Menu
Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)

CreateVpcEndpoint

Creates a VPC endpoint for a specified service. An endpoint enables you to create a private connection between your VPC and the service. The service may be provided by AWS, an AWS Marketplace partner, or another AWS account. For more information, see VPC Endpoints in the Amazon Virtual Private Cloud User Guide.

A gateway endpoint serves as a target for a route in your route table for traffic destined for the AWS service. You can specify an endpoint policy to attach to the endpoint that will control access to the service from your VPC. You can also specify the VPC route tables that use the endpoint.

An interface endpoint is a network interface in your subnet that serves as an endpoint for communicating with the specified service. You can specify the subnets in which to create an endpoint, and the security groups to associate with the endpoint network interface.

Use DescribeVpcEndpointServices to get a list of supported services.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.

ClientToken

Unique, case-sensitive identifier you provide to ensure the idempotency of the request. For more information, see How to Ensure Idempotency.

Type: String

Required: No

DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No

PolicyDocument

(Gateway endpoint) A policy to attach to the endpoint that controls access to the service. The policy must be in valid JSON format. If this parameter is not specified, we attach a default policy that allows full access to the service.

Type: String

Required: No

PrivateDnsEnabled

(Interface endpoint) Indicate whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the region (for example, kinesis.us-east-1.amazonaws.com) which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service.

To use a private hosted zone, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. Use ModifyVpcAttribute to set the VPC attributes.

Default: true

Type: Boolean

Required: No

RouteTableId.N

(Gateway endpoint) One or more route table IDs.

Type: Array of strings

Required: No

SecurityGroupId.N

(Interface endpoint) The ID of one or more security groups to associate with the endpoint network interface.

Type: Array of strings

Required: No

ServiceName

The service name. To get a list of available services, use the DescribeVpcEndpointServices request.

Type: String

Required: Yes

SubnetId.N

(Interface endpoint) The ID of one or more subnets in which to create an endpoint network interface.

Type: Array of strings

Required: No

VpcEndpointType

The type of endpoint.

Default: Gateway

Type: String

Valid Values: Interface | Gateway

Required: No

VpcId

The ID of the VPC in which the endpoint will be used.

Type: String

Required: Yes

Response Elements

The following elements are returned by the service.

clientToken

Unique, case-sensitive identifier you provide to ensure the idempotency of the request.

Type: String

requestId

The ID of the request.

Type: String

vpcEndpoint

Information about the endpoint.

Type: VpcEndpoint object

Errors

For information about the errors that are common to all actions, see Common Client Errors.

Examples

Example 1

The example creates a gateway endpoint between vpc-1a2b3c4d and Amazon S3 in us-east-1, and associates route table rtb-11aa22bb with the endpoint.

Sample Request

https://ec2.amazonaws.com/?Action=CreateVpcEndpoint
&VpcId=vpc-1a2b3c4d
&ServiceName=com.amazonaws.us-east-1.s3
&RouteTableId.1=rtb-11aa22bb
&AUTHPARAMS

Sample Response

<CreateVpcEndpointResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <vpcEndpoint>
        <vpcId>vpc-1a2b3c4d</vpcId>
        <state>available</state>
        <routeTableIdSet>
            <item>rtb-11aa22bb</item>
        </routeTableIdSet>
       <vpcEndpointId>vpce-abc12345</vpcEndpointId>
        <creationTimestamp>2015-02-20T16:46:40Z</creationTimestamp>
        <policyDocument>{"Version":"2008-10-17","Statement":[{"Sid":"","Effect":"Allow","Principal":"*","Action":"*","Resource":"*"}]}</policyDocument>
        <serviceName>com.amazonaws.us-west-1.s3</serviceName>
    </vpcEndpoint>
    <requestId>4b373100-473a-46a0-9006-example</requestId>
</CreateVpcEndpointResponse>

Example 2

The example creates an interface endpoint between vpc-1a2b3c4d and Elastic Load Balancing in us-east-1 in subnet subnet-1a2b3c4d and associates security group sg-11aa22bb with the network interface.

Sample Request

https://ec2.amazonaws.com/?Action=CreateVpcEndpoint
&VpcId=vpc-1a2b3c4d
&ServiceName=com.amazonaws.us-east-1.elasticloadbalancing
&VpcEndpointType=Interface
&SubnetId.1=subnet-1a2b3c4d
&SecurityGroupId.1=sg-11aa22bb
&AUTHPARAMS

Sample Response

<CreateVpcEndpointResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>bf5a49f9-4c36-41c9-a4be-13dexample</requestId>
    <vpcEndpoint>
        <policyDocument>{
  "Statement": [
    {
      "Action": "*", 
      "Effect": "Allow", 
      "Principal": "*", 
      "Resource": "*"
    }
  ]
}</policyDocument>
        <routeTableIdSet/>
        <dnsEntrySet>
            <item>
                <hostedZoneId>Z7HUB22UULQXV</hostedZoneId>
                <dnsName>vpce-0324151a02f327ff5-3k8nfxtt.elasticloadbalancing.us-east-1.vpce.amazonaws.com</dnsName>
            </item>
            <item>
                <hostedZoneId>Z7HUB22UULQXV</hostedZoneId>
                <dnsName>vpce-0324151a02f327ff5-3k8nfxtt-us-east-1a.elasticloadbalancing.us-east-1.vpce.amazonaws.com</dnsName>
            </item>
            <item>
                <hostedZoneId>Z2THV5YBYUN78V</hostedZoneId>
                <dnsName>elasticloadbalancing.us-east-1.amazonaws.com</dnsName>
            </item>
        </dnsEntrySet>
        <serviceName>com.amazonaws.us-east-1.elasticloadbalancing</serviceName>
        <privateDnsEnabled>true</privateDnsEnabled>
        <groupSet>
            <item>
                <groupName>default</groupName>
                <groupId>sg-11aa22bb</groupId>
            </item>
        </groupSet>
        <vpcEndpointId>vpce-0324151a02f327ff5</vpcEndpointId>
        <subnetIdSet>
            <item>subnet-1a2b3c4d</item>
        </subnetIdSet>
        <networkInterfaceIdSet>
            <item>eni-cd1a3319</item>
        </networkInterfaceIdSet>
        <vpcEndpointType>Interface</vpcEndpointType>
        <vpcId>vpc-1a2b3c4d</vpcId>
        <creationTimestamp>2017-09-05T20:57:46.307Z</creationTimestamp>
        <state>pending</state>
    </vpcEndpoint>
</CreateVpcEndpointResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: