Amazon VPC Endpoints for Step Functions - Amazon Step Functions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon VPC Endpoints for Step Functions

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your Amazon resources, you can establish a connection between your Amazon VPC and Amazon Step Functions workflows. You can use this connection with your Step Functions workflows without crossing the public internet. Amazon VPC endpoints are supported by Standard Workflows, Express Workflows, and Synchronous Express Workflows.

Amazon VPC lets you launch Amazon resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see the Amazon VPC User Guide.

To connect your Amazon VPC to Step Functions, you must first define an interface VPC endpoint, which lets you connect your VPC to other Amazon services. The endpoint provides reliable, scalable connectivity, without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see Interface VPC Endpoints (Amazon PrivateLink) in the Amazon VPC User Guide.

Creating the Endpoint

You can create an Amazon Step Functions endpoint in your VPC using the Amazon Web Services Management Console, the Amazon Command Line Interface (Amazon CLI), an Amazon SDK, the Amazon Step Functions API, or Amazon CloudFormation.

For information about creating and configuring an endpoint using the Amazon VPC console or the Amazon CLI, see Creating an Interface Endpoint in the Amazon VPC User Guide.

Note

When you create an endpoint, specify Step Functions as the service that you want your VPC to connect to. In the Amazon VPC console, service names vary based on the Amazon Region. For example, if you choose US East (N. Virginia), the service name for Standard Workflows and Express Workflows is com.amazonaws.us-east-1.states, and the service name for Synchronous Express Workflows is com.amazonaws.us-east-1.sync-states.

Note

With private DNS enabled on the endpoint, you can use VPC endpoints without overriding the endpoint in the SDK. However, if you want to override the endpoint in the SDK for Synchronous Express Workflows, you must also set the DisableHostPrefixInjection configuration option to true. Example (Java SDK V2):

import java.net.URI;
import com.google.common.collect.ImmutableMap;
import software.amazon.awssdk.core.client.config.ClientOverrideConfiguration;
import software.amazon.awssdk.core.client.config.SdkAdvancedClientOption;
import software.amazon.awssdk.services.sfn.SfnClient;

SfnClient client = SfnClient.builder()
    // Point the client at the Synchronous Express Workflows interface endpoint
    .endpointOverride(URI.create("https://vpce-{vpceId}.sync-states.us-east-1.vpce.amazonaws.com"))
    .overrideConfiguration(ClientOverrideConfiguration.builder()
        // Required when overriding the endpoint; otherwise the SDK adds its own host prefix to the host
        .advancedOptions(ImmutableMap.of(SdkAdvancedClientOption.DISABLE_HOST_PREFIX_INJECTION, true))
        .build())
    .build();

For information about creating and configuring an endpoint using Amazon CloudFormation, see the AWS::EC2::VPCEndpoint resource in the Amazon CloudFormation User Guide.
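As an added example (not from this guide or the CloudFormation User Guide), the following template creates the Standard and Express Workflows endpoint for US East (N. Virginia) with private DNS enabled, a security group that admits HTTPS only from inside the VPC, and an endpoint policy that allows starting executions of a single state machine; the VPC, subnet, CIDR and state machine ARN values are placeholder parameters you supply.

```yaml
# Added example: interface VPC endpoint for Step Functions (Standard/Express
# Workflows) with a restrictive endpoint policy. All IDs are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Step Functions interface endpoint with private DNS and endpoint policy

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Description: CIDR of the VPC, used to limit HTTPS access to the endpoint
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  StateMachineArn:
    Type: String
    Description: ARN of the only state machine that may be started through this endpoint

Resources:
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS to the Step Functions endpoint from inside the VPC
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  StepFunctionsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      # Service name varies by Region; Synchronous Express Workflows use sync-states
      ServiceName: com.amazonaws.us-east-1.states
      VpcId: !Ref VpcId
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      # With private DNS, SDK clients reach the endpoint without an endpoint override
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowStartExecutionOfOneStateMachine
            Effect: Allow
            Principal: "*"
            Action:
              - states:StartExecution
            Resource: !Ref StateMachineArn
```

The endpoint policy only narrows what can pass through the endpoint; the caller's IAM identity policy must still grant states:StartExecution on that state machine.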

Amazon VPC Endpoint Policies

To control connectivity access to Step Functions you can attach an Amazon Identity and Access Management (IAM) endpoint policy while creating an Amazon VPC endpoint. You can create complex IAM rules by attaching multiple endpoint policies. For more information, see: