Cloud9 to SQS Queue

Verify that Cloud9 cannot write into the SQS Queue via the VPC Interface Endpoint. This is a result of the security group restrictions configured in Section 2: Build Interface Endpoint, Part 2: Interface Endpoint - Security Groups.

  1. Refer to the collected output values from your CloudFormation stack. Note the values of the "SQSQueueURL" and "RestrictedS3Bucket" outputs. Also note the AWS Region where your lab is running (e.g. us-east-1). You will substitute these values into the commands below.

Ensure that your session is connected to the Cloud9 instance. You will execute step 2 from the Cloud9 EC2 instance bash prompt:

  2. Execute the commands provided below AFTER making the following substitutions. Make note of the results:
     - replace <sqsqueueurlvalue> with the value of the CloudFormation output SQSQueueURL collected in step 1
     - replace <restrictedbucket> with the value of the CloudFormation output RestrictedS3Bucket collected in step 1
     - replace <region> with the AWS Region where you are executing the lab

    nslookup sqs.<region>.amazonaws.com
    aws sts get-caller-identity
    aws sqs send-message --queue-url <sqsqueueurlvalue> --endpoint-url https://sqs.<region>.amazonaws.com --message-body "{datafilelocation:s3://<restrictedbucket>/test.txt}" --region <region>

Expected behavior

The aws sqs send-message command cannot reach SQS through the VPC Interface Endpoint. Network connectivity is blocked by the endpoint's security group, which only permits inbound traffic from the security groups associated with the SalesApp and ReportsEngine.

[Figure: verifyfigure5]

Note: The command is displayed above over multiple lines for clarity only. Because the endpoint's security group silently drops the connection, the CLI hangs rather than failing immediately; Control-C was used to terminate the command rather than waiting for the timeout. Alternatively, add --cli-connect-timeout 10 to the send-message command so the CLI gives up after 10 seconds.

Why does this NOT work?

When executing the nslookup command from within the VPC, you will observe that the public DNS name for the SQS service resolves to IP addresses from the private CIDR of your VPC. This is the Interface Endpoint's private DNS feature at work: the regional SQS hostname maps to the endpoint's ENIs rather than to the public SQS service. Access the following link to observe each ENI (1 per AZ) used by your Interface Endpoint:

https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#NIC:search=InterfaceSecurity;sort=networkInterfaceId

The aws sts get-caller-identity command shows the identity being used to sign API requests submitted using the aws cli. If you are using the Event Engine platform, this will be a role named "TeamRole". The TeamRole identity has been assigned administrative permissions and can execute all SQS API calls. If you are executing this lab in your own AWS account, it is assumed that the identity you are using to access the account has administrative privileges and full access to SQS. In other words, the failure below is not an IAM permission problem; it happens at the network layer before any API call is evaluated.

The aws sqs send-message cli command is executed with an explicit flag (--endpoint-url) so that the aws cli uses the regional SQS hostname, which private DNS resolves to the VPC endpoint's ENIs. The send-message command does not succeed because the endpoint's security group blocks network access from the Cloud9 EC2 instance, which runs on a public subnet in your VPC. The endpoint's security group only allows inbound traffic from the security groups assigned to the SalesApp and ReportsEngine; the Cloud9 instance is not a member of either of those groups, so its TCP connection to the endpoint ENI is dropped. Note that the Cloud9 instance's private IP does fall inside the VPC CIDR, but that does not help: the inbound rules reference security group IDs, not CIDR ranges. The security group configuration of the Cloud9 instance can optionally be verified in the EC2 Dashboard. In US-East-1, the EC2 Dashboard is located at: https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#Instances:sort=instanceId

[Figure: figure29]
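To make the security group logic above concrete, the following is an added example (not part of the workshop or its CloudFormation stack) that models how the endpoint's inbound rules are evaluated against each caller. The rule data is constructed to mirror the shape of `aws ec2 describe-security-groups` output; all group IDs, names, CIDRs and private IPs are made up. It shows that SalesApp and ReportsEngine pass because their group IDs are referenced by the endpoint's rule, that Cloud9 is dropped even though its IP is inside the VPC CIDR, and, as a counter-example, that a CIDR-based rule covering the VPC would let Cloud9 (and every other instance in the VPC) in as well.

```python
"""Model of the security-group evaluation behind the Cloud9 -> SQS endpoint test.

Added example, not code from the workshop. Input mirrors the structure of
`aws ec2 describe-security-groups`; every ID, name and address is constructed.
"""
import copy
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"  # constructed VPC CIDR

# Constructed: inbound rules of the security group on the SQS endpoint ENIs.
# Only the SalesApp and ReportsEngine groups are referenced as sources.
ENDPOINT_SG = {
    "GroupId": "sg-0aaa0endpoint",
    "GroupName": "InterfaceSecurity",
    "IpPermissions": [
        {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "IpRanges": [],
            "UserIdGroupPairs": [
                {"GroupId": "sg-0bbb0salesapp"},
                {"GroupId": "sg-0ccc0reportsengine"},
            ],
        }
    ],
}

# Constructed callers: the groups attached to each instance's ENI and its private IP.
# Cloud9 sits inside the VPC CIDR but carries a group the endpoint does not trust.
CALLERS = {
    "SalesApp":      {"groups": ["sg-0bbb0salesapp"],      "ip": "10.0.10.15"},
    "ReportsEngine": {"groups": ["sg-0ccc0reportsengine"], "ip": "10.0.11.40"},
    "Cloud9":        {"groups": ["sg-0ddd0cloud9"],        "ip": "10.0.0.25"},
}


def _proto_matches(rule, proto):
    # "-1" is the console's "All traffic" protocol.
    return rule["IpProtocol"] in ("-1", proto)


def _port_matches(rule, port):
    # "All traffic" rules carry no FromPort/ToPort.
    if rule.get("FromPort") is None:
        return True
    return rule["FromPort"] <= port <= rule["ToPort"]


def _source_matches(rule, groups, ip):
    addr = ip_address(ip)
    if any(addr in ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    referenced = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
    return bool(referenced & set(groups))


def inbound_allowed(endpoint_sg, groups, ip, port=443, proto="tcp"):
    """Security groups are default-deny inbound: allow only if some rule matches
    the protocol, the port and the source (by CIDR or by referenced group)."""
    return any(
        _proto_matches(r, proto) and _port_matches(r, port) and _source_matches(r, groups, ip)
        for r in endpoint_sg["IpPermissions"]
    )


def evaluate(endpoint_sg=ENDPOINT_SG, callers=CALLERS):
    """Map caller name -> 'allowed' or 'dropped'. A drop means the SYN to the
    endpoint ENI is silently discarded, which is why the CLI hangs until its
    timeout (or Control-C) instead of failing immediately."""
    return {
        name: "allowed" if inbound_allowed(endpoint_sg, c["groups"], c["ip"]) else "dropped"
        for name, c in callers.items()
    }


def with_vpc_cidr_rule(endpoint_sg, cidr=VPC_CIDR):
    """Counter-example: a copy of the endpoint group with an added rule that
    trusts the whole VPC CIDR. Cloud9 would then be admitted too, which is why
    the lab references security group IDs instead of address ranges."""
    sg = copy.deepcopy(endpoint_sg)
    sg["IpPermissions"].append({
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": [],
    })
    return sg


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:14s} -> {verdict}")
    print("with VPC-wide CIDR rule:", evaluate(with_vpc_cidr_rule(ENDPOINT_SG)))
```

To run the same check against a real account, feed `inbound_allowed` the `SecurityGroups[0]` object returned by `aws ec2 describe-security-groups --group-ids <endpoint-sg-id>` together with the group IDs and private IP of the Cloud9 instance from the EC2 Dashboard.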