Friday, December 1, 2023

AWS Tips - Create a Gateway VPC Endpoint to Access DynamoDB




By default, access to DynamoDB goes over the public Internet using HTTPS, with data in transit encrypted by SSL/TLS. A typical scenario in which your compute resources communicate with DynamoDB is illustrated in the diagram below: the EC2 instance in the public subnet reaches DynamoDB through the internet gateway, while the one in the private subnet must first pass through the NAT gateway before reaching the internet gateway.

Because this traffic traverses the public internet, it raises security concerns for some users. AWS provides another mechanism that lets the services communicate privately: a Gateway VPC Endpoint. Unlike an Interface VPC Endpoint, a gateway endpoint does not use AWS PrivateLink; instead it routes the traffic to the private endpoint of DynamoDB. With this mechanism the instances use their private IP addresses and all traffic stays on the Amazon network, as shown in the following diagram.

The gateway endpoint only works within the Region, so it must reside in the same Region as DynamoDB.


In this demo, we’ll create a Gateway VPC Endpoint, and test the connection to DynamoDB from the public and private instances.

Navigate to the VPC service and select Endpoints on the left pane; you will see the Endpoints home page.

Click Create endpoint.

Enter TestGWEndpointToDynamoDB in Name textbox.

Select AWS services for Service Category.

Under Services, select

For VPC, choose the default VPC in the Region.

For Route tables, choose the route tables associated with the public and private subnets in which the EC2 instances reside.

For Policy, choose Full access.

Click Create endpoint.

The endpoint is created and appears in the list. You can select the endpoint to view its details on this page.

Next, let’s look at what has happened to the route tables. As you can see, traffic to pl-00a54069 is directed to vpce-0915bf8f273400be2, the newly created gateway endpoint.

pl-00a54069 is the managed prefix list representing DynamoDB in the Region; you can find it under Managed prefix lists. This route is added automatically by AWS, and we cannot modify or delete it.

Route table for the private subnet

Route table for the public subnet

Prefix pl-00a54069

As a reminder, please don’t forget to update the instances’ security groups to allow inbound and outbound access to DynamoDB.
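Two checks a practitioner would want after the steps above, as an added example that is not part of the original post: a function that scans `aws ec2 describe-route-tables`-shaped output for the DynamoDB prefix-list route pointing at a gateway endpoint (so you can confirm every subnet's route table was attached, not just the ones you remembered), and a scoped endpoint policy as an alternative to the Full access policy chosen above. The route-table sample, the route table ids and the account id are constructed; the prefix list and endpoint ids are the ones shown in the post.

```python
import json

# Constructed sample, shaped like `aws ec2 describe-route-tables` output:
# the public route table already has the prefix-list route to the endpoint,
# the private one still sends DynamoDB traffic to the NAT gateway.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-public0001",
         "Routes": [
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
             {"DestinationPrefixListId": "pl-00a54069",
              "GatewayId": "vpce-0915bf8f273400be2"}]},
        {"RouteTableId": "rtb-private001",
         "Routes": [
             {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    ]
}

def endpoint_routes(describe_output, prefix_list_id="pl-00a54069"):
    """Map each route table id to the gateway endpoint that serves the DynamoDB
    prefix list, or None when that table would still route via NAT/IGW."""
    result = {}
    for rt in describe_output["RouteTables"]:
        via = None
        for route in rt.get("Routes", []):
            if route.get("DestinationPrefixListId") == prefix_list_id:
                gw = route.get("GatewayId", "")
                if gw.startswith("vpce-"):
                    via = gw
        result[rt["RouteTableId"]] = via
    return result

def tables_missing_endpoint_route(describe_output, prefix_list_id="pl-00a54069"):
    """Route tables still to be attached to the endpoint (the 'Route tables' step)."""
    return sorted(rt for rt, via in endpoint_routes(describe_output, prefix_list_id).items() if via is None)

def scoped_endpoint_policy(table_arns, actions=("dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query")):
    """Endpoint policy limited to named tables, as an alternative to 'Full access'.
    It is evaluated together with IAM and can only narrow, never widen, access;
    note that dynamodb:ListTables (used in the connectivity test later) needs Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": list(actions), "Resource": list(table_arns)}],
    }

if __name__ == "__main__":
    print(tables_missing_endpoint_route(SAMPLE_ROUTE_TABLES))  # account id below is a placeholder
    print(json.dumps(scoped_endpoint_policy(["arn:aws:dynamodb:us-west-2:123456789012:table/Music"]), indent=2))
```

Against real output, feed `json.load` of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>` into `tables_missing_endpoint_route`; any id it returns is a route table whose instances still reach DynamoDB over the NAT or internet gateway.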

Connecting to DynamoDB

After all the settings are done, let’s test the connectivity.

Log in to the public instance and enter the command below to fetch the table names from DynamoDB.

    aws dynamodb list-tables

Log in to the private server and retrieve the list of tables from DynamoDB.

Run the following table creation command on the private server (a sample from the Amazon DynamoDB Developer Guide).

    aws dynamodb create-table \
    --table-name Music \
    --attribute-definitions \
        AttributeName=Artist,AttributeType=S \
        AttributeName=SongTitle,AttributeType=S \
    --key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \
    --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1 \
    --table-class STANDARD

On the public instance, fetch the table list again. You’ll see that table Music shows up.

It can also be validated from the Console. Navigate to the DynamoDB service and click Tables on the left pane.

If you have newly created the instance and haven’t configured it yet, you may need to run the configuration command first. Here is an example for your reference.

    $ aws configure
    AWS Secret Access Key [None]: yszoitV3kC0/HEMgrk2bVoZU2mmiwhDvJMWoqNWL
    Default region name [None]: us-west-2
    Default output format [None]: json

