Chapter 07

VPCエンドポイント作成

ShigeruOda
ShigeruOda
2022.10.25に更新

FargateをPrivateSubnetで稼働させるため、以下VPCエンドポイントを準備します
ECRに格納されたイメージを取得するためには通常Internet経由となります、しかし今回はFargateはPrivateSubnetというInternetに接続されていないので、Internet経由ではECRにアクセスできません
これを解決するためにVPCエンドポイントというInternetに繋がらないAWSのネットワーク経由でECRにアクセスを行います。

  • com.amazonaws.ap-northeast-1.s3
  • com.amazonaws.ap-northeast-1.ecr.dkr
  • com.amazonaws.ap-northeast-1.ecr.api
  • com.amazonaws.ap-northeast-1.logs

■com.amazonaws.ap-northeast-1.s3

  • S3はGateway型のエンドポイントを利用します

img

cmd

aws ec2 create-vpc-endpoint \
    --vpc-id ${VpcId} \
    --vpc-endpoint-type Gateway \
    --service-name com.amazonaws.ap-northeast-1.s3 \
    --route-table-ids ${RouteTableIdPrivate} \
    --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"

result

{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-06659337f5464d836",
        "VpcEndpointType": "Gateway",
        "VpcId": "vpc-010a940bbd8f747c2",
        "ServiceName": "com.amazonaws.ap-northeast-1.s3",
        "State": "available",
        "PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
        "RouteTableIds": [
            "rtb-077b87e7eb65d1f43"
        ],
        "SubnetIds": [],
        "Groups": [],
        "PrivateDnsEnabled": false,
        "RequesterManaged": false,
        "NetworkInterfaceIds": [],
        "DnsEntries": [],
        "CreationTimestamp": "2022-09-15T12:05:51.000Z",
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOn"
            }
        ],
        "OwnerId": "123456789012"
    }
}

■com.amazonaws.ap-northeast-1.ecr.dkr

  • ECRはInterface型のエンドポイントを利用します

img

cmd

aws ec2 create-vpc-endpoint \
    --vpc-id ${VpcId} \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.ap-northeast-1.ecr.dkr \
    --subnet-ids ${SubnetId1aPrivate} ${SubnetId1cPrivate} \
    --security-group-id ${PrivateSecurityGroupsId} \
    --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"

result

{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-01b89cdff71057ac6",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-010a940bbd8f747c2",
        "ServiceName": "com.amazonaws.ap-northeast-1.ecr.dkr",
        "State": "pending",
        "RouteTableIds": [],
        "SubnetIds": [
            "subnet-0d99180ac3baeb5fa",
            "subnet-0a66f1c2d5ce3b939"
        ],
        "Groups": [
            {
                "GroupId": "sg-0f59547a1185820b5",
                "GroupName": "PrivateSecurityGroup"
            }
        ],
        "IpAddressType": "ipv4",
        "DnsOptions": {
            "DnsRecordIpType": "ipv4"
        },
        "PrivateDnsEnabled": true,
        "RequesterManaged": false,
        "NetworkInterfaceIds": [
            "eni-05c8a332e7c1cd6f1",
            "eni-0f512a24a322c2df6"
        ],
        "DnsEntries": [
            {
                "DnsName": "vpce-01b89cdff71057ac6-9xjg2vqn.dkr.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "vpce-01b89cdff71057ac6-9xjg2vqn-ap-northeast-1c.dkr.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "vpce-01b89cdff71057ac6-9xjg2vqn-ap-northeast-1a.dkr.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "dkr.ecr.ap-northeast-1.amazonaws.com",
                "HostedZoneId": "ZONEIDPENDING"
            },
            {
                "DnsName": "*.dkr.ecr.ap-northeast-1.amazonaws.com",
                "HostedZoneId": "ZONEIDPENDING"
            }
        ],
        "CreationTimestamp": "2022-09-15T12:06:12.996Z",
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOn"
            }
        ],
        "OwnerId": "123456789012"
    }
}

■com.amazonaws.ap-northeast-1.ecr.api

  • ECRはInterface型のエンドポイントを利用します

img

cmd

aws ec2 create-vpc-endpoint \
    --vpc-id ${VpcId} \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.ap-northeast-1.ecr.api \
    --subnet-ids ${SubnetId1aPrivate} ${SubnetId1cPrivate} \
    --security-group-id ${PrivateSecurityGroupsId} \
    --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"

result

{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-0b393692593886a63",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-010a940bbd8f747c2",
        "ServiceName": "com.amazonaws.ap-northeast-1.ecr.api",
        "State": "pending",
        "RouteTableIds": [],
        "SubnetIds": [
            "subnet-0d99180ac3baeb5fa",
            "subnet-0a66f1c2d5ce3b939"
        ],
        "Groups": [
            {
                "GroupId": "sg-0f59547a1185820b5",
                "GroupName": "PrivateSecurityGroup"
            }
        ],
        "IpAddressType": "ipv4",
        "DnsOptions": {
            "DnsRecordIpType": "ipv4"
        },
        "PrivateDnsEnabled": true,
        "RequesterManaged": false,
        "NetworkInterfaceIds": [
            "eni-08db2d56fe23f4746",
            "eni-010e2407de481c23e"
        ],
        "DnsEntries": [
            {
                "DnsName": "vpce-0b393692593886a63-w1unh4qj.api.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "vpce-0b393692593886a63-w1unh4qj-ap-northeast-1c.api.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "vpce-0b393692593886a63-w1unh4qj-ap-northeast-1a.api.ecr.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "api.ecr.ap-northeast-1.amazonaws.com",
                "HostedZoneId": "ZONEIDPENDING"
            }
        ],
        "CreationTimestamp": "2022-09-15T12:06:37.143Z",
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOn"
            }
        ],
        "OwnerId": "123456789012"
    }
}

■com.amazonaws.ap-northeast-1.logs

  • CloudWatch LogsはInterface型のエンドポイントを利用します

img

cmd

aws ec2 create-vpc-endpoint \
    --vpc-id ${VpcId} \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.ap-northeast-1.logs \
    --subnet-ids ${SubnetId1aPrivate} ${SubnetId1cPrivate} \
    --security-group-id ${PrivateSecurityGroupsId} \
    --tag-specifications "ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ContainerHandsOn}]"

result

{
    "VpcEndpoint": {
        "VpcEndpointId": "vpce-0aa40c4643e1f52ea",
        "VpcEndpointType": "Interface",
        "VpcId": "vpc-010a940bbd8f747c2",
        "ServiceName": "com.amazonaws.ap-northeast-1.logs",
        "State": "pending",
        "RouteTableIds": [],
        "SubnetIds": [
            "subnet-0d99180ac3baeb5fa",
            "subnet-0a66f1c2d5ce3b939"
        ],
        "Groups": [
            {
                "GroupId": "sg-0f59547a1185820b5",
                "GroupName": "PrivateSecurityGroup"
            }
        ],
        "IpAddressType": "ipv4",
        "DnsOptions": {
            "DnsRecordIpType": "ipv4"
        },
        "PrivateDnsEnabled": true,
        "RequesterManaged": false,
        "NetworkInterfaceIds": [
            "eni-0b0fb7fc59f22f128",
            "eni-06d10382813d38317"
        ],
        "DnsEntries": [
            {
                "DnsName": "vpce-0aa40c4643e1f52ea-6rcso5ee.logs.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "vpce-0aa40c4643e1f52ea-6rcso5ee-ap-northeast-1c.logs.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "vpce-0aa40c4643e1f52ea-6rcso5ee-ap-northeast-1a.logs.ap-northeast-1.vpce.amazonaws.com",
                "HostedZoneId": "Z2E726K9Y6RL4W"
            },
            {
                "DnsName": "logs.ap-northeast-1.amazonaws.com",
                "HostedZoneId": "ZONEIDPENDING"
            }
        ],
        "CreationTimestamp": "2022-09-15T12:07:05.639Z",
        "Tags": [
            {
                "Key": "Name",
                "Value": "ContainerHandsOn"
            }
        ],
        "OwnerId": "123456789012"
    }
}