Reputation: 2397
I am trying to figure out how the VPC endpoint works with a private internal domain in a private hosted zone created with the VPC itself.
For instance:
I have a VPC ( vpc_1 ) and I have an Elasticsearch (es) cluster running inside this VPC.
I have configured a route53 private hosted zone, with vpc_1.
I am not able to have an alias A record for an internal domain like es.mydomain.local that would resolve Elasticsearch internally within services.
But I am able to add a CNAME that points to the VPC endpoint. The problem with this approach is that the VPC endpoint has its own SSL certificate, and I am unable to use the new domain https://es.mydomain.local to connect to my ES cluster.
I can mark my requests as insecure and do the calls, i.e. curl https://es.mydomain.local --insecure
but this is not sustainable for production workloads.
In all honesty, I don't think I need HTTPS for internal load anyway, since the cluster is not public by design. But this is something I don't have control over, because the VPC endpoints are HTTPS by default.
AWS suggests that I put a load balancer in front of the ES cluster and then use an alias. This works but is a costly approach compared to having this at route53.
Does anyone have any experience with a similar situation?
Upvotes: 2
Views: 602
Reputation: 5039
AWS recently added the feature you're looking for:
NOTE (see the note in the blue area of the screenshot): you still need to create the CNAME record. Also, it takes some time (minutes) to fully propagate.
Additionally, if you're using Terraform, you'd probably want to upvote this issue, which should add support for defining custom endpoints: https://github.com/hashicorp/terraform-provider-aws/issues/16059
Upvotes: 0
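The setup from the question (private hosted zone, CNAME to the VPC endpoint) with the certificate mismatch fixed through a custom endpoint on the domain, as an added Terraform example that is not part of the question or answer. It assumes the `domain_endpoint_options` attributes that implement the linked feature request (`custom_endpoint_enabled`, `custom_endpoint`, `custom_endpoint_certificate_arn`), and the variables `vpc_id`, `private_subnet_ids`, `es_security_group_id` and `custom_endpoint_certificate_arn` are placeholders you supply (for a private `.local` name the certificate has to come from ACM Private CA, since public CAs will not issue for it).

```hcl
# Added example, not the question's or answer's own code. Placeholder inputs:
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "es_security_group_id" { type = string }
variable "custom_endpoint_certificate_arn" { type = string } # ACM (Private CA) cert for es.mydomain.local

resource "aws_elasticsearch_domain" "es" {
  domain_name           = "es"
  elasticsearch_version = "7.9"

  vpc_options {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [var.es_security_group_id]
  }

  # Without custom_endpoint_* the domain only presents its own AWS certificate,
  # so https://es.mydomain.local fails hostname verification and clients end up
  # with --insecure. With them, the cert matches the private name and TLS
  # verification stays on.
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"

    custom_endpoint_enabled         = true # assumed attribute (see lead-in)
    custom_endpoint                 = "es.mydomain.local"
    custom_endpoint_certificate_arn = var.custom_endpoint_certificate_arn
  }
}

# Private hosted zone associated with the VPC, as in the question.
resource "aws_route53_zone" "internal" {
  name = "mydomain.local"
  vpc {
    vpc_id = var.vpc_id
  }
}

# The CNAME is still required (as the answer notes): the custom endpoint only
# changes which names the certificate covers; DNS must still send
# es.mydomain.local to the VPC endpoint hostname.
resource "aws_route53_record" "es" {
  zone_id = aws_route53_zone.internal.zone_id
  name    = "es.mydomain.local"
  type    = "CNAME"
  ttl     = 300
  records = [aws_elasticsearch_domain.es.endpoint]
}
```

After apply and DNS propagation, `curl https://es.mydomain.local` from inside the VPC should succeed without `--insecure`, provided the client trusts the private CA that issued the certificate.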