Interface VPC endpoints - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Interface VPC endpoints

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a private connection between your VPC and Amazon Identity and Access Management (IAM) or Amazon Security Token Service (Amazon STS). Over this connection, resources in your VPC call IAM or Amazon STS without their traffic traversing the public internet.

Amazon VPC is an Amazon service that you can use to launch Amazon resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. To connect your VPC to IAM or Amazon STS, you define an interface VPC endpoint for each service. The endpoint provides reliable, scalable connectivity to IAM or Amazon STS without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see What Is Amazon VPC? in the Amazon VPC User Guide.

Interface VPC endpoints are powered by Amazon PrivateLink, an Amazon technology that enables private communication between Amazon services using an elastic network interface with private IP addresses. For more information, see Amazon PrivateLink for Amazon Services.

The following information is for users of Amazon VPC. For more information, see Getting Started with Amazon VPC in the Amazon VPC User Guide.

Availability

IAM currently supports VPC endpoints in the following Region:

  • China (Beijing)

Amazon STS currently supports VPC endpoints in the following Regions:

  • US East (N. Virginia)

  • US East (Ohio)

  • US West (N. California)

  • US West (Oregon)

  • Africa (Cape Town)

  • Asia Pacific (Hong Kong)

  • Asia Pacific (Hyderabad)

  • Asia Pacific (Jakarta)

  • Asia Pacific (Melbourne)

  • Asia Pacific (Mumbai)

  • Asia Pacific (Osaka)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Canada (Central)

  • Canada West (Calgary)

  • China (Beijing)

  • China (Ningxia)

  • Europe (Frankfurt)

  • Europe (Ireland)

  • Europe (London)

  • Europe (Milan)

  • Europe (Paris)

  • Europe (Spain)

  • Europe (Stockholm)

  • Europe (Zurich)

  • Israel (Tel Aviv)

  • Middle East (Bahrain)

  • Middle East (UAE)

  • South America (São Paulo)

  • Amazon GovCloud (US-East)

  • Amazon GovCloud (US-West)

Create a VPC endpoint for IAM

To start using IAM with your VPC, create an interface VPC endpoint for IAM. For more information, see Access an Amazon service using an interface VPC endpoint in the Amazon VPC User Guide.

Because IAM is a global service, interface VPC endpoints for IAM can only be created in the Region where the IAM control plane is located. For a list of Amazon Web Services Regions that support VPC endpoints for IAM, see Availability. For more information about the IAM control plane, see Resilience in Amazon Identity and Access Management.

If your VPC is located in a different Region from the IAM control plane Region, you must use Amazon Transit Gateway to reach the IAM interface VPC endpoint in the control plane Region from your VPC's Region.

Note

VPC peering connections can also route traffic between peered VPCs, but this method does not scale well with a large number of VPCs. Instead of VPC peering, we recommend Amazon Transit Gateway peering attachments, which improve VPC and on-premises network management through a scalable central hub. For more information about VPC peering connections, see Work with VPC peering connections in the Amazon VPC Peering Guide.

To access an IAM interface VPC endpoint from a VPC in a different Region using Amazon Transit Gateway
  1. Create a transit gateway, or use an existing transit gateway to interconnect your virtual private clouds (VPCs). A transit gateway is required for each Region. For more information, see Create a transit gateway in the Amazon Transit Gateway Guide.

  2. Create transit gateway VPC attachments to connect each VPC to the transit gateway. For more information, see Create a transit gateway attachment to a VPC in the Amazon Transit Gateway Guide.

  3. Create a transit gateway peering attachment between the transit gateway in your VPC's Region and the transit gateway in the IAM control plane Region, so that traffic can be routed between the VPCs attached to them. For more information, see Create a peering attachment in the Amazon Transit Gateway Guide.
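The three steps above, plus the IAM endpoint they lead to, as AWS CLI functions. This is an added example and not code from the page or from Amazon. It assumes the CLI is installed with credentials, that cn-north-1 is the IAM control plane Region and cn-northwest-1 the remote Region (both hypothetical choices you can override), and that every vpc-, subnet-, tgw- and account id is a placeholder you supply. Two points it relies on come from general Transit Gateway and PrivateLink behaviour rather than from this page: peering attachments do not propagate routes, so static routes are needed on both sides, and an endpoint's private DNS name only resolves inside the VPC that owns the endpoint, so the remote VPC must address the endpoint by its endpoint-specific DNS name. Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: reach an IAM interface VPC endpoint from a VPC in another
# Region via transit gateway peering. All ids are placeholders; the account
# id is hypothetical. DRY_RUN=1 prints each command instead of executing it.

IAM_REGION="${IAM_REGION:-cn-north-1}"   # IAM control-plane Region (assumed)

run() {  # execute a command, or print it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Discover the PrivateLink service name for IAM instead of hardcoding it.
iam_service_name() {
  run aws ec2 describe-vpc-endpoint-services --region "$IAM_REGION" \
    --query "ServiceNames[?ends_with(@, '.iam')] | [0]" --output text
}

# Create the IAM interface endpoint in the control-plane Region. Prints the
# endpoint-specific DNS name; the remote VPC passes it to --endpoint-url
# because the endpoint's private DNS name resolves only inside this VPC.
# The security group must allow inbound TCP 443 from the remote VPC CIDR.
create_iam_endpoint() {  # args: service-name vpc-id security-group-id subnet-id...
  svc="$1"; vpc="$2"; sg="$3"; shift 3
  run aws ec2 create-vpc-endpoint --region "$IAM_REGION" --vpc-id "$vpc" \
    --vpc-endpoint-type Interface --service-name "$svc" \
    --subnet-ids "$@" --security-group-ids "$sg" \
    --query 'VpcEndpoint.DnsEntries[0].DnsName' --output text
}

# Step 1: one transit gateway per Region. Prints the transit gateway id.
create_tgw() {  # args: region description
  run aws ec2 create-transit-gateway --region "$1" --description "$2" \
    --query 'TransitGateway.TransitGatewayId' --output text
}

# Step 2: attach a VPC to its Region's transit gateway. Prints the attachment id.
attach_vpc() {  # args: region tgw-id vpc-id subnet-id...
  region="$1"; tgw="$2"; vpc="$3"; shift 3
  run aws ec2 create-transit-gateway-vpc-attachment --region "$region" \
    --transit-gateway-id "$tgw" --vpc-id "$vpc" --subnet-ids "$@" \
    --query 'TransitGatewayVpcAttachment.TransitGatewayAttachmentId' --output text
}

# Step 3: peer the remote Region's transit gateway with the IAM Region's one,
# then accept the request on the IAM side. Prints the peering attachment id.
create_peering() {  # args: remote-region remote-tgw-id iam-tgw-id account-id
  run aws ec2 create-transit-gateway-peering-attachment --region "$1" \
    --transit-gateway-id "$2" --peer-transit-gateway-id "$3" \
    --peer-account-id "$4" --peer-region "$IAM_REGION" \
    --query 'TransitGatewayPeeringAttachment.TransitGatewayAttachmentId' --output text
}
accept_peering() {  # arg: peering-attachment-id (wait for state "available" after)
  run aws ec2 accept-transit-gateway-peering-attachment --region "$IAM_REGION" \
    --transit-gateway-attachment-id "$1"
}

# Peering attachments carry no route propagation: add a static route for the
# remote CIDR on each transit gateway route table (via the peering attachment)
# and in each VPC route table (via the local transit gateway).
tgw_default_route_table() {  # args: region tgw-id
  run aws ec2 describe-transit-gateways --region "$1" --transit-gateway-ids "$2" \
    --query 'TransitGateways[0].Options.AssociationDefaultRouteTableId' --output text
}
add_tgw_route() {  # args: region tgw-route-table-id dest-cidr attachment-id
  run aws ec2 create-transit-gateway-route --region "$1" \
    --transit-gateway-route-table-id "$2" --destination-cidr-block "$3" \
    --transit-gateway-attachment-id "$4"
}
add_vpc_route() {  # args: region vpc-route-table-id dest-cidr tgw-id
  run aws ec2 create-route --region "$1" --route-table-id "$2" \
    --destination-cidr-block "$3" --transit-gateway-id "$4"
}

# Order of calls (ids hypothetical):
#   dns=$(create_iam_endpoint "$(iam_service_name)" vpc-IAM sg-IAM subnet-IAM)
#   tgw_iam=$(create_tgw "$IAM_REGION" iam-hub); tgw_rem=$(create_tgw cn-northwest-1 remote-hub)
#   attach_vpc "$IAM_REGION" "$tgw_iam" vpc-IAM subnet-IAM; attach_vpc cn-northwest-1 "$tgw_rem" vpc-REM subnet-REM
#   peer=$(create_peering cn-northwest-1 "$tgw_rem" "$tgw_iam" 123456789012); accept_peering "$peer"
#   add_tgw_route cn-northwest-1 "$(tgw_default_route_table cn-northwest-1 "$tgw_rem")" 10.0.0.0/16 "$peer"
#   add_tgw_route "$IAM_REGION" "$(tgw_default_route_table "$IAM_REGION" "$tgw_iam")" 10.1.0.0/16 "$peer"
#   add_vpc_route cn-northwest-1 rtb-REM 10.0.0.0/16 "$tgw_rem"; add_vpc_route "$IAM_REGION" rtb-IAM 10.1.0.0/16 "$tgw_iam"
#   from the remote VPC: aws iam get-user --endpoint-url "https://$dns"
```

The order-of-calls comment assumes 10.0.0.0/16 for the IAM-Region VPC and 10.1.0.0/16 for the remote VPC; substitute your own CIDRs and route table ids. Review the plan with DRY_RUN=1 first, then run it for real once the peering attachment shows as available.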

Create a VPC endpoint for Amazon STS

To start using Amazon STS with your VPC, create an interface VPC endpoint for Amazon STS. For more information, see Access an Amazon service using an interface VPC endpoint in the Amazon VPC User Guide.

After you create the VPC endpoint, you must send your Amazon STS requests to the matching Regional endpoint. Amazon STS recommends that you set both the Region and the endpoint explicitly (the setRegion and setEndpoint methods in the SDK for Java; other SDKs and the CLI expose the same two settings as a Region and an endpoint URL). You can use the setRegion method alone for manually enabled Regions, such as Asia Pacific (Hong Kong); in that case the calls are directed to the STS Regional endpoint. To learn how to manually enable a Region, see Managing Amazon Regions in the Amazon Web Services General Reference. If you use the setRegion method alone for Regions enabled by default, the calls are directed to the global endpoint https://sts.amazonaws.com, which your interface VPC endpoint does not serve.

When you use Regional endpoints, Amazon STS calls other Amazon services using either public endpoints or private interface VPC endpoints, whichever is in use. For example, assume that you have created an interface VPC endpoint for Amazon STS and that resources located in your VPC request temporary credentials from Amazon STS. In that case, those credential requests are routed through the interface VPC endpoint by default. For more information about making Regional requests using Amazon STS, see Managing Amazon STS in an Amazon Web Services Region.
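The Regional-endpoint requirement above, as an added example that is not code from the page or from Amazon. It maps setRegion and setEndpoint onto the CLI's --region and --endpoint-url, and adds the check a practitioner wants before trusting that STS traffic is private: resolve the Regional STS hostname from inside the VPC and confirm every address is a private one (interface endpoint network interfaces take addresses from your subnets). Assumptions: the AWS CLI is installed with credentials, the STS endpoint was created with private DNS enabled, the script runs on a host in that VPC, and the RFC 1918 check is a stand-in for comparing against your VPC CIDR. The AWS_STS_REGIONAL_ENDPOINTS variable is a documented SDK and CLI setting, not something this page describes.

```shell
#!/bin/sh
# Added example: call Amazon STS through its Regional endpoint and verify
# that the Regional hostname resolves to private addresses. Assumes a host
# inside the VPC, the AWS CLI with credentials, and an STS interface
# endpoint with private DNS enabled.

# Regional STS endpoint URL. China Regions use the amazonaws.com.cn suffix.
sts_regional_url() {  # arg: region, e.g. us-west-2 or cn-north-1
  case "$1" in
    cn-*) printf 'https://sts.%s.amazonaws.com.cn\n' "$1" ;;
    *)    printf 'https://sts.%s.amazonaws.com\n' "$1" ;;
  esac
}

# Exit 0 when an IPv4 address is in an RFC 1918 range. A public address here
# means DNS is sending you to the public STS endpoint, not your VPC endpoint.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 only if every address given for a hostname is private; complain on
# stderr about the first public one. No addresses at all is also a failure.
all_private() {  # args: hostname address...
  host="$1"; shift
  [ "$#" -gt 0 ] || { echo "$host: no IPv4 addresses" >&2; return 1; }
  for ip in "$@"; do
    if ! is_rfc1918 "$ip"; then
      echo "$host resolves to public address $ip" >&2
      return 1
    fi
  done
  return 0
}

# Resolve the Regional STS hostname from this host and apply all_private.
verify_sts_private() {  # arg: region
  url="$(sts_regional_url "$1")"
  host="${url#https://}"
  all_private "$host" $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
}

# setRegion + setEndpoint on the CLI: --region for signing plus --endpoint-url
# for the host. AWS_STS_REGIONAL_ENDPOINTS=regional additionally stops
# SDK/CLI calls that omit an endpoint from falling back to the global
# https://sts.amazonaws.com in default-enabled Regions.
sts_caller_identity() {  # arg: region
  region="$1"
  AWS_STS_REGIONAL_ENDPOINTS=regional aws sts get-caller-identity \
    --region "$region" --endpoint-url "$(sts_regional_url "$region")"
}

# Usage from an instance in the VPC (source the file, then):
#   verify_sts_private us-west-2 && sts_caller_identity us-west-2
```

If verify_sts_private fails with a public address, private DNS on the endpoint is off or the instance is using a resolver outside the VPC; fix that before relying on the endpoint, because the STS call itself succeeds either way and gives no hint which path it took.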