Menu
Amazon Virtual Private Cloud
User Guide

VPC Endpoints

A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.

Important

Currently, we support endpoints for connections with Amazon S3 only. We'll add support for other AWS services later. Endpoints are supported within the same region only.

An endpoint enables instances in your VPC to use their private IP addresses to communicate with resources in other services. Your instances do not require public IP addresses, and you do not need an Internet gateway, a NAT device, or a virtual private gateway in your VPC. You use endpoint policies to control access to resources in other services. Traffic between your VPC and the AWS service does not leave the Amazon network.

There is no additional charge for using endpoints. Standard charges for data transfer and resource usage apply. For more information about pricing, see Amazon EC2 Pricing.

Endpoint Basics

To create an endpoint, specify the VPC and the service to which you're connecting. A service is identified by a prefix list, or the name and ID of a service for a region. A prefix list ID uses the form pl-xxxxxxx and a prefix list name uses the form com.amazonaws.<region>.<service>. You use the prefix list name (service name) to create an endpoint.

You can attach an endpoint policy to your endpoint that allows access to some or all of the service to which you're connecting. For more information, see Using Endpoint Policies. To control the routing of traffic between your VPC and the other service, you can specify one or more route tables that are used by the VPC to reach the endpoint. Subnets that use these route tables have access to the endpoint, and traffic from instances in these subnets to the service is then routed through the endpoint.

You can also use the VPC wizard on the dashboard of the Amazon VPC console to create a new VPC, and request an endpoint for the service that you specify.

After you've created an endpoint, you can modify the policy that's attached to your endpoint, and add or remove the route tables that are used by the endpoint.

You can create multiple endpoints in a single VPC, for example, to multiple services. You can also create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.

Routing for Endpoints

When you create or modify an endpoint, you specify the VPC route tables that must be used to access the service via the endpoint. A route is automatically added to each of the route tables with a destination that specifies the prefix list ID of the service (pl-xxxxxxxx), and a target with the endpoint ID (vpce-xxxxxxxx). The prefix list ID logically represents the range of public IP addresses used by the service. All instances in subnets associated with the specified route tables automatically use the endpoint to access the service; subnets that are not associated with the specified route tables do not use the endpoint to access the service. This enables you to keep resources in other subnets separate from your endpoint.

We use the most specific route that matches the traffic to determine how to route the traffic (longest prefix match). If you have an existing route in your route table for all Internet traffic (0.0.0.0/0) that points to an Internet gateway, the endpoint route takes precedence for all traffic destined for the service, because the IP address range for the service is more specific than 0.0.0.0/0. All other Internet traffic goes to your Internet gateway, including traffic that's destined for the service in other regions. However, if you have existing, more specific routes to IP address ranges that point to an Internet gateway or a NAT device, those routes take precedence. If you have existing routes destined for an IP address range that is identical to the IP address range used by the service, then your routes take precedence.

To view the current IP address range for a service, you can use the describe-prefix-lists command or the ec2-describe-prefix-lists command.

Note

The range of public IP addresses for a service may change from time to time. Consider the implications before you make routing or other decisions based on the current IP address range for a service.

You can have multiple endpoint routes to different services in a route table, and you can have multiple endpoint routes to the same service in different route tables, but you cannot have multiple endpoints to the same service in a single route table. For example, if you have two endpoints to Amazon S3 in your VPC, you cannot use the same route table for both endpoints.

You cannot explicitly add, modify, or delete an endpoint route in your route table by using the route table APIs, or by using the Route Tables page in the VPC console. You can only add an endpoint route by associating a route table with an endpoint. The endpoint route is automatically deleted when you remove the route table association from the endpoint (by modifying the endpoint), or when you delete your endpoint.

To change the route tables that are associated with your endpoint, you can modify the endpoint. For more information, see Modifying an Endpoint.

Example: An Endpoint Route in a Route Table

In this scenario, you have an existing route in your route table for all Internet traffic (0.0.0.0/0) that points to an Internet gateway. Any traffic from the subnet that's destined for another AWS service uses the Internet gateway.

DestinationTarget
10.0.0.0/16Local
0.0.0.0/0igw-1a2b3c4d

You create an endpoint to Amazon S3, and associate your route table with the endpoint. An endpoint route is automatically added to the route table, with a destination of pl-1a2b3c4d (assume this represents Amazon S3). Now, any traffic from the subnet that's destined for Amazon S3 in the same region goes to the endpoint, and does not go to the Internet gateway. All other Internet traffic goes to your Internet gateway, including traffic that's destined for other services, and destined for Amazon S3 in other regions.

DestinationTarget
10.0.0.0/16Local
0.0.0.0/0igw-1a2b3c4d
pl-1a2b3c4dvpce-11bb22cc

Example: Adjusting Your Route Tables for Endpoints

In this scenario, you have configured your route table to enable instances in your subnet to communicate with Amazon S3 buckets through an Internet gateway. You've added a route with 54.123.165.0/24 as a destination (assume this is an IP address range currently within Amazon S3), and the Internet gateway as the target. You then create an endpoint, and associate this route table with the endpoint. An endpoint route is automatically added to the route table. You then use the describe-prefix-lists command to view the IP address range for Amazon S3. The range is 54.123.160.0/19, which is less specific than the range that's pointing to your Internet gateway. This means that any traffic destined for the 54.123.165.0/24 IP address range continues to use the Internet gateway, and does not use the endpoint (for as long as this remains the public IP address range for Amazon S3).

DestinationTarget
10.0.0.0/16Local
54.123.165.0/24 igw-1a2b3c4d
pl-1a2b3c4dvpce-11bb22cc

To ensure that all traffic destined for Amazon S3 in the same region is routed via the endpoint, you must adjust the routes in your route table. To do this, you can delete the route to the Internet gateway. Now, all traffic to Amazon S3 in the same region uses the endpoint, and the subnet that's associated with your route table is a private subnet.

DestinationTarget
10.0.0.0/16Local
pl-1a2b3c4dvpce-11bb22cc

Endpoints for Amazon S3

If you've already set up access to your Amazon S3 resources from your VPC, you can continue to use Amazon S3 DNS names to access those resources after you've set up an endpoint. However, take note of the following:

  • Your endpoint has a policy that controls the use of the endpoint to access Amazon S3 resources. The default policy allows access by any user or service within the VPC, using credentials from any AWS account, to any Amazon S3 resource; including Amazon S3 resources for an AWS account other than the account with which the VPC is associated. For more information, see Controlling Access to Services.

  • The source IP addresses from instances in your affected subnets as received by Amazon S3 will change from public IP addresses to the private IP addresses from your VPC. An endpoint switches network routes, and disconnects open TCP connections. Your tasks will be interrupted during the changeover, and any previous connections using public IP addresses will not be resumed. We recommend that you do not have any critical tasks running when you create or modify an endpoint; or that you test to ensure that your software can automatically reconnect to Amazon S3 after the connection break.

  • You cannot use the aws:SourceIp condition in your bucket policies for requests to Amazon S3 through a VPC endpoint. If a statement in your bucket policy includes the aws:SourceIp condition, the condition is not matched — the statement is ignored and access to the bucket may be denied. Instead, adjust your bucket policy to limit access to a specific VPC or a specific endpoint. For more information, see Using Amazon S3 Bucket Policies.

  • You must enable DNS resolution in your VPC, or if you're using your own DNS server, ensure that requests to Amazon S3 are forwarded to the VPC DNS server. For more information, see Using DNS with Your VPC.

  • Endpoints currently do not support cross-region requests—ensure that you create your endpoint in the same region as your bucket. You can find the location of your bucket by using the Amazon S3 console, or by using the get-bucket-location command. Use a region-specific Amazon S3 endpoint to access your bucket; for example, mybucket.s3-us-west-2.amazonaws.com. For more information about region-specific endpoints for Amazon S3, see Amazon Simple Storage Service (S3) in Amazon Web Services General Reference. If you use the AWS CLI to make requests to Amazon S3, set your default region to the same region as your bucket, or use the --region parameter in your requests.

    Note

    Treat Amazon S3's US Standard region as mapped to the us-east-1 region.

If you use other AWS services in your VPC, such as Amazon Elastic MapReduce, they may use S3 buckets for certain tasks. Ensure that your endpoint policy allows full access to Amazon S3 (the default policy), or that it allows access to the specific buckets that are used by these services. Alternatively, only create an endpoint in a subnet that is not used by any of these services, to allow the services to continue accessing S3 buckets using public IP addresses.

The following table lists AWS services that may be affected by an endpoint, and any specific information for each service.

AWS serviceNote
AWS CloudFormationIf you have resources in your VPC that must respond to a wait condition or custom resource request, your endpoint policy must allow at least access to the specific buckets that are used by these resources. For more information, see AWS CloudFormation and VPC Endpoints.
AWS CodeDeployYour endpoint policy must allow full access to Amazon S3, or allow access to any S3 buckets that you've created for your AWS CodeDeploy deployments.
Elastic BeanstalkYour endpoint policy must allow at least access to any S3 buckets used for Elastic Beanstalk applications. For more information, see Using Elastic Beanstalk with Amazon S3 in the AWS Elastic Beanstalk Developer Guide.
Amazon Elastic MapReduceYour subnet's route table must include a route to an Internet gateway, and your endpoint policy must allow full access to Amazon S3. For more information, see VPC Errors in the Amazon Elastic MapReduce Developer Guide.
AWS OpsWorksYour endpoint policy must allow at least access to specific buckets that are used by AWS OpsWorks. For more information, see Running a Stack in a VPC in the AWS OpsWorks User Guide.
Amazon WorkDocsIf you use an Amazon WorkDocs client in Amazon WorkSpaces or an EC2 instance, your endpoint policy must allow full access to Amazon S3.
Amazon WorkSpacesAmazon WorkSpaces does not directly depend on Amazon S3; however, if you provide Amazon WorkSpaces users with Internet access, then take note that web sites, HTML emails, and Internet services from other companies may depend on Amazon S3. Ensure that your endpoint policy allows full access to Amazon S3 to allow these services to continue to work correctly.

Traffic between your VPC and S3 buckets does not leave the Amazon network.

Endpoint Limitations

To use endpoints, you need to be aware of the current limitations:

  • You cannot use prefix list IDs to create an outbound rule in a network ACL that allows or denies outbound traffic to the service specified in an endpoint. Instead, you can use a prefix list ID in an outbound security group rule. For more information, see Security Groups.

  • You cannot create an endpoint between a VPC and an AWS service in a different region.

  • You cannot tag an endpoint.

  • You cannot transfer an endpoint from one VPC to another, or from one service to another.

  • Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, a VPC peering connection, an AWS Direct Connect connection, or a ClassicLink connection in your VPC cannot use the endpoint to communicate with resources in the endpoint service.

  • When using Amazon S3 endpoints, you cannot use a bucket policy or an IAM policy to allow access from a VPC CIDR range (the private IP address range). VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. Instead, you can use a bucket policy to restrict access to a specific endpoint or to a specific VPC, and you can use your route tables to control which instances can access resources in Amazon S3 via the endpoint.

Controlling the Use of Endpoints

By default, IAM users do not have permission to work with endpoints. You can create an IAM user policy that grants users permission to create, modify, describe, and delete endpoints. We currently do not support resource-level permissions for any of the ec2:*VpcEndpoint* API actions, or for the ec2:DescribePrefixLists action — you cannot create an IAM policy that grants users permission to use a specific endpoint or prefix list. For more information, see the following example: 8. Creating and managing VPC endpoints.

Controlling Access to Services

When you create an endpoint, you attach an endpoint policy to it that controls access to the service to which you are connecting. If you're using an endpoint to Amazon S3, you can also use Amazon S3 bucket policies to control access to buckets from specific endpoints, or specific VPCs.

Endpoint policies and Amazon S3 bucket policies must be written in JSON format.

Using Endpoint Policies

A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint. If you do not attach a policy when you create an endpoint, we attach a default policy for you that allows full access to the service. An endpoint policy does not override or replace IAM user policies or S3 bucket policies. It is a separate policy for controlling access from the endpoint to the specified service. However, all types of policies — IAM user policies, endpoint policies, S3 policies, and Amazon S3 ACL policies (if any) — must grant the necessary permissions for access to Amazon S3 to succeed.

You cannot attach more than one policy to an endpoint; however, you can modify the policy at any time. Note that if you do modify a policy, it can take a few minutes for the changes to take effect. For more information, see Modifying an Endpoint. For more information about writing policies, see Overview of IAM Policies in the IAM User Guide.

Your endpoint policy can be like any IAM policy; however, take note of the following:

  • Only the parts of the policy that relate to the specified service will work. You cannot use an endpoint policy to allow resources in your VPC to perform other actions; for example, if you add EC2 actions to an endpoint policy for an endpoint to Amazon S3, they will have no effect.

  • Your policy must contain a Principal element. For more information, see Principal in the IAM User Guide.

Example: Restricting Access to a Specific Bucket

You can create a policy that restricts access to specific S3 buckets only. This is useful if you have other AWS services in your VPC that use S3 buckets. The following is an example of a policy that restricts access to my_secure_bucket only.

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"]
    }
  ]
}		

Example: Enabling Access to the Amazon Linux AMI Repositories

The Amazon Linux AMI repositories are Amazon S3 buckets in each region. If you want instances in your VPC to access the repositories through an endpoint, you can create an endpoint policy that enables access to these buckets.

{
  "Statement": [
    {
      "Sid": "AmazonLinuxAMIRepositoryAccess",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::packages.*.amazonaws.com/*",
        "arn:aws:s3:::repo.*.amazonaws.com/*"
      ]
    }
  ]
}

Using Amazon S3 Bucket Policies

You can use bucket policies to control access to buckets from specific endpoints, or specific VPCs.

For more information about bucket policies for Amazon S3, see Using Bucket Policies and User Policies in Amazon Simple Storage Service Developer Guide.

Example: Restricting Access to a Specific Endpoint

The following is an example of an S3 bucket policy that allows access to a specific bucket, my_secure_bucket, from endpoint vpce-1a2b3c4d only. The policy denies all access to the bucket if the specified endpoint is not being used. The aws:sourceVpce condition is used to specify the endpoint. The aws:sourceVpce condition does not require an ARN for the VPC endpoint resource, only the endpoint ID.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPCE-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}	

Example: Restricting Access to a Specific VPC

You can create a bucket policy that restricts access to a specific VPC by using the aws:sourceVpc condition. This is useful if you have multiple endpoints configured in the same VPC, and you want to manage access to your S3 buckets for all of your endpoints. The following is an example of a policy that allows VPC vpc-111bbb22 to access my_secure_bucket and its objects. The policy denies all access to the bucket if the specified VPC is not being used. The aws:sourceVpc condition does not require an ARN for the VPC resource, only the VPC ID.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": ["arn:aws:s3:::my_secure_bucket",
                   "arn:aws:s3:::my_secure_bucket/*"],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}	

Security Groups

By default, Amazon VPC security groups allow all outbound traffic, unless you've specifically restricted outbound access. If your security group's outbound rules are restricted, you must add a rule that allows outbound traffic from your VPC to the service that's specified in your endpoint. To do this, you can use the service's prefix list ID as the destination in the outbound rule. For more information, see Modifying Your Security Group.

Working with Endpoints

You can use the Amazon VPC console to create and manage endpoints.

Creating an Endpoint

To create an endpoint, you must specify the VPC in which you want to create the endpoint, and the service to which you want to establish the connection. You can also attach a policy to the endpoint, and specify the route tables that will be used by the endpoint.

To create an endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Choose Create Endpoint.

  4. In the first step of the wizard, complete the following information, and then choose Next Step.

    • Select a VPC in which to create the endpoint, and the service to which you want to connect. (Currently, only the Amazon S3 service is available.)

    • Choose the type of policy. You can leave the default option, Full Access, to allow full access to the service. Alternatively, you can select Custom, and then use the AWS Policy Generator to create a custom policy, or type your own policy in the policy window.

  5. In the second step of the wizard, select the route tables that will be used by the endpoint. The wizard automatically adds a route to those tables that points traffic destined for the service to the endpoint. When you are done, choose Create Endpoint.

You can use the VPC wizard to create a new VPC and to create an endpoint at the same time. Instead of specifying the route tables that are used by the endpoint, you specify the subnets that will have access to the endpoint. The wizard adds an endpoint route to the route tables associated with those subnets.

To create a VPC and endpoint using the VPC wizard

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. On the Amazon VPC dashboard, choose Start VPC Wizard.

  3. Select a VPC configuration that suit your needs, and then choose Select. For more information about the types of configurations, see VPC Wizard Scenarios for Amazon VPC.

  4. On the second page of the wizard, fill in the VPC settings as required. In the Add endpoints for S3 to your subnets section, complete the following information:

    • Select the subnets that will have access to the endpoint from the Subnet list. The route tables associated with the subnets will include an endpoint route.

    • Select the type of policy from the Policy list. You can leave the default option, Full Access, to allow full access to the service. Alternatively, choose Custom, and then use the AWS Policy Generator to create a custom policy, or type your own policy in the policy window.

  5. If applicable, complete the rest of the steps in the wizard, and then click Create VPC.

Modifying Your Security Group

If your VPC security group restricts outbound traffic, you must add a rule to allow traffic destined for the AWS service to leave your instance.

To add an outbound rule for an endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select your VPC security group, choose the Outbound Rules tab, and then choose Edit.

  4. Select the type of traffic from the Type list, and enter the port range, if required. For example, if you use your instance to retrieve objects from Amazon S3, choose HTTPS from the Type list.

  5. The Destination list displays the prefix list IDs and names for the available AWS services. Choose the prefix list ID for the endpoint service, or type it in.

    Note

    For Amazon S3, the prefix list name is com.amazonaws.<region>.s3; for example, com.amazonaws.us-east-1.s3.

  6. Choose Save.

For more information about security groups, see Security Groups for Your VPC.

Modifying an Endpoint

You can modify your endpoint by changing or removing its policy, and adding or removing the route tables that are used by the endpoint.

To change the policy associated with an endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select your endpoint, choose Actions, and then choose Edit Policy.

  4. In the dialog box, you can choose Full Access to allow full access. Alternatively, choose Custom, and then use the AWS Policy Generator to create a custom policy, or type your own policy in the policy window. When you're done, choose Save Policy.

    Note

    It can take a few minutes for policy changes to take effect.

To add or remove route tables used by an endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select your VPC endpoint, choose Actions, and then choose Choose Route Tables.

  4. In the dialog box, select or deselect the required route tables, and then choose Save.

Describing Your Endpoints

You can use the Amazon VPC console to view your endpoints, and to view information about each one.

To view information about an endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select your endpoint.

  4. You can view information about the endpoint on the Summary tab; for example, you can get the prefix list name for the service in the Service field.

    On the Route Tables tab, you can view information about the route tables that are used by the endpoint. On the Policy tab, you can view the IAM policy that's attached to your endpoint.

    Note

    The Policy tab only displays the endpoint policy. It does not display any information about IAM policies for IAM users that have permission to work with endpoints. It also does not display service-specific policies; for example, S3 bucket policies.

Deleting an Endpoint

If you no longer require an endpoint, you can delete it. Deleting an endpoint also deletes the endpoint routes in the route tables that were used by the endpoint, but doesn't affect any security groups associated with the VPC in which the endpoint resides.

To delete an endpoint

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Select your endpoint, choose Actions, and then choose Delete Endpoint.

  4. In the confirmation dialog box, choose Yes, Delete.

API and CLI Overview

You can perform the tasks described on this page using a command line tool, or the Amazon EC2 Query API.

Create a VPC endpoint

Get the prefix list name, ID, and IP address range for an AWS service

Modify a VPC endpoint

Describe your VPC endpoints

Get a list of available AWS services for creating a VPC endpoint

Delete a VPC endpoint