'Creating a VPC Interface Endpoint for SQS in Cloud Formation
I was wondering if it is possible to create a Resource in my CloudFormation file to create a VPC Endpoint for SQS. I was able to do this for SQS and DynamoDB, but I believe it is because they were Gateway endpoints.
For now I have defined my SQS resource as:
SQSEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal: '*'
Action:
- 'sqs:*'
Resource:
- '*'
ServiceName: !Join
- ''
- - com.amazonaws.
- !Ref 'AWS::Region'
- .sqs
SubnetIds:
- !Ref PrivateSubnet
- !Ref PublicSubnet
VpcId: !Ref 'VPC'
VpcEndpointType: Interface
Though, when I try to create the stack I get the error:
It seems like it is possible from reading this blog post from AWS. Though I can't find any examples or documentation. Any ideas?
Solution 1:[1]
So to sum it all up:
SQSEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
ServiceName: !Join
- ''
- - com.amazonaws.
- !Ref 'AWS::Region'
- .sqs
SubnetIds:
- !Ref PrivateSubnet
VpcId: !Ref 'VPC'
VpcEndpointType: Interface
SecurityGroupIds:
- !Ref PrivateSubnetInstanceSG # has to allow traffic from your VPC
PrivateDnsEnabled: true
Background
I figured it out, for DynamoDB and S3, which use Gateway Endpoints, the PolicyDocument
property has to be defined. For all other services, This doesn't need to be defined. So for SQS first I thought all that is needed is:
SQSEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
ServiceName: !Join
- ''
- - com.amazonaws.
- !Ref 'AWS::Region'
- .sqs
SubnetIds:
- !Ref PrivateSubnet
- !Ref PublicSubnet
VpcId: !Ref 'VPC'
VpcEndpointType: Interface
But that still wasn't working, even though the interface endpoint was setup, I had to:
set the
PrivateDnsEnabled
property totrue
so that you can use the AWS CLI as the AWS CLI uses the public endpoint, and setting thePrivateDnsEnabled
allows the private endpoint to automatically be mapped to the public oneset the
SecurityGroupsIds
to have a security group that allows Inbound traffic from your VPC. If this instance set, the default security group is used and it only allows inbound traffic from sources that have the default security group, meaning thatSQS
won't be able to send traffic back to your instance
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Alex R |