Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Lake Formation and interface VPC endpoints (Amazon PrivateLink)

Amazon VPC is an Amazon service that you can use to launch Amazon resources in a virtual network that you define. With a VPC, you have control over your network settings, such the IP address range, subnets, route tables, and network gateways.

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a private connection between your VPC and Lake Formation. You use this connection so that Lake Formation can communicate with the resources in your VPC without going through the public internet.

You can establish a private connection between your VPC and Amazon Lake Formation by creating an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology that enables you to privately access Lake Formation APIs without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Lake Formation APIs. Traffic between your VPC and Lake Formation does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Considerations for Lake Formation VPC endpoints

Before you set up an interface VPC endpoint for Lake Formation, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

Lake Formation supports making calls to all of its API actions from your VPC. You can use Lake Formation with VPC endpoints in all Amazon Web Services Regions that support both Lake Formation and Amazon VPC endpoints.

Creating an interface VPC endpoint for Lake Formation

You can create a VPC endpoint for the Lake Formation service using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for Lake Formation using the following service name:

If you enable private DNS for the endpoint, you can make API requests to Lake Formation using its default DNS name for the Region, for example, lakeformation.us-east-1.amazonaws.com.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for Lake Formation

Lake Formation supports VPC endpoint policies. A VPC endpoint policy is an Amazon Identity and Access Management (IAM) resource policy that you attach to an endpoint when you create or modify the endpoint.

You can attach an endpoint policy to your VPC endpoint that controls access to Lake Formation. The policy specifies the following information:

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for Lake Formation actions

The following example VPC endpoint policy for Lake Formation allows for credential vending using Lake Formation permissions. You might use this policy to run queries using Lake Formation permissions from an Amazon Redshift cluster or an Amazon EMR cluster located in a private subnet.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lakeformation:GetDataAccess",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}

For more information, see these topics in the Amazon VPC documentation: