AWS::EC2::VPCEndpoint - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::EC2::VPCEndpoint

Specifies a VPC endpoint. A VPC endpoint provides a private connection between your VPC and an endpoint service. You can use an endpoint service provided by Amazon, an Amazon Web Services Marketplace Partner, or another Amazon accounts in your organization. For more information, see the Amazon PrivateLink User Guide.

An endpoint of type Interface establishes connections between the subnets in your VPC and an Amazon Web Service, your own service, or a service hosted by another Amazon Web Services account. With an interface VPC endpoint, you specify the subnets in which to create the endpoint and the security groups to associate with the endpoint network interfaces.

An endpoint of type gateway serves as a target for a route in your route table for traffic destined for Amazon S3 or DynamoDB. You can specify an endpoint policy for the endpoint, which controls access to the service from your VPC. You can also specify the VPC route tables that use the endpoint. For more information about connectivity to Amazon S3, see Why can't I connect to an S3 bucket using a gateway VPC endpoint?

An endpoint of type GatewayLoadBalancer provides private connectivity between your VPC and virtual appliances from a service provider.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::EC2::VPCEndpoint", "Properties" : { "PolicyDocument" : Json, "PrivateDnsEnabled" : Boolean, "RouteTableIds" : [ String, ... ], "SecurityGroupIds" : [ String, ... ], "ServiceName" : String, "SubnetIds" : [ String, ... ], "VpcEndpointType" : String, "VpcId" : String } }

YAML

Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument: Json PrivateDnsEnabled: Boolean RouteTableIds: - String SecurityGroupIds: - String ServiceName: String SubnetIds: - String VpcEndpointType: String VpcId: String

Properties

PolicyDocument

An endpoint policy, which controls access to the service from the VPC. The default endpoint policy allows full access to the service. Endpoint policies are supported only for gateway and interface endpoints.

For CloudFormation templates in YAML, you can provide the policy in JSON or YAML format. Amazon CloudFormation converts YAML policies to JSON format before calling the API to create or modify the VPC endpoint.

Required: No

Type: Json

Update requires: No interruption

PrivateDnsEnabled

Indicate whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example, kinesis.us-east-1.amazonaws.com), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service.

To use a private hosted zone, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport.

This property is supported only for interface endpoints.

Default: false

Required: No

Type: Boolean

Update requires: No interruption

RouteTableIds

The IDs of the route tables. Routing is supported only for gateway endpoints.

Required: No

Type: Array of String

Update requires: No interruption

SecurityGroupIds

The IDs of the security groups to associate with the endpoint network interfaces. If this parameter is not specified, we use the default security group for the VPC. Security groups are supported only for interface endpoints.

Required: No

Type: Array of String

Update requires: No interruption

ServiceName

The name of the endpoint service.

Required: Yes

Type: String

Update requires: Replacement

SubnetIds

The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can't specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet.

Required: Conditional

Type: Array of String

Update requires: No interruption

VpcEndpointType

The type of endpoint.

Default: Gateway

Required: No

Type: String

Allowed values: Interface | Gateway | GatewayLoadBalancer

Update requires: Replacement

VpcId

The ID of the VPC.

Required: Yes

Type: String

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the VPC endpoint.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

CreationTimestamp

The date and time the VPC endpoint was created. For example: Fri Sep 28 23:34:36 UTC 2018.

DnsEntries

(Interface endpoints) The DNS entries for the endpoint. Each entry is a combination of the hosted zone ID and the DNS name. The entries are ordered as follows: regional public DNS, zonal public DNS, private DNS, and wildcard DNS. This order is not enforced for Amazon Web Services Marketplace services.

The following is an example. In the first entry, the hosted zone ID is Z1HUB23UULQXV and the DNS name is vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com.

["Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com", "Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3-us-east-1a.ec2.us-east-1.vpce.amazonaws.com", "Z1C12344VYDITB0:ec2.us-east-1.amazonaws.com"]

If you update the PrivateDnsEnabled or SubnetIds properties, the DNS entries in the list will change.

Id

The ID of the VPC endpoint.

NetworkInterfaceIds

(Interface endpoints) The network interface IDs. If you update the PrivateDnsEnabled or SubnetIds properties, the items in this list might change.

Examples

Create an interface endpoint

The following example creates an interface endpoint for Amazon CloudWatch Logs in the current Region. Traffic to CloudWatch Logs from any subnet in the Availability Zones that contain subnetA and subnetB automatically traverses the interface endpoint.

You can customize the properties of myVPC, subnetA, subnetB, and mySecurityGroup as needed. Alternatively, specify the IDs of existing resources in VpcId, SubnetIds, and SecurityGroupIds.

YAML

Resources: CWLInterfaceEndpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: VpcEndpointType: 'Interface' ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' VpcId: !Ref myVPC SubnetIds: - !Ref subnetA - !Ref subnetB SecurityGroupIds: - !Ref mySecurityGroup myVPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: 10.0.0.0/16 EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: 'Name' Value: 'myVPC' subnetA: Type: 'AWS::EC2::Subnet' Properties: VpcId: !Ref myVPC CidrBlock: '10.0.1.0/24' AvailabilityZone: !Select [ 0, !GetAZs ] subnetB: Type: 'AWS::EC2::Subnet' Properties: VpcId: !Ref myVPC CidrBlock: '10.0.2.0/24' AvailabilityZone: !Select [ 1, !GetAZs ] mySecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupDescription: 'Allow HTTPS traffic from the VPC' VpcId: !Ref myVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: !GetAtt myVPC.CidrBlock

JSON

{ "Resources": { "CWLInterfaceEndpoint": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { "VpcEndpointType": "Interface", "ServiceName": { "Fn::Sub": "com.amazonaws.${AWS::Region}.logs" }, "VpcId": { "Ref": "myVPC" }, "SubnetIds": [ { "Ref": "subnetA" }, { "Ref": "subnetB" } ], "SecurityGroupIds": [ { "Ref": "mySecurityGroup" } ] } }, "myVPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsSupport": true, "EnableDnsHostnames": true, "Tags": [ { "Key": "Name", "Value": "myVPC" } ] } }, "subnetA": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "myVPC" }, "CidrBlock": "10.0.1.0/24", "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] } } }, "subnetB": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "myVPC" }, "CidrBlock": "10.0.2.0/24", "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "" } ] } } }, "mySecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow HTTPS traffic from the VPC", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": { "Fn::GetAtt": [ "myVPC", "CidrBlock" ] } } ] } } } }

Create a gateway endpoint

The following example creates a gateway endpoint that connects the VPC defined by myVPC with Amazon S3 in the current Region. The endpoint policy allows only the s3:GetObject action on the specified bucket. Traffic to Amazon S3 from the subnets that are associated with the route table specified in RouteTableIds is automatically routed through the gateway endpoint.

You can customize the properties of myVPC, mySubnet, myRouteTable, and mySubnetRouteTableAssociation as needed. Alternatively, specify the IDs of existing resources in VpcId and RouteTableIds.

YAML

Resources: S3GatewayEndpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: VpcEndpointType: 'Gateway' VpcId: !Ref myVPC ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3' PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: '*' Action: - 's3:GetObject' Resource: - 'arn:aws:s3:::mybucket/*' RouteTableIds: - !Ref myRouteTable myVPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: '10.0.0.0/16' EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: 'Name' Value: 'myVPC' mySubnet: Type: 'AWS::EC2::Subnet' Properties: VpcId: !Ref myVPC CidrBlock: 10.0.0.0/24 AvailabilityZone: !Select [ 0, !GetAZs ] myRouteTable: Type: 'AWS::EC2::RouteTable' Properties: VpcId: !Ref myVPC mySubnetRouteTableAssociation: Type: 'AWS::EC2::SubnetRouteTableAssociation' Properties: SubnetId: !Ref mySubnet RouteTableId: !Ref myRouteTable

JSON

{ "Resources": { "S3GatewayEndpoint": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { "VpcEndpointType": "Gateway", "VpcId": { "Ref": "myVPC" }, "ServiceName": { "Fn::Sub": "com.amazonaws.${AWS::Region}.s3" }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::mybucket/*" ] } ] }, "RouteTableIds": [ { "Ref": "myRouteTable" } ] } }, "myVPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsSupport": true, "EnableDnsHostnames": true, "Tags": [ { "Key": "Name", "Value": "myVPC" } ] } }, "mySubnet": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "myVPC" }, "CidrBlock": "10.0.0.0/24", "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": null } ] } } }, "myRouteTable": { "Type": "AWS::EC2::RouteTable", "Properties": { "VpcId": { "Ref": "myVPC" } } }, "mySubnetRouteTableAssociation": { "Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": { "SubnetId": { "Ref": "mySubnet" }, "RouteTableId": { "Ref": "myRouteTable" } } } } }

Create a Gateway Load Balancer endpoint

The following example creates a Gateway Load Balancer endpoint that connects myVPC with the specified endpoint service in the current Region.

You can customize the properties of myVPC and mySubnet as needed. Alternatively, specify the IDs of existing resources in VpcId and SubnetIds.

YAML

Resources: GWLBEndpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: VpcEndpointType: 'GatewayLoadBalancer' ServiceName: 'com.amazonaws.vpce.${AWS::Region}.vpce-svc-123123a1c43abc123' VpcId: !Ref myVPC SubnetIds: - !Ref mySubnet myVPC: Type: 'AWS::EC2::VPC' Properties: CidrBlock: '10.0.0.0/16' EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: 'Name' Value: 'myVPC' mySubnet: Type: 'AWS::EC2::Subnet' Properties: VpcId: !Ref myVPC CidrBlock: '10.0.0.0/24' AvailabilityZone: !Select [ 1, !GetAZs ]

JSON

{ "Resources": { "GWLBEndpoint": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { "VpcEndpointType": "GatewayLoadBalancer", "ServiceName": "com.amazonaws.vpce.${AWS::Region}.vpce-svc-123123a1c43abc123", "VpcId": { "Ref": "myVPC" }, "SubnetIds": [ { "Ref": "mySubnet" } ] } }, "myVPC": { "Type": "AWS::EC2::VPC", "Properties": { "CidrBlock": "10.0.0.0/16", "EnableDnsSupport": true, "EnableDnsHostnames": true, "Tags": [ { "Key": "Name", "Value": "myVPC" } ] } }, "mySubnet": { "Type": "AWS::EC2::Subnet", "Properties": { "VpcId": { "Ref": "myVPC" }, "CidrBlock": "10.0.0.0/24", "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "" } ] } } } } }