Amazon Private CA VPC endpoints (Amazon PrivateLink)
You can create a private connection between your VPC and Amazon Private CA by configuring an interface VPC endpoint. Interface endpoints are powered by Amazon PrivateLink, a technology for privately accessing Amazon Private CA API operations. Amazon PrivateLink routes all network traffic between your VPC and Amazon Private CA through the Amazon network, avoiding exposure on the open internet. Each VPC endpoint is represented by one or more elastic network interfaces with private IP addresses in your VPC subnets.
The interface VPC endpoint connects your VPC directly to Amazon Private CA without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon Private CA API.
To use Amazon Private CA through your VPC, you must connect from an instance that is inside the VPC. Alternatively, you can connect your private network to your VPC by using an Amazon Virtual Private Network (Amazon VPN) or Amazon Direct Connect. For information about Amazon VPN, see VPN Connections in the Amazon VPC User Guide. For information about Amazon Direct Connect, see Creating a Connection in the Amazon Direct Connect User Guide.
Amazon Private CA does not require the use of Amazon PrivateLink, but we recommend it as an additional layer of security. For more information about Amazon PrivateLink and VPC endpoints, see Accessing Services Through Amazon PrivateLink.
Considerations for Amazon Private CA VPC endpoints
Before you set up interface VPC endpoints for Amazon Private CA, be aware of the following considerations:
- Amazon Private CA might not support VPC endpoints in some Availability Zones. When you create a VPC endpoint, first check support in the management console. Unsupported Availability Zones are marked "Service not supported in this Availability Zone."
- VPC endpoints do not support cross-Region requests. Ensure that you create your endpoint in the same Region where you plan to issue your API calls to Amazon Private CA.
- VPC endpoints only support Amazon-provided DNS through Amazon Route 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see DHCP Options Sets in the Amazon VPC User Guide.
- The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the VPC.
- Amazon Certificate Manager does not support VPC endpoints.
- FIPS endpoints (and their Regions) do not support VPC endpoints.
Amazon Private CA API currently supports VPC endpoints in the following Amazon Web Services Regions:
- US East (Ohio)
- US East (N. Virginia)
- US West (N. California)
- US West (Oregon)
- Africa (Cape Town)
- Asia Pacific (Hong Kong)
- Asia Pacific (Hyderabad)
- Asia Pacific (Jakarta)
- Asia Pacific (Melbourne)
- Asia Pacific (Mumbai)
- Asia Pacific (Osaka)
- Asia Pacific (Seoul)
- Asia Pacific (Singapore)
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- Canada (Central)
- Canada West (Calgary)
- Europe (Frankfurt)
- Europe (Ireland)
- Europe (London)
- Europe (Milan)
- Europe (Paris)
- Europe (Spain)
- Europe (Stockholm)
- Europe (Zurich)
- Israel (Tel Aviv)
- Middle East (Bahrain)
- Middle East (UAE)
- South America (São Paulo)
Creating the VPC endpoints for Amazon Private CA
You can create a VPC endpoint for the Amazon Private CA service using either the VPC console at https://console.amazonaws.cn/vpc/
If you have enabled private DNS host names for the endpoint, then the default Amazon Private CA endpoint now resolves to your VPC endpoint. For a comprehensive list of default service endpoints, see Service Endpoints and Quotas.
If you have not enabled private DNS host names, Amazon VPC provides a DNS endpoint name that you can use in the following format:
vpc-endpoint-id.acm-pca.region.vpce.amazonaws.com
Note
The value region represents the Region identifier for an Amazon Region supported by Amazon Private CA, such as us-east-2 for the US East (Ohio) Region. For a list of Amazon Private CA endpoints, see Amazon Certificate Manager Private Certificate Authority Endpoints and Quotas.
For more information, see Amazon Private CA VPC endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.
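The following is an added example (not code from the Amazon documentation) that puts the setup steps above into one place: it builds the parameters for the EC2 create_vpc_endpoint call for the Private CA service, derives the acm-pca client endpoint URL depending on whether private DNS host names are enabled (using the vpc-endpoint-id.acm-pca.region.vpce.amazonaws.com form given above), and checks the security-group consideration from earlier on this page (inbound TCP/443 must be open from the private subnet). The service-name form com.amazonaws.<region>.acm-pca and all resource identifiers are assumptions; boto3 is not required to run it.

```python
"""Prepare an Amazon Private CA interface endpoint and sanity-check its
security group.  Added example, not AWS's own code.  Assumptions: the
commercial-partition service name com.amazonaws.<region>.acm-pca, and the
endpoint-specific DNS form quoted in the text."""

import ipaddress
import json


def private_ca_service_name(region: str) -> str:
    """Interface-endpoint service name for Private CA (assumed naming form)."""
    return f"com.amazonaws.{region}.acm-pca"


def build_create_endpoint_request(region, vpc_id, subnet_ids, security_group_ids,
                                  private_dns=True):
    """Keyword arguments for ec2.create_vpc_endpoint(**request).

    One elastic network interface is created per subnet; the security group
    listed here is the one that must admit TCP/443 from those subnets."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": private_ca_service_name(region),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": private_dns,
    }


def private_ca_endpoint_url(vpc_endpoint_id, region, private_dns_enabled):
    """Endpoint URL to give an acm-pca client.

    With private DNS enabled the default service hostname already resolves
    to the VPC endpoint, so None (use the SDK default) is returned.  Without
    it, the endpoint-specific name from the text must be used explicitly."""
    if private_dns_enabled:
        return None
    return f"https://{vpc_endpoint_id}.acm-pca.{region}.vpce.amazonaws.com"


def security_group_allows_443(ip_permissions, subnet_cidr):
    """True if the inbound rules (EC2 IpPermissions shape) admit TCP/443
    from every address in subnet_cidr.  IPv4 ranges only."""
    subnet = ipaddress.ip_network(subnet_cidr)
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)):
            continue
        for rng in perm.get("IpRanges", []):
            if subnet.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample identifiers; replace with your own.
    request = build_create_endpoint_request(
        "us-east-2", "vpc-0123456789abcdef0",
        ["subnet-0123456789abcdef0"], ["sg-0123456789abcdef0"])
    print(json.dumps(request, indent=2))
    # Real call: boto3.client("ec2", region_name="us-east-2").create_vpc_endpoint(**request)
    print(private_ca_endpoint_url("vpce-0123456789abcdef0", "us-east-2",
                                  request["PrivateDnsEnabled"]))
    # Constructed rule set as returned in an EC2 security group's IpPermissions.
    rules = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]
    print("443 open from 10.0.1.0/24:", security_group_allows_443(rules, "10.0.1.0/24"))
```

The endpoint URL is the value to pass as endpoint_url when constructing the acm-pca client only in the no-private-DNS case; with private DNS enabled, leaving the client at its default is what keeps traffic on the VPC endpoint.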
Create a VPC endpoint policy for Amazon Private CA
You can create a policy for Amazon VPC endpoints for Amazon Private CA to specify the following:
- The principal that can perform actions
- The actions that can be performed
- The resources on which actions can be performed
For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.
Example – VPC endpoint policy for Amazon Private CA actions
When attached to an endpoint, the following policy grants access for all principals to the Amazon Private CA actions IssueCertificate, DescribeCertificateAuthority, GetCertificate, GetCertificateAuthorityCertificate, ListPermissions, and ListTags. The resource in each stanza is a private CA. The first stanza authorizes the creation of end-entity certificates using the specified private CA and certificate template. If you don't want to control the template being used, the Condition section is not needed. However, removing this allows all principals to create CA certificates as well as end-entity certificates.
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate"
      ],
      "Resource": [
        "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
      ],
      "Condition": {
        "StringEquals": {
          "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
        }
      }
    },
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:ListPermissions",
        "acm-pca:ListTags"
      ],
      "Resource": [
        "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
      ]
    }
  ]
}
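The paragraph above warns that dropping the Condition from the IssueCertificate stanza lets any principal issue CA certificates, not only end-entity certificates. The following is an added example (not Amazon's code) of a small endpoint-policy lint that makes that check mechanical: it embeds the policy shown above, flags any Allow statement that grants IssueCertificate without pinning acm-pca:TemplateArn, and flags statements whose pinned templates include a CA template. The assumption that CA templates carry "CACertificate" in their template name is an assumption of this example.

```python
"""Lint an Amazon Private CA VPC endpoint policy for unrestricted
IssueCertificate grants.  Added example, not code from the documentation.
Assumption: CA template ARNs contain 'CACertificate' in the template name."""

import copy
import json

# The endpoint policy from this page, embedded so the example runs stand-alone.
PAGE_POLICY = json.loads(r'''
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": ["acm-pca:IssueCertificate"],
      "Resource": ["arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"],
      "Condition": {"StringEquals": {"acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"}}
    },
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": ["acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificate",
                 "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:ListPermissions",
                 "acm-pca:ListTags"],
      "Resource": ["arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"]
    }
  ]
}
''')

# Action values that grant IssueCertificate, directly or through a wildcard.
ISSUE_ACTIONS = {"acm-pca:IssueCertificate", "acm-pca:*", "*"}
# Condition operators under which a TemplateArn pin is meaningful.
TEMPLATE_OPERATORS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}


def _as_list(value):
    """IAM allows a scalar wherever a list is accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _allows_issue(statement):
    return statement.get("Effect") == "Allow" and bool(
        ISSUE_ACTIONS & set(_as_list(statement.get("Action", []))))


def template_arns(statement):
    """TemplateArn values pinned by the statement's Condition (empty if unrestricted)."""
    arns = []
    for operator, pairs in statement.get("Condition", {}).items():
        if operator in TEMPLATE_OPERATORS and "acm-pca:TemplateArn" in pairs:
            arns.extend(_as_list(pairs["acm-pca:TemplateArn"]))
    return arns


def unrestricted_issue_statements(policy):
    """Indices of Allow statements granting IssueCertificate with no template pin."""
    return [i for i, st in enumerate(_statements(policy))
            if _allows_issue(st) and not template_arns(st)]


def ca_template_statements(policy):
    """Indices of IssueCertificate statements whose pinned templates include a CA template."""
    return [i for i, st in enumerate(_statements(policy))
            if _allows_issue(st) and any("CACertificate" in a for a in template_arns(st))]


def without_conditions(policy):
    """Copy of the policy with every Condition removed: the change the text warns about."""
    stripped = copy.deepcopy(policy)
    for st in _statements(stripped):
        st.pop("Condition", None)
    return stripped


if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY),
                      ("page policy without Condition", without_conditions(PAGE_POLICY))):
        print(f"{name}: unrestricted IssueCertificate statements ->",
              unrestricted_issue_statements(pol))
```

Run against the policy as written, the lint reports nothing; with the Condition stripped, statement 0 is reported, which is exactly the case the paragraph describes.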