
Amazon PrivateLink for Amazon Organizations

With Amazon PrivateLink for Amazon Organizations, you can access the Amazon Organizations service from within the Virtual Private Cloud (VPC) without having to cross the public internet.

Amazon VPC lets you launch Amazon resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see the Amazon VPC User Guide.

To connect your Amazon VPC to Amazon Organizations, you must first define an interface VPC endpoint (interface endpoint). Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests from your VPC to Amazon Organizations over interface endpoints stay on the Amazon network and never traverse the public internet.

For general information about interface endpoints, see Access an Amazon service using an interface VPC endpoint in the Amazon VPC User Guide.

VPC limitations apply to Amazon PrivateLink for Amazon Organizations. For more information, see Access an Amazon service using an interface VPC endpoint and Amazon PrivateLink quotas in the Amazon VPC User Guide. In addition, the following restrictions apply:

  • Only available in the us-east-1 region

  • Doesn’t support Transport Layer Security (TLS) 1.1

Creating a VPC endpoint

You can create an Amazon Organizations endpoint in your VPC using the Amazon VPC Console, the Amazon Command Line Interface (Amazon CLI), or Amazon CloudFormation.

For information about creating and configuring an endpoint using the Amazon VPC console or the Amazon CLI, see Create a VPC endpoint in the Amazon VPC User Guide. For information about creating and configuring an endpoint using Amazon CloudFormation, see the AWS::EC2::VPCEndpoint resource in the Amazon CloudFormation User Guide.

When you create an Amazon Organizations endpoint, use the following as the service name:

com.amazonaws.us-east-1.organizations

If you require FIPS 140-2 validated cryptographic modules when accessing Amazon, use the following Amazon Organizations FIPS service name:

com.amazonaws.us-east-1.organizations-fips

Creating a VPC endpoint policy for Amazon Organizations

You can attach an endpoint policy to your VPC endpoint that controls access to Organizations. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Control access to VPC endpoints using endpoint policies in the Amazon VPC User Guide.

Example: VPC endpoint policy for Amazon Organizations actions

{
    "Statement": [
        {
            "Principal": "*",
            "Effect": "Allow",
            "Action": [
                "Organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}
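The following is an added example, not code from the Amazon Organizations documentation, that ties the two procedures above together: it picks the correct service name (standard or FIPS) for the endpoint, builds the parameter set that the EC2 CreateVpcEndpoint API expects (the parameter names VpcId, VpcEndpointType, ServiceName, SubnetIds, SecurityGroupIds, PrivateDnsEnabled and PolicyDocument are the real API field names), and runs a small review over an endpoint policy before it is attached. The VPC, subnet and security group IDs are constructed placeholders, the region check encodes the us-east-1 restriction stated above, and the policy findings (wildcard actions, an anonymous principal with no Condition) are this example's own hardening checks, not requirements stated on the page.

```python
"""Build and review an Amazon Organizations interface-endpoint request (added example)."""
import json
import re

# The page states that PrivateLink for Organizations is only offered in us-east-1.
REGION = "us-east-1"
SERVICE_NAMES = {
    False: f"com.amazonaws.{REGION}.organizations",
    True: f"com.amazonaws.{REGION}.organizations-fips",
}


def organizations_service_name(fips=False):
    """Return the service name to pass as ServiceName (FIPS variant on request)."""
    return SERVICE_NAMES[bool(fips)]


def build_endpoint_policy(actions, principal="*", resource="*"):
    """Return an endpoint policy that allows only the listed Organizations actions.

    IAM action names are case-insensitive, so both 'organizations:' and
    'Organizations:' prefixes are accepted; anything outside that namespace
    is rejected, because it could never be served by this endpoint anyway.
    """
    for action in actions:
        if not re.fullmatch(r"organizations:[A-Za-z*]+", action, re.IGNORECASE):
            raise ValueError(f"not an Organizations action: {action}")
    return {
        "Statement": [
            {
                "Principal": principal,
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": resource,
            }
        ]
    }


def policy_findings(policy):
    """Flag Allow statements that widen the endpoint beyond a narrow allow-list.

    These checks are this example's own review heuristics (an assumption,
    not a rule from the documentation): a wildcard action hands every
    Organizations operation to whatever can reach the endpoint, and an
    anonymous Principal with no Condition means any caller on the VPC path
    is accepted before the caller's own IAM policy is consulted.
    """
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a.lower() in ("*", "organizations:*") for a in actions):
            findings.append(f"statement {index}: wildcard action {actions}")
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if anonymous and not stmt.get("Condition"):
            findings.append(f"statement {index}: Principal '*' with no Condition")
    return findings


def build_create_endpoint_request(vpc_id, subnet_ids, security_group_ids,
                                  policy, region=REGION, fips=False):
    """Assemble keyword arguments for ec2.create_vpc_endpoint (not called here)."""
    if region != REGION:
        raise ValueError(f"Organizations PrivateLink is only available in {REGION}")
    return {
        "VpcId": vpc_id,
        "VpcEndpointType": "Interface",
        "ServiceName": organizations_service_name(fips),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,
        "PolicyDocument": json.dumps(policy),
    }


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute the IDs from your own VPC.
    policy = build_endpoint_policy(["organizations:DescribeAccount"])
    for finding in policy_findings(policy):
        print("review:", finding)
    request = build_create_endpoint_request(
        "vpc-0example", ["subnet-0example"], ["sg-0example"], policy, fips=True
    )
    print(json.dumps(request, indent=2))
```

To actually create the endpoint, pass the returned dictionary as keyword arguments to a boto3 EC2 client's create_vpc_endpoint call; the review step is deliberately kept separate so the same policy_findings check can be run against an existing endpoint's policy document during an audit.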