
Currently there are different VPCs and subnets for Elasticsearch (which we host on EC2) and Atlantis (ECS). I want to send requests from Atlantis to Elastic on EC2.

Goal: send HTTP requests from Atlantis to Elasticsearch on EC2 using PrivateLink so that we don't have to peer the Atlantis and Elastic VPCs.

I see in the docs that PrivateLink (AWS VPC Endpoint - Interface) can be used to expose an AWS service API, but that's not what I want to do.

When I created the VPC endpoint below, I am able to get responses from ping ec2.us-east-2.api.aws (maybe not related at all) but not from the other DNS names in the VPC endpoint and not from Elastic. Interestingly, the VPC endpoint resolves to an IP that looks to be in the Elastic VPC.

variable "atlantis_vpc_id"{
  type = string
  default = "vpc-vpc-id-here"
}

variable "elasticsearch_vpc_id"{
  type = string
  default = "vpc-vpc-id-here"
}

variable "atlantis_subnet_id"{
  type = string
  default = "subnet-subnet-id-here"
}

variable "elastic_dev_subnet_id"{
  type = string
  default = "subnet-subnet-id-here"
}

variable "elastic_dev_private_ip"{
  type = string
  default = "elastic-private-ip"
}

data "aws_subnet" "privatelink-atlantis-subnet" {
  id       = var.atlantis_subnet_id
}

data "aws_subnet" "privatelink-elastic-dev-subnet" {
  id       = var.elastic_dev_subnet_id
}

resource "aws_security_group" "privatelink-elastic-vpc-ep-sg" {
  name        = "privatelink-elastic-sg"
  description = "Security group for Elasticsearch VPC endpoint"

  vpc_id = var.elasticsearch_vpc_id

  ingress {
    from_port   = 9200
    to_port     = 9200
    protocol    = "tcp"
    cidr_blocks = [data.aws_subnet.privatelink-atlantis-subnet.cidr_block]
  }

  # not sure if egress to 0.0.0.0/0 is needed
  egress {
    from_port   = 9200
    to_port     = 9200
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_vpc_endpoint" "privatelink_elasticsearch_endpoint" {
  vpc_id       = var.elasticsearch_vpc_id
  service_name = "com.amazonaws.us-east-2.ec2"

  vpc_endpoint_type    = "Interface"
  security_group_ids   = [aws_security_group.privatelink-elastic-vpc-ep-sg.id, "sg-050aa2ec7f87e742d"]
  private_dns_enabled  = true
  subnet_ids           = [var.elastic_dev_subnet_id]
}

I am not even sure if AWS PrivateLink can be used in this use case. I see docs for using PrivateLink to expose an endpoint that goes to an AWS service, but not a custom service.

I am expecting a response from Elastic when I send an HTTP request. What currently happens is I get a timeout (no response). I think that I am missing some configuration to actually direct the request from the exit of the VPC endpoint to the Elastic EC2 instance.

gvasquez

0 Answers
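The piece the posted configuration lacks is an endpoint service in the Elasticsearch VPC, fronted by an internal Network Load Balancer, with the interface endpoint created in the Atlantis (consumer) VPC against that service rather than against com.amazonaws.us-east-2.ec2. The Terraform below is an added example, not the asker's code; it reuses the question's variable names and its privatelink-atlantis-subnet data source, and assumes the Elasticsearch node listens on 9200 at var.elastic_dev_private_ip.

```hcl
# Assumes the question's variables and its data.aws_subnet.privatelink-atlantis-subnet exist.
data "aws_caller_identity" "current" {}
# Provider side (Elasticsearch VPC): internal NLB in front of the EC2 node. The node's own SG must
# allow TCP 9200 from this subnet, since PrivateLink traffic arrives from the NLB node addresses.
resource "aws_lb" "elastic_nlb" {
  internal           = true
  load_balancer_type = "network"
  subnets            = [var.elastic_dev_subnet_id]
}
resource "aws_lb_target_group" "elastic_9200" {
  port        = 9200
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.elasticsearch_vpc_id
}
resource "aws_lb_target_group_attachment" "elastic_node" {
  target_group_arn = aws_lb_target_group.elastic_9200.arn
  target_id        = var.elastic_dev_private_ip
}
resource "aws_lb_listener" "elastic_9200" {
  load_balancer_arn = aws_lb.elastic_nlb.arn
  port              = 9200
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.elastic_9200.arn
  }
}
# The endpoint service is what exposes a custom (non-AWS) service over PrivateLink;
# allowed_principals restricts who may create endpoints to it (here: this account only).
resource "aws_vpc_endpoint_service" "elastic" {
  acceptance_required        = false
  network_load_balancer_arns = [aws_lb.elastic_nlb.arn]
  allowed_principals         = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
}
# Consumer side (Atlantis VPC): the interface endpoint and its SG belong here, not in the Elastic VPC.
resource "aws_security_group" "atlantis_elastic_ep" {
  vpc_id = var.atlantis_vpc_id
  ingress {
    from_port   = 9200
    to_port     = 9200
    protocol    = "tcp"
    cidr_blocks = [data.aws_subnet.privatelink-atlantis-subnet.cidr_block]
  }
}
resource "aws_vpc_endpoint" "elastic" {
  vpc_id             = var.atlantis_vpc_id
  service_name       = aws_vpc_endpoint_service.elastic.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [var.atlantis_subnet_id]
  security_group_ids = [aws_security_group.atlantis_elastic_ep.id]
}
```

Atlantis then sends its requests to the endpoint's generated DNS name (aws_vpc_endpoint.elastic.dns_entry[0].dns_name) on port 9200. private_dns_enabled only applies once the endpoint service has a verified private DNS name, so it is left off here.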