aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.51k stars 3.85k forks

[ses] Add VPC Endpoint for SES #9386

Open followben opened 4 years ago

followben commented 4 years ago

I need to set up a VPC Interface Endpoint for SES as described at https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-set-up-vpc-endpoints.html via the CDK.

Use Case

We configure and deploy our entire infrastructure as code via the javascript CDK. While I can grant our VPC access to services such as Secrets Manager using addInterfaceEndpoint() and InterfaceVpcEndpointAwsService.SECRETS_MANAGER, I can't see a way to connect SES.

Indeed, while the VPC user guide lists SES as an available interface endpoint, the same option is missing in the latest CDK.

Proposed Solution

Add the ability to set up a VPC endpoint for SES.


This is a :rocket: Feature Request

iliapolo commented 4 years ago

Hi @followben - You are correct that the SES endpoint is not available as a static member, like many others are.

However, you can still initialize the InterfaceVpcEndpointAwsService on your own and provide the service name. In your case, this would be:

new InterfaceVpcEndpointAwsService('email-smtp');

I'm going to mark this as a feature request anyway to add it to our list, but you should be able to work around this.

Let us know if this resolves your issue.

Thanks!

followben commented 4 years ago

Thanks @iliapolo - unfortunately not.

I attached an 'email-smtp' ENI endpoint to the VPC with a security group:

const vpc = new Vpc(...);
const sesVpcEndpointSecurityGroup = new SecurityGroup(
    this,
    `my-ses-vpc-security-group`,
    {
        description: `My SES VPC endpoint security group`,
        vpc,
    }
);
vpc.addInterfaceEndpoint(`my-ses-access`, {
    service: new InterfaceVpcEndpointAwsService('email-smtp'),
    securityGroups: [sesVpcEndpointSecurityGroup],
});

And granted the lambda access to that security group:

const myLambda = new Function(construct, 'my-function', {
    vpc,
    ...
});
myLambda.connections.allowTo(sesVpcEndpointSecurityGroup, Port.allTcp());

Upon deployment, the vpc, security group and lambda all look to be configured as requested via the console.

I know the function works and can invoke ses.sendRawEmail() successfully when running outside the VPC (using verified addresses etc.).

However, it simply hangs/times out when running under the above configuration. I can't see any relevant logs in CloudFormation or associated failure metrics in SES.

Do you have any further suggestions as to how I can debug and resolve?

followben commented 4 years ago

Perhaps the problem is that the aws-sdk uses the service endpoint email.eu-west-1.amazonaws.com rather than the SMTP endpoint email-smtp.eu-west-1.amazonaws.com? If I alter my function to send the email via SMTPS directly, the configuration appears to work.

iliapolo commented 4 years ago

@followben Could you also paste the code inside the lambda you use, and also the exact VPC configuration you use? I'd like to try and reproduce the deployment.

ghost commented 3 years ago

I'm having the same problem. I want to send email from a lambda in a VPC. The AWS.SES class uses HTTPS (email.eu-west-1.amazonaws.com). The only email endpoint that can be added to a VPC is "com.amazonaws.eu-west-1.email-smtp".

ghost commented 3 years ago

Workaround using nodemailer and the SMTP endpoint: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/examples-send-using-smtp.html

FaresKi commented 2 years ago

Any news on this topic, CDK-wise?

watany-dev commented 1 year ago

This has been fixed in the latest version since I solved it

https://github.com/aws/aws-cdk/blob/475dbef2e58ed5cf63cacf7d0c24cea4980b0ce2/packages/%40aws-cdk/aws-ec2/lib/vpc-endpoint.ts#L422

rantoniuk commented 6 months ago

Why is EMAIL_SMTP used instead of the official SES service name, just like with all the other AWS Interface Endpoints? That's confusing.