I have a VPC with three subnets in different availability zones, and an interface VPC endpoint in each. The VPC endpoint has 4 DNS hostnames by default:

  • A regional DNS hostname, e.g. vpce-x.ec2.us-east-1.vpce.amazonaws.com.
  • Three endpoint-specific zonal DNS hostnames, e.g. vpce-x-us-east-1a.ec2.us-east-1.vpce.amazonaws.com.

As I understand it, the regional DNS hostname will resolve to an arbitrary endpoint. Is there a way to configure a single DNS hostname that will always resolve to the endpoint within the same subnet, to reduce inter-AZ traffic? I'm not sure whether a latency routing policy is applicable for this use case or not, or whether there is another solution. Or will the regional DNS hostname already do something like this?

The use case here is an application that sends a lot of traffic to an external service via VPC instance endpoints - to the point that the data transfer incurs significant costs. Avoiding inter-AZ traffic for the VPC endpoint would reduce one portion of the data transfer costs.


If you use the zonal DNS name, you're talking to that zone. From the docs:

Choose a subnet in your VPC to use the interface endpoint. We create an endpoint network interface in the subnet. An endpoint network interface is assigned a private IP address from the IP address range of your subnet, and keeps this IP address until the interface endpoint is deleted. You can specify more than one subnet in different Availability Zones (as supported by the service) to help ensure that your interface endpoint is resilient to Availability Zone failures. In that case, we create an endpoint network interface in each subnet that you specify.

So if you have an instance running in e.g. us-east-1a, tell it to use the east-1a endpoint and all comms will be within the AZ. You should be able to vary the DNS name by using environment variables in your code, mappings in your CloudFormation, or Parameter Store lookups. Bear in mind this won't be resilient to failure.

Unless you're doing HPC things that require extremely low latency, or transferring massive amounts of data across zones, I'd just use the regional (e.g. us-east-1) name. My expectation would be it will use something sensible.

You might be able to verify by running host REGIONALDNS a few times, checking what IP it gives you back, and comparing with the zonal result.
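As an added example (not part of the question or the answer above), here is a small POSIX shell script that puts the answer's suggestion into practice: it derives the zonal hostname from the regional one following the naming pattern shown in the question, asks IMDSv2 which availability zone the instance is running in, resolves both names, and reports whether the addresses returned for the regional name all belong to the zonal name for that AZ. The endpoint name vpce-x, the AZ values and the IP addresses in the comments are placeholders; the IMDSv2 and dig invocations only work on an EC2 instance with the resolver and bind-utils (dig) available.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumptions: zonal names follow the pattern from the question
#   vpce-x.ec2.us-east-1.vpce.amazonaws.com -> vpce-x-us-east-1a.ec2.us-east-1.vpce.amazonaws.com
# i.e. "-<az>" is inserted after the endpoint ID (first DNS label).

# zonal_name REGIONAL_NAME AZ : print the endpoint-specific zonal hostname
zonal_name() {
  regional=$1
  az=$2
  endpoint_id=${regional%%.*}   # "vpce-x"
  rest=${regional#*.}           # "ec2.us-east-1.vpce.amazonaws.com"
  printf '%s-%s.%s\n' "$endpoint_id" "$az" "$rest"
}

# instance_az : print this instance's AZ via IMDSv2 (token-based; only works on EC2)
instance_az() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
       "http://169.254.169.254/latest/meta-data/placement/availability-zone"
}

# resolve_ips NAME : print the A records for NAME, sorted, space-separated
resolve_ips() {
  dig +short A "$1" | sort | tr '\n' ' '
}

# all_in ZONAL_IPS REGIONAL_IPS : exit 0 if every address in REGIONAL_IPS
# (space-separated) also appears in ZONAL_IPS, else exit 1
all_in() {
  zonal=$1
  regional=$2
  for ip in $regional; do
    case " $zonal " in
      *" $ip "*) ;;        # this address is one of the zonal endpoint's
      *) return 1 ;;       # address outside the zonal set: cross-AZ traffic
    esac
  done
  return 0
}

# check_endpoint REGIONAL_NAME : compare regional vs zonal resolution for this AZ
check_endpoint() {
  regional=$1
  az=$(instance_az) || { echo "IMDS unreachable; run this on an EC2 instance" >&2; return 2; }
  zonal=$(zonal_name "$regional" "$az")
  regional_ips=$(resolve_ips "$regional")
  zonal_ips=$(resolve_ips "$zonal")
  echo "AZ:       $az"
  echo "regional: $regional -> $regional_ips"
  echo "zonal:    $zonal -> $zonal_ips"
  if all_in "$zonal_ips" "$regional_ips"; then
    echo "regional name currently resolves only to the $az endpoint"
  else
    echo "regional name returns addresses outside $az; point the app at $zonal to stay in-AZ"
  fi
}

# Usage: sh vpce-zone-check.sh --check vpce-x.ec2.us-east-1.vpce.amazonaws.com
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
  check_endpoint "$2"
fi
```

The regional name can legitimately return more than one address (or a different one on each query), so a single lookup proves little; the all_in check is what tells you whether any returned address is outside your AZ. The real set of DNS names attached to an endpoint, rather than the assumed pattern, can be listed with `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-x --query 'VpcEndpoints[0].DnsEntries[].DnsName' --output text` (replace vpce-x with the endpoint ID). Keep the answer's caveat in mind: an application pinned to the zonal name loses the endpoint entirely if that AZ fails, so pair it with a fallback to the regional name.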