SalesApp EC2 to SQS

Verify that the SalesApp EC2 instance can successfully write into the SQS queue via the Interface VPC Endpoint

  1. Refer to the collected output values from your CloudFormation stack. Note the value of the “SQSQueueURL” and “RestrictedS3Bucket” output. Also note the AWS Region where your lab is running (e.g. us-east-1). You will substitute these values into the commands below.

Ensure that your session is connected to the Sales App EC2 instance. You will execute step 2 from the Sales App EC2 instance bash prompt. Execute the following to connect to the SalesApp EC2 instance as needed:

ssh ec2-user@salesapp -i vpce.pem

  2. Execute the commands provided below AFTER making the following substitutions. Make note of the results:
     - replace <sqsqueueurlvalue> with the value of the CloudFormation output SQSQueueURL collected in step 1
     - replace <restrictedbucket> with the value of the CloudFormation output RestrictedS3Bucket collected in step 1
     - replace <region> with the AWS Region where you are executing the lab

    nslookup sqs.<region>.amazonaws.com
    aws sts get-caller-identity
    aws sqs send-message --queue-url <sqsqueueurlvalue> --endpoint-url https://sqs.<region>.amazonaws.com --message-body "{datafilelocation:s3://<restrictedbucket>/test.txt}" --region <region>
    

Expected behavior

The SalesApp EC2 instance can successfully write into the SQS queue via the Interface VPC Endpoint

Output from step 2 should look like the following:

(screenshot: verifyfigure6)

Why does this work?

A. The AWS CLI signs your API request using the credentials associated with the identity returned by aws sts get-caller-identity, the salesapp role (note: this identity has permissions to execute the “sqs:SendMessage” and “sqs:ReceiveMessage” API calls via IAM). The call is initiated from the SalesApp EC2 instance. There is an inbound rule on the Interface Endpoint security group that allows all TCP inbound access from the security group used by the SalesApp EC2 instance, so network connectivity to the Interface Endpoint succeeds.

B. The Interface Endpoint policy allows “sqs:SendMessage”, “sqs:ReceiveMessage” and “sqs:DeleteMessage” API calls to be made by any principal within the AWS account to the vpce-us-east-1-sqs-queue. The “sqs:SendMessage” API call to the vpce-us-east-1-sqs-queue is permitted by the endpoint policy.

C. The SQS resource policy for the vpce-us-east-1-sqs-queue allows the “sqs:SendMessage”, “sqs:ReceiveMessage” and “sqs:DeleteMessage” API calls under the condition that they originate from the source VPC Endpoint. The condition is met and the request is fulfilled.

(figure: figure30)
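The three layers described in A, B and C can be traced with a small local model of the policy evaluation; this is an added example, not code or policy text from the lab, and the endpoint id, account id and policy documents are constructed to match the lab's description rather than copied from the stack. It also shows the case the condition in C exists for: the same SendMessage call that does not arrive through the endpoint is refused by the queue policy.

```python
import fnmatch

# Constructed identifiers (placeholders, not values from the lab stack).
VPCE_ID = "vpce-PLACEHOLDER"
ACCOUNT = "111122223333"
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT}:vpce-us-east-1-sqs-queue"

# Layer A: IAM policy on the salesapp role (includes ListQueues, as the lab notes).
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:ListQueues"]}]}

# Layer B: Interface Endpoint policy: only three actions, any principal in the account.
ENDPOINT_POLICY = {"Statement": [{"Effect": "Allow", "Resource": QUEUE_ARN,
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]}]}

# Layer C: SQS queue resource policy: same actions, only when the request
# arrives through this VPC endpoint (aws:SourceVpce condition key).
QUEUE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": QUEUE_ARN, "Principal": "*",
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
    "Condition": {"StringEquals": {"aws:SourceVpce": VPCE_ID}}}]}

LAYERS = (("iam-role", ROLE_POLICY), ("endpoint-policy", ENDPOINT_POLICY),
          ("queue-policy", QUEUE_POLICY))


def statement_allows(stmt, action, resource, ctx):
    """Simplified IAM semantics: Allow statements only, no principal matching,
    wildcard Action/Resource, and StringEquals conditions on request context."""
    if stmt["Effect"] != "Allow":
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != expected:
            return False
    return True


def evaluate(action, resource, ctx):
    """Return the first layer that refuses the call, or 'allowed' if all three permit it."""
    for name, policy in LAYERS:
        if not any(statement_allows(s, action, resource, ctx) for s in policy["Statement"]):
            return f"denied by {name}"
    return "allowed"


if __name__ == "__main__":
    via_vpce = {"aws:SourceVpce": VPCE_ID}
    for action, ctx in (("sqs:SendMessage", via_vpce), ("sqs:ListQueues", via_vpce),
                        ("sqs:SendMessage", {})):
        print(f"{action:18} {'via endpoint' if ctx else 'direct':13} -> {evaluate(action, QUEUE_ARN, ctx)}")
```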

  3. Read the message back to verify it is in the queue. A ReceiptHandle value is output; copy this value into your buffer. Replace the placeholders in the sample command below with the SQSQueueURL value from step 1 and the Region where you are executing the lab.

    aws sqs receive-message --queue-url <sqsqueueurlvalue> --endpoint-url https://sqs.<region>.amazonaws.com --region <region>
    

Expected behavior

The SalesApp EC2 instance can successfully read from the SQS queue via the Interface VPC Endpoint

Output from step 3 should look like the following:

(screenshot: verifyfigure7)

Recall that the SalesApp EC2 role has IAM privileges including “sqs:ListQueues”. We will now validate that the Interface Endpoint Policy (which only allows the following API calls: “sqs:SendMessage”, “sqs:ReceiveMessage”, “sqs:DeleteMessage”) blocks an “sqs:ListQueues” API call even though IAM would permit it.

  4. Attempt to list SQS queues. Replace the <region> placeholder in the sample command below with the Region where you are executing the lab.

    aws sqs list-queues --region <region> --endpoint-url https://sqs.<region>.amazonaws.com
    

Expected behavior

The SalesApp EC2 instance cannot list queues via the Interface VPC Endpoint

Output from step 4 should look like the following:

(screenshot: verifyfigure8)

Type exit in order to end your SSH session on the SalesApp EC2 instance and return to the bash/shell prompt on the Cloud9 instance.