
Support for cross-region VPC Endpoints

Open cecilkootz opened this issue 5 months ago • 1 comments

Documentation

Which section(s) is the issue in?

VPCEndpoint for the ec2 controller

Describe the solution you'd like

Additional field in the VPC Endpoint spec to allow for the ServiceRegion to be supplied. Currently defaults to the region targeted for the VPC attachment. This supports scenarios where the service is hosted in, say, us-east-1 but the attachment is in us-west-2.

cecilkootz avatar Jun 10 '25 18:06 cecilkootz

Hello @cecilkootz 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

github-actions[bot] avatar Jun 10 '25 18:06 github-actions[bot]

We are also in need of this feature. Requesting some support here.

farhaan-shamsee avatar Aug 25 '25 15:08 farhaan-shamsee

Looks like the ServiceRegion is currently listed under the ignored fields paths. Will need to remove it from that list to include it in the VPC Endpoint CRD.

knottnt avatar Aug 25 '25 20:08 knottnt

> Looks like the ServiceRegion is currently listed under the ignored fields paths. Will need to remove it from that list to include it in the VPC Endpoint CRD.

For this we commented it out from ignore fields paths and built the controller again. We still see the same issue, even after passing the service region.

We have tried it manually and it worked from the AWS console.

Our services are in eu-central-1 and we are trying to point it from ap-southeast-1. For it to work, we had to also select the checkbox Enable Cross Region endpoint.

I think this option also needs to be enabled for the region to work.

farhaan-shamsee avatar Aug 26 '25 12:08 farhaan-shamsee

@farhaan-shamsee Does the VPC Endpoint Service you're trying to connect to have Supported Regions set to include ap-southeast-1? If the VPC Endpoint Services are also managed by ACK, it looks like we'll also need to remove SupportedRegions from the ignored field paths as well.

knottnt avatar Aug 26 '25 18:08 knottnt

> @farhaan-shamsee Does the VPC Endpoint Service you're trying to connect to have Supported Regions set to include ap-southeast-1? If the VPC Endpoint Services are also managed by ACK, it looks like we'll also need to remove SupportedRegions from the ignored field paths as well.

  1. Yes, the supported regions include ap-southeast-1 as I am able to do it from the AWS console/cli.
  2. The VPC endpoint which I am trying to point to is not managed by ACK.

farhaan-shamsee avatar Aug 26 '25 18:08 farhaan-shamsee

Hmm, testing adding the serviceRegion field on my end, I'm able to create a new VpcEndpoint connecting from ap-southeast-1 to a VPC Endpoint Service in eu-central-1 with the manifest below.

apiVersion: ec2.services.k8s.aws/v1alpha1
kind: VPCEndpoint
metadata:
  name: cross-region-endpoint
spec:
  serviceName: com.amazonaws.vpce.eu-central-1.not-a-real-servicename
  serviceRegion: eu-central-1
  ipAddressType: ipv4
  vpcEndpointType: Interface
  vpcID: <vpc-id>
  tags:
    - key: Name
      value: cross-region-endpoint

Are you modifying an existing VPC Endpoint? Looking at the ModifyVpcEndpoint operation it doesn't provide a way to change the ServiceRegion. So, for an existing resource the ACK controller won't be able to modify the serviceRegion field after initial creation. Instead you'd need to create a new VPC Endpoint.

knottnt avatar Aug 28 '25 17:08 knottnt
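
Added example, not part of the thread or of the ACK project's code: a pre-apply check for the two failure modes discussed above, a spec whose serviceName points at another region while serviceRegion falls back to the endpoint's own region, and a change to serviceRegion on an existing endpoint, which per the comment above requires a new VPC Endpoint. The helper names and the sample specs are assumptions constructed for illustration.

```python
import re

# Endpoint service names as they appear in the thread:
#   com.amazonaws.vpce.<region>.<service-id>
_SERVICE_NAME = re.compile(r"^com\.amazonaws\.vpce\.([a-z]{2}(?:-[a-z]+)+-\d+)\.(.+)$")


def region_from_service_name(service_name):
    """Return the region embedded in an endpoint service name, or None."""
    m = _SERVICE_NAME.match(service_name or "")
    return m.group(1) if m else None


def effective_service_region(spec, endpoint_region):
    """serviceRegion if set, otherwise the endpoint's own region
    (the default behaviour described in the issue)."""
    return spec.get("serviceRegion") or endpoint_region


def check_vpc_endpoint(spec, endpoint_region, existing_spec=None):
    """Hypothetical helper: list problems with a VPCEndpoint spec before apply."""
    findings = []
    wanted = effective_service_region(spec, endpoint_region)
    named = region_from_service_name(spec.get("serviceName"))
    if named and named != wanted:
        findings.append(
            f"serviceName is in {named} but serviceRegion resolves to {wanted}")
    if existing_spec is not None:
        current = effective_service_region(existing_spec, endpoint_region)
        if current != wanted:
            findings.append(
                f"serviceRegion change {current} -> {wanted} needs a new VPCEndpoint")
    return findings


# Constructed sample specs, modelled on the manifest in the thread.
CROSS_REGION = {
    "serviceName": "com.amazonaws.vpce.eu-central-1.not-a-real-servicename",
    "serviceRegion": "eu-central-1",
    "vpcEndpointType": "Interface",
}
MISSING_REGION = {k: v for k, v in CROSS_REGION.items() if k != "serviceRegion"}

if __name__ == "__main__":
    for label, spec, existing in [("ok", CROSS_REGION, None),
                                  ("missing", MISSING_REGION, None),
                                  ("changed", CROSS_REGION, MISSING_REGION)]:
        print(label, check_vpc_endpoint(spec, "ap-southeast-1", existing))
```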

@farhaan-shamsee support for service region on VPC Endpoints has been released in v1.6.0.

knottnt avatar Sep 02 '25 20:09 knottnt