More than 1 subnet per AZ for AWS Interface Endpoint?

About

Asked 22/4, 2020 at 22:48 Answered 22/4, 2020 at 23:21

Solved amazon-web-services amazon-ec2 subnet

Can I supply more than 1 subnet per AZ to create an AWS Interface Endpoint?

When I tried, I got this error:

Error creating VPC Endpoint: DuplicateSubnetsInSameZone: Found another VPC endpoint subnet in the availability zone of subnet-xxx. VPC endpoint subnets should be in different availability zones supported by the VPC endpoint service.

My VPC is set up such that there are multiple subnets per AZ. Does this mean that instances set up in a subnet that doesn't have the VPC endpoint network interface will not be able to access to AWS service?

Lavernelaverock answered 22/4, 2020 at 22:48 Comment(3)

One interface endpoint per VPC is enough. All subnets will be able to use it. But for high availability you can have one interface endpoint per AZ if you want. – Lampyrid 22/4, 2020 at 23:17

So I should just create it in any one of the subnets? – Lavernelaverock 22/4, 2020 at 23:18

Yes, though probably better to create in subnets where you have resources which use the endpoint. – Lampyrid 22/4, 2020 at 23:22

Docs write:

For each interface endpoint, you can choose only one subnet per Availability Zone.

This does not mean that only this one subnet can use the interface. All subnets in your VPC will be able to access the interface. For high availability you can have the interface endpoints in each of AZs (one per AZ):

You can specify more than one subnet in different Availability Zones (as supported by the service) to help ensure that your interface endpoint is resilient to Availability Zone failures.

So at minimum one interfaces endpoint per VPC is enough. Docs also write this as an example for Kinesis interface endpoint:

Instances in either subnet can send requests to Amazon Kinesis Data Streams through the interface endpoint using an endpoint-specific DNS hostname.

Lampyrid answered 22/4, 2020 at 23:21 Comment(6)

Do you have a reference to where it says that "all subnets in the VPC will be able to access the interface"? According to aws.amazon.com/premiumsupport/knowledge-center/…, it seems to suggest that the interface needs to be in the same subnet as my instance. – Lavernelaverock 22/4, 2020 at 23:23

Interface endpoints work at VPC DNS level The illustration here shows two subnets accessing one interface endpoint for Kinesis. Don't have better reference for now. – Lampyrid 22/4, 2020 at 23:29

@TriNguyen the official document you cited is essentially wrong, when it says "For Subnets, choose the Subnet ID for your instance" and "Be sure to create the endpoint in all subnets in the VPC." It could be any subnet in the AZ (not necessarily the same one, but choosing the same one would of course work) and you need one endpoint for each AZ, not one for each subnet. – Columella 23/4, 2020 at 16:18

@Michael-sqlbot what you are saying is different from what Marcin is saying. I don't need one per AZ, it's one per VPC (other than high availability, which is not under consideration for my question) – Lavernelaverock 23/4, 2020 at 16:21

You don't strictly need one per AZ, but it's best practice to do so since an outage impacting the AZ with the endpoint would prevent systems in other AZs from accessing the service. – Columella 23/4, 2020 at 16:54

It seems AWS has included an answer in this document repost.aws/knowledge-center/ec2-systems-manager-vpc-endpoints If you have more than one subnet in the same Availability Zone, you don't need to create VPC endpoints for the extra subnets. Any other subnets within the same Availability Zone can access and use the interface. – Comfort 31/10, 2023 at 21:31

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags