Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ec2] (design): Private DNS support for VPC endpoint services #10580

Closed
flemjame-at-amazon opened this issue Sep 28, 2020 · 6 comments
Closed

[ec2] (design): Private DNS support for VPC endpoint services #10580

flemjame-at-amazon opened this issue Sep 28, 2020 · 6 comments
Assignees
@rix0rrr
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud guidance Question that needs advice or information. in-progress This issue is being actively worked on.

Comments

@flemjame-at-amazon
Copy link
Contributor

https://aws.amazon.com/premiumsupport/knowledge-center/vpc-private-dns-name-endpoint-service/
https://docs.aws.amazon.com/vpc/latest/userguide/verify-domains.html

❓ General Issue

AWS added the ability to specify a custom DNS name for an endpoint service earlier this year. It makes it so your clients don't have to create aliases for an InterfaceVpcEndpoint when they connect to your service. This reduces undifferentiated lifting done by clients. I'd like to add support for this to CDK.

The Question

The steps for setting it up involve creating Route53 records in a public hosted zone. I had intended it to be used like so:

new VpcEndpointService(this, 'EndpointService', {
  vpcEndpointServiceLoadBalancers: [networkLoadBalancer1, networkLoadBalancer2],
  acceptanceRequired: true,
  whitelistedPrincipals: [new ArnPrincipal('arn:aws:iam::123456789012:root')],
  privateDns: {
    privateDnsName: "my-service.mydomain.com",
    hostedZone: myHostedZone
  }
});

However this isn't possible -- the route53 module depends on the ec2 module, so I cannot add this feature to the VpcEndpointService construct without creating a circular dependency.

How can I get around this dependency? Would you recommend a different approach?

Environment

  • CDK CLI Version: 1.64.1
  • Module Version: 1.64.1
  • Node.js Version: all
  • OS: all
  • Language (Version): all
@flemjame-at-amazon flemjame-at-amazon added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Sep 28, 2020
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Sep 28, 2020
@rix0rrr
Copy link
Contributor

rix0rrr commented Oct 2, 2020
edited
Loading

route53 depends on ec2 for the IVpc type.

The only thing I can really think of to work around this is to use Inversion of Control, so that we can implement it in route53:

// aws-ec2 module
interface VpcEndpointProps {
  privateDns: IPrivateDnsProvider;
}

// aws-route53 module
class PrivateDns implements ec2.IPrivateDnsProvider {
  public bind(...) {
  }
}

In fact, I think that's nicer as it looks like what you're supposed to do is create a route53 record to refer to the VPC endpoint anyway.

Or, even simpler is just to keep everything in route53:

// aws-route53
new VpcEndpointDomainName(this, 'Alias', {
  hostedZone: hostedZone,
  domainName: 'my-domain.com',
  endpoint: new VpcEndpointService(...),
});

@rix0rrr rix0rrr added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 6, 2020
@flemjame-at-amazon
Copy link
Contributor Author

@rix0rrr do you think this would belong in the route53 module, or route53-patterns? Or something else?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 7, 2020
@flemjame-at-amazon flemjame-at-amazon mentioned this issue Oct 8, 2020
Merged
@SomayaB SomayaB added in-progress This issue is being actively worked on. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 12, 2020
@rix0rrr
Copy link
Contributor

rix0rrr commented Oct 13, 2020

Feels like something that should be in route53.

@rix0rrr rix0rrr added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 19, 2020
@github-actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Oct 21, 2020
@flemjame-at-amazon
Copy link
Contributor Author

Will move to route53

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Oct 22, 2020
@rix0rrr rix0rrr closed this as completed Dec 8, 2020
@github-actions
Copy link

github-actions bot commented Dec 8, 2020

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

mergify bot pushed a commit that referenced this issue Dec 17, 2020
@flemjame-at-amazon
feat(route53): Vpc endpoint service private dns (#10780)
8f6f9a8 
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-private-dns-name-endpoint-service/
https://docs.aws.amazon.com/vpc/latest/userguide/verify-domains.html

AWS added the ability to specify a custom DNS name for an endpoint service earlier this year. It makes it so your clients don't have to create aliases for an InterfaceVpcEndpoint when they connect to your service. This reduces undifferentiated lifting done by clients. This PR creates a construct that will set up the custom DNS.

```ts
stack = new Stack();
vpc = new Vpc(stack, 'VPC');
nlb = new NetworkLoadBalancer(stack, 'NLB', {
  vpc,
});
vpces = new VpcEndpointService(stack, 'VPCES', {
  vpcEndpointServiceLoadBalancers: [nlb],
});
// You must use a public hosted zone so domain ownership can be verified
zone = new PublicHostedZone(stack, 'PHZ', {
  zoneName: 'aws-cdk.dev',
});
new VpcEndpointServiceDomainName(stack, 'EndpointDomain', {
  endpointService: vpces,
  domainName: 'my-stuff.aws-cdk.dev',
  publicZone: zone,
});
```

Original design ticket: #10580

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
flochaz pushed a commit to flochaz/aws-cdk that referenced this issue Jan 5, 2021
@flemjame-at-amazon @flochaz
feat(route53): Vpc endpoint service private dns (aws#10780)
f5493dc 
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-private-dns-name-endpoint-service/
https://docs.aws.amazon.com/vpc/latest/userguide/verify-domains.html

AWS added the ability to specify a custom DNS name for an endpoint service earlier this year. It makes it so your clients don't have to create aliases for an InterfaceVpcEndpoint when they connect to your service. This reduces undifferentiated lifting done by clients. This PR creates a construct that will set up the custom DNS.

```ts
stack = new Stack();
vpc = new Vpc(stack, 'VPC');
nlb = new NetworkLoadBalancer(stack, 'NLB', {
  vpc,
});
vpces = new VpcEndpointService(stack, 'VPCES', {
  vpcEndpointServiceLoadBalancers: [nlb],
});
// You must use a public hosted zone so domain ownership can be verified
zone = new PublicHostedZone(stack, 'PHZ', {
  zoneName: 'aws-cdk.dev',
});
new VpcEndpointServiceDomainName(stack, 'EndpointDomain', {
  endpointService: vpces,
  domainName: 'my-stuff.aws-cdk.dev',
  publicZone: zone,
});
```

Original design ticket: aws#10580

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud guidance Question that needs advice or information. in-progress This issue is being actively worked on.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rix0rrr @SomayaB @flemjame-at-amazon