Scenario
By default, DynamoDB is accessed over the public Internet using HTTPS, and the data in transit is encrypted with SSL/TLS. The diagram below illustrates a typical scenario in which your compute resources communicate with DynamoDB. The EC2 instance in the public subnet reaches DynamoDB through the internet gateway, while the instance in the private subnet must first go through the NAT gateway before reaching the internet gateway.
Since this traffic traverses the public internet, it raises security concerns for some users. AWS provides another mechanism that lets the services communicate privately: a Gateway VPC Endpoint. Unlike an Interface VPC Endpoint, a gateway endpoint does not use AWS PrivateLink; instead it routes the traffic to the private endpoint of DynamoDB. With this mechanism, the instances use their private IP addresses, and all the traffic stays within the Amazon network, as shown in the following diagram.
The gateway endpoint only works within the Region, so it must reside in the same Region as DynamoDB.
Examples
In this demo, we’ll create a Gateway VPC Endpoint and test the connection to DynamoDB from the public and private instances.
Navigate to the VPC service and select Endpoints on the left pane; you will see the Endpoints home page.
Click Create endpoint.
Enter TestGWEndpointToDynamoDB in the Name textbox.
Select AWS services for Service category.
Under Services, select com.amazonaws.us-west-2.dynamodb.
For VPC, choose the default VPC in the Region.
For Route tables, choose the route tables associated with the public and private subnets where the EC2 instances reside.
For Policy, choose Full access.
Click Create endpoint.
The endpoint is created and appears in the list. You can select the endpoint to view its details on this page.
pl-00a54069 is the prefix list ID that stands for DynamoDB in this Region; you can find it under Managed prefix lists. This route rule is added automatically by AWS, and we cannot modify or delete it.
Route table for the private subnet
Route table for the public subnet
Prefix pl-00a54069
As a reminder, please don’t forget to update the instances’ security groups to allow inbound and outbound access to DynamoDB.
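The endpoint wiring above is easy to get half right (one route table missed, a security group that blocks HTTPS egress), so here is an added example, not from the original post, that audits those settings offline. It runs over hand-constructed snippets shaped like the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return, trimmed to the fields the checks need, plus the parsed PolicyDocument of the endpoint. It also flags the "Full access" policy chosen in the steps above, which is the default document allowing every principal every action on every resource. The only real value is the DynamoDB prefix list pl-00a54069 shown in the post; the account ID, the scoped policy, and every other resource ID are made-up assumptions.

```python
"""Audit Gateway VPC Endpoint wiring for DynamoDB (added example, not the post's own code)."""

PREFIX_LIST_ID = "pl-00a54069"  # DynamoDB managed prefix list for us-west-2, from the post

# Constructed: the public route table has the endpoint route, the private one was missed.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-example", "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        {"DestinationPrefixListId": PREFIX_LIST_ID, "GatewayId": "vpce-example"},
    ]},
    {"RouteTableId": "rtb-private-example", "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
    ]},
]

# Constructed: all-open egress, SSH-only egress, and egress scoped to the prefix list.
SECURITY_GROUPS = [
    {"GroupId": "sg-open-egress", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": []}]},
    {"GroupId": "sg-ssh-only", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "PrefixListIds": []}]},
    {"GroupId": "sg-endpoint-only", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "PrefixListIds": [{"PrefixListId": PREFIX_LIST_ID}]}]},
]

# The console's "Full access" option corresponds to this default policy document.
FULL_ACCESS_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}

# Constructed: a scoped alternative that lets traffic through the endpoint reach one table only.
SCOPED_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:us-west-2:111122223333:table/Music"}]}


def route_tables_missing_endpoint(route_tables, prefix_list_id):
    """IDs of route tables lacking a route for the prefix list that targets a vpce-* gateway."""
    missing = []
    for rtb in route_tables:
        has_route = any(r.get("DestinationPrefixListId") == prefix_list_id
                        and r.get("GatewayId", "").startswith("vpce-")
                        for r in rtb["Routes"])
        if not has_route:
            missing.append(rtb["RouteTableId"])
    return missing


def _covers_port(rule, port):
    """True if an egress rule applies to TCP on the given port (or to all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 0)


def sg_allows_dynamodb_egress(group, prefix_list_id):
    """True if some egress rule lets HTTPS out to the DynamoDB prefix list or to anywhere."""
    for rule in group["IpPermissionsEgress"]:
        if not _covers_port(rule, 443):
            continue
        if any(p["PrefixListId"] == prefix_list_id for p in rule.get("PrefixListIds", [])):
            return True
        if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
    return False


def _wild(value):
    """True if a policy field (string, list, or {"AWS": ...} map) contains a bare "*"."""
    if isinstance(value, dict):
        return any(_wild(v) for v in value.values())
    if isinstance(value, list):
        return any(_wild(v) for v in value)
    return value == "*"


def endpoint_policy_is_full_access(policy):
    """True if one Allow statement grants every principal every action on every resource."""
    return any(stmt.get("Effect") == "Allow" and _wild(stmt.get("Principal"))
               and _wild(stmt.get("Action")) and _wild(stmt.get("Resource"))
               for stmt in policy.get("Statement", []))


if __name__ == "__main__":
    print("route tables without endpoint route:",
          route_tables_missing_endpoint(ROUTE_TABLES, PREFIX_LIST_ID))
    for sg in SECURITY_GROUPS:
        print(sg["GroupId"], "allows HTTPS to DynamoDB:",
              sg_allows_dynamodb_egress(sg, PREFIX_LIST_ID))
    print("endpoint policy is full access:", endpoint_policy_is_full_access(FULL_ACCESS_POLICY))
```

On the constructed data the private route table is reported as missing the endpoint route, the SSH-only group is reported as unable to reach DynamoDB, and the default policy is flagged as full access. Replacing the constructed dictionaries with the real JSON from the two describe calls turns this into a quick post-deployment check that every subnet's traffic to DynamoDB actually takes the endpoint rather than the NAT gateway.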
Connecting to DynamoDB
After all the settings are done, let’s test the connectivity.
Log in to the public instance and enter the command below to fetch the table names from DynamoDB.
aws dynamodb list-tables
Log in to the private server and retrieve the list of tables from DynamoDB.
Run the following table creation command on the private server (a sample from the Amazon DynamoDB Developer Guide).
aws dynamodb create-table \
--table-name Music \
--attribute-definitions \
AttributeName=Artist,AttributeType=S \
AttributeName=SongTitle,AttributeType=S \
--key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \
--provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1 \
--table-class STANDARD
On the public instance, fetch the table list again. You’ll see that the table Music shows up.
It can also be verified from the Console: navigate to the DynamoDB service and click Tables on the left pane.
If you have newly created the instance and haven’t configured the AWS CLI yet, you may need to run the configuration command first. Here is an example for your reference.
$ aws configure
AWS Access Key ID [None]: AKIAQ3G4CFOKF7OHOLGM
AWS Secret Access Key [None]: yszoitV3kC0/HEMgrk2bVoZU2mmiwhDvJMWoqNWL
Default region name [None]: us-west-2
Default output format [None]: json