Use CodePipeline with Amazon Virtual Private Cloud - Amazon CodePipeline
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Use CodePipeline with Amazon Virtual Private Cloud

Amazon CodePipeline now supports Amazon Virtual Private Cloud (Amazon VPC) endpoints powered by Amazon PrivateLink. This means you can connect directly to CodePipeline through a private endpoint in your VPC, keeping all traffic inside your VPC and the Amazon network.

Amazon VPC is an Amazon Web Service that you can use to launch Amazon resources in a virtual network that you define. With a VPC, you have control over your network settings, such as:

  • IP address range

  • Subnets

  • Route tables

  • Network gateways

Interface VPC endpoints are powered by Amazon PrivateLink, an Amazon technology that facilitates private communication between Amazon Web Services using an elastic network interface with private IP addresses. To connect your VPC to CodePipeline, you define an interface VPC endpoint for CodePipeline. This type of endpoint makes it possible for you to connect your VPC to Amazon Web Services. The endpoint provides reliable, scalable connectivity to CodePipeline without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For information about setting up a VPC, see the VPC User Guide.


CodePipeline currently supports VPC endpoints in the following Amazon Web Services Regions:

  • US East (Ohio)

  • US East (N. Virginia)

  • US West (N. California)

  • US West (Oregon)

  • Canada (Central)

  • Europe (Frankfurt)

  • Europe (Ireland)

  • Europe (London)

  • Europe (Milan)*

  • Europe (Paris)

  • Europe (Stockholm)

  • Asia Pacific (Hong Kong)*

  • Asia Pacific (Mumbai)

  • Asia Pacific (Tokyo)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • South America (São Paulo)

  • Amazon GovCloud (US-West)

* You must enable this Region before you can use it.

Create a VPC endpoint for CodePipeline

You can use the Amazon VPC console to create the com.amazonaws.region.codepipeline VPC endpoint. In the console, region is the Region identifier for an Amazon Web Services Region supported by CodePipeline, such as us-east-2 for the US East (Ohio) Region. For more information, see Creating an Interface Endpoint in the Amazon VPC User Guide.

The endpoint is prepopulated with the Region you specified when you signed in to Amazon. If you sign in to another Region, the VPC endpoint is updated with the new Region.


Other Amazon Web Services that provide VPC support and integrate with CodePipeline, such as CodeCommit, might not support using Amazon VPC endpoints for that integration. For example, traffic between CodePipeline and CodeCommit cannot be restricted to the VPC subnet range.

Troubleshooting your VPC setup

When troubleshooting VPC issues, use the information that appears in internet connectivity error messages to help you identify, diagnose, and address issues.

  1. Make sure that your internet gateway is attached to your VPC.

  2. Make sure that the route table for your public subnet points to the internet gateway.

  3. Make sure that your network ACLs allow traffic to flow.

  4. Make sure that your security groups allow traffic to flow.

  5. Make sure that the route table for private subnets points to the virtual private gateway.

  6. Make sure that the service role used by CodePipeline has the appropriate permissions. For example, if CodePipeline does not have the Amazon EC2 permissions required to work with an Amazon VPC, you might receive an error that says, "Unexpected EC2 error: UnauthorizedOperation."
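
The routing checks in steps 1, 2, and 5 can be run offline against saved output of the EC2 DescribeInternetGateways and DescribeRouteTables calls. The following is an added example, not part of the original documentation; the function names and all resource IDs are constructed for illustration. It also handles subnets with no explicit route table association, which fall back to the VPC's main route table.

```python
# Added example: offline checks for troubleshooting steps 1, 2 and 5.
# Inputs follow the shape of the EC2 DescribeInternetGateways and
# DescribeRouteTables responses. All IDs below are constructed samples.

def igw_for_vpc(igws, vpc_id):
    """Step 1: ID of an internet gateway attached to vpc_id, or None."""
    for igw in igws:
        for att in igw.get("Attachments", []):
            # EC2 reports a live internet gateway attachment as "available".
            if att.get("VpcId") == vpc_id and att.get("State") in ("available", "attached"):
                return igw["InternetGatewayId"]
    return None

def table_for_subnet(tables, vpc_id, subnet_id):
    """Explicitly associated route table, else the VPC's main route table."""
    main = None
    for rt in (t for t in tables if t.get("VpcId") == vpc_id):
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def routes_via(rt, prefix):
    """True if rt has an active route whose gateway ID starts with prefix."""
    return rt is not None and any(
        (r.get("GatewayId") or "").startswith(prefix) and r.get("State") == "active"
        for r in rt.get("Routes", []))

def check_vpc(vpc_id, igws, tables, public_subnets, private_subnets):
    """Return one finding string per failed check; an empty list means all passed."""
    findings = []
    if igw_for_vpc(igws, vpc_id) is None:
        findings.append(f"step 1: no internet gateway attached to {vpc_id}")
    for kind, step, prefix, subnets in (("public", 2, "igw-", public_subnets),
                                        ("private", 5, "vgw-", private_subnets)):
        for s in subnets:
            if not routes_via(table_for_subnet(tables, vpc_id, s), prefix):
                findings.append(f"step {step}: {kind} subnet {s} has no active {prefix} route")
    return findings

IGWS = [{"InternetGatewayId": "igw-0aaa", "Attachments": [{"VpcId": "vpc-0aaa", "State": "available"}]}]
TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0aaa", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-pub", "VpcId": "vpc-0aaa", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"}]},
    {"RouteTableId": "rtb-vpn", "VpcId": "vpc-0aaa", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "vgw-0aaa", "State": "active"}]},
]
```

With the sample data, check_vpc("vpc-0aaa", IGWS, TABLES, ["subnet-pub"], ["subnet-priv-a", "subnet-priv-b"]) reports only subnet-priv-a, which inherits the main route table and has no route to the virtual private gateway.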