VPC Endpoint

Network
A VPC endpoint is a virtual device that allows you to privately connect EC2 instances within your Virtual Private Cloud (VPC) to supported AWS services and to VPC endpoint services powered by PrivateLink, without the need for an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service, and traffic between your VPC and the other service does not leave the Amazon network.

aws_vpc_endpoint (VPC Endpoint) attributes:
  • service_name - (Required) The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule; its service name is in the form aws.sagemaker.<region>.notebook).
  • vpc_id - (Required) The ID of the VPC in which the endpoint will be used.
  • auto_accept - (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
  • policy - (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
  • private_dns_enabled - (Optional; AWS services and AWS Marketplace partner services only) Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
  • dns_options - (Optional) The DNS options for the endpoint. See dns_options below.
  • ip_address_type - (Optional) The IP address type for the endpoint. Valid values are ipv4, dualstack, and ipv6.
  • route_table_ids - (Optional) One or more route table IDs. Applicable for endpoints of type Gateway.
  • subnet_ids - (Optional) The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type GatewayLoadBalancer and Interface.
  • security_group_ids - (Optional) The ID of one or more security groups to associate with the network interface. Applicable for endpoints of type Interface. If no security groups are specified, the VPC's default security group is associated with the endpoint.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • vpc_endpoint_type - (Optional) The VPC endpoint type, Gateway, GatewayLoadBalancer, or Interface. Defaults to Gateway.

dns_options

  • dns_record_ip_type - (Optional) The DNS records created for the endpoint. Valid values are ipv4, dualstack, service-defined, and ipv6.

Associating resources with a VPC Endpoint
Resources do not "belong" to a VPC Endpoint. Rather, one or more Security Groups are associated with a resource.

Create VPC Endpoint via Terraform:
The following HCL creates an Interface VPC endpoint for the EC2 service (com.amazonaws.us-west-2.ec2) inside the VPC, attached to an existing security group.
Syntax:

resource "aws_vpc_endpoint" "ec2" {
 # aws_vpc.main and aws_security_group.sg1 must be declared elsewhere in the configuration
 vpc_id            = aws_vpc.main.id
 service_name      = "com.amazonaws.us-west-2.ec2"
 vpc_endpoint_type = "Interface"

 # Dedicated security group for the endpoint's network interface (avoids the VPC default SG)
 security_group_ids = [
   aws_security_group.sg1.id,
 ]

 # Resolve the service's regional DNS name to the endpoint's private IPs
 private_dns_enabled = true
}

Create VPC Endpoint via CLI:
Parameters:

create-vpc-endpoint
[--dry-run | --no-dry-run]
[--vpc-endpoint-type <value>]
--vpc-id <value>
--service-name <value>
[--policy-document <value>]
[--route-table-ids <value>]
[--subnet-ids <value>]
[--security-group-ids <value>]
[--ip-address-type <value>]
[--dns-options <value>]
[--client-token <value>]
[--private-dns-enabled | --no-private-dns-enabled]
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-vpc-endpoint \
   --vpc-id vpc-1a2b3c4d \
   --vpc-endpoint-type Interface \
   --service-name com.amazonaws.us-east-1.s3 \
   --subnet-ids subnet-7b16de0c \
   --security-group-ids sg-1a2b3c4d \
   --tag-specifications 'ResourceType=vpc-endpoint,Tags=[{Key=service,Value=S3}]'

Best Practices for VPC Endpoint

Categorized by Availability, Security & Compliance and Cost

  • Warning: Connections towards DynamoDB should be via VPC endpoints
  • Warning: Connections towards S3 should be via VPC endpoints
  • Info: Ensure VPC Endpoint policy doesn't allow all actions
  • Critical: Ensure default security groups are not in use by VPC Endpoints
  • Warning: Ensure that the VPC Endpoint state is available
  • Warning: Gateway VPC endpoint is not in use
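The policy, default-security-group and state rules above can be checked mechanically. As an added example (not part of the original page or of the CloudWiki rule engine), the following Python evaluates those three rules over a constructed sample shaped like the output of `aws ec2 describe-vpc-endpoints`; the endpoint ids, security group id, bucket name and role ARN are made up.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpc-endpoints` output (not real data).
FULL_ACCESS = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                         "Action": "*", "Resource": "*"}]})
SCOPED = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaaa", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.ec2",
     "Groups": [{"GroupId": "sg-0default"}], "PolicyDocument": FULL_ACCESS},
    {"VpcEndpointId": "vpce-0bbbb", "VpcEndpointType": "Gateway", "State": "pending",
     "ServiceName": "com.amazonaws.us-east-1.s3", "Groups": [], "PolicyDocument": SCOPED},
]
DEFAULT_SG_IDS = {"sg-0default"}  # constructed: the VPC's default security group id


def policy_allows_all_actions(policy_json):
    """True if any Allow statement grants every action ("*" or "*:*")."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given as an object
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("*", "*:*") for a in actions):
            return True
    return False


def audit_vpc_endpoints(endpoints, default_sg_ids):
    """Return (endpoint id, severity, rule) findings for the three checks."""
    findings = []
    for ep in endpoints:
        eid = ep["VpcEndpointId"]
        # No explicit policy means the default, which the page notes is full access.
        if policy_allows_all_actions(ep.get("PolicyDocument") or FULL_ACCESS):
            findings.append((eid, "Info", "policy allows all actions"))
        if {g["GroupId"] for g in ep.get("Groups", [])} & set(default_sg_ids):
            findings.append((eid, "Critical", "default security group in use"))
        if ep.get("State") != "available":
            findings.append((eid, "Warning", "state is " + str(ep.get("State"))))
    return findings
```

To run it against a real account, feed the `VpcEndpoints` list from `describe_vpc_endpoints` and the VPC's default security group id in place of the constructed values.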