Access Amazon OpenSearch Serverless using an interface endpoint (Amazon PrivateLink)
You can use Amazon PrivateLink to create a private connection between your VPC and Amazon OpenSearch Serverless. You can access OpenSearch Serverless as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to access OpenSearch Serverless.
You establish this private connection by creating an interface endpoint, powered by Amazon PrivateLink. We create an endpoint network interface in each subnet that you specify for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for OpenSearch Serverless.
For more information, see Access Amazon Web Services through Amazon PrivateLink in the Amazon PrivateLink Guide.
Topics
DNS resolution of collection endpoints
When you create a VPC endpoint, the service creates a new Amazon Route 53 private hosted zone and attaches it to the VPC. This private hosted zone
consists of a record to resolve the wildcard DNS record for OpenSearch Serverless collections
(*.aoss.us-east-1.amazonaws.com) to the interface addresses used for
the endpoint. You only need one OpenSearch Serverless VPC endpoint in a VPC to access any and all
collections and Dashboards in each Amazon Web Services Region. Every VPC with an endpoint for OpenSearch Serverless
has its own private hosted zone attached.
OpenSearch Serverless also creates a public Route 53 wildcard DNS record for all collections in the
Region. The DNS name resolves to the OpenSearch Serverless public IP addresses. Clients
in VPCs that don't have an OpenSearch Serverless VPC endpoint or clients in public networks can use the
public Route 53 resolver and access the collections and Dashboards with those IP addresses.
The IP address type (IPv4, IPv6, or Dualstack) of VPC endpoint is determined based on
the subnets provided when you Create an interface endpoint for OpenSearch Serverless
Note
You can update your existing IPv4 VPC endpoint to Dualstack by using the update-vpc-endpoint
The DNS resolver address for a given VPC is the second IP address of the VPC CIDR. Any client in the VPC needs to use that resolver to get the VPC endpoint address for any collection. The resolver uses private hosted zone created by OpenSearch Serverless. It's sufficient to use that resolver for all collections in any account. It's also possible to use the VPC resolver for some collection endpoints and the public resolver for others, although it's not typically necessary.
VPCs and network access policies
To grant network permission to OpenSearch APIs and Dashboards for your collections, you can use OpenSearch Serverless network access policies. You can control this network access either from your VPC endpoint(s) or the public internet. Since your network policy only controls traffic permissions, you must also set up a data access policy that specifies permission to operate on the data in a collection and its indices. Think of an OpenSearch Serverless VPC endpoint as an access point to the service, a network access policy as the network-level access point to collections and Dashboards, and a data access policy as the access point for fine-grained access control for any operation on data in the collection.
Since you can specify multiple VPC endpoint IDs in a network policy, we recommend that you create a VPC endpoint for every VPC that needs to access a collection. These VPCs can belong to different Amazon accounts than the account that owns the OpenSearch Serverless collection and network policy. We don’t recommend that you create a VPC-to-VPC peering or other proxying solution between two accounts so that one account's VPC can use another account's VPC endpoint. This is less secure and cost effective than each VPC having its own endpoint. The first VPC will not be easily visible to the other VPC’s admin, who has set up access to that VPC's endpoint in the network policy.
VPCs and endpoint policies
Amazon OpenSearch Serverless supports endpoint policies for VPCs. An endpoint policy is an IAM
resource-based policy that you attach to a VPC endpoint to control which Amazon
principals can use the endpoint to access your Amazon service. For more information, see
Control access to VPC endpoints using endpoint policies
To use an endpoint policy, you must first create an interface endpoint. You can create
an interface endpoint using either the OpenSearch Serverless console or the OpenSearch Serverless API. After you
create your interface endpoint, you will need to add the endpoint policy to the
endpoint. For more information, see Access Amazon OpenSearch Serverless using an interface endpoint (Amazon PrivateLink)
Note
You can't define an endpoint policy directly in the OpenSearch Service console.
An endpoint policy does not override or replace other identity-based policies,
resource-based policies, network policies, or data access policies you may have
configured. For more information on updating endpoint policies, see Control access to VPC endpoints using endpoint policies
By default, an endpoint policy grants full access to your VPC endpoint.
{ "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*" } ] }
Although the default VPC endpoint policy grants full endpoint access, you can configure a VPC endpoint policy to allow access to specific roles and users. To do this, see the following example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "123456789012", "987654321098" ] }, "Action": "*", "Resource": "*" } ] }
You can specify an OpenSearch Serverless collection to be included as a conditional element in your VPC endpoint policy. To do this, see the following example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*", "Condition": { "StringEquals": { "aws:CollectionName": [ "coll-abc" ] } } } ] }
You can use SAML identities in your VPC endpoint policy to determine VPC endpoint
access. You must use a wildcard (*) in the principal section of your VPC
endpoint policy. To do this, see the following example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:SamlGroups": [ "saml/123456789012/idp123/group/football", "saml/123456789012/idp123/group/soccer", "saml/123456789012/idp123/group/cricket" ] } } } ] }
Additionally, you can configure your endpoint policy to include a specific SAML principal policy. To do this, see the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*", "Condition": { "StringEquals": { "aws:SamlPrincipal": [ "saml/123456789012/idp123/user/user1234"] } } } ] }
For more information on using SAML authentication with Amazon OpenSearch Serverless, see SAML authentication for Amazon OpenSearch Serverless
You can also include IAM and SAML users in the same VPC endpoint policy. To do this, see the following example:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:SamlGroups": [ "saml/123456789012/idp123/group/football", "saml/123456789012/idp123/group/soccer", "saml/123456789012/idp123/group/cricket" ] } } }, { "Effect": "Allow", "Principal": { "AWS": [ "123456789012" ] }, "Action": "*", "Resource": "*" } ] }
Considerations
Before you set up an interface endpoint for OpenSearch Serverless, consider the following:
-
OpenSearch Serverless supports making calls to all supported OpenSearch API operations (not configuration API operations) through the interface endpoint.
-
After you create an interface endpoint for OpenSearch Serverless, you still need to include it in network access policies in order for it to access serverless collections.
-
By default, full access to OpenSearch Serverless is allowed through the interface endpoint. You can associate a security group with the endpoint network interfaces to control traffic to OpenSearch Serverless through the interface endpoint.
-
A single Amazon Web Services account can have a maximum of 50 OpenSearch Serverless VPC endpoints.
-
If you enable public internet access to your collection’s API or Dashboards in a network policy, your collection is accessible by any VPC and by the public internet.
-
If you're on-premises and outside of the VPC, you can't use a DNS resolver for the OpenSearch Serverless VPC endpoint resolution directly. If you need VPN access, the VPC needs a DNS proxy resolver for external clients to use. Route 53 provides an inbound endpoint option that you can use to resolve DNS queries to your VPC from your on-premises network or another VPC.
-
The private hosted zone that OpenSearch Serverless creates and attaches to the VPC is managed by the service, but it shows up in your Amazon Route 53 resources and is billed to your account.
-
For other considerations, see Considerations in the Amazon PrivateLink Guide.
Permissions required
VPC access for OpenSearch Serverless uses the following Amazon Identity and Access Management (IAM) permissions. You can specify IAM conditions to restrict users to specific collections.
-
aoss:CreateVpcEndpoint– Create a VPC endpoint. -
aoss:ListVpcEndpoints– List all VPC endpoints. -
aoss:BatchGetVpcEndpoint– See details about a subset of VPC endpoints. -
aoss:UpdateVpcEndpoint– Modify a VPC endpoint. -
aoss:DeleteVpcEndpoint– Delete a VPC endpoint.
In addition, you need the following Amazon EC2 and Route 53 permissions in order to create a VPC endpoint.
-
ec2:CreateTags -
ec2:CreateVpcEndpoint -
ec2:DeleteVpcEndPoints -
ec2:DescribeSecurityGroups -
ec2:DescribeSubnets -
ec2:DescribeVpcEndpoints -
ec2:DescribeVpcs -
ec2:ModifyVpcEndPoint -
route53:AssociateVPCWithHostedZone -
route53:ChangeResourceRecordSets -
route53:CreateHostedZone -
route53:DeleteHostedZone -
route53:GetChange -
route53:GetHostedZone -
route53:ListHostedZonesByName -
route53:ListHostedZonesByVPC -
route53:ListResourceRecordSets
Create an interface endpoint for OpenSearch Serverless
You can create an interface endpoint for OpenSearch Serverless using either the console or the OpenSearch Serverless API.
To create an interface endpoint for an OpenSearch Serverless collection
-
Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home
. -
In the left navigation pane, expand Serverless and choose VPC endpoints.
-
Choose Create VPC endpoint.
-
Provide a name for the endpoint.
-
For VPC, select the VPC that you'll access OpenSearch Serverless from.
-
For Subnets, select one subnet that you'll access OpenSearch Serverless from.
-
Endpoint's IP address and DNS type is based on subnet type
-
Dualstack: If all subnets have both IPv4 and IPv6 address ranges
-
IPv6: If all subnets are IPv6 only subnets
-
IPv4: If all subnets have IPv4 address ranges
-
-
-
For Security groups, select the security groups to associate with the endpoint network interfaces. This is a critical step where you limit the ports, protocols, and sources for inbound traffic that you’re authorizing into your endpoint. Make sure that the security group rules allow the resources that will use the VPC endpoint to communicate with OpenSearch Serverless to communicate with the endpoint network interface.
-
Choose Create endpoint.
To create a VPC endpoint using the OpenSearch Serverless API, use the CreateVpcEndpoint
command.
Note
After you create an endpoint, note its ID (for example,
vpce-050f79086ee71ac05. In order to provide the endpoint access to
your collections, you must include this ID in one or more network access policies.
Next step: Grant the endpoint access to a collection
After you create an interface endpoint, you must provide it access to collections through network access policies. For more information, see Network access for Amazon OpenSearch Serverless.