Why can't I resolve service domain names for an interface VPC endpoint?

Last updated: 2022-04-04

I'm using an interface Amazon Virtual Private Cloud (Amazon VPC) endpoint for an AWS service. I want to use the default service domain name (for example, ec2.us-east-1.amazonaws.com) to access the service through the VPC interface endpoint. Why can't I resolve service domain names for an interface VPC endpoint?

Resolution

To resolve service domain names (for example, ec2.us-east-2.amazonaws.com) for an interface VPC endpoint, keep the following in mind:

  • To resolve service domain names to the interface VPC endpoint's private IPs, you must send the DNS queries to the Amazon-provided DNS of the VPC where the interface endpoint is created. The Amazon-provided DNS is the base of the VPC CIDR plus two.
  • On the VPC where you created the interface VPC endpoint, verify that both DNS attributes of the VPC, DNS Hostnames and DNS Resolution, are turned on.
  • When using interface VPC endpoints to access available AWS services, such as Amazon Elastic Compute Cloud (Amazon EC2), you can turn on private DNS names on the endpoint. When you have this parameter turned on, queries for the service domain name resolve to private IP addresses. These private IP addresses are the IP addresses of the elastic network interfaces created in each of the associated subnets for a given interface endpoint.
    With private DNS names turned on, you can run AWS API calls using the service domain name (for example, ec2.us-east-1.amazonaws.com) over AWS PrivateLink.
    For the interface VPC endpoint, verify that private DNS names are turned on. If private DNS names aren't turned on, the service domain name or endpoint domain name resolves to regional public IPs. For steps to turn on private DNS names, see Modify an interface endpoint.
  • You can designate custom domain name servers in the DHCP Option Set for the VPC. When using custom domain name servers, the DNS queries for the service domain names are sent to the custom domain name servers for resolution. The custom domain name servers might be located within the VPC or outside of the VPC.
    Custom domain name servers must forward the service domain name to the Amazon-provided DNS server of the VPC where the interface endpoints are created.
  • If you're trying to access an interface endpoint from outside of the VPC (cross-VPC or on-premises), make sure that you have the DNS architecture in place. The DNS architecture should forward the DNS queries for the service domain name to the Amazon-provided DNS server of the VPC where the interface endpoints are created.
    You can use tools such as nslookup or dig against the service domain name from the source network to confirm the IPs that it's resolving to.
    Or, you can use regional endpoint domain names on your SDK to execute API calls. The regional endpoint domain names of the interface endpoints are resolvable from any network. The following is an example for performing a describe call using the AWS Command Line Interface (AWS CLI):
    $ aws ec2 describe-instances --endpoint-url https://vpce-aaaabbbbcccc-dddd.vpce-svc-12345678.us-east-1.vpce.amazonaws.com
  • If you created an Amazon Route 53 private hosted zone for the service domain name, make sure that you attach the correct source VPC to the hosted zone. For more information, see How can I troubleshoot DNS resolution issues with my Route 53 private hosted zone?
    Note: You must establish connectivity from the network to the VPC using VPC peering, AWS Transit Gateway, and so on, for routing DNS queries.
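The following shell script is an added example (not part of this article or of any AWS tooling) that turns the checks above into something you can run from the source network: it derives the Amazon-provided DNS address from a VPC CIDR (network base plus two), resolves the service domain name against that resolver with dig, and reports whether the answers fall inside the VPC CIDR (the endpoint's ENI private IPs) or outside it (the regional public IPs you get when private DNS names are off or queries are going to the wrong resolver). The VPC CIDR, the service name and the sample IPs in the comments are constructed placeholders; `check_service_name` and the other function names are this example's own.

```shell
#!/bin/sh
# Added example: verify which IPs a service domain name resolves to when the
# query is sent to the Amazon-provided DNS of the VPC hosting the endpoint.
set -e

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer (prefix 16 -> 255.255.0.0).
mask_for_prefix() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Amazon-provided DNS = network base of the VPC CIDR + 2.
# VPC CIDRs are /16 to /28, so "+2" never carries past the last octet.
amazon_dns_for_cidr() {
  ip=${1%/*}; prefix=${1#*/}
  net=$(( $(ip_to_int "$ip") & $(mask_for_prefix "$prefix") ))
  int_to_ip $(( net + 2 ))
}

# Exit 0 if IP lies inside CIDR, 1 otherwise.
ip_in_cidr() {
  ip=${2%/*}; prefix=${2#*/}
  mask=$(mask_for_prefix "$prefix")
  net=$(( $(ip_to_int "$ip") & mask ))
  [ $(( $(ip_to_int "$1") & mask )) -eq "$net" ]
}

# Usage: classify_resolution <vpc-cidr> <ip>...
# Prints "private" when every answer is inside the VPC CIDR (endpoint ENI IPs),
# "public" when any answer is outside it (regional public IPs), "none" if empty.
classify_resolution() {
  vpc_cidr=$1; shift
  [ $# -gt 0 ] || { echo "none"; return 1; }
  for ip in "$@"; do
    ip_in_cidr "$ip" "$vpc_cidr" || { echo "public"; return 0; }
  done
  echo "private"
}

# Usage: check_service_name <vpc-cidr> <service-domain> [dns-server]
# Example (constructed values):
#   check_service_name 10.0.0.0/16 ec2.us-east-1.amazonaws.com
# sends the query to 10.0.0.2 and prints "private" if the answers are the
# endpoint's ENI addresses. Pass a third argument to query a custom resolver
# from the DHCP option set instead, to confirm it forwards correctly.
check_service_name() {
  vpc_cidr=$1; name=$2; dns=${3:-$(amazon_dns_for_cidr "$vpc_cidr")}
  command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
  # Keep only A records (dig +short also prints CNAME targets).
  ips=$(dig +short "$name" "@$dns" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true)
  echo "resolver $dns answered: $(echo $ips | tr '\n' ' ')"
  classify_resolution "$vpc_cidr" $ips
}

# Run the live check only when invoked with arguments.
[ $# -eq 0 ] || check_service_name "$@"
```

If the result is "public", the query either never reached the Amazon-provided DNS of the endpoint's VPC (wrong resolver in the DHCP option set, missing forwarding rule from on-premises, or a Route 53 private hosted zone attached to the wrong VPC) or private DNS names are turned off on the endpoint; compare against the endpoint's ENI addresses in the console to confirm.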