Amazon FSx for Lustre and interface VPC endpoints (Amazon PrivateLink)
You can improve the security posture of your VPC by configuring Amazon FSx to use an interface VPC endpoint.
Interface VPC endpoints are powered by Amazon PrivateLink
Each interface VPC endpoint is represented by one or more elastic network interfaces in your subnets. A network interface provides a private IP address that serves as an entry point for traffic to the Amazon FSx API.
Considerations for Amazon FSx interface VPC endpoints
Before you set up an interface VPC endpoint for Amazon FSx, be sure to review Interface VPC endpoint properties and limitations in the Amazon VPC User Guide.
You can call any of the Amazon FSx API operations from your VPC. For example, you can create an FSx for Lustre file system by calling the CreateFileSystem API from within your VPC. For the full list of Amazon FSx APIs, see Actions in the Amazon FSx API Reference.
VPC peering considerations
You can connect other VPCs to the VPC with interface VPC endpoints using VPC peering. VPC peering is a networking connection between two VPCs. You can establish a VPC peering connection between your own two VPCs, or with a VPC in another Amazon Web Services account. The VPCs can also be in two different Amazon Web Services Regions.
Traffic between peered VPCs stays on the Amazon network and does not traverse the public internet. Once VPCs are peered, resources like Amazon Elastic Compute Cloud (Amazon EC2) instances in both VPCs can access the Amazon FSx API through interface VPC endpoints created in the one of the VPCs.
Creating an interface VPC endpoint for Amazon FSx API
You can create a VPC endpoint for the Amazon FSx API using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface VPC endpoint in the Amazon VPC User Guide.
For a complete list of Amazon FSx endpoints, see Amazon FSx endpoints and quotas in the Amazon Web Services General Reference.
To create an interface VPC endpoint for Amazon FSx, use one of the following:
-
com.amazonaws.
– Creates an endpoint for Amazon FSx API operations.region
.fsx -
com.amazonaws.
– Creates an endpoint for the Amazon FSx API that complies with Federal Information Processing Standard (FIPS) 140-2region
.fsx-fips.
To use the private DNS option, you must set the enableDnsHostnames
and enableDnsSupport
attributes
of your VPC. For more information, see
Viewing and updating DNS support for your VPC in the Amazon VPC User Guide.
Excluding Amazon Web Services Regions in China, if you enable private DNS for the endpoint, you can make API requests
to Amazon FSx with the VPC endpoint using its default DNS name for the Amazon Web Services Region, for example fsx.us-east-1.amazonaws.com
.
For the China (Beijing) and China (Ningxia) Amazon Web Services Regions, you can make API requests with the VPC endpoint
using fsx-api.cn-north-1.amazonaws.com.cn
and fsx-api.cn-northwest-1.amazonaws.com.cn
, respectively.
For more information, see Accessing a service through an interface VPC endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon FSx
To further control access to the Amazon FSx API, you can optionally attach an Amazon Identity and Access Management (IAM) policy to your VPC endpoint. The policy specifies the following:
-
The principal that can perform actions.
-
The actions that can be performed.
-
The resources on which actions can be performed.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.