Creating Amazon VPC endpoints for Step Functions
If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a connection between your Amazon VPC and Amazon Step Functions workflows. You can use this connection with your Step Functions workflows without crossing the public internet. Amazon VPC endpoints are supported by Standard Workflows, Express Workflows, and Synchronous Express Workflows.
Amazon VPC lets you launch Amazon resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see the Amazon VPC User Guide.
To connect your Amazon VPC to Step Functions, you must first define an interface VPC endpoint, which lets you connect your VPC to other Amazon services. The endpoint provides reliable, scalable connectivity, without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see Interface VPC Endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.
Creating the Endpoint
You can create an Amazon Step Functions endpoint in your VPC using the Amazon Web Services Management Console, the Amazon Command Line Interface (Amazon CLI), an Amazon SDK, the Amazon Step Functions API, or Amazon CloudFormation.
For information about creating and configuring an endpoint using the Amazon VPC console or the Amazon CLI, see Creating an Interface Endpoint in the Amazon VPC User Guide.
Note
When you create an endpoint, specify Step Functions as the service that you want your VPC to connect to. In the Amazon VPC console, service names vary based on the Amazon Region. For example, if you choose US East (N. Virginia), the service name for Standard Workflows and Express Workflows is com.amazonaws.us-east-1.states, and the service name for Synchronous Express Workflows is com.amazonaws.us-east-1.sync-states.
Note
It's possible to use VPC Endpoints without overriding the endpoint in the SDK
through Private DNS.
However, if you want to override the endpoint in the SDK for Synchronous Express Workflows,
you need to set DisableHostPrefixInjection configuration to true. Example (Java SDK V2):
SfnClient.builder() .endpointOverride(URI.create("https://vpce-{vpceId}.sync-states.us-east-1.vpce.amazonaws.com")) .overrideConfiguration(ClientOverrideConfiguration.builder() .advancedOptions(ImmutableMap.of(SdkAdvancedClientOption.DISABLE_HOST_PREFIX_INJECTION, true)) .build()) .build();
For information about creating and configuring an endpoint using Amazon CloudFormation, see the AWS::EC2::VPCEndpoint resource in the Amazon CloudFormation User Guide.
Amazon VPC Endpoint Policies
To control connectivity access to Step Functions you can attach an Amazon Identity and Access Management (IAM) endpoint policy while creating an Amazon VPC endpoint. You can create complex IAM rules by attaching multiple endpoint policies. For more information, see:
Amazon Virtual Private Cloud Endpoint Policies for Step Functions
You can create an Amazon VPC endpoint policy for Step Functions in which you specify the following:
-
The principal that can perform actions.
-
The actions that can be performed.
-
The resources on which the actions can be performed.
The following example shows an Amazon VPC endpoint policy that allows one user to create state machines, and denies all other users permission to delete state machines. The example policy also grants all users execution permission.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*Execution",
"Resource": "*",
"Effect": "Allow",
"Principal": "*"
},
{
"Action": "states:CreateStateMachine",
"Resource": "*",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/MyUser"
}
},
{
"Action": "states:DeleteStateMachine",
"Resource": "*",
"Effect": "Deny",
"Principal": "*"
}
]
}For more information about creating endpoint policies, see the following: