Access an Amazon Web Service using an interface VPC endpoint - Amazon Virtual Private Cloud
PrerequisitesCreate a VPC endpointShared subnets
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Access an Amazon Web Service using an interface VPC endpoint

You can create an interface VPC endpoint to connect to services powered by Amazon PrivateLink, including many Amazon Web Services. For an overview, see Amazon PrivateLink concepts and Access Amazon Web Services through Amazon PrivateLink.

For each subnet that you specify from your VPC, we create an endpoint network interface in the subnet and assign it a private IP address from the subnet address range. An endpoint network interface is a requester-managed network interface; you can view it in your Amazon Web Services account, but you can't manage it yourself.

Prerequisites

  • Deploy the resources that will access the Amazon Web Service in your VPC.

  • To use private DNS, you must enable DNS hostnames and DNS resolution for your VPC. For more information, see View and update DNS attributes in the Amazon VPC User Guide.

  • To enable IPv6 for an interface endpoint, the Amazon Web Service must support access over IPv6. For more information, see IP address types.

  • Create a security group that allows the resources in your VPC to communicate with the endpoint network interfaces for the VPC endpoint. To ensure that tools such as the Amazon CLI can make requests over HTTPS from resources in the VPC to the Amazon Web Service, the security group must allow inbound HTTPS traffic.

  • If your resources are in a subnet with a network ACL, verify that the network ACL allows traffic between the endpoint network interfaces and the resources in the VPC.

  • There are quotas on your Amazon PrivateLink resources. For more information, see Amazon PrivateLink quotas.

Create a VPC endpoint

Use the following procedure to create an interface VPC endpoint that connects to an Amazon Web Service.

To create an interface endpoint for an Amazon Web Service

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Choose Create endpoint.

  4. For Service category, choose Amazon Web Services.

  5. For Service name, select the service. For more information, see Amazon Web Services that integrate with Amazon PrivateLink.

  6. For VPC, select the VPC from which you'll access the Amazon Web Service.

  7. If, in Step 5, you selected the service name for Amazon S3, and if you want to configure private DNS support, select Additional settings, Enable DNS name. When you make this selection, it also automatically selects Enable private DNS only for inbound endpoint. You can configure private DNS with an inbound Resolver endpoint only for interface endpoints for Amazon S3. If you do not have a gateway endpoint for Amazon S3 and you select Enable private DNS only for inbound endpoint, you'll receive an error when you attempt the final step in this procedure.

    If, in Step 5, you selected the service name for any service other than Amazon S3, Additional settings, Enable DNS name is already selected. We recommend that you keep the default.

  8. For Subnets, select one subnet per Availability Zone from which you'll access the Amazon Web Service. You can't select multiple subnets from the same Availability Zone. We create an endpoint network interface in each subnet that you select. By default, we select IP addresses from the subnet IP address ranges and assign them to the endpoint network interfaces. To choose the IP addresses for an endpoint network interface, select Designate IP addresses and enter an IPv4 address from the subnet address range. If the endpoint service supports IPv6, you can also enter an IPv6 address from the subnet address range.

  9. For IP address type, choose from the following options:

    • IPv4 – Assign IPv4 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have IPv4 address ranges and the service accepts IPv4 requests.

    • IPv6 – Assign IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets are IPv6 only subnets and the service accepts IPv6 requests.

    • Dualstack – Assign both IPv4 and IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges and the service accepts both IPv4 and IPv6 requests.

  10. For Security groups, select the security groups to associate with the endpoint network interfaces for the VPC endpoint. By default, we associate the default security group for the VPC.

  11. For Policy, select Full access to allow all operations by all principals on all resources over the VPC endpoint. Otherwise, select Custom to attach a VPC endpoint policy that controls the permissions that principals have for performing actions on resources over the VPC endpoint. This option is available only if the service supports VPC endpoint policies. For more information, see Endpoint policies.

  12. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  13. Choose Create endpoint.

To create an interface endpoint using the command line

Shared subnets

You can't create, describe, modify, or delete VPC endpoints in subnets that are shared with you. However, you can use the VPC endpoints in subnets that are shared with you.