
I have a CodeBuild project that is set up to use a VPC so it can access RDS. I set up a "VPC Endpoint" for com.amazonaws.us-east-1.s3 so CodeBuild can access CodePipeline output artifacts.

This is working fine, but now nothing is output in the "Build logs". This appears to be because it uses CloudWatch to write the logs, and I was getting this error under "FINALIZING" in the "Phase details":

: RequestError: send request failed caused by: Post https://logs.us-east-1.amazonaws.com/: dial tcp 54.239.25.71:443: i/o timeout

CloudWatch endpoints are also supported for VPCs, so I added com.amazonaws.us-east-1.logs, but unfortunately this had no effect on the logs.

I also tried adding com.amazonaws.us-east-1.monitoring and com.amazonaws.us-east-1.events as well, but that was also unsuccessful.

I followed the directions in the AWS docs for "Testing the Connection Between Your VPC and CloudWatch Logs", and strangely this worked perfectly fine from an EC2 instance: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch-logs-and-interface-VPC.html#test-VPC-endpoint-for-CloudWatchLogs

Is it possible to make the CodeBuild logs functional using VPC endpoints?

twiz

1 Answer


It's very likely the same reason and the same answer as in your previous question. It's something to do with your network setup, routes, security groups, NACLs etc.

Do the test that I suggested in the previous answer: spin up a tiny EC2 instance in the same subnet where you're running your CodeBuild containers and from there test if it can reach the endpoints you need. If the instance can't contact them the CodeBuild container won't be able to either.

Regarding the VPC endpoints - are you sure you've got the routes to the logs, events and monitoring in the correct Route Table that's attached to the subnet where you're running your CodeBuild container? Does the Route Table contain a route to 54.239.25.71 (or a bigger matching CIDR)?

Hope that helps :)

MLu
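One way to run the reachability test the answer recommends, as an added example that is not part of the question or the answer: from an EC2 instance in the CodeBuild subnet, resolve the CloudWatch Logs hostname, check whether each address falls inside the VPC CIDR (an interface endpoint with Private DNS enabled resolves to private addresses in the VPC, whereas a public address such as the 54.239.25.71 in the error needs a NAT gateway or internet gateway), and probe TCP 443. The hostname is taken from the error in the question; the CIDR 10.0.0.0/16 in the usage comment is an assumed example value, not from the page.

```bash
#!/bin/sh
# Added diagnostic, not from the question or answer. Run it on the EC2
# instance in the CodeBuild subnet, passing the endpoint hostname and the
# VPC CIDR. Requires getent, awk, sort and nc (netcat) on the instance.
set -u

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr 10.0.1.23 10.0.0.0/16 -> exit 0 if the address is inside the CIDR
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Resolve the hostname, classify each address as inside/outside the VPC,
# and probe TCP 443. Returns non-zero if any address is public or unreachable.
check_endpoint() {
    host=$1; cidr=$2; rc=0
    for addr in $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u); do
        if ip_in_cidr "$addr" "$cidr"; then
            echo "$host -> $addr is inside $cidr (interface endpoint with Private DNS in effect)"
        else
            echo "$host -> $addr is outside $cidr (public address; needs NAT/IGW or endpoint Private DNS)"
            rc=1
        fi
        if nc -z -w 5 "$addr" 443; then
            echo "  tcp/443 reachable"
        else
            echo "  tcp/443 timed out (check endpoint security group, NACLs, route table)"
            rc=1
        fi
    done
    return $rc
}

# Only probe the network when invoked with both arguments, e.g.:
#   sh check_endpoint.sh logs.us-east-1.amazonaws.com 10.0.0.0/16   (10.0.0.0/16 is an assumed VPC CIDR)
if [ $# -eq 2 ]; then
    check_endpoint "$1" "$2"
fi
```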