group rules for EC2

     Inbound rules - None

     Outbound rule

     | Type    | Protocol | Port Range | Destination            |
     |---------|----------|------------|------------------------|
     | All TCP | TCP      | 0 - 65535  | sg-OfInterfaceEndpoint |

The CloudWatch agent keeps timing out, so I sense that there is an issue with my security group rules, but none of the troubleshooting steps helped.

Comments:

Shouldn't the outbound rule be for `sg-ForEC2Server`? - Marcin

updated the question. - user2977535

The DNS settings for the VPC are enabled? - Marcin

DNS resolution and DNS hostnames are enabled - user2977535

I assume the instance has a role with permissions to call CW; the interface policies are also permissive? - Marcin

1 Answer

0
votes

I recreated your setup and encountered the same problem when using the same security groups as yours.

What I found is that the issue is caused by the following outbound rule:

| Type    | Protocol | Port Range | Destination            |
|---------|----------|------------|------------------------|
| All TCP | TCP      | 0 - 65535  | sg-OfInterfaceEndpoint |

This allows the EC2 instance to connect only to the interface endpoint and nowhere else. Changing it to the CIDR of my VPC (10.1.0.0/16) fixed the problem and I could use the interface endpoint.

I think that the root cause of the timeout was that, with the original outbound rule, your (and my) private instance could not connect to the DHCP or DNS servers for the VPC. Subsequently, resolution of the DNS name of the logs endpoint was not possible.
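The thread turns on two separate failure modes that both present as an agent timeout: the endpoint name not resolving (or resolving to public addresses, which a private subnet without NAT cannot reach), and the name resolving to the endpoint's private addresses but TCP 443 being blocked by a security group or network ACL. The script below is an added example, not code from the question or answer: run on the instance, it resolves the endpoint name, checks whether the answers fall inside the VPC CIDR, and only then attempts a TCP connect, so the report says which layer to look at. The endpoint name `logs.us-east-1.amazonaws.com` and the CIDR `10.1.0.0/16` are taken from the thread; the `resolve` and `connect` parameters are there only so the classification can be exercised offline with constructed results.

```python
"""Classify why a private EC2 instance cannot reach a VPC interface endpoint.

Added example, not part of the original question or answer. The default
hostname and VPC CIDR come from the thread; the injectable resolve/connect
callables allow offline testing with constructed results.
"""
import socket
from ipaddress import ip_address, ip_network

LOGS_ENDPOINT = "logs.us-east-1.amazonaws.com"   # service name used in the question
VPC_CIDR = "10.1.0.0/16"                           # CIDR given in the answer


def resolve_all(hostname):
    """Return the set of IPv4 addresses the host's resolver gives for hostname.

    An empty set means the resolver could not be reached or returned nothing.
    """
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def tcp_reachable(ip, port=443, timeout=3.0):
    """True if a TCP handshake to ip:port completes within timeout seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(hostname=LOGS_ENDPOINT, vpc_cidr=VPC_CIDR,
             resolve=resolve_all, connect=tcp_reachable):
    """Return one of four verdicts:

    'dns-failed'  no addresses at all: the VPC resolver is unreachable or the
                  name does not resolve (the DNS path the answer points at)
    'public-dns'  only addresses outside the VPC: private DNS for the endpoint
                  is not in effect, so traffic heads for the internet and times
                  out from a private subnet
    'tcp-blocked' private addresses resolved but no 443 connect succeeded:
                  look at the endpoint's inbound and the instance's outbound
                  security group rules, then the subnet NACLs
    'ok'          at least one endpoint address accepts TCP 443
    """
    addrs = resolve(hostname)
    if not addrs:
        return "dns-failed"
    vpc = ip_network(vpc_cidr)
    private = {a for a in addrs if ip_address(a) in vpc}
    if not private:
        return "public-dns"
    if not any(connect(a) for a in sorted(private)):
        return "tcp-blocked"
    return "ok"


if __name__ == "__main__":
    # On the instance this performs real DNS lookups and TCP connects.
    print(diagnose())
```

A `public-dns` verdict matches the comment asking whether DNS settings are enabled: the endpoint's private DNS name only overrides the public record when DNS resolution and DNS hostnames are on for the VPC and private DNS is enabled on the endpoint. A `tcp-blocked` verdict points at the security group pair discussed above rather than at DNS.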