Access NLB in another VPC via VPC Endpoint

Access NLB in another VPC via VPC Endpoint
構築する環境
CloudFormation template files
Explanation of key points of template files
Architecting
1. Create CloudFormation stacks and check the resources in the stacks
2. Operation Check
summary

Access NLB in another VPC via VPC Endpoint

One of the features provided by VPC endpoints is the VPC Endpoint Service (PrivateLink).

You can create your own service powered by AWS PrivateLink, known as an endpoint service. You are the service provider, and the AWS principals that create connections to your service are the service consumers.
Create a service powered by AWS PrivateLink

This time we will use the VPC endpoint service to access the NLB on another VPC.

構築する環境

Diagram of access NLB in another VPC via VPC Endpoint

Create two VPCs.

The VPC on the other hand deploys NLB and EC2 instances.
The instance belongs to the NLB target group.
Apache is installed on the instance to run as a web server.

The other VPC will house an EC2 instance.
The role of this instance is to access the aforementioned NLB as a test.

Create three types of VPC endpoints.

The first is for S3.
It is used to install Apache on instances in the NLB target group.

The second is for SSM.
SSM Session Manager and is used to access test instances.

The third is for NLB.
It is used by the testing instance to access the NLB.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation templates are placed at the following URL

awstut-saa/03/002 at main · awstut-an-r/awstut-saa

Contribute to awstut-an-r/awstut-saa development by creating an account on GitHub.

Explanation of key points of template files

NLB

Resources:
  NLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: !Sub "${Prefix}-NLB"
      Scheme: internal
      Subnets:
        - !Ref PrivateSubnet
      Type: network
      
  NLBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: !Sub "${Prefix}-NLBTargetGroup"
      Protocol: TCP
      Port: !Ref HTTPPort
      VpcId: !Ref VPC
      Targets:
        - Id: !Ref Instance
        
  NLBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties: 
      DefaultActions: 
        - TargetGroupArn: !Ref NLBTargetGroup
          Type: forward
      LoadBalancerArn: !Ref NLB
      Port: !Ref HTTPPort
      Protocol: TCP
Code language: YAML (yaml)

Create the three resources (NLB body, target group, and listener) that make up the NLB.
Specify an EC2 instance (described below) as the target.
No special configuration is required.

VPC Endpoint Service

Resources:
  VPCEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties: 
      AcceptanceRequired: false
      NetworkLoadBalancerArns: 
        - !Ref NLB
Code language: YAML (yaml)

This is a VPC endpoint service to access the NLB from outside the VPC.
There are two key parameters in creating a VPC endpoint service.

The first is the AcceptanceRequired property.
The AWS official explanation of this property is as follows

You can configure your endpoint service to accept connection requests automatically. Otherwise, you must accept or reject them manually. If you do not accept a connection request, the service consumer can’t access your endpoint service.
Accept or reject connection requests

This time, since manual acceptance is not performed, “false” is specified for this property.

The second is the NetworkLoadBalancerArns property.
Specify the aforementioned NLB for this.
This means that this VPC endpoint service is for NLB.

EC2 (NLB side)

Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref PrivateSubnet
          GroupSet:
            - !Ref InstanceSecurityGroup
      UserData: !Base64 |
        #!/bin/bash -xe
        yum update -y
        yum install -y httpd
        systemctl start httpd
        systemctl enable httpd
        ec2-metadata -i > /var/www/html/index.html
Code language: YAML (yaml)

EC2 instance in the NLB target group.
The initialization process of the instance is performed using user data.
For details on initialization, please refer to the following page.

During the initialization process, Apache is installed and runs as a web server.

VPC endpoint for NLB

Resources:
  NLBEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: false
      SecurityGroupIds:
        - !Ref NLBEndpointSecurityGroup
      ServiceName: !Sub "com.amazonaws.vpce.${AWS::Region}.${VPCEndpointService}"
      SubnetIds:
        - !Ref PrivateSubnet
      VpcEndpointType: Interface
      VpcId: !Ref VPC
Code language: YAML (yaml)

VPC endpoint for NLB.
Used by test EC2 instances to access the NLB.

The key point is the ServiceName property.
As shown below, specify a string that embeds the ID of the aforementioned VPC endpoint service.

com.amazonaws.vpce.[region-id].[vpc-endpoint-service-id]

Check the security group for this endpoint.

Resources:
  NLBEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: !Sub "${Prefix}-NLBEndpointSecurityGroup"
      GroupDescription: Allow HTTP from InstanceSecurityGroup.
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref HTTPPort
          ToPort: !Ref HTTPPort
          SourceSecurityGroupId: !Ref InstanceSecurityGroup
Code language: YAML (yaml)

The EC2 instance under the NLB is running as a web server and listening on HTTP (80/tcp).
Therefore, the security group for the VPC endpoints also allows HTTP in the same way.

Architecting

Use CloudFormation to build this environment and check its actual behavior.

Create CloudFormation stacks and check the resources in the stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following pages.

After reviewing the resources in each stack, information on the main resources created in this case is as follows

NLB: saa-03-002-NLB
VPC endpoint service for NLB: vpce-svc-074f49920d0314071
VPC endpoint for NLB: vpce-00e74a560c595e218
EC2 instance under NLB: i-086f1f474294d9822
EC2 instance for testing: i-08a48ca7d3b86d91d

Check each resource from the AWS Management Console.

Check the NLB.

The NLB has been successfully created.
You can see that one instance is registered in the target group.

Check VPC endpoint service.

The associated load balancer shows that the aforementioned NLB is registered.
The endpoint connection shows that the VPC endpoint described below is registered.

Check VPC endpoints for NLB.

Looking at the service name, a string containing the ID of the aforementioned VPC endpoint service is set.

You will see that the following two DNS names are set

vpce-00e74a560c595e218-9azgnkss.vpce-svc-074f49920d0314071.ap-northeast-1.vpce.amazonaws.com

vpce-00e74a560c595e218-9azgnkss-ap-northeast-1a.vpce-svc-074f49920d0314071.ap-northeast-1.vpce.amazonaws.com

Operation Check

Now that you are ready, access the test instance.
Access is via SSM Session Manager.

% aws ssm start-session --target i-08a48ca7d3b86d91d
…
sh-4.2$
Code language: Bash (bash)

For more information on SSM Session Manager, please refer to the following page.

Access VPC endpoints for NLB.

sh-4.2$ curl http://vpce-00e74a560c595e218-9azgnkss.vpce-svc-074f49920d0314071.ap-northeast-1.vpce.amazonaws.com
instance-id: i-086f1f474294d9822

sh-4.2$ curl http://vpce-00e74a560c595e218-9azgnkss-ap-northeast-1a.vpce-svc-074f49920d0314071.ap-northeast-1.vpce.amazonaws.com
instance-id: i-086f1f474294d9822
Code language: Bash (bash)

Both responses were received.
The responses are from instances in the NLB target group.

This means that traffic destined for the VPC endpoint for NLB was sent for the VPC endpoint service in another VPC, and from there it went through NLB to the instance.

summary

We have identified a way to access NLB on another VPC using the VPC endpoint service.