Access Amazon Cloud Map using an interface endpoint (Amazon PrivateLink)
You can use Amazon PrivateLink to create a private connection between your VPC and Amazon Cloud Map. You can access Amazon Cloud Map as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to access Amazon Cloud Map.
You establish this private connection by creating an interface endpoint, powered by Amazon PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Amazon Cloud Map.
For more information, see Access Amazon Web Services services through Amazon PrivateLink in the Amazon PrivateLink Guide.
Considerations for Amazon Cloud Map
Before you set up an interface endpoint for Amazon Cloud Map, review Considerations in the Amazon PrivateLink Guide.
If your Amazon VPC doesn't have an internet gateway and your tasks use the awslogs log driver to send log information to CloudWatch Logs, you must create an interface VPC endpoint for CloudWatch Logs. For more information, see Using CloudWatch Logs with Interface VPC Endpoints in the Amazon CloudWatch Logs User Guide.
VPC endpoints don’t support Amazon cross-Region requests. Ensure that you create your endpoint in the same Region where you plan to issue your API calls to Amazon Cloud Map.
VPC endpoints only support Amazon-provided DNS through Amazon Route 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see DHCP Options Sets in the Amazon VPC User Guide.
The security group attached to the VPC endpoint must allow incoming TCP connections on port 443 from the private subnets (or the security groups) of the clients in your VPC that call Amazon Cloud Map. Scope the source of that rule to those clients rather than to 0.0.0.0/0; the endpoint network interfaces are reachable from anything the rule admits.
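The following check, added here as an example and not taken from the Amazon Cloud Map documentation, audits an endpoint's security group against that consideration: every client subnet must be allowed on 443, and no CIDR outside the VPC may be. The rule dictionaries use the IpPermissions shape that ec2.describe_security_groups returns; the CIDRs and rules are constructed sample values, not data from a real account.

```python
"""Audit the security group attached to an Amazon Cloud Map interface endpoint.

Added example, not from the Amazon Cloud Map documentation. Rule dicts use the
IpPermissions shape returned by ec2.describe_security_groups; the sample rules
and CIDRs below are constructed.
"""
import ipaddress

HTTPS_PORT = 443


def _covers_port(perm, port):
    """True if an IpPermissions entry includes TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" is "all traffic" in the EC2 API
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm):
    """Yield every CIDR source on a rule as an ip_network."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def audit_endpoint_sg(ip_permissions, vpc_cidr, client_subnet_cidrs):
    """Return (ok, findings) for the endpoint's security group.

    findings is a list of (level, message). ok is True only when there is no
    FAIL: every client subnet can reach 443 and no CIDR outside the VPC can.
    """
    vpc_net = ipaddress.ip_network(vpc_cidr)
    client_nets = [ipaddress.ip_network(c) for c in client_subnet_cidrs]
    findings = []
    covered = set()
    for perm in ip_permissions:
        if not _covers_port(perm, HTTPS_PORT):
            continue
        for src in _sources(perm):
            # Anything not contained in the VPC CIDR (0.0.0.0/0, a peer's
            # range, an IPv6 range when the VPC CIDR given is IPv4) is too broad.
            if src.version != vpc_net.version or not src.subnet_of(vpc_net):
                findings.append(("FAIL", f"443 reachable from {src}, outside the VPC {vpc_net}"))
            for net in client_nets:
                if net.version == src.version and net.subnet_of(src):
                    covered.add(net)
        for pair in perm.get("UserIdGroupPairs", []):
            # A security-group source is acceptable but cannot be mapped to a
            # subnet here; surface it for manual review instead of failing.
            findings.append(("INFO", f"443 allowed from security group {pair.get('GroupId')}"))
    for net in client_nets:
        if net not in covered:
            findings.append(("FAIL", f"client subnet {net} has no 443 ingress rule"))
    ok = all(level != "FAIL" for level, _ in findings)
    return ok, findings


# Constructed samples in the shape of
# ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]
WEAK_RULES = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
               "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]
GOOD_RULES = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
               "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"}],
               "UserIdGroupPairs": []}]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("good", GOOD_RULES)):
        ok, findings = audit_endpoint_sg(rules, "10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"])
        print(name, "ok" if ok else "FAIL", findings)
```

Run it against the IpPermissions of the group you attached to the endpoint (and the CIDRs of the subnets your callers live in); a 0.0.0.0/0 source on 443 is reported as a failure even though it technically satisfies the "allow 443" requirement.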
Create an interface endpoint for Amazon Cloud Map
You can create an interface endpoint for Amazon Cloud Map using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Create an interface endpoint in the Amazon PrivateLink Guide.
Create an interface endpoint for Amazon Cloud Map using the following service names:
com.amazonaws.region.servicediscovery
com.amazonaws.region.servicediscovery-fips
Note
The DiscoverInstances API won't be available over these two endpoints.
Create an interface endpoint for the Amazon Cloud Map data plane to access the DiscoverInstances API using the following service names:
com.amazonaws.region.data-servicediscovery
com.amazonaws.region.data-servicediscovery-fips
Note
You'll need to disable host prefix injection when you call DiscoverInstances with the regional or zonal VPCE DNS names for data plane endpoints. The Amazon CLI and Amazon SDKs prepend the service endpoint with various host prefixes when you call each API operation (for DiscoverInstances the prefix is data-), which produces invalid URLs when you specify a VPC endpoint.
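The following is an added example, not code from the Amazon Cloud Map documentation, that shows why the call fails and checks an endpoint host before you use it for DiscoverInstances. It assumes the SDK host prefix for DiscoverInstances is data- (the prefix that turns the public servicediscovery.region.amazonaws.com into data-servicediscovery.region.amazonaws.com), assumes the usual vpce-id-hash[-az].service.region.vpce.amazonaws.com form of interface endpoint DNS names, and uses constructed endpoint names rather than real ones. It also catches the earlier note's case of pointing DiscoverInstances at a control-plane (servicediscovery) endpoint.

```python
"""Check an endpoint host before sending DiscoverInstances through a VPC endpoint.

Added example, not from the Amazon Cloud Map documentation. Assumptions: the
SDK host prefix for DiscoverInstances is "data-"; VPCE DNS names have the
usual vpce-<id>-<hash>[-<az>].<service>.<region>.vpce.amazonaws.com form;
the endpoint names used in the test are constructed.
"""
import re

# Host prefix the SDK prepends for DiscoverInstances (assumption, see above).
DISCOVER_INSTANCES_HOST_PREFIX = "data-"

CONTROL_PLANE_SERVICES = {"servicediscovery", "servicediscovery-fips"}
DATA_PLANE_SERVICES = {"data-servicediscovery", "data-servicediscovery-fips"}

# Regional:  vpce-<id>-<hash>.<service>.<region>.vpce.amazonaws.com
# Zonal:     vpce-<id>-<hash>-<az>.<service>.<region>.vpce.amazonaws.com
VPCE_RE = re.compile(
    r"^vpce-[0-9a-f]+(?:-[a-z0-9-]+)?\.(?P<service>[a-z0-9-]+)\."
    r"(?P<region>[a-z0-9-]+)\.vpce\.amazonaws\.com$"
)


def sdk_target_host(endpoint_host, inject_host_prefix=True):
    """Host the SDK will actually connect to for a DiscoverInstances call."""
    if inject_host_prefix:
        return DISCOVER_INSTANCES_HOST_PREFIX + endpoint_host
    return endpoint_host


def check_dataplane_endpoint(endpoint_host, inject_host_prefix=True):
    """Return the problems with sending DiscoverInstances to endpoint_host.

    An empty list means the request will reach the host you configured.
    """
    problems = []
    m = VPCE_RE.match(endpoint_host)
    if m is None:
        # Public endpoint: here prefix injection is what builds the right
        # data-servicediscovery host, so there is nothing to flag.
        return problems
    service = m.group("service")
    if service in CONTROL_PLANE_SERVICES:
        problems.append(f"{service} is a control-plane endpoint; "
                        "DiscoverInstances is only served by data-servicediscovery")
    elif service not in DATA_PLANE_SERVICES:
        problems.append(f"{service} is not an Amazon Cloud Map service")
    if inject_host_prefix:
        # The prefixed name does not exist in DNS and is not your endpoint.
        problems.append("host prefix injection would send the request to "
                        f"{sdk_target_host(endpoint_host)}; disable it")
    return problems


if __name__ == "__main__":
    # Constructed endpoint name, not a real VPC endpoint.
    vpce = "vpce-0123456789abcdef0-abcd1234.data-servicediscovery.us-east-2.vpce.amazonaws.com"
    for inject in (True, False):
        print("inject_host_prefix =", inject, "->", sdk_target_host(vpce, inject))
        print("  problems:", check_dataplane_endpoint(vpce, inject))
```

With boto3 the switch is botocore.config.Config(inject_host_prefix=False), passed as config= together with endpoint_url="https://<your VPCE DNS name>" to boto3.client("servicediscovery", ...); other SDKs expose the same setting under their own names. Run the check against the endpoint URL you intend to configure before wiring it into a service, since the failure otherwise surfaces only as a DNS or connection error at call time.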
If you enable private DNS for the interface endpoint, you can make API requests to Amazon Cloud Map using its default Regional DNS name. For example, servicediscovery.us-east-1.amazonaws.com.
Interface VPC endpoints (Amazon PrivateLink) for Amazon Cloud Map are supported in every Region where Amazon Cloud Map is supported; however, not every Availability Zone in a Region supports interface endpoints, so check which Availability Zones are supported before you define the endpoint. To find out which Availability Zones support interface VPC endpoints in a Region, use the describe-vpc-endpoint-services command or the Amazon Web Services Management Console. For example, the following command returns the Availability Zones in which you can deploy an Amazon Cloud Map interface VPC endpoint in the US East (Ohio) Region:
aws --region us-east-2 ec2 describe-vpc-endpoint-services --query 'ServiceDetails[?ServiceName==`com.amazonaws.us-east-2.servicediscovery`].AvailabilityZones[]'