Amazon Directory Service API and interface Amazon VPC endpoints using Amazon PrivateLink - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Directory Service API and interface Amazon VPC endpoints using Amazon PrivateLink

You can use Amazon PrivateLink to create a private connection between your VPC and the Amazon Directory Service and Directory Service Data APIs. This lets you access the Amazon Directory Service and Directory Service Data APIs as if they were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your Amazon VPC don't require public IP addresses to access the Amazon Directory Service and Directory Service Data APIs.

To establish a private connection, you create an interface Amazon VPC endpoint that Amazon PrivateLink powers. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces, which serve as the entry point for traffic that's destined for Amazon Directory Service and Amazon Directory Service Data.

For more information, see Access Amazon Web Services services through Amazon PrivateLink in the Amazon PrivateLink Guide.

Considerations for Amazon Directory Service and Directory Service Data

With Amazon Directory Service and Directory Service Data, you can call API actions through interface endpoints. For information about the prerequisites you'll need to consider before creating an interface endpoint, see Access an Amazon Web Services service using an interface Amazon VPC endpoint in the Amazon PrivateLink Guide.

Amazon Directory Service and Directory Service Data Availability

Amazon Directory Service supports interface endpoints in the following Amazon Web Services Regions:

  • US East (N. Virginia)

  • Amazon GovCloud (US-East)

  • Amazon GovCloud (US-West)

Directory Service Data supports interface endpoints in all Amazon Web Services Regions where it's available. For information about the Amazon Web Services Regions that support Amazon Directory Service and Directory Service Data, see Region availability for Amazon Directory Service.

Create an interface Amazon VPC endpoint for Amazon Directory Service and Directory Service Data

You can create an interface endpoint for Amazon Directory Service and Directory Service Data APIs using the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI).

Example: Amazon Directory Service

Create an interface endpoint for Amazon Directory Service APIs using the following service name:

com.amazonaws.region.ds

Example: Directory Service Data

Create an interface endpoint for Directory Service Data APIs using the following service name:

com.amazonaws.region.ds-data

For more information about creating an interface endpoint, see Access an Amazon Web Services service using an interface Amazon VPC endpoint in the Amazon PrivateLink Guide.

Create an Amazon VPC endpoint policy for your interface Amazon VPC endpoint

An endpoint policy is an IAM resource policy that you attach to an interface endpoint.

Note

If you don't attach an endpoint policy to your interface endpoint, Amazon PrivateLink attaches a default endpoint policy to your interface endpoint on your behalf. For more information, see Amazon PrivateLink concepts.

An endpoint policy specifies the following information:

  • The principals (Amazon Web Services accounts, IAM users, and IAM roles) that can perform actions

  • The actions that can be performed

  • The resources on which the actions can be performed

For more information, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.

You can control access to APIs from your Amazon VPC by attaching a custom endpoint policy to your interface endpoint.

Example: Amazon VPC endpoint policy for Amazon Directory Service API actions

The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Amazon Directory Service actions for all principals on all resources.

Replace action-1, action-2, and action-3 with the required permissions for the Amazon Directory Service APIs that you want to include in your policy. For a full list, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.

{ "Statement": [ { "Principal": "*", "Effect": "Allow", "Action": [ "ds:action-1", "ds:action-2", "ds:action-3" ], "Resource":"*" } ] }
Example: Amazon VPC endpoint policy for Directory Service Data API actions

The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Directory Service Data actions for all principals on all resources.

Replace action-1, action-2, and action-3 with the required permissions for the Directory Service Data APIs that you want to include in your policy. For a full list, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.

{ "Statement": [ { "Principal": "*", "Effect": "Allow", "Action": [ "ds-data:action-1", "ds-data:action-2", "ds-data:action-3" ], "Resource":"*" } ] }