Amazon Directory Service API and interface Amazon VPC endpoints using Amazon PrivateLink
You can use Amazon PrivateLink to create a private connection between your VPC and the Amazon Directory Service and Directory Service Data APIs. This lets you access the Amazon Directory Service and Directory Service Data APIs as if they were in your VPC, without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your Amazon VPC don't require public IP addresses to access the Amazon Directory Service and Directory Service Data APIs.
To establish a private connection, you create an interface Amazon VPC endpoint that Amazon PrivateLink powers. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces, which serve as the entry point for traffic that's destined for Amazon Directory Service and Amazon Directory Service Data.
For more information, see Access Amazon Web Services services through Amazon PrivateLink in the Amazon PrivateLink Guide.
Considerations for Amazon Directory Service and Directory Service Data
With Amazon Directory Service and Directory Service Data, you can call API actions through interface endpoints. For information about the prerequisites you'll need to consider before creating an interface endpoint, see Access an Amazon Web Services service using an interface Amazon VPC endpoint in the Amazon PrivateLink Guide.
Amazon Directory Service and Directory Service Data Availability
Amazon Directory Service supports interface endpoints in the following Amazon Web Services Regions:
- US East (N. Virginia)
- Amazon GovCloud (US-East)
- Amazon GovCloud (US-West)
Directory Service Data supports interface endpoints in all Amazon Web Services Regions where it's available. For information about the Amazon Web Services Regions that support Amazon Directory Service and Directory Service Data, see Region availability for Amazon Directory Service.
Create an interface Amazon VPC endpoint for Amazon Directory Service and Directory Service Data
You can create an interface endpoint for Amazon Directory Service and Directory Service Data APIs using the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI).
Example: Amazon Directory Service
Create an interface endpoint for Amazon Directory Service APIs using the following service name:
com.amazonaws.region.ds
Example: Directory Service Data
Create an interface endpoint for Directory Service Data APIs using the following service name:
com.amazonaws.region.ds-data
For more information about creating an interface endpoint, see Access an Amazon Web Services service using an interface Amazon VPC endpoint in the Amazon PrivateLink Guide.
Create an Amazon VPC endpoint policy for your interface Amazon VPC endpoint
An endpoint policy is an IAM resource policy that you attach to an interface endpoint.
Note
If you don't attach an endpoint policy to your interface endpoint, Amazon PrivateLink attaches a default endpoint policy to your interface endpoint on your behalf. For more information, see Amazon PrivateLink concepts.
An endpoint policy specifies the following information:
- The principals (Amazon Web Services accounts, IAM users, and IAM roles) that can perform actions
- The actions that can be performed
- The resources on which the actions can be performed
For more information, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.
You can control access to APIs from your Amazon VPC by attaching a custom endpoint policy to your interface endpoint.
Example: Amazon VPC endpoint policy for Amazon Directory Service API actions
The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Amazon Directory Service actions for all principals on all resources.
Replace action-1, action-2, and action-3 with the required permissions for the Amazon Directory Service APIs that you want to include in your policy. For a full list, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "ds:action-1",
        "ds:action-2",
        "ds:action-3"
      ],
      "Resource": "*"
    }
  ]
}
Example: Amazon VPC endpoint policy for Directory Service Data API actions
The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Directory Service Data actions for all principals on all resources.
Replace action-1, action-2, and action-3 with the required permissions for the Directory Service Data APIs that you want to include in your policy. For a full list, see Amazon Directory Service API permissions: Actions, resources, and conditions reference.
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "ds-data:action-1",
        "ds-data:action-2",
        "ds-data:action-3"
      ],
      "Resource": "*"
    }
  ]
}
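The following Python helper is an added example that ties the two parts of this page together (the service-name format from "Create an interface Amazon VPC endpoint" and the endpoint policies above); it is not code from the AWS documentation or from AWS itself. It builds the com.amazonaws.region.ds / com.amazonaws.region.ds-data service name, rejects a "ds" endpoint in a Region the page does not list, builds the endpoint policy in the shape shown above while checking that every action carries the prefix of the service the endpoint actually fronts (an action with the wrong prefix never matches a request through that endpoint, so the grant is silently dead), and assembles the matching aws ec2 create-vpc-endpoint call. Assumptions made here: the Region codes us-east-1, us-gov-east-1 and us-gov-west-1 for the three Regions listed on the page; the sample action names and resource IDs are constructed; and the optional aws:PrincipalAccount condition is one way to narrow the page's "all principals" statement to a single account, shown as an option rather than as something the page prescribes.

```python
# Added example, not from the AWS documentation page: build the PrivateLink
# service name and a custom endpoint policy for the ds / ds-data interface
# endpoints, then assemble the matching `aws ec2 create-vpc-endpoint` call.
import json
import shlex

# Regions in which Amazon Directory Service (prefix "ds") supports interface
# endpoints, per the page (codes for the listed Regions are an assumption).
# "ds-data" is offered wherever Directory Service Data exists, so it is not
# restricted here.
DS_INTERFACE_ENDPOINT_REGIONS = frozenset({"us-east-1", "us-gov-east-1", "us-gov-west-1"})
SERVICES = ("ds", "ds-data")


def service_name(service, region):
    """Return the interface endpoint service name, e.g. com.amazonaws.us-east-1.ds."""
    if service not in SERVICES:
        raise ValueError(f"unknown service prefix {service!r}; expected one of {SERVICES}")
    if service == "ds" and region not in DS_INTERFACE_ENDPOINT_REGIONS:
        raise ValueError(f"Directory Service interface endpoints are not offered in {region}")
    return f"com.amazonaws.{region}.{service}"


def endpoint_policy(service, actions, principal_account=None):
    """Build the policy shape shown on the page: Allow the listed actions for all
    principals on all resources. Each action must use the prefix of the service
    the endpoint fronts; a "ds-data:" action on a "ds" endpoint can never match.
    If principal_account is given, the statement is narrowed with the
    aws:PrincipalAccount condition key (an option chosen for this example)."""
    if service not in SERVICES:
        raise ValueError(f"unknown service prefix {service!r}; expected one of {SERVICES}")
    if not actions:
        raise ValueError("an endpoint policy needs at least one action")
    for action in actions:
        prefix, _, name = action.partition(":")
        if prefix != service or not name:
            raise ValueError(f"action {action!r} does not belong to the {service!r} endpoint")
    statement = {
        "Principal": "*",
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": "*",
    }
    if principal_account is not None:
        statement["Condition"] = {"StringEquals": {"aws:PrincipalAccount": principal_account}}
    return {"Statement": [statement]}


def create_endpoint_argv(service, region, vpc_id, subnet_ids, security_group_ids, policy):
    """Return argv for the AWS CLI call that creates the interface endpoint
    with the policy attached (all flags are real create-vpc-endpoint options)."""
    return [
        "aws", "ec2", "create-vpc-endpoint",
        "--vpc-endpoint-type", "Interface",
        "--vpc-id", vpc_id,
        "--service-name", service_name(service, region),
        "--subnet-ids", *subnet_ids,
        "--security-group-ids", *security_group_ids,
        "--private-dns-enabled",
        "--policy-document", json.dumps(policy),
    ]


if __name__ == "__main__":
    # Constructed sample action names and resource IDs; replace with your own.
    policy = endpoint_policy(
        "ds-data",
        ["ds-data:DescribeUser", "ds-data:ListUsers"],
        principal_account="111122223333",
    )
    argv = create_endpoint_argv(
        "ds-data", "us-east-1", "vpc-0123456789abcdef0",
        ["subnet-0123456789abcdef0"], ["sg-0123456789abcdef0"], policy,
    )
    print(shlex.join(argv))
```

Running the module prints a single shell-safe command line that you can paste into the Amazon CLI; the policy JSON is passed inline through --policy-document, so the endpoint is created with the custom policy from the start rather than running under the default policy PrivateLink would otherwise attach.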