18

Can I supply more than 1 subnet per AZ to create an AWS Interface Endpoint?

When I tried, I got this error:

Error creating VPC Endpoint: DuplicateSubnetsInSameZone: Found another VPC endpoint subnet in the availability zone of subnet-xxx. VPC endpoint subnets should be in different availability zones supported by the VPC endpoint service.

My VPC is set up such that there are multiple subnets per AZ. Does this mean that instances set up in a subnet that doesn't have the VPC endpoint network interface will not be able to access the AWS service?

Tri Nguyen
  • One interface endpoint per VPC is enough. All subnets will be able to use it. But for high availability you can have one interface endpoint per AZ if you want. – Marcin Apr 22 '20 at 23:17
  • So I should just create it in any one of the subnets? – Tri Nguyen Apr 22 '20 at 23:18
  • Yes, though probably better to create in subnets where you have resources which use the endpoint. – Marcin Apr 22 '20 at 23:22

1 Answer

16

Docs write:

For each interface endpoint, you can choose only one subnet per Availability Zone.

This does not mean that only this one subnet can use the interface. All subnets in your VPC will be able to access the interface. For high availability you can have the interface endpoints in each of AZs (one per AZ):

You can specify more than one subnet in different Availability Zones (as supported by the service) to help ensure that your interface endpoint is resilient to Availability Zone failures.

So at minimum one interface endpoint per VPC is enough. Docs also write this as an example for Kinesis interface endpoint:

Instances in either subnet can send requests to Amazon Kinesis Data Streams through the interface endpoint using an endpoint-specific DNS hostname.

Marcin
  • Do you have a reference to where it says that "all subnets in the VPC will be able to access the interface"? According to https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/, it seems to suggest that the interface needs to be in the same subnet as my instance. – Tri Nguyen Apr 22 '20 at 23:23
  • 1
    Interface endpoints work at VPC [DNS level](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns). The illustration [here](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns) shows two subnets accessing one interface endpoint for Kinesis. Don't have a better reference for now. – Marcin Apr 22 '20 at 23:29
  • @TriNguyen the official document you cited is essentially wrong, when it says *"For Subnets, choose the Subnet ID for your instance"* and *"Be sure to create the endpoint in all subnets in the VPC."* It could be any subnet in the AZ (not necessarily the same one, but choosing the same one would of course work) and you need one endpoint for each AZ, not one for each subnet. – Michael - sqlbot Apr 23 '20 at 16:18
  • @Michael-sqlbot what you are saying is different from what Marcin is saying. I don't need one per AZ, it's one per VPC (other than high availability, which is not under consideration for my question) – Tri Nguyen Apr 23 '20 at 16:21
  • You don't strictly ***need*** one per AZ, but it's best practice to do so since an outage impacting the AZ with the endpoint would prevent systems in other AZs from accessing the service. – Michael - sqlbot Apr 23 '20 at 16:54
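The constraint discussed in the question and answer (at most one subnet per Availability Zone for an interface endpoint, any subnet in the VPC can then reach it) can be checked locally before the API call is made. The following is an added example, not code from the thread or from AWS: it models the `DuplicateSubnetsInSameZone` rejection, derives a valid one-subnet-per-AZ list from a subnet inventory, and builds the keyword arguments for boto3's `ec2.create_vpc_endpoint`. The subnet ids, AZ names, VPC id and security group id are constructed placeholders; the `prefer` parameter and the helper names are this example's own.

```python
"""Pick one subnet per Availability Zone for an AWS interface endpoint.

Added example (not from the thread or from AWS). An interface endpoint
accepts at most one subnet per AZ; a request naming two subnets in the
same AZ fails with DuplicateSubnetsInSameZone. These helpers validate a
proposed subnet list offline and can derive a valid list from an
inventory of subnets.
"""
from collections import defaultdict

# Constructed inventory: subnet id -> availability zone. In a real run this
# would come from ec2.describe_subnets for the VPC.
SUBNETS = {
    "subnet-0a1": "us-east-1a",   # e.g. public subnet
    "subnet-0a2": "us-east-1a",   # e.g. private subnet, same AZ
    "subnet-0b1": "us-east-1b",
    "subnet-0b2": "us-east-1b",
    "subnet-0c1": "us-east-1c",
}


class DuplicateSubnetsInSameZone(ValueError):
    """Local mirror of the API error code quoted in the question."""


def validate_endpoint_subnets(subnet_ids, subnets=SUBNETS):
    """Raise if two of subnet_ids share an AZ; return the sorted AZs covered."""
    seen = {}  # az -> subnet id already chosen for that AZ
    for sid in subnet_ids:
        az = subnets[sid]
        if az in seen:
            raise DuplicateSubnetsInSameZone(
                f"Found another VPC endpoint subnet ({seen[az]}) in the "
                f"availability zone of {sid} ({az})"
            )
        seen[az] = sid
    return sorted(seen)


def choose_one_subnet_per_az(subnets=SUBNETS, prefer=()):
    """Return one subnet id per AZ, preferring ids listed in `prefer`.

    Every subnet in the VPC can use the endpoint through its private DNS
    name, so the hosting subnet mainly matters for AZ coverage; `prefer`
    lets the caller pick the subnets where the workloads actually run, as
    the comments on the answer recommend.
    """
    by_az = defaultdict(list)
    for sid, az in sorted(subnets.items()):
        by_az[az].append(sid)
    chosen = []
    for az in sorted(by_az):
        preferred = [s for s in by_az[az] if s in prefer]
        chosen.append(preferred[0] if preferred else by_az[az][0])
    return chosen


def endpoint_request(service_name, vpc_id, subnet_ids, security_group_ids):
    """Validate the subnets and build kwargs for ec2.create_vpc_endpoint."""
    validate_endpoint_subnets(subnet_ids)
    return {
        "VpcEndpointType": "Interface",
        "ServiceName": service_name,
        "VpcId": vpc_id,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,  # lets the service's normal hostname resolve to the endpoint
    }


if __name__ == "__main__":
    # Constructed values; with boto3 this would be ec2.create_vpc_endpoint(**request).
    request = endpoint_request(
        "com.amazonaws.us-east-1.kinesis-streams",
        "vpc-EXAMPLE",
        choose_one_subnet_per_az(prefer=("subnet-0a2", "subnet-0b2")),
        ["sg-EXAMPLE"],
    )
    print(request["SubnetIds"])
```

One practical caveat when workloads in other subnets still cannot reach the service: the security group attached to the endpoint's network interfaces must allow inbound HTTPS (TCP 443) from the client subnets (or the VPC CIDR), since that group, not subnet placement, is what gates access to the endpoint.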