What if my VPC endpoint service does not support the availability zone of the Data Collector?
PrivateLink debugging
Deprecated
As of January 2024, the Monte Carlo Data Collector Deployment Model has been deprecated in favor of the Agent and Object Storage Deployment models. Please see Architecture & Deployment Options for more information.
If you are a SaaS customer (i.e are not hosting the data collector) you will need to work with your Monte Carlo representative to retrieve and/or update any data collector related details.
Some steps also require AWS admin privileges.
When creating the Endpoint Consumer stack you might see an error as follows:
The VPC endpoint service com.amazonaws.vpce.ca-central-1.vpce-svc-123456789 does not support the availability zone of the subnet: subnet-abcd. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameter; Request ID:0987654321; Proxy: null)
This is because unlike via the VPC console, CloudFormation does not automatically perform AZ mapping and AZs can be different between AWS accounts. For instance, the subnet in us-east-1a in one account might be us-east-1b in the other. You can use Availability Zone IDs (AZ IDs) to identify the actual location of your resources and the data collector as AZ IDs are constant across all AWS accounts.
You can also run the describe-vpc-endpoint-services command in the same account and region as the Data Collector to check what availability zones the service you created is enabled for . For instance -
aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.vpce.ca-central-1.vpce-svc-123456789
So to resolve this issue, if possible, please recreate the Service Provider CloudFormation stack with a subnet that has the same AZ ID as the Data Collector. Then try redeploying the Endpoint Consumer CloudFormation stack.
If you are unable to do so (e.g. the VPC of your resource does not support any overlapping availability zones) the following process outlines an example of how you can create an additional private subnet in the data collector's VPC:
Important
This example assumes you have deployed a data collector in it's default mode of creating a dedicated VPC in 10.0.0.0/16. If this not the case (e.g. you are using an existing/custom VPC or another CIDR block) please reach out to your Monte Carlo representative or support instead. We'd be happy to work with you to get you up and running!
Some steps also create and update resources in AWS via the console. If you prefer this can also be done using the AWS CLI or an infrastructure as code tool like CloudFormation. Generally we recommend the latter for managing resources.
- Navigate to the CloudFormation console and deploy the Service Provider CloudFormation stack if you haven't already done so.
- Navigate to the CloudFormation stack created in step #1 and search for the
ServiceEndpoint
under resources. Select the "Physical ID" link. This should open the VPC console in a new tab. - From the VPC console save the Availability Zone name and ID of the VPC endpoint service.
- Navigate to the AWS Resource Access Manager console in the same account and region as the Data Collector.
- From the list of AZ IDs select the availability zone name that matches the ID from step #3. See details here.
- Navigate to the CloudFormation console and select the outputs tab from the Data Collector stack. Save the following values:
- VpcId
- PrivateRouteTable
- Navigate to the VPC console and select "Subnets" and "Create Subnet". Fill in the VPC ID from step #6 and the Availability Zone from step #5. For the IPv4 CIDR block you can use
10.0.4.0/24
and any name you'd like.
- Navigate to the the Route table tab for the subnet you created in step #7 and select "Edit route table association". Update the Route table ID with the value you saved in step #6 and save any changes.
- Navigate to the CloudFormation console and deploy the Endpoint Consumer CloudFormation stack. Importantly, use the Subnet ID of the subnet created in step #7 instead of either stack outputs.
- Onboard normally using the
ServiceEndpointDNS
. If you encounter any reachability issues you can follow this guide to help troubleshoot. Reviewing the load balancer health check can also be helpful.
Updated 6 months ago