How to verify that application in EC2 is using VPC endpoint to communicate with Dynamodb?


I have a Java application which is deployed in EC2 and communicates with DynamoDB. I have enabled a VPC endpoint (gateway endpoint) for DynamoDB. But I didn't notice any performance improvement with this change. Theoretically I should see less latency via the VPC endpoint compared to public access. Also, based on the tcpdump, I can see our application is still using the public IP of DynamoDB to communicate. [tcpdump output screenshot]

Here 52.119.232.38 is the DynamoDB public IP. How can I verify that our application in EC2 is using the VPC endpoint to communicate with DynamoDB?

  • Both EC2 and the VPC endpoint are enabled for the same VPC.

Best answer:

You can use AWS CloudTrail to verify this. If you only connect to DynamoDB from the application hosted on the AWS network which has the associated VPC gateway endpoint, then you should only see private IPs in the Source IP field in the CloudTrail logs. If you see other public IPs, then it means DynamoDB is being accessed over the internet.

  • Go to AWS CloudTrail and filter for EventSource dynamodb.amazonaws.com
  • If you don't see any CloudTrail event, ensure you choose the time period when you expect the application to have accessed DynamoDB, or manually ssh into the EC2 instance and run some CLI commands such as aws dynamodb list-tables, and then wait 10-15 mins for this new event to appear.
  • Click on the settings icon to show the Source IP address for the events
  • The Source IP address for the event should be from the CIDR range of your VPC (and in this case the private IP of the EC2 instance)
  • You can click on the event name and view the raw event, which should have a key vpcEndpointId with the same value as the ID of the VPC endpoint

If the source IP is not a private IP of the EC2 instance, ensure the applicable route tables are updated with the gateway endpoint entry by following the "To add or remove route tables used by a gateway endpoint" section of the link here
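The CloudTrail check described in this answer can be scripted: pull the DynamoDB events (for example with `aws cloudtrail lookup-events`), then classify each one by whether its `sourceIPAddress` falls inside the VPC CIDR and its `vpcEndpointId` matches the gateway endpoint. The code below is an added example, not from the original post; the records, the VPC CIDR 10.0.0.0/16 and the endpoint ID vpce-0123456789abcdef0 are constructed sample values.

```python
import ipaddress
import json

# Constructed sample CloudTrail records (not real events): one DynamoDB call
# that went through the gateway endpoint, one that reached DynamoDB over the
# internet, and an unrelated S3 call that the audit should ignore.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "ListTables",
     "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0123456789abcdef0"},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "sourceIPAddress": "203.0.113.7"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0123456789abcdef0"},
]})


def audit_dynamodb_path(records_json, vpc_cidr, expected_vpce_id):
    """Split DynamoDB CloudTrail events into (via_endpoint, over_internet).

    An event counts as "via endpoint" only when its source IP lies inside the
    VPC CIDR and its vpcEndpointId equals the gateway endpoint we expect;
    anything else (public source IP, missing or different endpoint ID) is
    reported as reaching DynamoDB outside the endpoint.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    via_endpoint, over_internet = [], []
    for rec in json.loads(records_json)["Records"]:
        if rec.get("eventSource") != "dynamodb.amazonaws.com":
            continue  # only DynamoDB traffic is in scope here
        try:
            in_vpc = ipaddress.ip_address(rec.get("sourceIPAddress", "")) in vpc
        except ValueError:
            in_vpc = False  # sourceIPAddress can be a DNS name for AWS-internal calls
        if in_vpc and rec.get("vpcEndpointId") == expected_vpce_id:
            via_endpoint.append(rec)
        else:
            over_internet.append(rec)
    return via_endpoint, over_internet


if __name__ == "__main__":
    ok, bad = audit_dynamodb_path(SAMPLE_RECORDS, "10.0.0.0/16",
                                  "vpce-0123456789abcdef0")
    print(f"{len(ok)} event(s) via endpoint, {len(bad)} event(s) not via endpoint")
    for rec in bad:
        print("  not via endpoint:", rec["eventName"], "from", rec["sourceIPAddress"])
```

Feed it the `Records` array from a CloudTrail log file or the `Events` payload of `lookup-events` (after parsing each event's `CloudTrailEvent` string) for a real run.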

Another answer:

You can simply do an nslookup for the DynamoDB endpoint from an instance inside the VPC, and it should return a private IP address.

Another answer:

DynamoDB and S3 use gateway endpoints. Since it is a gateway endpoint, nslookup always gives an IP address from the prefix list CIDR range which is in your route table.

Since AWS knows the IP addresses of S3, they say just add this entry to your route table and any traffic destined to the CIDR blocks associated with S3/DynamoDB will get routed to the VPC endpoint. There are no updates to DNS like with an interface endpoint. Whenever your SDK calls the S3 API, it will do a lookup for s3.us-east-1.amazonaws.com and it will always get an IP address response associated with the prefix list, which causes the VPC router to route the traffic appropriately.

For S3/DynamoDB it is always better to confirm from the CloudTrail events (source IP address).