Amazon PrivateLink for DynamoDB Streams
With Amazon PrivateLink for Amazon DynamoDB Streams, you can provision interface Amazon VPC endpoints (interface endpoints) in your virtual private cloud (Amazon VPC). These endpoints are directly accessible from applications that are on premises over VPN and Amazon Direct Connect, or in a different Amazon Web Services Region over Amazon VPC peering. Using Amazon PrivateLink and interface endpoints, you can simplify private network connectivity from your applications to DynamoDB Streams.
Applications in your Amazon VPC do not need public IP addresses to communicate with DynamoDB Streams when they use Amazon VPC interface endpoints for DynamoDB Streams operations. Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your Amazon VPC. Requests to DynamoDB Streams over interface endpoints stay on the Amazon network. You can also access interface endpoints in your Amazon VPC from on-premises applications through Amazon Direct Connect or Amazon Virtual Private Network (Amazon VPN). For more information about how to connect your Amazon VPC with your on-premises network, see the Amazon Direct Connect User Guide.
For general information about interface endpoints, see Interface Amazon VPC endpoints.
Note
Only interface endpoints are supported for DynamoDB Streams. Gateway endpoints aren't supported.
Considerations when using Amazon PrivateLink for Amazon DynamoDB Streams
Amazon VPC considerations apply to Amazon PrivateLink for Amazon DynamoDB Streams. For more information, see interface endpoint considerations and Amazon PrivateLink quotas. The following restrictions apply.
Amazon PrivateLink for Amazon DynamoDB Streams doesn't support the following:
- Transport Layer Security (TLS) 1.1
- Private and Hybrid Domain Name System (DNS) services
Note
Network connectivity timeouts to Amazon PrivateLink endpoints are not within the scope of DynamoDB Streams error responses and need to be appropriately handled by your applications connecting to the Amazon PrivateLink endpoints.
Creating an Amazon VPC endpoint
To create an Amazon VPC interface endpoint, see Create an Amazon VPC endpoint in the Amazon PrivateLink Guide.
Accessing Amazon DynamoDB Streams interface endpoints
When you create an interface endpoint, DynamoDB generates two types of endpoint-specific DynamoDB Streams DNS names: Regional and Zonal.
- A Regional DNS name includes a unique Amazon VPC endpoint ID, a service identifier, the Amazon Web Services Region, and vpce.amazonaws.com in its name. For example, for Amazon VPC endpoint ID vpce-1a2b3c4d, the DNS name generated might be similar to vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com.
- A Zonal DNS name also includes the Availability Zone, for example, vpce-1a2b3c4d-5e6f-us-east-1a.streams.dynamodb.us-east-1.vpce.amazonaws.com. You might use this option if your architecture isolates Availability Zones. For example, you could use it for fault containment or to reduce Regional data transfer costs.
Accessing DynamoDB Streams API operations from DynamoDB Streams interface endpoints
You can use the Amazon CLI or Amazon SDKs to access DynamoDB Streams API operations through DynamoDB Streams interface endpoints.
Amazon CLI examples
To access DynamoDB Streams API operations through DynamoDB Streams interface endpoints in Amazon CLI commands, use the --region and --endpoint-url parameters.
Example: Create a VPC endpoint
aws ec2 create-vpc-endpoint \
    --region us-east-1 \
    --service-name com.amazonaws.us-east-1.dynamodb-streams \
    --vpc-id client-vpc-id \
    --subnet-ids client-subnet-id \
    --vpc-endpoint-type Interface \
    --security-group-ids client-sg-id
Example: Modify a VPC endpoint
aws ec2 modify-vpc-endpoint \
    --region us-east-1 \
    --vpc-endpoint-id client-vpc-endpoint-id \
    --policy-document policy-document \
    --add-security-group-ids security-group-ids
The --policy-document and --add-security-group-ids parameters in this example are optional. For any additional parameters you need, see the Amazon PrivateLink documentation.
Example: List streams using an endpoint URL
In the following example, replace the Region us-east-1 and the DNS name of the VPC endpoint, vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com, with your own information.
aws dynamodbstreams --region us-east-1 --endpoint-url https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com list-streams
Amazon SDK examples
To access Amazon DynamoDB Streams API operations through DynamoDB Streams interface endpoints when using the Amazon SDKs, update your SDKs to the latest version. Then, configure your clients to use the endpoint URL of the DynamoDB Streams interface endpoint for DynamoDB Streams API operations.
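The following is an added example, not code from the page or from the Amazon SDKs. It builds the Regional and Zonal endpoint URLs from the DNS name shape described above, checks that a URL really is an endpoint-specific (vpce) host rather than the public service host, and, in a hypothetical helper `make_streams_client`, pins a boto3 client to that URL with explicit timeouts and retries, because connectivity timeouts to the endpoint are not DynamoDB Streams error responses and the application has to handle them itself. The endpoint ID, Region and Availability Zone values are the page's own placeholders.

```python
import re
from typing import Optional

# Host suffix of endpoint-specific DynamoDB Streams DNS names (from the page).
_STREAMS_HOST = "streams.dynamodb.{region}.vpce.amazonaws.com"
# vpce-<hex>-<hex>[-<az>].streams.dynamodb.<region>.vpce.amazonaws.com
_VPCE_HOST_RE = re.compile(
    r"^vpce-[0-9a-f]+-[0-9a-f]+(-[a-z]{2}(-[a-z]+)+-\d[a-z])?"
    r"\.streams\.dynamodb\.[a-z0-9-]+\.vpce\.amazonaws\.com$"
)


def streams_endpoint_url(vpce_dns_id: str, region: str, az: Optional[str] = None) -> str:
    """Regional (az=None) or Zonal endpoint URL for a DynamoDB Streams interface
    endpoint. vpce_dns_id is the ID part of the generated name, e.g. 'vpce-1a2b3c4d-5e6f'."""
    if az is not None and not az.startswith(region):
        # A Zonal name only makes sense for an AZ inside the endpoint's Region.
        raise ValueError(f"Availability Zone {az} is not in Region {region}")
    label = vpce_dns_id if az is None else f"{vpce_dns_id}-{az}"
    return f"https://{label}.{_STREAMS_HOST.format(region=region)}"


def is_interface_endpoint_url(url: str) -> bool:
    """True only for an endpoint-specific DNS name. The public
    streams.dynamodb.<region>.amazonaws.com host does not match, so a deployment
    check can catch a client that silently fell back to the public endpoint."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return _VPCE_HOST_RE.match(host) is not None


def make_streams_client(endpoint_url: str, region: str):
    """Hypothetical helper (not from the page): a boto3 DynamoDB Streams client
    pinned to the interface endpoint, with explicit connect/read timeouts and a
    bounded retry budget so endpoint connectivity failures surface as
    botocore exceptions the application can handle."""
    import boto3  # imported lazily so the URL helpers above run without the SDK
    from botocore.config import Config

    if not is_interface_endpoint_url(endpoint_url):
        raise ValueError(f"{endpoint_url} is not a DynamoDB Streams interface endpoint")
    cfg = Config(connect_timeout=5, read_timeout=10,
                 retries={"max_attempts": 3, "mode": "standard"})
    return boto3.client("dynamodbstreams", region_name=region,
                        endpoint_url=endpoint_url, config=cfg)
```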
Creating an Amazon VPC endpoint policy for DynamoDB Streams
You can attach an endpoint policy to your Amazon VPC endpoint that controls access to DynamoDB Streams. The policy specifies the following information:
-
The Amazon Identity and Access Management (IAM) principal that can perform actions
-
The actions that can be performed
-
The resources on which actions can be performed
Example: Restricting access to a specific stream from an Amazon VPC endpoint
You can create an endpoint policy that restricts access to only specific DynamoDB Streams.
This type of policy is useful if you have other Amazon Web Services services in your Amazon VPC that use DynamoDB Streams. The following endpoint policy restricts access to only the stream with label 2025-02-20T11:22:33.444 attached to the table DOC-EXAMPLE-TABLE. To use this endpoint policy, replace DOC-EXAMPLE-TABLE with the name of your table and 2025-02-20T11:22:33.444 with the label of your stream.
{
    "Version": "2012-10-17",
    "Id": "Policy1216114807515",
    "Statement": [
        {
            "Sid": "Access-to-specific-stream-only",
            "Principal": "*",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords"
            ],
            "Effect": "Allow",
            "Resource": ["arn:aws:dynamodb:*:*:table/DOC-EXAMPLE-TABLE/stream/2025-02-20T11:22:33.444"]
        }
    ]
}
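As an added example (not from the page), the following builds the endpoint policy above for a given stream ARN and includes a minimal Allow-only evaluator that shows what the restriction buys you: under the restricted policy a request for another table's stream, or a write action, is not matched and therefore falls through to the endpoint's default deny, whereas the overly broad Resource "*" variant lets any stream through. The evaluator handles only IAM-style * and ? wildcards in Allow statements; the account ID 111122223333 is a constructed placeholder.

```python
import json
import re
from typing import Dict, Iterable, List

# Read-only stream actions granted by the page's policy.
STREAM_ACTIONS = ["dynamodb:DescribeStream", "dynamodb:GetRecords"]


def stream_arn(region: str, account: str, table: str, label: str) -> str:
    """Stream ARN: arn:aws:dynamodb:<region>:<account>:table/<table>/stream/<label>."""
    return f"arn:aws:dynamodb:{region}:{account}:table/{table}/stream/{label}"


def endpoint_policy(stream_arns: Iterable[str]) -> Dict:
    """Endpoint policy allowing only the read-only stream actions on the given ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Access-to-specific-stream-only",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(STREAM_ACTIONS),
            "Resource": list(stream_arns),
        }],
    }


def _wildcard_match(pattern: str, value: str) -> bool:
    # IAM-style matching: '*' matches any run of characters, '?' one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v) -> List[str]:
    return v if isinstance(v, list) else [v]


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """True when some Allow statement matches both action and resource.
    Nothing is allowed by default, so an unmatched request is denied.
    Explicit Deny statements and Condition blocks are not modelled."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(_wildcard_match(a, action) for a in _as_list(st["Action"])) and \
           any(_wildcard_match(r, resource) for r in _as_list(st["Resource"])):
            return True
    return False


def policy_json(policy: Dict) -> str:
    """Serialized form suitable for the --policy-document parameter."""
    return json.dumps(policy, indent=4)
```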
Note
Gateway endpoints aren't supported in DynamoDB Streams.