
Use CodeDeploy with Amazon Virtual Private Cloud

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a private connection between your VPC and CodeDeploy. You can use this connection to enable CodeDeploy to communicate with your resources on your VPC without going through the public internet.

Amazon VPC is an Amazon service that you can use to launch Amazon resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. With VPC endpoints, the routing between the VPC and Amazon services is handled by the Amazon network, and you can use IAM policies to control access to service resources.

To connect your VPC to CodeDeploy, you define an interface VPC endpoint for CodeDeploy. An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported Amazon service. The endpoint provides reliable, scalable connectivity to CodeDeploy without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see What Is Amazon VPC in the Amazon VPC User Guide.

Interface VPC endpoints are powered by Amazon PrivateLink, an Amazon technology that enables private communication between Amazon services using an elastic network interface with private IP addresses. For more information, see Amazon PrivateLink.

The following steps are for users of Amazon VPC. For more information, see Getting Started in the Amazon VPC User Guide.

Availability

CodeDeploy has two VPC endpoints: one for CodeDeploy agent operations, and one for CodeDeploy API operations. The table below shows the supported Amazon Regions for each endpoint.

Region code      Region name                  Agent endpoint  API endpoint
us-east-1        US East (N. Virginia)        Yes             Yes
us-east-2        US East (Ohio)               Yes             Yes
us-gov-east-1    Amazon GovCloud (US-East)    No              No
us-gov-west-1    Amazon GovCloud (US-West)    No              No
us-west-1        US West (N. California)      Yes             Yes
us-west-2        US West (Oregon)             Yes             Yes
af-south-1       Africa (Cape Town)           Yes             No
ap-east-1        Asia Pacific (Hong Kong)     Yes             Yes
ap-northeast-1   Asia Pacific (Tokyo)         Yes             Yes
ap-northeast-2   Asia Pacific (Seoul)         Yes             Yes
ap-northeast-3   Asia Pacific (Osaka)         Yes             No
ap-south-1       Asia Pacific (Mumbai)        Yes             Yes
ap-southeast-1   Asia Pacific (Singapore)     Yes             Yes
ap-southeast-2   Asia Pacific (Sydney)        Yes             Yes
ap-southeast-3   Asia Pacific (Jakarta)       No              No
ca-central-1     Canada (Central)             Yes             Yes
eu-central-1     Europe (Frankfurt)           Yes             Yes
eu-north-1       Europe (Stockholm)           Yes             Yes
eu-west-1        Europe (Ireland)             Yes             Yes
eu-west-2        Europe (London)              Yes             Yes
eu-west-3        Europe (Paris)               Yes             Yes
eu-south-1       Europe (Milan)               Yes             No
me-south-1       Middle East (Bahrain)        Yes             Yes
sa-east-1        South America (São Paulo)    Yes             Yes
cn-north-1       China (Beijing)              Yes             No
cn-northwest-1   China (Ningxia)              Yes             No

Create VPC endpoints for CodeDeploy

To start using CodeDeploy with your VPC, create an interface VPC endpoint for CodeDeploy. CodeDeploy requires separate endpoints for agent operations and for CodeDeploy API operations, so depending on your deployment platform you might need to create more than one VPC endpoint. When you create a VPC endpoint for CodeDeploy, choose Amazon Services, and in Service Name, choose from the following options:

  • com.amazonaws.region.codedeploy: Choose this option if you want to create a VPC endpoint for CodeDeploy API operations. For example, choose this option if your users use the Amazon CLI, the CodeDeploy API, or the Amazon SDKs to interact with CodeDeploy for operations such as CreateApplication, GetDeployment, and ListDeploymentGroups.

  • com.amazonaws.region.codedeploy-commands-secure: Choose this option if you want to create a VPC endpoint for CodeDeploy agent operations. You will also need to set :enable_auth_policy: to true in your agent configuration file and attach the required permissions. For more information, see Configure the CodeDeploy agent and IAM permissions.

If you are using Lambda or ECS deployments, you only need to create a VPC endpoint for com.amazonaws.region.codedeploy. Customers using Amazon EC2 deployments will need VPC endpoints for both com.amazonaws.region.codedeploy and com.amazonaws.region.codedeploy-commands-secure.

Configure the CodeDeploy agent and IAM permissions

To use Amazon VPC endpoints with CodeDeploy, you must set the value of :enable_auth_policy: to true in the agent configuration file located on your EC2 or on-premises instances. For more information on the agent configuration file, see CodeDeploy agent configuration reference.

You must also add the following IAM permissions to your Amazon EC2 instance profile, or to the IAM user or role if you are using on-premises instances.

    {
      "Statement": [
        {
          "Action": [
            "codedeploy-commands-secure:GetDeploymentSpecification",
            "codedeploy-commands-secure:PollHostCommand",
            "codedeploy-commands-secure:PutHostCommandAcknowledgement",
            "codedeploy-commands-secure:PutHostCommandComplete"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }
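The following preflight check is an added example (not part of the CodeDeploy documentation or the agent's own code): it computes which endpoint service names a deployment platform needs, verifies that the agent configuration sets :enable_auth_policy: to true, and checks an instance-profile policy document for the four codedeploy-commands-secure actions above, honouring IAM action wildcards. The platform names, the sample agent config and the incomplete policy are constructed for the example.

```python
import fnmatch
import re

# Actions the CodeDeploy agent calls through the codedeploy-commands-secure endpoint
# (the four actions from the IAM policy on this page).
AGENT_ACTIONS = (
    "codedeploy-commands-secure:GetDeploymentSpecification",
    "codedeploy-commands-secure:PollHostCommand",
    "codedeploy-commands-secure:PutHostCommandAcknowledgement",
    "codedeploy-commands-secure:PutHostCommandComplete",
)

def required_services(platform, region):
    """Endpoint service names to create: the API endpoint always, the agent endpoint only for EC2/on-premises."""
    services = ["com.amazonaws.%s.codedeploy" % region]
    if platform.lower() in ("ec2", "on-premises"):  # platform labels are assumed for this example
        services.append("com.amazonaws.%s.codedeploy-commands-secure" % region)
    return services

def auth_policy_enabled(agent_config):
    """True only if the agent configuration file sets ':enable_auth_policy: true'."""
    match = re.search(r"^\s*:enable_auth_policy:\s*(\S+)\s*$", agent_config, re.M)
    return match is not None and match.group(1).lower() == "true"

def missing_agent_actions(policy):
    """AGENT_ACTIONS not granted by an Allow statement, or blocked by a Deny (IAM wildcards honoured)."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in actions:
            bucket.update(a for a in AGENT_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return [a for a in AGENT_ACTIONS if a not in allowed or a in denied]

def preflight(platform, region, agent_config, policy):
    """Findings that would stop an agent-based deployment over the endpoints; an empty list means ready."""
    findings = []
    if len(required_services(platform, region)) == 2:  # agent endpoint in use
        if not auth_policy_enabled(agent_config):
            findings.append("agent config must set :enable_auth_policy: true")
        findings += ["role lacks " + a for a in missing_agent_actions(policy)]
    return findings

# Constructed sample inputs: an agent config that leaves the flag off and a policy
# that grants only two of the four actions.
SAMPLE_AGENT_CONFIG = ":log_dir: '/var/log/aws/codedeploy-agent/'\n:enable_auth_policy: false\n"
INCOMPLETE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "codedeploy-commands-secure:GetDeploymentSpecification",
    "codedeploy-commands-secure:PollHostCommand"]}]}

if __name__ == "__main__":
    for finding in preflight("EC2", "us-east-1", SAMPLE_AGENT_CONFIG, INCOMPLETE_POLICY):
        print("FINDING:", finding)
```

Run against the constructed inputs, the check reports the disabled flag and the two actions the policy omits; a Lambda or ECS deployment in the same region needs only the API endpoint and produces no findings.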

For more information, see Creating an Interface Endpoint in the Amazon VPC User Guide.