Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . ec2 ]

create-vpc-endpoint

Description

Creates a VPC endpoint for a specified service. An endpoint enables you to create a private connection between your VPC and the service. The service may be provided by AWS, an AWS Marketplace partner, or another AWS account. For more information, see VPC Endpoints in the Amazon Virtual Private Cloud User Guide .

A gateway endpoint serves as a target for a route in your route table for traffic destined for the AWS service. You can specify an endpoint policy to attach to the endpoint that will control access to the service from your VPC. You can also specify the VPC route tables that use the endpoint.

An interface endpoint is a network interface in your subnet that serves as an endpoint for communicating with the specified service. You can specify the subnets in which to create an endpoint, and the security groups to associate with the endpoint network interface.

Use describe-vpc-endpoint-services to get a list of supported services.

See also: AWS API Documentation

Synopsis

  create-vpc-endpoint
[--dry-run | --no-dry-run]
[--vpc-endpoint-type <value>]
--vpc-id <value>
--service-name <value>
[--policy-document <value>]
[--route-table-ids <value>]
[--subnet-ids <value>]
[--security-group-ids <value>]
[--client-token <value>]
[--private-dns-enabled | --no-private-dns-enabled]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--dry-run | --no-dry-run (boolean)

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation . Otherwise, it is UnauthorizedOperation .

--vpc-endpoint-type (string)

The type of endpoint.

Default: Gateway

Possible values:

  • Interface
  • Gateway

--vpc-id (string)

The ID of the VPC in which the endpoint will be used.

--service-name (string)

The service name. To get a list of available services, use the describe-vpc-endpoint-services request.

--policy-document (string)

(Gateway endpoint) A policy to attach to the endpoint that controls access to the service. The policy must be in valid JSON format. If this parameter is not specified, we attach a default policy that allows full access to the service.

--route-table-ids (list)

(Gateway endpoint) One or more route table IDs.

Syntax:

"string" "string" ...

--subnet-ids (list)

(Interface endpoint) The ID of one or more subnets in which to create an endpoint network interface.

Syntax:

"string" "string" ...

--security-group-ids (list)

(Interface endpoint) The ID of one or more security groups to associate with the endpoint network interface.

Syntax:

"string" "string" ...

--client-token (string)

Unique, case-sensitive identifier you provide to ensure the idempotency of the request. For more information, see How to Ensure Idempotency .

--private-dns-enabled | --no-private-dns-enabled (boolean)

(Interface endpoint) Indicate whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the region (for example, kinesis.us-east-1.amazonaws.com ) which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service.

To use a private hosted zone, you must set the following VPC attributes to true : enableDnsHostnames and enableDnsSupport . Use modify-vpc-attribute to set the VPC attributes.

Default: true

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

Examples

To create a gateway endpoint

This example creates a gateway VPC endpoint between VPC vpc-1a2b3c4d and Amazon S3 in the us-east-1 region, and associates route table rtb-11aa22bb with the endpoint.

Command:

aws ec2 create-vpc-endpoint --vpc-id vpc-1a2b3c4d --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-11aa22bb

Output:

{
  "VpcEndpoint": {
  "PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
  "VpcId": "vpc-1a2b3c4d",
  "State": "available",
  "ServiceName": "com.amazonaws.us-east-1.s3",
  "RouteTableIds": [
    "rtb-11aa22bb"
  ],
  "VpcEndpointId": "vpce-3ecf2a57",
  "CreationTimestamp": "2015-05-15T09:40:50Z"
  }
}

To create an interface endpoint

This example creates an interface VPC endpoint between VPC vpc-1a2b3c4d and Elastic Load Balancing in the us-east-1 region. The endpoint is created in subnet subnet-7b16de0c, and security group sg-1a2b3c4d is associated with the endpoint network interface.

Command:

aws ec2 create-vpc-endpoint --vpc-id vpc-1a2b3c4d --vpc-endpoint-type Interface --service-name com.amazonaws.us-east-1.elasticloadbalancing --subnet-id subnet-7b16de0c --security-group-id sg-1a2b3c4d

Output:

{
  "VpcEndpoint": {
      "PolicyDocument": "{\n  \"Statement\": [\n    {\n      \"Action\": \"*\", \n      \"Effect\": \"Allow\", \n      \"Principal\": \"*\", \n      \"Resource\": \"*\"\n    }\n  ]\n}",
      "VpcId": "vpc-1a2b3c4d",
      "NetworkInterfaceIds": [
          "eni-bf8aa46b"
      ],
      "SubnetIds": [
          "subnet-7b16de0c"
      ],
      "PrivateDnsEnabled": true,
      "State": "pending",
      "ServiceName": "com.amazonaws.us-east-1.elasticloadbalancing",
      "RouteTableIds": [],
      "Groups": [
          {
              "GroupName": "default",
              "GroupId": "sg-1a2b3c4d"
          }
      ],
      "VpcEndpointId": "vpce-088d25a4bbf4a7e66",
      "VpcEndpointType": "Interface",
      "CreationTimestamp": "2017-09-05T20:14:41.240Z",
      "DnsEntries": [
          {
              "HostedZoneId": "Z7HUB22UULQXV",
              "DnsName": "vpce-088d25a4bbf4a7e66-ks83awe7.elasticloadbalancing.us-east-1.vpce.amazonaws.com"
          },
          {
              "HostedZoneId": "Z7HUB22UULQXV",
              "DnsName": "vpce-088d25a4bbf4a7e66-ks83awe7-us-east-1a.elasticloadbalancing.us-east-1.vpce.amazonaws.com"
          },
          {
              "HostedZoneId": "Z1K56Z6FNPJRR",
              "DnsName": "elasticloadbalancing.us-east-1.amazonaws.com"
          }
      ]
  }
}

Output

VpcEndpoint -> (structure)

Information about the endpoint.

VpcEndpointId -> (string)

The ID of the VPC endpoint.

VpcEndpointType -> (string)

The type of endpoint.

VpcId -> (string)

The ID of the VPC to which the endpoint is associated.

ServiceName -> (string)

The name of the service to which the endpoint is associated.

State -> (string)

The state of the VPC endpoint.

PolicyDocument -> (string)

The policy document associated with the endpoint, if applicable.

RouteTableIds -> (list)

(Gateway endpoint) One or more route tables associated with the endpoint.

(string)

SubnetIds -> (list)

(Interface endpoint) One or more subnets in which the endpoint is located.

(string)

Groups -> (list)

(Interface endpoint) Information about the security groups associated with the network interface.

(structure)

Describes a security group.

GroupId -> (string)

The ID of the security group.

GroupName -> (string)

The name of the security group.

PrivateDnsEnabled -> (boolean)

(Interface endpoint) Indicates whether the VPC is associated with a private hosted zone.

NetworkInterfaceIds -> (list)

(Interface endpoint) One or more network interfaces for the endpoint.

(string)

DnsEntries -> (list)

(Interface endpoint) The DNS entries for the endpoint.

(structure)

Describes a DNS entry.

DnsName -> (string)

The DNS name.

HostedZoneId -> (string)

The ID of the private hosted zone.

CreationTimestamp -> (timestamp)

The date and time the VPC endpoint was created.

ClientToken -> (string)

Unique, case-sensitive identifier you provide to ensure the idempotency of the request.