AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::EC2::VPCEndpoint

Creates a VPC endpoint that you can use to establish a private connection between your VPC and another AWS service without requiring access over the Internet, a VPN connection, or AWS Direct Connect. For more information, see CreateVpcEndpoint.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::EC2::VPCEndpoint",
  "Properties" : {
    "VpcId" : String,
    "RouteTableIds" : [ String, ... ],
    "ServiceName" : String,
    "PolicyDocument" : String,
    "VpcEndpointType" : String,
    "PrivateDnsEnabled" : Boolean,
    "SubnetIds" : [ String, ... ],
    "SecurityGroupIds" : [ String, ... ]
  }
}

YAML

Type: AWS::EC2::VPCEndpoint
Properties:
  VpcId: String
  RouteTableIds:
    - String
  ServiceName: String
  PolicyDocument: String
  VpcEndpointType: String
  PrivateDnsEnabled: Boolean
  SubnetIds:
    - String
  SecurityGroupIds:
    - String

Properties

PrivateDnsEnabled

[Interface endpoint] Indicates whether to associate a private hosted zone with the specified VPC.

Required: No

Type: Boolean

Update requires: No interruption

PolicyDocument

[Gateway endpoint] A policy to attach to the endpoint that controls access to the service. The policy must be valid JSON. The default policy allows full access to the AWS service. For more information, see Controlling Access to Services in the Amazon VPC User Guide.

Required: No

Type: JSON object

Update requires: No interruption

RouteTableIds

One or more route table IDs that are used by the VPC to reach the endpoint.

Required: No

Type: List of String values

Update requires: No interruption

SecurityGroupIds

[Interface endpoint] The ID of one or more security groups to associate with the endpoint network interface.

Required: No

Type: List of String values

Update requires: No interruption

ServiceName

The name of the service. To get a list of available services, use DescribeVpcEndpointServices or get the name from the service provider.

Required: Yes

Type: String

Update requires: Replacement

SubnetIds

[Interface endpoint] The ID of one or more subnets in which to create an endpoint network interface.

Required: No

Type: List of String values

Update requires: No interruption

VpcEndpointType

The type of endpoint. Valid values are Interface and Gateway.

Required: No

Type: String

Update requires: No interruption

VpcId

The ID of the VPC in which the endpoint will be used.

Required: Yes

Type: String

Update requires: Replacement

Return Value

Ref

When you pass the logical ID of an AWS::EC2::VPCEndpoint resource to the intrinsic Ref function, the function returns the endpoint ID, such as vpce-a123d0d1.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

CreationTimestamp

Returns: The date and time the VPC endpoint was created. For example: 2018-09-13T04:46:12.271Z

DnsEntries

Returns: (Interface endpoint) A list of the DNS entries for the endpoint. Each entry is a combination of the hosted zone ID and the DNS name. In the first entry in the list below, for example, Z1C12344VYDITB0 is the hosted zone ID and ec2.us-east-1.amazonaws.com is the DNS name. Note that if you update the PrivateDnsEnabled or SubnetIds properties, the order of DNS entries in this list may change as well.

For example:

[ "Z1C12344VYDITB0:ec2.us-east-1.amazonaws.com", "Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com"]

NetworkInterfaceIds

Returns: (Interface endpoint) A list of one or more network interfaces for the endpoint. For example:

[ "eni-12345ab6789c10d1e", "eni-012345678ab9c10d1" ]

For more information about using Fn::GetAtt, see Fn::GetAtt.

Example

The following example creates a VPC endpoint that allows only the s3:GetObject action on the examplebucket bucket. Traffic to S3 within subnets that are associated with the routetableA and routetableB route tables is automatically routed through the VPC endpoint.

JSON

"S3Endpoint" : {
  "Type" : "AWS::EC2::VPCEndpoint",
  "Properties" : {
    "PolicyDocument" : {
      "Version":"2012-10-17",
      "Statement":[{
        "Effect":"Allow",
        "Principal": "*",
        "Action":["s3:GetObject"],
        "Resource":["arn:aws:s3:::examplebucket/*"]
      }]
    },
    "RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ],
    "ServiceName" : { "Fn::Join": [ "", [ "com.amazonaws.", { "Ref": "AWS::Region" }, ".s3" ] ] },
    "VpcId" : {"Ref" : "VPCID"}
  }
}

YAML

S3Endpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal: '*'
          Action:
            - 's3:GetObject'
          Resource:
            - 'arn:aws:s3:::examplebucket/*'
    RouteTableIds:
      - !Ref routetableA
      - !Ref routetableB
    ServiceName: !Join
      - ''
      - - com.amazonaws.
        - !Ref 'AWS::Region'
        - .s3
    VpcId: !Ref VPCID
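Because an endpoint without a PolicyDocument gets the default policy that allows full access to the service, it is worth checking templates for endpoints that omit the policy or grant wildcard actions or resources. The following added script is not part of the AWS documentation; it runs such a check over a constructed template whose S3Endpoint copies the least-privilege policy from the example above, alongside a wide-open endpoint and one with no policy at all. The template contents and the finding strings are assumptions made for the example.

```python
# Constructed sample template (not from the page). S3Endpoint reuses the page's
# least-privilege S3 policy; OpenEndpoint is wide open; NoPolicyEndpoint omits
# PolicyDocument and so gets the default policy, which allows full access.
TEMPLATE = {"Resources": {
    "S3Endpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
             "Resource": ["arn:aws:s3:::examplebucket/*"]}]},
        "RouteTableIds": [{"Ref": "routetableA"}],
        "ServiceName": "com.amazonaws.us-east-1.s3", "VpcId": {"Ref": "VPCID"}}},
    "OpenEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]},
        "RouteTableIds": [{"Ref": "routetableA"}],
        "ServiceName": "com.amazonaws.us-east-1.s3", "VpcId": {"Ref": "VPCID"}}},
    "NoPolicyEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "RouteTableIds": [{"Ref": "routetableA"}],
        "ServiceName": "com.amazonaws.us-east-1.s3", "VpcId": {"Ref": "VPCID"}}},
}}


def _as_list(value):
    # IAM policy fields (Action, Resource, Statement) may be a string or a list.
    return value if isinstance(value, list) else [value]


def check_vpc_endpoints(template):
    """Map each AWS::EC2::VPCEndpoint logical ID to a list of policy findings."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::VPCEndpoint":
            continue
        issues = []
        policy = res.get("Properties", {}).get("PolicyDocument")
        if policy is None:
            # Omitting the property means the default full-access policy applies.
            issues.append("no PolicyDocument: default policy allows full access")
        else:
            for st in _as_list(policy.get("Statement", [])):
                if st.get("Effect") != "Allow":
                    continue
                actions = _as_list(st.get("Action", []))
                if any(a == "*" or a.endswith(":*") for a in actions):
                    issues.append("Allow statement uses a wildcard Action")
                if "*" in _as_list(st.get("Resource", [])):
                    issues.append("Allow statement uses Resource '*'")
        findings[name] = issues   # empty list means no wildcard grants found
    return findings
```

Calling check_vpc_endpoints(TEMPLATE) reports no findings for S3Endpoint, two for OpenEndpoint and one for NoPolicyEndpoint; to lint a real template, load its JSON with json.load and pass the resulting dict.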