Amazon FSx for Lustre and interface VPC endpoints (Amazon PrivateLink) - FSx for Lustre
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon FSx for Lustre and interface VPC endpoints (Amazon PrivateLink)

You can improve the security posture of your VPC by configuring Amazon FSx to use an interface VPC endpoint. Interface VPC endpoints are powered by Amazon PrivateLink, a technology that enables you to privately access Amazon FSx APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon FSx APIs. Traffic between your VPC and Amazon FSx does not leave the Amazon network.

Each interface VPC endpoint is represented by one or more elastic network interfaces in your subnets. A network interface provides a private IP address that serves as an entry point for traffic to the Amazon FSx API.

Before you set up an interface VPC endpoint for Amazon FSx, be sure to review Interface VPC endpoint properties and limitations in the Amazon VPC User Guide.

You can call any of the Amazon FSx API operations from your VPC. For example, you can create an FSx for Lustre file system by calling the CreateFileSystem API from within your VPC. For the full list of Amazon FSx APIs, see Actions in the Amazon FSx API Reference.

You can connect other VPCs to the VPC with interface VPC endpoints using VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your own two VPCs, or with a VPC in another Amazon Web Services account. The VPCs can also be in two different Amazon Web Services Regions.

Traffic between peered VPCs stays on the Amazon network and does not traverse the public internet. Once VPCs are peered, resources like Amazon Elastic Compute Cloud (Amazon EC2) instances in both VPCs can access the Amazon FSx API through interface VPC endpoints created in the one of the VPCs.

Creating an interface VPC endpoint for Amazon FSx API

You can create a VPC endpoint for the Amazon FSx API using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface VPC endpoint in the Amazon VPC User Guide.

For a complete list of Amazon FSx endpoints, see Amazon FSx endpoints and quotas in the Amazon Web Services General Reference.

To create an interface VPC endpoint for Amazon FSx, use one of the following:

To use the private DNS option, you must set the enableDnsHostnames and enableDnsSupport attributes of your VPC. For more information, see Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.

Excluding Amazon Web Services Regions in China, if you enable private DNS for the endpoint, you can make API requests to Amazon FSx with the VPC endpoint using its default DNS name for the Amazon Web Services Region, for example fsx.us-east-1.amazonaws.com. For the China (Beijing) and China (Ningxia) Amazon Web Services Regions, you can make API requests with the VPC endpoint using fsx-api.cn-north-1.amazonaws.com.cn and fsx-api.cn-northwest-1.amazonaws.com.cn, respectively.

For more information, see Accessing a service through an interface VPC endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Amazon FSx

To further control access to the Amazon FSx API, you can optionally attach an Amazon Identity and Access Management (IAM) policy to your VPC endpoint. The policy specifies the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.