

# Amazon Directory Service API and interface Amazon VPC endpoints using Amazon PrivateLink
<a name="vpc-interface-endpoints"></a>

 You can use Amazon PrivateLink to create a private connection between your VPC and the Amazon Directory Service and Directory Service Data APIs. This lets you access the Amazon Directory Service and Directory Service Data APIs as if they were in your VPC, without using an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your Amazon VPC don't require public IP addresses to access the Amazon Directory Service and Directory Service Data APIs. 

 To establish a private connection, you create an interface Amazon VPC endpoint that Amazon PrivateLink powers. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces, which serve as the entry point for traffic that's destined for Amazon Directory Service and Amazon Directory Service Data. 

 For more information, see [Access Amazon Web Services services through Amazon PrivateLink](https://docs.amazonaws.cn/vpc/latest/privatelink/privatelink-access-aws-services.html) in the *Amazon PrivateLink Guide*. 

## Considerations for Amazon Directory Service and Directory Service Data
<a name="vpc-endpoint-considerations"></a>

 With Amazon Directory Service and Directory Service Data, you can call API actions through interface endpoints. For information about the prerequisites you will need to consider before creating an interface endpoint, see [Access an Amazon Web Services service using an interface Amazon VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints) in the *Amazon PrivateLink Guide*. 

## Amazon Directory Service and Directory Service Data Availability
<a name="vpc-endpoint-availability"></a>

 Amazon Directory Service and Directory Service Data support interface endpoints in all Amazon Web Services Regions where they're available. For information about the Amazon Web Services Regions that support Amazon Directory Service and Directory Service Data, see [Region availability for Amazon Directory Service](https://docs.amazonaws.cn/directoryservice/latest/admin-guide/regions.html). 

## Create an interface Amazon VPC endpoint for Amazon Directory Service and Directory Service Data
<a name="vpc-endpoint-create"></a>

 You can create an interface endpoint for Amazon Directory Service and Directory Service Data APIs using the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). 

**Example: Amazon Directory Service**  
 Create an interface endpoint for Amazon Directory Service APIs using the following service name: 

```
com.amazonaws.region.ds
```

**Example: Directory Service Data**  
 Create an interface endpoint for Directory Service Data APIs using the following service name: 

```
com.amazonaws.region.ds-data
```

 For more information about creating an interface endpoint, see [Access an Amazon Web Services service using an interface Amazon VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html#considerations-interface-endpoints) in the *Amazon PrivateLink Guide*. 
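The following POSIX shell script is an added example for this page, not code from the Amazon Directory Service guide. It builds the service name shown above from a Region code (rejecting input that does not look like a Region, so a typo cannot become a request for a non-existent service), then creates the endpoint with the AWS CLI's `aws ec2 create-vpc-endpoint` and lists its state with `aws ec2 describe-vpc-endpoints`. It assumes the AWS CLI is installed with credentials that allow those two EC2 actions; the VPC, subnet and security group IDs in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example for this page; it is not code from the Amazon Directory Service
# guide. Assumes the AWS CLI (aws) is installed with credentials that allow
# ec2:CreateVpcEndpoint and ec2:DescribeVpcEndpoints. All IDs passed on the
# command line are placeholders you supply; none are from the guide.
set -eu

# Build the PrivateLink service name for a Region.
#   $1 = Region code (e.g. us-east-1 or cn-north-1)
#   $2 = "ds" for Directory Service APIs, "ds-data" for Directory Service Data APIs
ds_service_name() {
    region=$1
    api=${2:-ds}
    case "$api" in
        ds|ds-data) ;;
        *) echo "unknown API suffix '$api' (use ds or ds-data)" >&2; return 1 ;;
    esac
    # Reject input that does not look like a Region code, so a typo cannot
    # turn into an endpoint request for a service name that does not exist.
    case "$region" in
        [a-z][a-z]-*-[0-9]) ;;
        *) echo "invalid Region code '$region'" >&2; return 1 ;;
    esac
    printf 'com.amazonaws.%s.%s\n' "$region" "$api"
}

# Create the interface endpoint in the given subnets. --private-dns-enabled makes
# the service's regional API hostname resolve to the endpoint network interfaces
# inside the VPC, so existing SDK/CLI clients switch to PrivateLink with no
# configuration change (the VPC must have DNS hostnames and DNS support enabled).
#   $1 = Region, $2 = VPC ID, $3 = space-separated subnet IDs,
#   $4 = security group ID, $5 = ds | ds-data
create_ds_endpoint() {
    region=$1; vpc_id=$2; subnet_ids=$3; sg_id=$4; api=${5:-ds}
    service=$(ds_service_name "$region" "$api")
    # $subnet_ids is intentionally unquoted so each ID becomes its own argument
    aws ec2 create-vpc-endpoint \
        --region "$region" \
        --vpc-id "$vpc_id" \
        --vpc-endpoint-type Interface \
        --service-name "$service" \
        --subnet-ids $subnet_ids \
        --security-group-ids "$sg_id" \
        --private-dns-enabled \
        --query 'VpcEndpoint.VpcEndpointId' --output text
}

# List endpoints for the service and their state; a new endpoint stays
# "pending" until the endpoint network interfaces are provisioned.
describe_ds_endpoints() {
    region=$1; api=${2:-ds}
    aws ec2 describe-vpc-endpoints \
        --region "$region" \
        --filters "Name=service-name,Values=$(ds_service_name "$region" "$api")" \
        --query 'VpcEndpoints[].[VpcEndpointId,State,PrivateDnsEnabled]' --output table
}

# Stand-alone usage (placeholder IDs, constructed for this example):
#   sh ds-endpoint.sh us-east-1 vpc-0123456789abcdef0 "subnet-0a subnet-0b" sg-0c ds
if [ $# -ge 4 ]; then
    vpce_id=$(create_ds_endpoint "$1" "$2" "$3" "$4" "${5:-ds}")
    echo "created $vpce_id"
    describe_ds_endpoints "$1" "${5:-ds}"
fi
```

The security group you pass is what limits which instances in the VPC can reach the endpoint network interfaces at all; it should allow inbound HTTPS (TCP 443) only from the subnets or security groups that need the Directory Service APIs.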

## Create an Amazon VPC endpoint policy for your interface Amazon VPC endpoint
<a name="vpc-endpoint-policy"></a>

 An endpoint policy is an IAM resource policy that you attach to an interface endpoint. 

**Note**  
 If you don't attach an endpoint policy to your interface endpoint, Amazon PrivateLink attaches a default endpoint policy to your interface endpoint on your behalf. For more information, see [Amazon PrivateLink concepts](https://docs.amazonaws.cn/vpc/latest/privatelink/concepts.html). 

An endpoint policy specifies the following information:
+  The principals (Amazon Web Services accounts, IAM users, and IAM roles) that can perform actions 
+  The actions that can be performed 
+  The resources on which the actions can be performed 

 For more information, see [Control access to services using endpoint policies](https://docs.amazonaws.cn/vpc/latest/privatelink/vpc-endpoints-access.html) in the *Amazon PrivateLink Guide*. 

 You can control access to APIs from your Amazon VPC by attaching a custom endpoint policy to your interface endpoint. 

**Example: Amazon VPC endpoint policy for Amazon Directory Service API actions**  
 The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Amazon Directory Service actions for all principals on all resources. 

 Replace *action-1*, *action-2*, and *action-3* with the required permissions for the Amazon Directory Service APIs that you want to include in your policy. For a full list, see [Amazon Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). 

```
{
   "Statement": [
      {
         "Principal": "*",
         "Effect": "Allow",
         "Action": [
            "ds:action-1",
            "ds:action-2",
            "ds:action-3"
         ],
         "Resource":"*"
      }
   ]
}
```

**Example: Amazon VPC endpoint policy for Directory Service Data API actions**  
 The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed Directory Service Data actions for all principals on all resources. 

 Replace *action-1*, *action-2*, and *action-3* with the required permissions for the Directory Service Data APIs that you want to include in your policy. For a full list, see [Amazon Directory Service API permissions: Actions, resources, and conditions reference](UsingWithDS_IAM_ResourcePermissions.md). 

```
{
   "Statement": [
      {
         "Principal": "*",
         "Effect": "Allow",
         "Action": [
            "ds-data:action-1",
            "ds-data:action-2",
            "ds-data:action-3"
         ],
         "Resource":"*"
      }
   ]
}
```
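The two policy templates above allow the listed actions for all principals on all resources. As an added example, not from the guide, the following POSIX shell script generates a policy in the same shape but with two tightenings a reviewer would ask for: every action must be named explicitly (a `ds:*` or `*` wildcard is rejected), and the `"Principal": "*"` grant is limited with the `aws:PrincipalAccount` global condition key so that credentials from another account used inside the VPC cannot reach the API through this endpoint. It then attaches the policy with `aws ec2 modify-vpc-endpoint --policy-document`. The account ID `111122223333`, the endpoint ID in the usage comment, and the action names in the comments are placeholders constructed for the example; the script assumes the AWS CLI is installed with permission for `ec2:ModifyVpcEndpoint`.

```shell
#!/bin/sh
# Added example for this page; it is not code from the Amazon Directory Service
# guide. Assumes the AWS CLI (aws) is installed with credentials allowing
# ec2:ModifyVpcEndpoint. The account ID and endpoint ID are placeholders.
set -eu

# Write an endpoint policy that keeps the guide's shape (Allow, Resource "*")
# but tightens two things in the page's template:
#   * only explicitly named actions are allowed, never a "ds:*" wildcard
#   * the Principal "*" grant is limited by aws:PrincipalAccount, so credentials
#     from another account used inside the VPC cannot reach the API through it
#   $1 = output file, $2 = 12-digit account ID, $3 = ds | ds-data,
#   $4.. = action names without the service prefix (e.g. DescribeDirectories)
write_ds_endpoint_policy() {
    out=$1; account_id=$2; prefix=$3; shift 3
    case "$account_id" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "account ID must be 12 digits: '$account_id'" >&2; return 1 ;;
    esac
    case "$prefix" in
        ds|ds-data) ;;
        *) echo "prefix must be ds or ds-data: '$prefix'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one action is required" >&2; return 1; }
    actions=""
    for a in "$@"; do
        # Action names are alphanumeric; this also rejects "*" and "ds:*".
        case "$a" in
            ''|*[!A-Za-z0-9]*) echo "rejected action '$a'" >&2; return 1 ;;
        esac
        actions="$actions${actions:+, }\"$prefix:$a\""
    done
    cat > "$out" <<EOF
{
   "Statement": [
      {
         "Principal": "*",
         "Effect": "Allow",
         "Action": [ $actions ],
         "Resource": "*",
         "Condition": {
            "StringEquals": { "aws:PrincipalAccount": "$account_id" }
         }
      }
   ]
}
EOF
}

# Flag a policy file that still carries a wildcard action or lacks the
# principal condition; returns 0 only when both checks pass.
check_ds_endpoint_policy() {
    if grep -Eq '"(ds|ds-data):\*"|"Action": *"\*"' "$1"; then
        echo "wildcard action found in $1" >&2; return 1
    fi
    if ! grep -q '"aws:PrincipalAccount"' "$1"; then
        echo "no aws:PrincipalAccount condition in $1" >&2; return 1
    fi
    return 0
}

# Attach (or replace) the policy on an existing interface endpoint.
attach_ds_endpoint_policy() {
    aws ec2 modify-vpc-endpoint \
        --vpc-endpoint-id "$1" \
        --policy-document "file://$2"
}

# Stand-alone usage (placeholder IDs, constructed for this example):
#   sh ds-endpoint-policy.sh vpce-0123456789abcdef0 111122223333 ds DescribeDirectories DescribeTrusts
if [ $# -ge 4 ]; then
    vpce_id=$1; account=$2; prefix=$3; shift 3
    policy_file=$(mktemp)
    write_ds_endpoint_policy "$policy_file" "$account" "$prefix" "$@"
    check_ds_endpoint_policy "$policy_file"
    attach_ds_endpoint_policy "$vpce_id" "$policy_file"
    rm -f "$policy_file"
fi
```

The endpoint policy only narrows what can pass through the endpoint; each caller still needs matching `ds:` or `ds-data:` permissions in its own IAM identity policy, so the two layers should be reviewed together.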