
Amazon Virtual Private Cloud

AWS PrivateLink


Amazon Virtual Private Cloud: AWS PrivateLink

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What is AWS PrivateLink? ... 1

VPC endpoints concepts ... 1

Work with VPC endpoints ... 1

Example endpoint configurations ... 2

Pricing for endpoints ... 2

VPC endpoints ... 3

Interface endpoints ... 3

Private DNS for interface endpoints ... 4

Interface endpoint properties and limitations ... 6

Connection to on-premises data centers ... 7

Interface endpoint lifecycle ... 7

Interface endpoint Availability Zone considerations ... 7

View available AWS service names ... 8

Create an interface endpoint ... 9

View your interface endpoint ... 12

Create and manage a notification for an interface endpoint ... 13

Access a service through an interface endpoint ... 14

Modify an interface endpoint ... 14

Gateway Load Balancer endpoints ... 16

Gateway Load Balancer endpoint properties and limitations ... 17

Gateway Load Balancer endpoint lifecycle ... 18

Pricing for Gateway Load Balancer endpoints ... 18

Create a Gateway Load Balancer endpoint ... 18

View your Gateway Load Balancer endpoint ... 19

Add or remove tags for a Gateway Load Balancer endpoint ... 19

Gateway endpoints ... 20

Pricing for gateway endpoints ... 21

Routing for gateway endpoints ... 21

Gateway endpoint limitations ... 23

Endpoints for Amazon S3 ... 23

Endpoints for Amazon DynamoDB ... 30

Create a gateway endpoint ... 32

Modify your security group ... 34

Modify a gateway endpoint ... 35

Add or remove gateway endpoint tags ... 35

Control access to services ... 36

Use VPC endpoint policies ... 36

Security groups ... 37

Delete a VPC endpoint ... 37

VPC endpoint services ... 39

VPC endpoint services for interface endpoints ... 39

Endpoint service Availability Zone considerations ... 41

Endpoint service DNS names ... 41

Connect to on-premises data centers ... 7

Access services through a VPC peering connection ... 42

Use proxy protocol for connection information ... 42

Rules and limitations ... 42

VPC endpoint services for Gateway Load Balancer endpoints ... 43

Availability Zone considerations ... 44

Rules and limitations ... 44

Create a VPC endpoint service configuration for interface endpoints ... 45

Create a VPC endpoint service configuration for Gateway Load Balancer endpoints ... 46

Add and remove permissions for your endpoint service ... 47

Change the endpoint service configuration ... 49


Accept and reject endpoint connection requests ... 50

Create and manage a notification for an endpoint service ... 51

Add or remove VPC endpoint service tags ... 54

Delete an endpoint service configuration ... 54

Identity and access management ... 56

Private DNS names ... 59

Domain name verification considerations ... 60

VPC endpoint service private DNS name verification ... 60

Add a TXT record to your domain's DNS server ... 61

Modify an existing endpoint service private DNS name ... 62

View endpoint service private DNS name configuration ... 62

Manually initiate the endpoint service private DNS name domain verification ... 63

Remove an endpoint service private DNS name ... 63

Private DNS name domain verification TXT records ... 64

Troubleshoot common domain verification problems ... 66

Domain verification problems ... 66

How to check domain verification settings ... 66

Services that support AWS PrivateLink ... 68

View available AWS service names ... 74

CloudWatch metrics ... 76

Endpoint metrics and dimensions ... 76

Endpoint service metrics and dimensions ... 78

View the CloudWatch metrics ... 80

Quotas ... 81

Document history ... 82


AWS PrivateLink and VPC endpoints

AWS PrivateLink is a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to communicate with the service. Therefore, you control the specific API endpoints, sites, and services that are reachable from your VPC.

You can create your own VPC endpoint service, powered by AWS PrivateLink, and enable other AWS customers to access your service.

VPC endpoints concepts

The following are the key concepts for VPC endpoints:

VPC endpoint — The entry point in your VPC that enables you to connect privately to a service. The following are the different types of VPC endpoints. You create the type of VPC endpoint required by the supported service.

• Gateway endpoint (p. 20)

• Interface endpoint (p. 3)

• Gateway Load Balancer endpoint (p. 16)

Endpoint service — Your own application or service in your VPC. Other AWS principals can create an endpoint from their VPC to your endpoint service.

To use AWS PrivateLink, create a VPC endpoint for a service in your VPC. You create the type of VPC endpoint required by the supported service. This creates an elastic network interface in your subnet with a private IP address that serves as an entry point for traffic destined to the service. The following diagram shows the basic architecture to securely connect your VPC to an AWS service that supports AWS PrivateLink.

Work with VPC endpoints

You can create, access, and manage VPC endpoints using any of the following:


AWS Management Console — Provides a web interface that you can use to access your AWS PrivateLink resources.

AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services, including AWS PrivateLink. For more information about commands for AWS PrivateLink, see ec2 in the AWS CLI Command Reference.

AWS CloudFormation - Create templates that describe your AWS resources. You use the templates to provision and manage these resources as a single unit. For more information, see the following AWS PrivateLink resources:

• AWS::EC2::VPCEndpoint

• AWS::EC2::VPCEndpointConnectionNotification

• AWS::EC2::VPCEndpointService

• AWS::EC2::VPCEndpointServicePermissions

• AWS::ElasticLoadBalancingV2::LoadBalancer

AWS SDKs — Provide language-specific APIs. The SDKs take care of many of the connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see AWS SDKs.

Query API — Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access Amazon VPC. However, it requires that your application handle low-level details such as generating the hash to sign the request and handling errors. For more information, see AWS PrivateLink actions in the Amazon EC2 API Reference.

Example endpoint configurations

For information about AWS PrivateLink and VPC peering examples, see Examples: Services using AWS PrivateLink and VPC peering in the Amazon VPC User Guide.

Pricing for endpoints

For information about pricing, see AWS PrivateLink Pricing.


VPC endpoints

A VPC endpoint enables connections between a virtual private cloud (VPC) and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Therefore, you control the specific API endpoints, sites, and services that are reachable from your VPC.

VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. The following are the different types of VPC endpoints. You create the type of VPC endpoint that's required by the supported service.

Interface endpoints

An interface endpoint (p. 3) is an elastic network interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a service that is owned by AWS or owned by an AWS customer or partner. For a list of AWS services that integrate with AWS PrivateLink, see Services that support AWS PrivateLink (p. 68).

You are billed for hourly usage and data processing charges. For more information, see Interface endpoint pricing.

Gateway Load Balancer endpoints

A Gateway Load Balancer endpoint (p. 16) is an elastic network interface with a private IP address from the IP address range of your subnet. It serves as an entry point to intercept traffic and route it to a network or security service that you've configured using a Gateway Load Balancer. You specify a Gateway Load Balancer endpoint as a target for a route in a route table. Gateway Load Balancer endpoints are supported only for endpoint services that are configured using a Gateway Load Balancer.

You are billed for hourly usage and data processing charges. For more information, see Gateway Load Balancer endpoint pricing.

Gateway endpoints

A gateway endpoint (p. 20) is a gateway that is a target for a route in your route table used for traffic destined to either Amazon S3 or DynamoDB.

There is no charge for using gateway endpoints.

Amazon S3 supports both gateway endpoints and interface endpoints. For a comparison of the two options, see Types of VPC endpoints for Amazon S3 in the Amazon S3 User Guide.

Interface VPC endpoints (AWS PrivateLink)

An interface VPC endpoint (interface endpoint) allows you to connect to services powered by AWS PrivateLink. These services include some AWS services, services hosted by other AWS customers and Partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace Partner services. The owner of the service is the service provider, and you, as the principal creating the interface endpoint, are the service consumer.

The following are the general steps for setting up an interface endpoint:

1. Choose the VPC in which to create the interface endpoint, and provide the name of the AWS service, endpoint service, or AWS Marketplace service to which you're connecting.


2. Choose a subnet in your VPC to use the interface endpoint. We create an endpoint network interface in the subnet. An endpoint network interface is assigned a private IP address from the IP address range of your subnet, and keeps this IP address until the interface endpoint is deleted. You can specify more than one subnet in different Availability Zones (as supported by the service) to help ensure that your interface endpoint is resilient to Availability Zone failures. In that case, we create an endpoint network interface in each subnet that you specify.

Note

An endpoint network interface is a requester-managed network interface. You can view it in your account, but you cannot manage it yourself. For more information, see Requester-managed network interfaces.

3. Specify the security groups to associate with the endpoint network interface. The security group rules control the traffic to the endpoint network interface from resources in your VPC. If you do not specify a security group, we associate the default security group for the VPC.

4. (Optional, AWS services and AWS Marketplace Partner services only) Enable private DNS (p. 4) for the endpoint so you can make requests to the service using its default DNS hostname.

Important

Private DNS is turned on by default for endpoints created for AWS services and AWS Marketplace Partner services.

Private DNS is turned on in the other subnets that are in the same VPC and Availability Zone or Local Zone.

5. When the service provider and the consumer are in different accounts, see the section called “Interface endpoint Availability Zone considerations” (p. 7) for information about how to use Availability Zone IDs to identify the interface endpoint Availability Zone.

6. After you create the interface endpoint, it's available to use when it's accepted by the service provider.

The service provider must configure the service to accept requests automatically or manually. AWS services and AWS Marketplace services generally accept all endpoint requests automatically. For more information about the lifecycle of an endpoint, see Interface endpoint lifecycle (p. 7).

Services cannot initiate requests to resources in your VPC through the endpoint. An endpoint only returns responses to traffic that is initiated from resources in your VPC. Before you integrate a service and an endpoint, review the service-specific VPC endpoint documentation for any service-specific configuration and limitations.

Contents

• Private DNS for interface endpoints (p. 4)

• Interface endpoint properties and limitations (p. 6)

• Connection to on-premises data centers (p. 7)

• Interface endpoint lifecycle (p. 7)

• Interface endpoint Availability Zone considerations (p. 7)

• View available AWS service names (p. 8)

• Create an interface endpoint (p. 9)

• View your interface endpoint (p. 12)

• Create and manage a notification for an interface endpoint (p. 13)

• Access a service through an interface endpoint (p. 14)

• Modify an interface endpoint (p. 14)

Private DNS for interface endpoints

Important

Private DNS is not supported for Amazon S3 interface endpoints.


When you create an interface endpoint, we generate endpoint-specific DNS hostnames that you can use to communicate with the service. For AWS services and AWS Marketplace Partner services, the private DNS option (turned on by default) associates a private hosted zone with your VPC. The hosted zone contains a record set for the default DNS name for the service (for example, ec2.us-east-1.amazonaws.com) that resolves to the private IP addresses of the endpoint network interfaces in your VPC. This allows you to make requests to the service using its default DNS hostname instead of the endpoint-specific DNS hostnames. For example, if your existing applications make requests to an AWS service, they can continue to make requests through the interface endpoint without requiring any configuration changes.

In the example shown in the following diagram, there is an interface endpoint for Amazon Kinesis Data Streams and an endpoint network interface in subnet 2. Private DNS for the interface endpoint is turned off. The route tables for the subnets have the following routes.

Subnet 1

    Destination      Target
    10.0.0.0/16      Local
    0.0.0.0/0        internet-gateway-id

Subnet 2

    Destination      Target
    10.0.0.0/16      Local

Instances in either subnet can send requests to Amazon Kinesis Data Streams through the interface endpoint using an endpoint-specific DNS hostname. Instances in subnet 1 can communicate with Amazon Kinesis Data Streams over public IP address space in the AWS Region using its default DNS name.

In the next diagram, private DNS for the endpoint is turned on. Instances in either subnet can send requests to Amazon Kinesis Data Streams through the interface endpoint using either the default DNS hostname or the endpoint-specific DNS hostname.


Important

To use private DNS, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. For more information, see Viewing and updating DNS support for your VPC. IAM users must have permission to work with hosted zones. For more information, see Authentication and Access Control for Route 53.
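The two diagrams are not reproduced here, so the following added example (not code from the guide) models them: the route tables above, an endpoint network interface in subnet 2, and name resolution with private DNS off and on, to show which path each subnet's requests take and that private DNS only counts once the endpoint option and both VPC attributes are true. The endpoint network interface address, the public service address, the endpoint-specific hostname and the default name kinesis.us-east-1.amazonaws.com are constructed or assumed.

```python
import ipaddress

# Constructed model of the two diagrams in this section: a 10.0.0.0/16 VPC, the route
# tables listed above, and a Kinesis Data Streams interface endpoint whose endpoint
# network interface sits in subnet 2. Addresses and the endpoint hostname are made up.
ROUTE_TABLES = {
    "subnet-1": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "internet-gateway-id")],
    "subnet-2": [("10.0.0.0/16", "local")],
}
ENDPOINT_ENI_IP = "10.0.2.15"        # private IP of the endpoint network interface (constructed)
SERVICE_PUBLIC_IP = "52.0.0.10"      # public address of the service (constructed)
DEFAULT_NAME = "kinesis.us-east-1.amazonaws.com"   # assumed default DNS name of the service
ENDPOINT_NAME = ("vpce-0123456789abcdef0-abcd1234"
                 ".kinesis.us-east-1.vpce.amazonaws.com")  # endpoint-specific name (constructed)


def private_dns_effective(endpoint_option, enable_dns_hostnames, enable_dns_support):
    """Private DNS only takes effect when the endpoint option is on AND both VPC
    attributes named in the Important note above are true."""
    return bool(endpoint_option and enable_dns_hostnames and enable_dns_support)


def resolve(hostname, private_dns):
    """Resolution as seen from inside the VPC: the endpoint-specific name always
    points at the endpoint ENI; the default name does so only with private DNS on."""
    if hostname == ENDPOINT_NAME:
        return ENDPOINT_ENI_IP
    if hostname == DEFAULT_NAME:
        return ENDPOINT_ENI_IP if private_dns else SERVICE_PUBLIC_IP
    raise ValueError(f"no record for {hostname}")


def route_target(subnet, dest_ip):
    """Longest-prefix match over the subnet's route table, as the VPC router does."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in ROUTE_TABLES[subnet]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def path(subnet, hostname, private_dns):
    """Where a request from an instance in `subnet` to `hostname` ends up:
    'interface-endpoint', 'internet-gateway-id', or 'unreachable'."""
    ip = resolve(hostname, private_dns)
    if ip == ENDPOINT_ENI_IP:
        return "interface-endpoint"      # local route to the ENI inside the VPC
    return route_target(subnet, ip) or "unreachable"


def audit(private_dns):
    """Path for every (subnet, hostname) pair: the table to inspect before deciding
    whether leaving private DNS off silently sends traffic over the public path."""
    return {(s, h): path(s, h, private_dns)
            for s in ROUTE_TABLES for h in (DEFAULT_NAME, ENDPOINT_NAME)}
```

With private DNS off, subnet 1 reaches the default name through the internet gateway and subnet 2 cannot reach it at all; with it on, every pair goes through the endpoint.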

Interface endpoint properties and limitations

To use interface endpoints, you need to be aware of their properties and current limitations:

• For each interface endpoint, you can choose only one subnet per Availability Zone.

• Services might not be available in all Availability Zones through an interface endpoint. To find out which Availability Zones are supported, use the describe-vpc-endpoint-services command or use the Amazon VPC console. For more information, see Create an interface endpoint (p. 9).

• When you create an interface endpoint, the endpoint is created in the Availability Zone that is mapped to your account and that is independent from other accounts. When the service provider and the consumer are in different accounts, see the section called “Interface endpoint Availability Zone considerations” (p. 7) for information about how to use Availability Zone IDs to identify the interface endpoint Availability Zone.

• When the service provider and the consumer have different accounts and use multiple Availability Zones, and the consumer views the VPC endpoint service information, the response only includes the common Availability Zones. For example, when the service provider account uses us-east-1a and us-east-1c and the consumer uses us-east-1a and us-east-1b, the response includes the VPC endpoint services in the common Availability Zone, us-east-1a.

• By default, each interface endpoint can support a bandwidth of up to 10 Gbps per Availability Zone and automatically scales up to 40 Gbps. If your application needs higher throughput per zone, contact AWS support.

• If the network ACL for your subnet restricts traffic, you might not be able to send traffic through the endpoint network interface. Ensure that you add appropriate rules that allow traffic to and from the CIDR block of the subnet.

• Ensure that the security group that's associated with the endpoint network interface allows communication between the endpoint network interface and the resources in your VPC that communicate with the service. To ensure that command line tools such as the AWS CLI can make requests over HTTPS from resources in the VPC to an AWS service, the security group must allow inbound HTTPS (port 443) traffic.

• An interface endpoint supports TCP traffic only.

• When you create an endpoint, you can attach an endpoint policy to it that controls access to the service to which you are connecting. For more information, see Policy Best Practices and the section called “Control access to services” (p. 36).

• Review the service-specific limits for your endpoint service.

• Participants cannot create Amazon Route53 Resolver endpoints in a VPC that they do not own. Only the VPC owner can create VPC-level resources such as inbound endpoints.

• Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.

• Endpoints support IPv4 traffic only.

• You cannot transfer an endpoint from one VPC to another, or from one service to another.

• You have a quota on the number of endpoints you can create per VPC. For more information, see AWS PrivateLink quotas (p. 81).
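Added here as a worked check (not code from the guide): given a security group in the shape `aws ec2 describe-security-groups` returns, it confirms inbound TCP 443 is reachable from the VPC CIDR used in this guide's diagrams (10.0.0.0/16), flags rules wider than the VPC, and flags UDP and IPv6 rules that an interface endpoint can never use; the sample group and its rules are constructed. It also returns the tightened rule in the structure `authorize-security-group-ingress --ip-permissions` accepts.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"   # VPC CIDR from this guide's private DNS diagrams

# Constructed sample in the shape of `aws ec2 describe-security-groups` output for the
# group attached to an endpoint network interface (group id from the guide's example).
SAMPLE_SG = {
    "GroupId": "sg-1a2b3c4d",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ],
}


def _covers_port(rule, port):
    """"-1" means all protocols and ports; otherwise the rule must be TCP and span `port`."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]


def audit_endpoint_sg(sg, vpc_cidr=VPC_CIDR, port=443):
    """Return (ok, findings). ok is True when inbound TCP `port` is allowed from inside
    the VPC (by CIDR or by a source security group); findings list dead or over-wide rules."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, reachable = [], False
    for rule in sg["IpPermissions"]:
        proto = rule["IpProtocol"]
        if proto not in ("tcp", "-1"):
            findings.append(f"{proto} rule is never used: interface endpoints carry TCP only")
        for r6 in rule.get("Ipv6Ranges", []):
            findings.append(f"IPv6 source {r6['CidrIpv6']} is never used: endpoints are IPv4 only")
        if not _covers_port(rule, port):
            continue
        if rule.get("UserIdGroupPairs"):
            reachable = True                 # source is a security group inside the VPC
        for r4 in rule.get("IpRanges", []):
            src = ipaddress.ip_network(r4["CidrIp"])
            if src.overlaps(vpc):
                reachable = True
                if not src.subnet_of(vpc):
                    findings.append(f"TCP {port} open to {src}, wider than the VPC {vpc}; "
                                    "scope it to the VPC CIDR or a source security group")
    if not reachable:
        findings.append(f"no inbound TCP {port} from the VPC: HTTPS calls through the "
                        "endpoint network interface will fail")
    return reachable, findings


def hardened_ingress(vpc_cidr=VPC_CIDR, port=443):
    """The minimal rule: TCP `port` from the VPC CIDR only. json.dumps() this list to
    pass it as `aws ec2 authorize-security-group-ingress --ip-permissions`."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": vpc_cidr}]}]
```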

Connection to on-premises data centers

You can use the following types of connections for a connection between an interface endpoint and your on-premises data center:

• AWS Direct Connect

• AWS Site-to-Site VPN

Interface endpoint lifecycle

An interface endpoint goes through various stages starting from when you create it (the endpoint connection request). At each stage, there might be actions that the service consumer and service provider can take.

The following rules apply:

• A service provider can configure their service to accept interface endpoint requests automatically or manually. AWS services and AWS Marketplace services generally accept all endpoint requests automatically.

• A service provider cannot delete an interface endpoint to their service. Only the service consumer that requested the interface endpoint connection can delete the interface endpoint.

• A service provider can reject the interface endpoint after it has been accepted (either manually or automatically) and is in the available state.

Interface endpoint Availability Zone considerations

When you create an interface endpoint, the endpoint is created in the Availability Zone that is mapped to your account and that is independent from other accounts. When the service provider and the consumer are in different accounts, use the Availability Zone ID to uniquely and consistently identify the interface endpoint Availability Zone. For example, use1-az1 is an Availability Zone ID for the us-east-1 Region and maps to the same location in every AWS account. For information about Availability Zone IDs, see AZ IDs for Your Resources in the AWS RAM User Guide or use describe-availability-zones.


Services might not be available in all Availability Zones through an interface endpoint. You can use any of the following operations to find out which Availability Zones are supported for a service:

• describe-vpc-endpoint-services (AWS CLI)

• DescribeVpcEndpointServices (API)

• The Amazon VPC console when you create an interface endpoint. For more information, see the section called “Create an interface endpoint” (p. 9).

View available AWS service names

When you use the Amazon VPC console to create an endpoint, you can get a list of available AWS service names.

When you use the AWS CLI to create an endpoint, you can use the describe-vpc-endpoint-services command to view the service names, and then create the endpoint using the create-vpc-endpoint command.

Console

To view available AWS services using the console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints, Create Endpoint.

3. In the Service Name section, the available services are listed.

Command line

To view available AWS services using the AWS CLI

• Use the describe-vpc-endpoint-services command to get a list of available services to which you can connect. The ServiceType field indicates whether you connect to the service via an interface or gateway endpoint. The ServiceName field provides the name of the service. The following example lists the names and owners of all the interface endpoints.

aws ec2 describe-vpc-endpoint-services --filter "Name=service-type,Values=Interface" --query "ServiceDetails[*].[ServiceName, Owner]" --output table

------------------------------------------------------
|              DescribeVpcEndpointServices           |
+-------------------------------------------+--------+
|  aws.sagemaker.us-west-2.notebook         | amazon |
|  aws.sagemaker.us-west-2.studio           | amazon |
|  com.amazonaws.us-west-2.access-analyzer  | amazon |
|  com.amazonaws.us-west-2.acm-pca          | amazon |
...

To view available AWS services using the AWS Tools for Windows PowerShell

• Get-EC2VpcEndpointService

To view available AWS services using the API

• DescribeVpcEndpointServices


Create an interface endpoint

To create an interface endpoint, you must specify the VPC in which to create the interface endpoint, and the service to which to establish the connection.

For AWS services, or AWS Marketplace Partner services, you can optionally turn on private DNS (p. 4) for the endpoint so that you can make requests to the service using its default DNS hostname.

Important

Private DNS is turned on by default for endpoints created for AWS services and AWS Marketplace Partner services.

Console

To create an interface endpoint to an AWS service using the console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints, Create Endpoint.

3. For Service category, ensure that AWS services is selected.

4. For Service Name, choose the service to which to connect. For Type, ensure that it indicates Interface.

5. Complete the following information and then choose Create endpoint.

• For VPC, select a VPC in which to create the endpoint.

• For Subnets, select the subnets (Availability Zones) in which to create the endpoint network interfaces.

Not all Availability Zones may be supported for all AWS services.

• To turn on private DNS for the interface endpoint, for Enable DNS Name, select the check box.

Important

Private DNS is not supported for Amazon S3 interface endpoints.

This option is turned on by default. To use the private DNS option, the following attributes of your VPC must be set to true: enableDnsHostnames and enableDnsSupport. For more information, see Viewing and updating DNS support for your VPC.

• For Security group, select the security groups to associate with the endpoint network interfaces.

• (Optional) Add or remove a tag.

[Add a tag] Choose Add tag and do the following:

• For Key, enter the key name.

• For Value, enter the key value.

[Remove a tag] Choose the delete button (“x”) to the right of the tag’s Key and Value.

To create an interface endpoint to an endpoint service, you must have the name of the service to which to connect. The service provider can provide you with the name.

To create an interface endpoint to an endpoint service

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints, Create Endpoint.

3. For Service category, choose Find service by name.


4. For Service Name, enter the name of the service (for example, com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc) and choose Verify.

5. Complete the following information and then choose Create endpoint.

• For VPC, select a VPC in which to create the endpoint.

• For Subnets, select the subnets (Availability Zones) in which to create the endpoint network interfaces.

Not all Availability Zones may be supported for the service.

• For Security group, select the security groups to associate with the endpoint network interfaces.

• (Optional) Add or remove a tag.

[Add a tag] Choose Add tag and do the following:

• For Key, enter the key name.

• For Value, enter the key value.

[Remove a tag] Choose the delete button (“x”) to the right of the tag’s Key and Value.

To create an interface endpoint to an AWS Marketplace partner service

1. Go to the PrivateLink page in AWS Marketplace and subscribe to a service from a software as a service (SaaS) provider. Services that support interface endpoints include an option to connect via an endpoint.

2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

3. In the navigation pane, choose Endpoints, Create Endpoint.

4. For Service category, choose Your AWS Marketplace services.

5. Choose the AWS Marketplace service to which you've subscribed.

6. Complete the following information and then choose Create endpoint.

• For VPC, select a VPC in which to create the endpoint.

• For Subnets, select the subnets (Availability Zones) in which to create the endpoint network interfaces.

Not all Availability Zones may be supported for the service.

• For Security group, select the security groups to associate with the endpoint network interfaces.

• (Optional) Add or remove a tag.

[Add a tag] Choose Add tag and do the following:

• For Key, enter the key name.

• For Value, enter the key value.

[Remove a tag] Choose the delete button (“x”) to the right of the tag’s Key and Value.

Command line

To create an interface endpoint using the AWS CLI

1. Use the describe-vpc-endpoint-services command to get a list of available services. In the output that's returned, take note of the name of the service to which to connect. The ServiceType field indicates whether you connect to the service via an interface or gateway endpoint.


2. To create an interface endpoint, use the create-vpc-endpoint command and specify the VPC ID, type of VPC endpoint (interface), service name, subnets that will use the endpoint, and security groups to associate with the endpoint network interfaces.

The following example creates an interface endpoint to the Elastic Load Balancing service.

aws ec2 create-vpc-endpoint --vpc-id vpc-ec43eb89 --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.elasticloadbalancing --subnet-id subnet-abababab --security-group-id sg-1a2b3c4d

{
    "VpcEndpoint": {
        "PolicyDocument": "{\n  \"Statement\": [\n    {\n      \"Action\": \"*\", \n      \"Effect\": \"Allow\", \n      \"Principal\": \"*\", \n      \"Resource\": \"*\"\n    }\n  ]\n}",
        "VpcId": "vpc-ec43eb89",
        "NetworkInterfaceIds": [
            "eni-bf8aa46b"
        ],
        "SubnetIds": [
            "subnet-abababab"
        ],
        "PrivateDnsEnabled": true,
        "State": "pending",
        "ServiceName": "com.amazonaws.us-east-1.elasticloadbalancing",
        "RouteTableIds": [],
        "Groups": [
            {
                "GroupName": "default",
                "GroupId": "sg-1a2b3c4d"
            }
        ],
        "VpcEndpointId": "vpce-088d25a4bbf4a7abc",
        "VpcEndpointType": "Interface",
        "CreationTimestamp": "2017-09-05T20:14:41.240Z",
        "DnsEntries": [
            {
                "HostedZoneId": "Z7HUB22UULQXV",
                "DnsName": "vpce-088d25a4bbf4a7abc-ks83awe7.elasticloadbalancing.us-east-1.vpce.amazonaws.com"
            },
            {
                "HostedZoneId": "Z7HUB22UULQXV",
                "DnsName": "vpce-088d25a4bbf4a7abc-ks83awe7-us-east-1a.elasticloadbalancing.us-east-1.vpce.amazonaws.com"
            },
            {
                "HostedZoneId": "Z1K56Z6FNPJRR",
                "DnsName": "elasticloadbalancing.us-east-1.amazonaws.com"
            }
        ]
    }
}

Alternatively, the following example creates an interface endpoint to an endpoint service in another account (the service provider provides you with the name of the endpoint service).

aws ec2 create-vpc-endpoint --vpc-id vpc-ec43eb89 --vpc-endpoint-type Interface --service-name com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc --subnet-id subnet-abababab --security-group-id sg-1a2b3c4d
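A parser for the create-vpc-endpoint output shown above, added here as an example and not part of the guide: it decodes the PolicyDocument string (JSON embedded in JSON), recognises the allow-all policy the endpoint received because no --policy-document was supplied, separates the endpoint-specific DNS names from the service's default name, and builds a narrower policy. The sample output is reconstructed from the guide's example; the aws:PrincipalAccount scoping and the action list in scoped_policy are an assumed pattern, not the guide's recommendation.

```python
import json

# Reconstructed from the create-vpc-endpoint output shown above (ids as in the guide);
# stands in for what `aws ec2 create-vpc-endpoint ... --output json` prints.
CREATE_OUTPUT = r'''{
  "VpcEndpoint": {
    "PolicyDocument": "{\n  \"Statement\": [\n    {\n      \"Action\": \"*\", \n      \"Effect\": \"Allow\", \n      \"Principal\": \"*\", \n      \"Resource\": \"*\"\n    }\n  ]\n}",
    "VpcId": "vpc-ec43eb89",
    "ServiceName": "com.amazonaws.us-east-1.elasticloadbalancing",
    "PrivateDnsEnabled": true,
    "State": "pending",
    "VpcEndpointId": "vpce-088d25a4bbf4a7abc",
    "DnsEntries": [
      {"HostedZoneId": "Z7HUB22UULQXV",
       "DnsName": "vpce-088d25a4bbf4a7abc-ks83awe7.elasticloadbalancing.us-east-1.vpce.amazonaws.com"},
      {"HostedZoneId": "Z7HUB22UULQXV",
       "DnsName": "vpce-088d25a4bbf4a7abc-ks83awe7-us-east-1a.elasticloadbalancing.us-east-1.vpce.amazonaws.com"},
      {"HostedZoneId": "Z1K56Z6FNPJRR",
       "DnsName": "elasticloadbalancing.us-east-1.amazonaws.com"}
    ]
  }
}'''


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_wild(v):
    """Wildcard principal/action/resource: "*", a list containing "*", or {"AWS": "*"}."""
    if isinstance(v, dict):
        v = v.get("AWS", [])
    return "*" in _as_list(v)


def endpoint_policy(output):
    """PolicyDocument is a JSON document embedded as a string inside the JSON output."""
    return json.loads(json.loads(output)["VpcEndpoint"]["PolicyDocument"])


def is_allow_all(policy):
    """True when an unconditioned Allow statement has wildcard Principal, Action and
    Resource, i.e. the default policy an endpoint gets when none is supplied."""
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Effect") == "Allow" and not s.get("Condition") and all(
                _is_wild(s.get(k)) for k in ("Principal", "Action", "Resource")):
            return True
    return False


def dns_names(output):
    """Split DnsEntries into endpoint-specific names (*.vpce.amazonaws.com) and the
    service's default name, which private DNS now resolves to the endpoint."""
    entries = json.loads(output)["VpcEndpoint"]["DnsEntries"]
    specific = [e["DnsName"] for e in entries if e["DnsName"].endswith(".vpce.amazonaws.com")]
    default = [e["DnsName"] for e in entries if not e["DnsName"].endswith(".vpce.amazonaws.com")]
    return specific, default


def scoped_policy(account_id, actions):
    """Narrower policy to json.dumps() into --policy-document (assumed pattern, not the
    guide's): only principals from `account_id`, only the listed actions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": list(actions), "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}}}]}
```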


In the output that's returned, take note of the privateDnsNames fields. You can use these DNS names to access the AWS service.

To describe available services and create a VPC endpoint using the AWS Tools for Windows PowerShell

• Get-EC2VpcEndpointService

• New-EC2VpcEndpoint

To describe available services and create a VPC endpoint using the API

• DescribeVpcEndpointServices

• CreateVpcEndpoint

View your interface endpoint

After you've created an interface endpoint, you can view information about it.

Console

To view information about an interface endpoint using the console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints and select your interface endpoint.

3. To view information about the interface endpoint, choose Details. The DNS Names field displays the DNS names to use to access the service.

4. To view the subnets in which the interface endpoint has been created, and the ID of the endpoint network interface in each subnet, choose Subnets.

5. To view the security groups that are associated with the endpoint network interface, choose Security Groups.

Command line

To describe your interface endpoint using the AWS CLI

• You can describe your endpoint using the describe-vpc-endpoints command.

aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-088d25a4bbf4a7abc

To describe your VPC endpoints using the AWS Tools for PowerShell or API

• Get-EC2VpcEndpoint (Tools for Windows PowerShell)

• DescribeVpcEndpoints (Amazon EC2 Query API)


Create and manage a notification for an interface endpoint

You can create a notification to receive alerts for specific events that occur on your interface endpoint.

For example, you can receive an email when the interface endpoint is accepted by the service provider. To create a notification, you must associate an Amazon SNS topic with the notification. You can subscribe to the SNS topic to receive an email notification when an endpoint event occurs.

The Amazon SNS topic that you use for notifications must have a topic policy that allows Amazon's VPC endpoint service to publish notifications on your behalf. Ensure that you include the following statement in your topic policy. For more information, see Identity and Access Management in Amazon SNS in the Amazon Simple Notification Service Developer Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpce.amazonaws.com"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:region:account:topic-name"
        }
    ]
}

Command line

To create and manage a notification using the AWS CLI

1. To create a notification for an interface endpoint, use the create-vpc-endpoint-connection-notification command. Specify the ARN of the SNS topic, the events for which to be notified, and the ID of the endpoint, as shown in the following example.

aws ec2 create-vpc-endpoint-connection-notification --connection-notification-arn arn:aws:sns:us-east-2:123456789012:EndpointNotification --connection-events Accept Reject --vpc-endpoint-id vpce-123abc3420c1931d7

2. To view your notifications, use the describe-vpc-endpoint-connection-notifications command.

aws ec2 describe-vpc-endpoint-connection-notifications

3. To change the SNS topic or endpoint events for the notification, use the modify-vpc-endpoint-connection-notification command.

aws ec2 modify-vpc-endpoint-connection-notification --connection-notification-id vpce-nfn-008776de7e03f5abc --connection-events Accept --connection-notification-arn arn:aws:sns:us-east-2:123456789012:mytopic

4. To delete a notification, use the delete-vpc-endpoint-connection-notifications command.

aws ec2 delete-vpc-endpoint-connection-notifications --connection-notification-ids vpce-nfn-008776de7e03f5abc

Access a service through an interface endpoint

After you've created an interface endpoint, you can submit requests to the supported service via an endpoint URL. You can use the following:

• If you have turned on private DNS for the endpoint (a private hosted zone; applicable to AWS services and AWS Marketplace Partner services only), the default DNS hostname for the AWS service for the Region. For example, ec2.us-east-1.amazonaws.com.

Important

Private DNS is not supported for Amazon S3 interface endpoints.

• The endpoint-specific Regional DNS hostname that we generate for the interface endpoint. The hostname includes a unique endpoint identifier, service identifier, the Region, and vpce.amazonaws.com in its name. For example, vpce-0fe5b17a0707d6abc-29p5708s.ec2.us-east-1.vpce.amazonaws.com.

• The endpoint-specific zonal DNS hostname that we generate for each Availability Zone in which the endpoint is available. The hostname includes the Availability Zone in its name. For example, vpce-0fe5b17a0707d6abc-29p5708s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com.

You might use this option if your architecture isolates Availability Zones (for example, for fault containment or to reduce Regional data transfer costs).

A request to the zonal DNS hostname is destined to the corresponding Availability Zone location in the service provider's account, which might not have the same Availability Zone name as your account. For more information, see Region and Availability Zone Concepts.

• The private IP address of the endpoint network interface in the VPC.

To get the Regional and zonal DNS names, see View your interface endpoint (p. 12).

For example, in a subnet in which you have an interface endpoint to Elastic Load Balancing and for which you have not turned on the private DNS option, use the following AWS CLI command from an instance to describe your load balancers. The command uses the endpoint-specific Regional DNS hostname to make the request using the interface endpoint.

aws elbv2 describe-load-balancers --endpoint-url https://vpce-0f89a33420c193abc-bluzidnv.elasticloadbalancing.us-east-1.vpce.amazonaws.com/

If you turn on the private DNS option, you do not have to specify the endpoint URL in the request. The AWS CLI uses the default endpoint for the AWS service for the Region (elasticloadbalancing.us-east-1.amazonaws.com).
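The three hostname forms listed above follow a fixed layout, which makes it possible to tell from a client configuration or a DNS log whether a caller is using the Regional name, a zonal name, or the service's default name. The following parser is an added example, not code from the AWS guide; the regular expressions are my own reading of the hostname examples on this page, and the hostnames in the comments are the ones the page shows.

```python
import re
from typing import Optional

# Region names such as us-east-1 or us-gov-west-1; an AZ name is a Region plus a letter.
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"

# Endpoint-specific hostnames:
#   <endpoint-id>-<suffix>.<service>.<region>.vpce.amazonaws.com          (Regional)
#   <endpoint-id>-<suffix>-<az>.<service>.<region>.vpce.amazonaws.com     (zonal)
_ENDPOINT_RE = re.compile(
    rf"^(?P<endpoint_id>vpce-[0-9a-f]+)-(?P<suffix>[a-z0-9]+)(?:-(?P<az>{_REGION}[a-z]))?"
    rf"\.(?P<service>[a-z0-9.-]+?)\.(?P<region>{_REGION})\.vpce\.amazonaws\.com$"
)
# Default service hostname that private DNS maps onto the endpoint: <service>.<region>.amazonaws.com
_SERVICE_RE = re.compile(rf"^(?P<service>[a-z0-9.-]+?)\.(?P<region>{_REGION})\.amazonaws\.com$")


def parse_endpoint_hostname(hostname: str) -> Optional[dict]:
    """Classify a hostname as 'zonal', 'regional' or 'service' and extract its parts.

    Returns None for hostnames in neither form (for example, a non-AWS name).
    """
    hostname = hostname.rstrip(".").lower()
    m = _ENDPOINT_RE.match(hostname)
    if m:
        return {
            "kind": "zonal" if m.group("az") else "regional",
            "endpoint_id": m.group("endpoint_id"),
            "service": m.group("service"),
            "region": m.group("region"),
            "az": m.group("az"),
        }
    m = _SERVICE_RE.match(hostname)
    if m:
        return {"kind": "service", "endpoint_id": None, "service": m.group("service"),
                "region": m.group("region"), "az": None}
    return None


def targets_local_zone(hostname: str, my_az: str) -> Optional[bool]:
    """True/False if hostname is a zonal name for/not for my_az; None if it is not zonal.

    This compares AZ names as they appear in the hostname. As the text notes, the
    provider's AZ name can differ from yours, so a cross-account comparison
    needs AZ IDs rather than names.
    """
    parsed = parse_endpoint_hostname(hostname)
    if not parsed or parsed["kind"] != "zonal":
        return None
    return parsed["az"] == my_az.lower()


if __name__ == "__main__":
    for name in [
        "vpce-0fe5b17a0707d6abc-29p5708s.ec2.us-east-1.vpce.amazonaws.com",
        "vpce-0fe5b17a0707d6abc-29p5708s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com",
        "ec2.us-east-1.amazonaws.com",
    ]:
        print(name, "->", parse_endpoint_hostname(name))
```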

Modify an interface endpoint

You can modify the following attributes of an interface endpoint:

• The subnet in which the interface endpoint is located

• The security groups that are associated with the endpoint network interface

• The tags

• The private DNS option

Note

When you turn on private DNS, it might take a few minutes for the private IP addresses to become available.

• The endpoint policy (if supported by the service)

If you remove a subnet for the interface endpoint, the corresponding endpoint network interface in the subnet is deleted.

Console

To change the subnets for an interface endpoint

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints and select the interface endpoint.

3. Choose Actions, Manage Subnets.

4. Select or deselect the subnets as required, and choose Modify Subnets.

To add or remove the security groups associated with an interface endpoint

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints and select the interface endpoint.

3. Choose Actions, Manage security groups.

4. Select or deselect the security groups as required, and choose Save.

To add or remove an interface endpoint tag

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints.

3. Select the interface endpoint and choose Actions, Add/Edit Tags.

4. Add or remove a tag.

[Add a tag] Choose Create tag and do the following:

• For Key, enter the key name.

• For Value, enter the key value.

[Remove a tag] Choose the delete button (“x”) to the right of the tag’s Key and Value.

To modify the private DNS option

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints and select the interface endpoint.

3. Choose Actions, Modify Private DNS names.

4. Set the option as required, and choose Modify Private DNS names.

To update the endpoint policy

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints and select the interface endpoint.

3. Choose Actions, Edit policy.

4. Choose Full Access to allow full access to the service, or choose Custom and specify a custom policy. Choose Save.

Command line

To modify a VPC endpoint using the AWS CLI

1. Use the describe-vpc-endpoints command to get the ID of your interface endpoint.

aws ec2 describe-vpc-endpoints

2. The following example uses the modify-vpc-endpoint command to add subnet subnet-aabb1122 to the interface endpoint.

aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-0fe5b17a0707d6abc --add-subnet-id subnet-aabb1122

To modify a VPC endpoint using the AWS Tools for Windows PowerShell or an API

• Edit-EC2VpcEndpoint (AWS Tools for Windows PowerShell)

• ModifyVpcEndpoint (Amazon EC2 Query API)

To add or remove a VPC endpoint tag using the AWS Tools for Windows PowerShell or an API

• tag-resource (AWS CLI)

• TagResource (AWS Tools for Windows PowerShell)

• untag-resource (AWS CLI)

• TagResource (AWS Tools for Windows PowerShell)

Gateway Load Balancer endpoints (AWS PrivateLink)

A Gateway Load Balancer endpoint enables you to intercept traffic and route it to a service that you've configured using Gateway Load Balancers, for example, for security inspection. The owner of the service is the service provider, and you, as the principal creating the Gateway Load Balancer endpoint, are the service consumer.

The following are the general steps for setting up a Gateway Load Balancer endpoint:

1. Ensure that a Gateway Load Balancer endpoint service is configured. For more information, see VPC endpoint services for Gateway Load Balancer endpoints (p. 43).

2. Choose the VPC in which to create the Gateway Load Balancer endpoint, and provide the name of the service.

3. Choose a subnet in your VPC to use the Gateway Load Balancer endpoint. We create an endpoint network interface in the subnet. An endpoint network interface is assigned a private IP address from the IP address range of your subnet, and keeps this IP address until the Gateway Load Balancer endpoint is deleted.

Note

An endpoint network interface is a requester-managed network interface. You can view it in your account, but you cannot manage it yourself. For more information, see Requester-managed network interfaces.

4. After you create the Gateway Load Balancer endpoint, it's available to use when it's accepted by the service provider. The service provider can configure the service to accept requests automatically or manually.

5. Configure your subnet route table and gateway route table to point traffic to the Gateway Load Balancer endpoint. For more information, see Routing to a Gateway Load Balancer endpoint in the Amazon VPC User Guide.

Contents

• Gateway Load Balancer endpoint properties and limitations (p. 17)

• Gateway Load Balancer endpoint lifecycle (p. 18)

• Pricing for Gateway Load Balancer endpoints (p. 18)

• Create a Gateway Load Balancer endpoint (p. 18)

• View your Gateway Load Balancer endpoint (p. 19)

• Add or remove tags for a Gateway Load Balancer endpoint (p. 19)

Gateway Load Balancer endpoint properties and limitations

To use a Gateway Load Balancer endpoint, be aware of the following:

• For each Gateway Load Balancer endpoint, you can choose only one Availability Zone (subnet) in your VPC. You cannot change the subnet later. To use a Gateway Load Balancer endpoint in a different subnet, create a new Gateway Load Balancer endpoint in that subnet. You can create a single Gateway Load Balancer endpoint per Availability Zone for a service, but only for the Availability Zones that the Gateway Load Balancer supports.

• Each Gateway Load Balancer endpoint supports a maximum bandwidth of up to 40 Gbps.

• If the network ACL for your subnet restricts traffic, you might not be able to send traffic through the Gateway Load Balancer endpoint. Ensure that you add appropriate rules that allow traffic to and from the CIDR block of the subnet.

• Security groups are not supported.

• Endpoint policies are not supported.

• A service might not be available in all Availability Zones through a Gateway Load Balancer endpoint. To find out which Availability Zones are supported, use the describe-vpc-endpoint-services command or use the Amazon VPC console. For more information, see Create a Gateway Load Balancer endpoint (p. 18).

• When you create a Gateway Load Balancer endpoint, the endpoint is created in the Availability Zone that is mapped to your account and that is independent from other accounts. When the service provider and the consumer are in different accounts, use the Availability Zone ID to uniquely and consistently identify the endpoint Availability Zone. For example, use1-az1 is an Availability Zone ID for the us-east-1 Region and maps to the same location in every AWS account. For information about Availability Zone IDs, see AZ IDs for Your Resources in the AWS RAM User Guide or use describe-availability-zones.

• To keep traffic within the same Availability Zone, we recommend that you create a Gateway Load Balancer endpoint in each Availability Zone that you will send traffic to.

• Network Load Balancer client IP preservation is not supported when traffic is routed through a Gateway Load Balancer endpoint, even if the target is in the same VPC as the Network Load Balancer.

• Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.

• Endpoints support IPv4 traffic only.

• You cannot transfer an endpoint from one VPC to another, or from one service to another.

• You have a quota on the number of endpoints you can create per VPC. For more information, see AWS PrivateLink quotas (p. 81).

Gateway Load Balancer endpoint lifecycle

A Gateway Load Balancer endpoint goes through various stages, starting from when you create it (the endpoint connection request). At each stage, there might be actions that the service consumer and service provider can take.

The following rules apply:

• A service provider can configure their service to accept Gateway Load Balancer endpoint requests automatically or manually.

• A service provider cannot delete a Gateway Load Balancer endpoint to their service. Only the service consumer that requested the connection can delete the Gateway Load Balancer endpoint.

• A service provider can reject the Gateway Load Balancer endpoint after it has been accepted and is in the available state.

Pricing for Gateway Load Balancer endpoints

You are charged for creating and using a Gateway Load Balancer endpoint to a service. Hourly usage rates and data processing rates apply. For more information, see AWS PrivateLink Pricing. You can view the total number of Gateway Load Balancer endpoints using the Amazon VPC console or the AWS CLI.

Create a Gateway Load Balancer endpoint

To create a Gateway Load Balancer endpoint, you must specify the VPC in which to create the endpoint, and the service to which to establish the connection.

Console

To create a Gateway Load Balancer endpoint

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints, Create Endpoint.

3. For Service category, choose Find service by name.

4. For Service Name, enter the name of the service and choose Verify.

5. Complete the following information and then choose Create endpoint.

• For VPC, select a VPC in which to create the endpoint.

• For Subnets, select the subnet (Availability Zone) in which to create the Gateway Load Balancer endpoint.

• (Optional) To add a tag, choose Add tag and then specify a key and value for the tag.

Command line

To create a Gateway Load Balancer endpoint using the AWS CLI

Use the create-vpc-endpoint command and specify the VPC ID, type of VPC endpoint (Gateway Load Balancer), service name, and the subnet in which to create the Gateway Load Balancer endpoint.

aws ec2 create-vpc-endpoint --vpc-endpoint-type GatewayLoadBalancer --vpc-id vpc-id --subnet-ids subnet-id --service-name gateway-load-balancer-service-name

To create a VPC endpoint using the AWS Tools for Windows PowerShell or API

• New-EC2VpcEndpoint

• CreateVpcEndpoint

View your Gateway Load Balancer endpoint

After you've created a Gateway Load Balancer endpoint, you can view information about it.

Console

To view information about a Gateway Load Balancer endpoint using the console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints and select your Gateway Load Balancer endpoint.

3. Choose Details.

4. To view the subnet in which the Gateway Load Balancer endpoint has been created, and the ID of the endpoint network interface, choose Subnets.

Command line

To describe your Gateway Load Balancer endpoint using a command line tool or API

• describe-vpc-endpoints (AWS CLI)

• Get-EC2VpcEndpoint (Tools for Windows PowerShell)

• DescribeVpcEndpoints (Amazon EC2 Query API)

Add or remove tags for a Gateway Load Balancer endpoint

You can add or remove the tags for your Gateway Load Balancer endpoint.

Console

To add or remove a tag

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Endpoints.

3. Select the Gateway Load Balancer endpoint and choose Actions, Add/Edit Tags.

4. Add or remove a tag.

[Add a tag] Choose Create tag and do the following:

• For Key, enter the key name.

• For Value, enter the key value.

[Remove a tag] Choose the delete button (“x”) to the right of the tag’s Key and Value.

Command line

To add or remove tags using a command line tool or an API

• Use create-tags and delete-tags. (AWS CLI)

• Use New-EC2Tag and Remove-EC2Tag (AWS Tools for Windows PowerShell)

• Use CreateTags and DeleteTags. (Amazon EC2 Query API)

Gateway VPC endpoints

Gateway endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Gateway endpoints do not enable AWS PrivateLink.

To create and set up a gateway endpoint, follow these general steps:

1. Specify the VPC in which to create the endpoint, and the service to which you're connecting. A service is identified by an AWS managed prefix list—the name and ID of a service for a Region. An AWS prefix list ID uses the form pl-xxxxxxx and an AWS prefix list name uses the form "com.amazonaws.region.service". Use the AWS prefix list name (service name) to create an endpoint.

2. Attach an endpoint policy to your endpoint that allows access to some or all of the service to which you're connecting. For more information, see Use VPC endpoint policies (p. 36).

3. Specify one or more route tables in which to create routes to the service. Route tables control the routing of traffic between your VPC and the other service. Each subnet that's associated with one of these route tables has access to the endpoint, and traffic from instances in these subnets to the service is then routed through the endpoint.

In the following diagram, instances in subnet 2 can access Amazon S3 through the gateway endpoint.

You can create multiple endpoints in a single VPC, for example, to multiple services. You can also create multiple endpoints for a single service, and use different route tables to enforce different access policies from different subnets to the same service.

After you've created an endpoint, you can modify the endpoint policy that's attached to your endpoint, and add or remove the route tables that are used by the endpoint.

Contents

• Pricing for gateway endpoints (p. 21)

• Routing for gateway endpoints (p. 21)

• Gateway endpoint limitations (p. 23)

• Endpoints for Amazon S3 (p. 23)

• Endpoints for Amazon DynamoDB (p. 30)

• Create a gateway endpoint (p. 32)

• Modify your security group (p. 34)

• Modify a gateway endpoint (p. 35)

• Add or remove gateway endpoint tags (p. 35)

Pricing for gateway endpoints

There is no additional charge for using gateway endpoints. Standard charges for data transfer and resource usage apply. For more information about pricing, see Amazon EC2 Pricing.

Routing for gateway endpoints

When you create or modify an endpoint, you specify the VPC route tables that are used to access the service via the endpoint. A route is automatically added to each of the route tables with a destination that specifies the AWS prefix list ID of the service (pl-xxxxxxxx), and a target with the endpoint ID (vpce-xxxxxxxx); for example:

Destination      Target
10.0.0.0/16      Local
pl-1a2b3c4d      vpce-11bb22cc

The prefix list ID logically represents the range of public IP addresses used by the service. All instances in subnets associated with the specified route tables automatically use the endpoint to access the service.

Subnets that are not associated with the specified route tables do not use the endpoint. This allows you to keep resources in other subnets separate from your endpoint.

To view the current public IP address range for a service, you can use the describe-prefix-lists command.

Note

The range of public IP addresses for a service may change from time to time. Consider the implications before you make routing or other decisions based on the current IP address range for a service.

The following rules apply:

• You can have multiple endpoint routes to different services in a route table, and you can have multiple endpoint routes to the same service in different route tables. But you cannot have multiple endpoint routes to the same service in a single route table. For example, if you create two endpoints to Amazon S3 in your VPC, you cannot create endpoint routes for both endpoints in the same route table.

• You cannot explicitly add, modify, or delete an endpoint route in your route table by using the route table APIs, or by using the Route Tables page in the Amazon VPC console. You can only add an endpoint route by associating a route table with an endpoint. To change the route tables that are associated with your endpoint, you can modify the endpoint (p. 35).

• An endpoint route is automatically deleted when you remove the route table association from the endpoint (by modifying the endpoint), or when you delete your endpoint.

We use the most specific route that matches the traffic to determine how to route the traffic (longest prefix match). If you have an existing route in your route table for all internet traffic (0.0.0.0/0) that points to an internet gateway, the endpoint route takes precedence for all traffic destined for the service, because the IP address range for the service is more specific than 0.0.0.0/0. All other internet traffic goes to your internet gateway, including traffic that's destined for the service in other Regions.

However, if you have existing, more specific routes to IP address ranges that point to an internet gateway or a NAT device, those routes take precedence. If you have existing routes destined for an IP address range that is identical to the IP address range used by the service, then your routes take precedence.

Example: An endpoint route in a route table

In this scenario, you have an existing route in your route table for all internet traffic (0.0.0.0/0) that points to an internet gateway. Any traffic from the subnet that's destined for another AWS service uses the internet gateway.

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        igw-1a2b3c4d

You create an endpoint to a supported AWS service, and associate your route table with the endpoint. An endpoint route is automatically added to the route table, with a destination of pl-1a2b3c4d (assume this represents the service to which you've created the endpoint). Now, any traffic from the subnet that's destined for that AWS service in the same Region goes to the endpoint, and does not go to the internet gateway. All other internet traffic goes to your internet gateway, including traffic that's destined for other services, and destined for the AWS service in other Regions.

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        igw-1a2b3c4d
pl-1a2b3c4d      vpce-11bb22cc

Example: Adjusting your route tables for endpoints

In this scenario, 54.123.165.0/24 is in the Amazon S3 IP address range and you configured your route table to allow instances in your subnet to communicate with Amazon S3 buckets through an internet gateway. You've added a route with 54.123.165.0/24 as a destination, and the internet gateway as the target. You then create an endpoint, and associate this route table with the endpoint. An endpoint route is automatically added to the route table. You then use the describe-prefix-lists command to view the IP address range for Amazon S3. The range is 54.123.160.0/19, which is less specific than the range that's pointing to your internet gateway. This means that any traffic destined for the 54.123.165.0/24 IP address range continues to use the internet gateway, and does not use the endpoint (for as long as this remains the public IP address range for Amazon S3).

Destination      Target
10.0.0.0/16      Local
54.123.165.0/24  igw-1a2b3c4d
pl-1a2b3c4d      vpce-11bb22cc

To ensure that all traffic destined for Amazon S3 in the same Region is routed via the endpoint, you must adjust the routes in your route table. To do this, you can delete the route to the internet gateway. Now, all traffic to Amazon S3 in the same Region uses the endpoint, and the subnet that's associated with your route table is a private subnet.

Destination      Target
10.0.0.0/16      Local
pl-1a2b3c4d      vpce-11bb22cc
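The two scenarios above come down to longest prefix match over a table in which one destination is a prefix list rather than a single CIDR. The following simulation is an added example and not code from the AWS guide: it replays the route tables shown in this section and adds a check that reports any route more specific than the service's range that still sends service traffic to an internet gateway or NAT device. The prefix list contents are constructed from the page's own values (pl-1a2b3c4d standing for 54.123.160.0/19).

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination, target) exactly as the route tables above list them

# Constructed prefix list contents: the page says describe-prefix-lists reported
# 54.123.160.0/19 as the service range that pl-1a2b3c4d represents.
PREFIX_LISTS = {"pl-1a2b3c4d": ["54.123.160.0/19"]}

# The route tables from the scenarios in this section.
TABLE_IGW_ONLY: List[Route] = [("10.0.0.0/16", "Local"), ("0.0.0.0/0", "igw-1a2b3c4d")]
TABLE_WITH_ENDPOINT: List[Route] = TABLE_IGW_ONLY + [("pl-1a2b3c4d", "vpce-11bb22cc")]
TABLE_SPECIFIC_IGW: List[Route] = [
    ("10.0.0.0/16", "Local"),
    ("54.123.165.0/24", "igw-1a2b3c4d"),
    ("pl-1a2b3c4d", "vpce-11bb22cc"),
]
TABLE_PRIVATE: List[Route] = [("10.0.0.0/16", "Local"), ("pl-1a2b3c4d", "vpce-11bb22cc")]


def expand_routes(routes: List[Route]):
    """Expand each (destination, target) into (network, target) pairs.

    A destination that is a prefix list ID is replaced by every CIDR in the
    list, which is what the endpoint route means to the VPC router.
    """
    expanded = []
    for destination, target in routes:
        cidrs = PREFIX_LISTS[destination] if destination.startswith("pl-") else [destination]
        expanded.extend((ipaddress.ip_network(cidr), target) for cidr in cidrs)
    return expanded


def lookup(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target chosen for dst_ip by longest prefix match, or None.

    Ties on prefix length go to the non-endpoint route: the text says a route
    identical to the service's range takes precedence over the endpoint route.
    """
    addr = ipaddress.ip_address(dst_ip)
    candidates = [
        (net.prefixlen, 0 if target.startswith("vpce-") else 1, target)
        for net, target in expand_routes(routes)
        if addr in net
    ]
    return max(candidates)[2] if candidates else None


def routes_bypassing_endpoint(routes: List[Route], prefix_list_id: str) -> List[Route]:
    """Find routes that steer part of the service's range away from the endpoint.

    Any non-endpoint route that overlaps a prefix-list CIDR and is at least as
    specific as it wins longest prefix match, so that traffic still leaves via
    the internet gateway or NAT device. Returns [(destination, target), ...].
    """
    service_nets = [ipaddress.ip_network(c) for c in PREFIX_LISTS[prefix_list_id]]
    bypassing = []
    for destination, target in routes:
        if destination.startswith("pl-") or target.startswith("vpce-"):
            continue
        net = ipaddress.ip_network(destination)
        if any(net.overlaps(s) and net.prefixlen >= s.prefixlen for s in service_nets):
            bypassing.append((destination, target))
    return bypassing


if __name__ == "__main__":
    tables = [("igw only", TABLE_IGW_ONLY), ("with endpoint", TABLE_WITH_ENDPOINT),
              ("specific igw route", TABLE_SPECIFIC_IGW), ("private", TABLE_PRIVATE)]
    for name, table in tables:
        print(f"{name:20} 54.123.165.10 -> {lookup(table, '54.123.165.10')}, "
              f"bypassing endpoint: {routes_bypassing_endpoint(table, 'pl-1a2b3c4d')}")
```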

Gateway endpoint limitations

To use gateway endpoints, you need to be aware of the current limitations:

• You cannot use an AWS prefix list ID in an outbound rule in a network ACL to allow or deny outbound traffic to the service specified in an endpoint. If your network ACL rules restrict traffic, you must specify the CIDR block (IP address range) for the service instead. You can, however, use an AWS prefix list ID in an outbound security group rule. For more information, see Security groups (p. 37).

• Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.

• Endpoints support IPv4 traffic only.

• You cannot transfer an endpoint from one VPC to another, or from one service to another.

• You have a quota on the number of endpoints you can create per VPC. For more information, see AWS PrivateLink quotas (p. 81).

• Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, AWS Direct Connect connection, or ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

• You must turn on DNS resolution in your VPC, or if you're using your own DNS server, ensure that DNS requests to the required service (such as Amazon S3) are resolved correctly to the IP addresses maintained by AWS. For more information, see Using DNS with your VPC in the Amazon VPC User Guide and AWS IP Address Ranges in the Amazon Web Services General Reference.

• Review the service-specific limits for your endpoint service.

For more information about rules and limitations that are specific to Amazon S3, see Endpoints for Amazon S3 (p. 23).

For more information about rules and limitations that are specific to DynamoDB, see Endpoints for Amazon DynamoDB (p. 30).

Endpoints for Amazon S3

If you've already set up access to your Amazon S3 resources from your VPC, you can continue to use Amazon S3 DNS names to access those resources after you've set up an endpoint. However, take note of the following:

• Your endpoint has a policy that controls the use of the endpoint to access Amazon S3 resources. The default policy allows access by any user or service within the VPC, using credentials from any AWS account, to any Amazon S3 resource; including Amazon S3 resources for an AWS account other than the account with which the VPC is associated. For more information, see Control access to services with VPC endpoints (p. 36).

• The source IPv4 addresses from instances in your affected subnets as received by Amazon S3 change from public IPv4 addresses to the private IPv4 addresses in your VPC. An endpoint switches network routes, and disconnects open TCP connections. The previous connections that used public IPv4 addresses are not resumed. We recommend that you do not have any critical tasks running when you create or modify an endpoint; or that you test to ensure that your software can automatically reconnect to Amazon S3 after the connection break.

• You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range (the private IPv4 address range). VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. Therefore, you cannot use the aws:SourceIp condition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies. If a statement includes the aws:SourceIp condition, the value fails to match any provided IP address or range. Instead, you can do the following:

• Use your route tables to control which instances can access resources in Amazon S3 via the endpoint.

• For bucket policies, you can restrict access to a specific endpoint or to a specific VPC. For more information, see Amazon S3 bucket policies (p. 28).

• Endpoints currently do not support cross-Region requests—ensure that you create your endpoint in the same Region as your bucket. You can find the location of your bucket by using the Amazon S3 console, or by using the get-bucket-location command. Use a Region-specific Amazon S3 endpoint to access your bucket; for example, mybucket.s3.us-west-2.amazonaws.com. For more information about Region-specific endpoints for Amazon S3, see Amazon Simple Storage Service (S3) in Amazon Web Services General Reference. If you use the AWS CLI to make requests to Amazon S3, set your default Region to the same Region as your bucket, or use the --region parameter in your requests.

Note

Treat the US Standard Region for Amazon S3 as mapped to the us-east-1 Region.

• Endpoints are currently supported for IPv4 traffic only.

Before you use endpoints with Amazon S3, ensure that you have also read the following general limitations: Gateway endpoint limitations (p. 23). For information about creating and viewing S3 buckets, see How Do I Create an S3 Bucket and How Do I View the Properties for an S3 Bucket in the Amazon Simple Storage Service User Guide.

If you use other AWS services in your VPC, they might use S3 buckets for certain tasks. Ensure that your endpoint policy allows full access to Amazon S3 (the default policy), or that it allows access to the specific buckets that are used by these services. Alternatively, only create an endpoint in a subnet that is not used by any of these services, to allow the services to continue accessing S3 buckets using public IP addresses.

The following table lists AWS services that might be affected by an endpoint, and any specific information for each service.

AWS service                         Note

Amazon AppStream 2.0                Your endpoint policy must allow access to the specific buckets that are used by AppStream 2.0 for storing user content. For more information, see Using Amazon S3 VPC Endpoints for Home Folders and Application Settings Persistence in the Amazon AppStream 2.0 Administration Guide.

AWS CloudFormation                  If you have resources in your VPC that must respond to a wait condition or custom resource request, your endpoint policy must allow at least access to the specific buckets that are used by these resources. For more information, see Setting Up VPC Endpoints for AWS CloudFormation.

CodeDeploy                          Your endpoint policy must allow full access to Amazon S3, or allow access to any S3 buckets that you've created for your CodeDeploy deployments.

Elastic Beanstalk                   Your endpoint policy must allow at least access to any S3 buckets used for Elastic Beanstalk applications. For more information, see Using Elastic Beanstalk with Amazon S3 in the AWS Elastic Beanstalk Developer Guide.

Amazon EMR                          Your endpoint policy must allow access to the Amazon Linux repositories and other buckets that are used by Amazon EMR. For more information, see Minimum Amazon S3 Policy for Private Subnet in the Amazon EMR Management Guide.

AWS OpsWorks                        Your endpoint policy must allow at least access to specific buckets that are used by AWS OpsWorks. For more information, see Running a Stack in a VPC in the AWS OpsWorks User Guide.

AWS Systems Manager                 Your endpoint policy must allow access to the Amazon S3 buckets used by Patch Manager for patch baseline operations in your AWS Region. These buckets contain the code that is retrieved and run on instances by the patch baseline service. For more information, see Create a Virtual Private Cloud Endpoint in the AWS Systems Manager User Guide. For a list of S3 bucket permissions required by SSM Agent for its operations, see Minimum S3 Bucket Permissions for SSM Agent in the AWS Systems Manager User Guide.

Amazon Elastic Container Registry   Your endpoint policy must allow access to the Amazon S3 buckets used by Amazon ECR to store Docker image layers. For more information, see Minimum Amazon S3 Bucket Permissions for Amazon ECR in the Amazon Elastic Container Registry User Guide.

Amazon WorkDocs                     If you use an Amazon WorkDocs client in WorkSpaces or an EC2 instance, your endpoint policy must allow full access to Amazon S3.

WorkSpaces                          WorkSpaces does not directly depend on Amazon S3. However, if you provide WorkSpaces users with internet access, then take note that websites, HTML emails, and internet services from other companies may depend on Amazon S3. Ensure that your endpoint policy allows full access to Amazon S3 to allow these services to continue to work correctly.

Traffic between your VPC and S3 buckets does not leave the Amazon network.

Endpoint policies for Amazon S3

The following are example endpoint policies for accessing Amazon S3. For more information, see Use VPC endpoint policies (p. 36). It is up to the user to determine the policy restrictions that meet their business needs.

Important

All types of policies — IAM user policies, endpoint policies, S3 bucket policies, and Amazon S3 ACL policies (if any) — must grant the necessary permissions for access to Amazon S3 to succeed.

AWS recommends that you use IAM conditions, rather than the IAM Principal element, in VPC endpoint policies when you are restricting use of the endpoint to particular callers. Examples of such conditions are aws:PrincipalArn, aws:PrincipalAccount, aws:PrincipalOrgId, and aws:PrincipalOrgPaths. For more information about condition context keys, see AWS global condition context keys in the AWS Identity and Access Management User Guide.

Example: Restricting access to a specific bucket

You can create a policy that restricts access to specific S3 buckets only. This is useful if you have other AWS services in your VPC that use S3 buckets. The following is an example of a policy that restricts access to the specified bucket only.

{
  "Statement": [
    {
      "Sid": "AccessToSpecificBucket",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Example: Restricting use of this VPC endpoint to a specific IAM role in an account

You can create a policy that restricts use of the VPC endpoint to a specific IAM role. The following is an example that restricts the access to the specified role in the specified account.

{
  "Statement": [
    {
      "Sid": "Restrict-access-to-specific-IAM-role",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/SomeRole"
        }
      }
    }
  ]
}

Example: Restricting use of this VPC endpoint to users in a specific account

You can create a policy that restricts use of the VPC endpoint to a specific account. The following is an example that restricts the access to users in the specified account.

{
  "Statement": [
    {
      "Sid": "AllowCallersFromAccount111122223333",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalAccount": "111122223333" }
      }
    }
  ]
}

Example: Enabling access to the Amazon Linux AMI repositories

The Amazon Linux AMI repositories are Amazon S3 buckets in each Region. If you want instances in your VPC to access the repositories through an endpoint, create an endpoint policy that enables access to these buckets.

The following policy allows access to the Amazon Linux repositories.

You need to replace region with your AWS Region, for example, us-east-1.

{
  "Statement": [
    {
      "Sid": "AmazonLinuxAMIRepositoryAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::packages.region.amazonaws.com/*",
        "arn:aws:s3:::repo.region.amazonaws.com/*"
      ]
    }
  ]
}

The following policy allows access to the Amazon Linux 2 repositories.

You need to replace region with your AWS Region, for example, us-east-1.

{
  "Statement": [
    {
      "Sid": "AmazonLinux2AMIRepositoryAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::amazonlinux.region.amazonaws.com/*",
        "arn:aws:s3:::amazonlinux-2-repos-region/*"
      ]
    }
  ]
}
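To check how the statements above resolve for a given caller before attaching them to an endpoint, here is a small evaluator written for this page (an added example, not code from AWS or this guide). The function names evaluate and ROLE_POLICY are its own; it handles only the wildcards and StringEquals/ArnEquals conditions these examples use, and, as noted above, a real request must also pass the caller's IAM policy and the bucket policy.

```python
"""Minimal evaluator for the S3 endpoint policy examples above (added here;
not AWS's engine). Handles only what those examples use: Action/Resource
wildcards and the StringEquals/ArnEquals conditions."""
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # IAM-style wildcards: '*' (any run) and '?' (one character)
    return fnmatch.fnmatchcase(value, pattern)

def _condition_ok(condition, ctx):
    # ArnEquals and ArnLike behave identically in IAM (both accept wildcards);
    # StringEquals is an exact, case-sensitive comparison.
    ops = {"StringEquals": lambda p, v: p == v, "StringLike": _match,
           "ArnEquals": _match, "ArnLike": _match}
    for op, keys in condition.items():
        for key, patterns in keys.items():
            actual = ctx.get(key)  # missing context key: condition fails
            if actual is None or not any(ops[op](p, actual)
                                         for p in _as_list(patterns)):
                return False
    return True

def evaluate(policy, ctx):
    """Return 'Allow' or 'Deny' for ctx = {'action', 'resource', condition keys}.
    Deny is the default; an explicit Deny statement overrides any Allow."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not any(_match(a.lower(), ctx["action"].lower())
                   for a in _as_list(st["Action"])):
            continue  # action names are case-insensitive
        if not any(_match(r, ctx["resource"]) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed policy: the page's role-restriction example, wrapped in the
# Statement array a complete policy document needs.
ROLE_POLICY = {"Statement": [{
    "Sid": "Restrict-access-to-specific-IAM-role", "Effect": "Allow",
    "Principal": "*", "Action": "*", "Resource": "*",
    "Condition": {"ArnEquals": {
        "aws:PrincipalArn": "arn:aws:iam::111122223333:role/SomeRole"}}}]}
```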
