# Using Amazon CodeCommit with interface VPC endpoints
<a name="codecommit-and-interface-VPC"></a>

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a private connection between your VPC and CodeCommit. You can use this connection to enable CodeCommit to communicate with your resources on your VPC without going through the public internet.

Amazon VPC is an Amazon service that you can use to launch Amazon resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. With VPC endpoints, the routing between the VPC and Amazon services is handled by the Amazon network, and you can use IAM policies to control access to service resources.

To connect your VPC to CodeCommit, you define an *interface VPC endpoint* for CodeCommit. An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported Amazon service. The endpoint provides reliable, scalable connectivity to CodeCommit without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see [What Is Amazon VPC](https://docs.amazonaws.cn/vpc/latest/userguide/) in the *Amazon VPC User Guide*.

**Note**  
Other Amazon services that provide VPC support and integrate with CodeCommit, such as Amazon CodePipeline, might not support using Amazon VPC endpoints for that integration. For example, traffic between CodePipeline and CodeCommit cannot be restricted to the VPC subnet range. Services that do support integration, such as [Amazon Cloud9](setting-up-ide-c9.md), might require additional services such as Amazon Systems Manager.

Interface VPC endpoints are powered by Amazon PrivateLink, an Amazon technology that enables private communication between Amazon services using an elastic network interface with private IP addresses. For more information, see [Amazon PrivateLink](https://aws.amazon.com/privatelink/).

The following steps are for users of Amazon VPC. For more information, see [Getting Started](https://docs.amazonaws.cn/vpc/latest/userguide/GetStarted.html) in the *Amazon VPC User Guide*.

## Availability
<a name="codecommit-interface-VPC-availability"></a>

CodeCommit currently supports VPC endpoints in the following Amazon Web Services Regions:
+ US East (Ohio) 
+ US East (N. Virginia)
+ US West (N. California)
+ US West (Oregon)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Paris)
+ Europe (Frankfurt)
+ Europe (Stockholm)
+ Europe (Milan)
+ Africa (Cape Town)
+ Israel (Tel Aviv)
+ Asia Pacific (Tokyo)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Jakarta)
+ Middle East (UAE)
+ Asia Pacific (Seoul)
+ Asia Pacific (Osaka)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Hong Kong)
+ South America (São Paulo)
+ Middle East (Bahrain)
+ Canada (Central)
+ China (Beijing)
+ China (Ningxia)
+ Amazon GovCloud (US-West)
+ Amazon GovCloud (US-East)

## Create VPC endpoints for CodeCommit
<a name="create-vpc-endpoint-for-codecommit"></a>

To start using CodeCommit with your VPC, create an interface VPC endpoint for CodeCommit. CodeCommit requires separate endpoints for Git operations and for CodeCommit API operations. Depending on your business needs, you might need to create more than one VPC endpoint. When you create a VPC endpoint for CodeCommit, choose **Amazon Services**, and in **Service Name**, choose from the following options:
+ **com.amazonaws.*region*.git-codecommit**: Choose this option if you want to create a VPC endpoint for Git operations with CodeCommit repositories. For example, choose this option if your users use a Git client and commands such as `git pull`, `git commit`, and `git push` when they interact with CodeCommit repositories.
+ **com.amazonaws.*region*.git-codecommit-fips**: Choose this option if you want to create a VPC endpoint for Git operations with CodeCommit repositories that complies with the Federal Information Processing Standard (FIPS) Publication 140-2 US government standard.
**Note**  
FIPS endpoints for Git are not available in all Amazon Regions. For more information, see [Git connection endpoints](regions.md#regions-git).
+ **com.amazonaws.*region*.codecommit**: Choose this option if you want to create a VPC endpoint for CodeCommit API operations. For example, choose this option if your users use the Amazon CLI, the CodeCommit API, or the Amazon SDKs to interact with CodeCommit for operations such as `CreateRepository`, `ListRepositories`, and `PutFile`.
+ **com.amazonaws.*region*.codecommit-fips**: Choose this option if you want to create a VPC endpoint for CodeCommit API operations that complies with the Federal Information Processing Standard (FIPS) Publication 140-2 US government standard.
**Note**  
FIPS endpoints are not available in all Amazon Regions. For more information, see the entry for Amazon CodeCommit in [Federal Information Processing Standard (FIPS) 140-2 Overview](https://aws.amazon.com/compliance/fips/).
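The service names above follow a fixed pattern, so the two required endpoints (Git and API, each with an optional FIPS variant) can be derived from the Region and then checked against what a VPC already has. The following is an added example, not code from this guide or from Amazon: `service_name` builds the names exactly as listed above, `endpoint_request` assembles the parameters you would pass to the EC2 `CreateVpcEndpoint` API, and `missing_endpoints` reports which CodeCommit endpoints are absent from a `DescribeVpcEndpoints` result. Nothing here calls Amazon; the endpoint records are a constructed sample shaped like that API's output, and partition-specific prefixes (for example in the China Regions) are not modeled.

```python
"""Derive the CodeCommit interface-endpoint service names for a Region,
build the CreateVpcEndpoint request, and audit an existing VPC for them.
Added example (not the guide's or Amazon's code); runs offline on the
constructed sample below."""

GIT = "git-codecommit"   # Git operations: git pull / commit / push
API = "codecommit"       # API operations: CreateRepository, PutFile, ...


def service_name(region, kind=GIT, fips=False):
    """com.amazonaws.<region>.git-codecommit[-fips] or .codecommit[-fips]."""
    if kind not in (GIT, API):
        raise ValueError(f"unknown CodeCommit endpoint kind: {kind}")
    return f"com.amazonaws.{region}.{kind}" + ("-fips" if fips else "")


def endpoint_request(vpc_id, region, kind, subnet_ids, security_group_ids, fips=False):
    """Parameters for ec2.create_vpc_endpoint(**request).

    PrivateDnsEnabled makes the public CodeCommit hostnames resolve to the
    endpoint's private IPs inside the VPC, so Git remotes need no change."""
    return {
        "VpcId": vpc_id,
        "VpcEndpointType": "Interface",
        "ServiceName": service_name(region, kind, fips),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,
    }


def missing_endpoints(region, existing, fips=False):
    """Return the CodeCommit service names (Git and API) not yet present as
    available interface endpoints. `existing` is the VpcEndpoints list
    returned by describe_vpc_endpoints."""
    present = {
        e["ServiceName"]
        for e in existing
        if e.get("VpcEndpointType") == "Interface" and e.get("State") == "available"
    }
    wanted = {service_name(region, GIT, fips), service_name(region, API, fips)}
    return sorted(wanted - present)


# Constructed sample resembling describe_vpc_endpoints()["VpcEndpoints"]:
# this VPC has a Git endpoint and an S3 gateway endpoint, but no API endpoint.
SAMPLE_VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0example1", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-2.git-codecommit",
     "State": "available", "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0example2", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-2.s3", "State": "available"},
]

if __name__ == "__main__":
    print("missing:", missing_endpoints("us-east-2", SAMPLE_VPC_ENDPOINTS))
    print(endpoint_request("vpc-0example", "us-east-2", API,
                           ["subnet-0example"], ["sg-0example"]))
```

Because the Git and API endpoints are separate, an audit that only finds one of them is the common misconfiguration: Git clients work over the private path while CLI and SDK calls still leave through the internet gateway or NAT, or fail once that route is removed.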

## Create a VPC endpoint policy for CodeCommit
<a name="create-vpc-endpoint-policy-for-codecommit"></a>

You can create a policy for Amazon VPC endpoints for CodeCommit in which you can specify:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources that can have actions performed on them.

For example, a company might want to restrict access to repositories to the network address range for a VPC. You can view an example of this kind of policy here: [Example 3: Allow a user connecting from a specified IP address range access to a repository](customer-managed-policies.md#identity-based-policies-example-3). The company configured two Git VPC endpoints for the US East (Ohio) region: `com.amazonaws.us-east-2.codecommit` and `com.amazonaws.us-east-2.git-codecommit-fips`. They want to allow code pushes to a CodeCommit repository named *MyDemoRepo* only on the FIPS-compliant endpoint. To enforce this, they would configure a policy similar to the following on the `com.amazonaws.us-east-2.codecommit` endpoint that specifically denies Git push actions:

```
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Action": "codecommit:GitPush",
            "Effect": "Deny",
            "Resource": "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
            "Principal": "*"
        }
    ]
}
```

**Important**  
The global condition key `aws:VpcSourceIp` is not supported for CodeCommit repositories in IAM policies that govern `git push` commands.
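The policy above relies on the IAM rule that an explicit `Deny` overrides any `Allow`, so the broad first statement still lets every other CodeCommit action through the endpoint while pushes to *MyDemoRepo* are refused. The following is an added example, not code from this guide or from Amazon: a small evaluator that applies that rule to the policy shown above, using the same `123456789012` account and *MyDemoRepo* ARN as placeholders. It matches `Action`, `Resource` and `Principal` (with `*` and `?` wildcards, actions case-insensitively) and deliberately models no condition keys, in line with the note that `aws:VpcSourceIp` does not apply to `git push`.

```python
"""Apply IAM's deny-overrides-allow rule to a VPC endpoint policy.
Added example (not the guide's or Amazon's code); it handles only
Action / Resource / Principal matching, no Condition elements."""
import fnmatch
import json

# The endpoint policy from the guide; account ID and repository name are
# the placeholders used there.
ENDPOINT_POLICY = json.loads("""
{
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"},
        {"Action": "codecommit:GitPush", "Effect": "Deny",
         "Resource": "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
         "Principal": "*"}
    ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match: '*' and '?' are the only special characters."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    """'*' matches any caller; {"AWS": [...]} matches listed ARNs or '*'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" or p == caller_arn for p in _as_list(principal.get("AWS", [])))
    return False


def evaluate(policy, action, resource,
             caller_arn="arn:aws:iam::123456789012:user/developer"):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (nothing matched)."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny is final
        decision = "Allow"         # keep looking in case a later Deny applies
    return decision


DEMO_REPO = "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo"
OTHER_REPO = "arn:aws:codecommit:us-east-2:123456789012:OtherRepo"

if __name__ == "__main__":
    for act, res in [("codecommit:GitPush", DEMO_REPO),
                     ("codecommit:GitPull", DEMO_REPO),
                     ("codecommit:GitPush", OTHER_REPO)]:
        print(f"{act:22} {res.rsplit(':', 1)[1]:12} -> {evaluate(ENDPOINT_POLICY, act, res)}")
```

The same evaluator makes the limits of the policy visible: because the deny is scoped to one repository ARN, a push to any other repository through this endpoint is still allowed, and because endpoint policies have no notion of the caller's source network, the allow statement applies to every principal that can reach the endpoint. Restricting who can reach it is the job of the endpoint's security group and the identity-based policies of the callers.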

For more information, see [Creating an Interface Endpoint](https://docs.amazonaws.cn/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint.html) in the *Amazon VPC User Guide*.