
【Introduction to AWS】Sending Email from a Private Subnet via SES - PrismScaler

1. Introduction

Hello! We are a writer team from Definer Inc. In this issue, we look at how to send mail from a private subnet via SES. Amazon Simple Email Service (SES) is a cloud-based email sending and receiving service provided by Amazon Web Services (AWS). It enables businesses and developers to send transactional, marketing, and notification emails reliably and at scale. SES removes the complexity of running your own email infrastructure while keeping deliverability high and meeting industry standards. Let's take a look at the actual screens and resources to explain in detail.

2. Purpose/Use Cases

This article uses Amazon SES to implement email sending with as little effort as possible. It collects information and practices that are helpful when you want to send emails from a private AWS subnet in an IT setting. Reasons to use AWS SES:
(1) Reliable email delivery
(2) Scalable and cost-effective
(3) Easy integration
(4) Deliverability and compliance
(5) Email content personalization
(6) Easy email management
(7) Receiving emails

3. What is Amazon SES?

Amazon SES stands for Simple Email Service and is an email delivery service provided by AWS. It does not require you to build your own mail server and supports many use cases that involve email. SES is ready to use as soon as you set it up, but at the start there are restrictions on sending emails (which is natural, given how spam and other abuse would otherwise be trivial). You can use the service without these restrictions by requesting that your account be moved out of the SES sandbox.

To send mail with SES, you must have access to the Internet. On a public subnet, EC2 can reach the Internet directly and send e-mail, but what should you do on a private subnet?

4. Sending email from a private subnet using SES

We will now show you how to send emails from a private subnet using SES. Please also refer to "Creating an Amazon SES with Terraform" for more information on creating an SES identity and sending emails.

To send mail from a private subnet using SES, you will need to do one of the following.

① Create a NAT gateway

A NAT gateway allows a private subnet that has no public IP addresses to connect to the Internet. It translates the private source addresses to a public IP address, so resources in the private subnet can reach the Internet through it, while the private subnet itself is never reachable from the Internet. The following commands create a NAT gateway and add a route to it in the route table.

## Set these to your own resource IDs before running.
## SUBNET_ID must be a public subnet (the NAT gateway needs a route to an Internet gateway);
## ROUTE_TABLE_ID is the route table associated with the private subnet.
## Allocate an Elastic IP for the NAT Gateway (note the AllocationId in the output)
aws ec2 allocate-address --domain vpc

## NAT Gateway creation (note the NatGatewayId in the output)
aws ec2 create-nat-gateway \
  --subnet-id "${SUBNET_ID}" \
  --allocation-id "${EIP_ALLOCATION_ID}"

## Add a default route through the NAT Gateway to the private subnet's route table
aws ec2 create-route \
  --route-table-id "${ROUTE_TABLE_ID}" \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id "${NAT_GATEWAY_ID}"

② Create a VPC endpoint

A VPC endpoint is used when you want to communicate with a specific AWS service from an environment that cannot reach the Internet, or when security policy requires that the traffic not traverse the Internet. VPC endpoints exist for many services, including SES. The endpoint service for sending email is "com.amazonaws.ap-northeast-1.email-smtp" (replace the region as needed). As a reminder, this endpoint serves the SMTP interface, so your sending logic must use SMTP rather than the SES API. Below are the commands to create a VPC endpoint for sending emails.

## Create an interface endpoint for the SES SMTP service.
## SUBNET_ID is the private subnet; the security group attached to the endpoint must
## allow inbound traffic on the SMTP port you use (25, 465 or 587) from that subnet.
## --private-dns-enabled makes email-smtp.ap-northeast-1.amazonaws.com resolve to the
## endpoint's private addresses, so clients need no configuration change.
aws ec2 create-vpc-endpoint \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.ap-northeast-1.email-smtp \
  --vpc-id "${VPC_ID}" \
  --subnet-ids "${SUBNET_ID}" \
  --security-group-ids "${SECURITY_GROUP_ID}" \
  --private-dns-enabled

Depending on your requirements and other factors, choose whichever of these two methods fits and try sending emails!

5. Restrictions and limitations by AWS SES and how to deal with it

When using Amazon Simple Email Service (SES) from private subnets, there are some restrictions and limitations to be aware of due to the network configuration. Here is guidance on how to deal with them:

(1) Network Connectivity:
 - Ensure that your private subnet can reach the SES service endpoints, either through a NAT gateway or NAT instance (Internet path) or through the SES SMTP VPC endpoint described in section 4.
 - Configure your security groups and network access control lists (ACLs) to allow outbound traffic on the required ports (e.g., port 25 for SMTP) to the SES endpoints.

(2) SMTP Configuration:
 - Configure your application or email client to use the SES SMTP endpoint for sending emails. The endpoint depends on the AWS Region you operate in and follows the format email-smtp.<region>.amazonaws.com.
 - Authenticate the SMTP connection with SES SMTP credentials, which are derived from an IAM user's access key and secret access key and can be generated in the AWS Management Console. This ensures that only authorized identities can send through SES.

(3) DKIM Signing:
 - Implement DomainKeys Identified Mail (DKIM) signing to increase deliverability and reduce the chance of your emails being marked as spam. DKIM requires adding DNS records, which may be managed by your DNS provider; make sure the necessary DNS changes are made to enable DKIM signing for your sending domain.

(4) Bounce and Complaint Handling:
 - SES provides bounce and complaint notifications to help you manage the email delivery process. By default, SES sends these notifications to an Amazon Simple Notification Service (SNS) topic. Ensure that your private subnet has the necessary connectivity to access the SNS service and receive bounce and complaint notifications.

(5) Monitoring and Logging:
 - Enable logging for SES activities to track email sending, delivery, bounces, and complaints. SES can publish these logs to Amazon CloudWatch Logs. Ensure that your private subnet has access to CloudWatch Logs for monitoring and troubleshooting purposes.

(6) Testing and Troubleshooting:
 - Validate your SES configuration by sending test emails and verifying their delivery status. Monitor the bounce and complaint notifications to identify and resolve any issues related to email delivery.
 - Use SES API operations or the AWS Management Console to inspect the sending quota, reputation, and other metrics to ensure compliance with SES service limits.
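Points (2) and (6) above are easiest to see in code. The following is an added example written for this article, not code from the original post or from AWS: it derives SES SMTP credentials from an IAM access key (the SMTP username is the access key ID; the password follows the HMAC-SHA256 derivation AWS documents for converting a secret access key into an SMTP password), opens a STARTTLS session to email-smtp.<region>.amazonaws.com, and sends one test message. All key, address and region values in it are constructed placeholders; `SES_REGION` and the `check_smtp_reachable` helper are this example's own names.

```python
"""Added example: derive SES SMTP credentials from an IAM access key and send a
test message through the regional SES SMTP endpoint over STARTTLS.

The password derivation follows the HMAC-SHA256 ladder AWS documents for
converting an IAM secret access key into an SES SMTP password; the SMTP
username is the IAM access key ID itself. Every key, address and region value
below is a constructed placeholder, not a real credential."""
import base64
import hashlib
import hmac
import os
import smtplib
import ssl
from email.message import EmailMessage

# Fixed inputs of the AWS-documented derivation (DATE is a constant, not a calendar date).
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    """One rung of the HMAC-SHA256 key-derivation ladder."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def smtp_password_from_secret_key(secret_access_key: str, region: str) -> str:
    """Return the SES SMTP password for `region` derived from an IAM secret key.

    The result is region-specific: a password derived for ap-northeast-1 is
    rejected by the us-east-1 endpoint, a common cause of 535 auth errors.
    """
    sig = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    for step in (region, SERVICE, TERMINAL, MESSAGE):
        sig = _sign(sig, step)
    return base64.b64encode(bytes([VERSION]) + sig).decode("ascii")


def decode_smtp_password(password: str) -> bytes:
    """Undo the base64 layer: 1 version byte followed by a 32-byte HMAC."""
    return base64.b64decode(password)


def ses_smtp_host(region: str) -> str:
    """SES SMTP endpoint in the email-smtp.<region>.amazonaws.com form."""
    return f"email-smtp.{region}.amazonaws.com"


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """A minimal message; the From: address must be a verified SES identity."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "SES SMTP connectivity test"
    msg.set_content("Test message sent through the SES SMTP interface.")
    return msg


def check_smtp_reachable(region: str, port: int = 587, timeout: float = 5.0):
    """Open a TCP session to the SMTP endpoint and send EHLO.

    Returns (ok, detail). A timeout here from a private subnet usually means
    the route to the NAT gateway or the VPC endpoint's security group is
    wrong, not an SES problem.
    """
    try:
        with smtplib.SMTP(ses_smtp_host(region), port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            return code == 250, f"EHLO returned {code}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def send_test_email(region, access_key_id, secret_access_key, sender, recipient,
                    port=587, timeout=10.0):
    """Authenticate with derived SMTP credentials and send one message.

    Returns smtplib's dict of refused recipients; an empty dict means accepted.
    Port 587 with STARTTLS is used because EC2 throttles outbound port 25 by default.
    """
    password = smtp_password_from_secret_key(secret_access_key, region)
    context = ssl.create_default_context()  # verifies the endpoint's certificate
    with smtplib.SMTP(ses_smtp_host(region), port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)
        smtp.ehlo()  # re-EHLO after TLS so the AUTH capability is offered
        smtp.login(access_key_id, password)
        return smtp.send_message(build_test_message(sender, recipient))


if __name__ == "__main__":
    region = os.environ.get("SES_REGION", "ap-northeast-1")
    demo = smtp_password_from_secret_key("CONSTRUCTED-NOT-A-REAL-SECRET-KEY", region)
    print(ses_smtp_host(region), "password length:", len(demo),
          "leading version byte:", decode_smtp_password(demo)[0])
    if "AWS_ACCESS_KEY_ID" in os.environ:  # only touch the network when credentials exist
        print(check_smtp_reachable(region))
```

Two things worth noting from a defender's seat: the derived password is only as secret as the IAM secret key it comes from, so scope that IAM user to `ses:SendRawEmail` and nothing else; and `ssl.create_default_context()` enforces certificate verification, which matters especially when private DNS on a VPC endpoint is redirecting the hostname to private addresses.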

6. Cited/Referenced Articles

7. About the proprietary solution "PrismScaler"

・PrismScaler is a web service that enables the construction of multi-cloud infrastructures such as AWS, Azure, and GCP in just three steps, without requiring development and operation work.
・The solution is designed for a wide range of usage scenarios such as cloud infrastructure construction/cloud migration, cloud maintenance and operation, and cost optimization, and can easily realize several hundred high-quality general-purpose cloud infrastructures by appropriately combining IaaS and PaaS.

8. Contact us

This article provides useful introductory information free of charge. For consultation and inquiries, please contact "Definer Inc".

9. Regarding Definer

・Definer Inc. provides one-stop solutions from upstream to downstream of IT.
・We are committed to providing integrated support for advanced IT technologies such as AI and cloud IT infrastructure, from consulting to requirement definition, design, development, implementation, maintenance, and operation.
・PrismScaler provides high-quality, rapid "auto-configuration," "auto-monitoring," "problem detection," and "configuration visualization" for multi-cloud/IT infrastructure such as AWS, Azure, and GCP.