AWS::EC2::VPCEndpoint
Creates a VPC endpoint that you can use to establish a private connection between your VPC and another AWS service without requiring access over the Internet, a VPN connection, or AWS Direct Connect. For more information, see CreateVpcEndpoint.
Topics
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::EC2::VPCEndpoint", "Properties" : { "VpcId" :String, "RouteTableIds" : [String, ... ], "ServiceName" :String, "PolicyDocument" :String, "VpcEndpointType" :String, "PrivateDnsEnabled" :Boolean, "SubnetIds" : [String, ... ], "SecurityGroupIds" : [String, ... ] } }
YAML
Type: "AWS::EC2::VPCEndpoint" Properties:VpcId:StringRouteTableIds: -StringServiceName:StringPolicyDocument:StringVpcEndpointType:StringPrivateDnsEnabled:BooleanSubnetIds: -StringSecurityGroupIds: -String
Properties
PrivateDnsEnabled-
[Interface endpoint] Indicates whether to associate a private hosted zone with the specified VPC.
Required: No
Type: Boolean
Update requires: No interruption
PolicyDocument-
[Gateway endpoint] A policy to attach to the endpoint that controls access to the service. The policy must be valid JSON. The default policy allows full access to the AWS service. For more information, see Controlling Access to Services in the Amazon VPC User Guide.
Required: No
Type: JSON object
Update requires: No interruption
RouteTableIds-
One or more route table IDs that are used by the VPC to reach the endpoint.
Required: No
Type: List of String values
Update requires: No interruption
SecurityGroupIds-
[Interface endpoint] The ID of one or more security groups to associate with the endpoint network interface.
Required: No
Type: List of String values
Update requires: No interruption
ServiceName-
The name of the service. To get a list of available services, use DescribeVpcEndpointServices or get the name from the service provider.
Required: Yes
Type: String
Update requires: Replacement
SubnetIds-
[Interface endpoint] The ID of one or more subnets in which to create an endpoint network interface.
Required: No
Type: List of String values
Update requires: No interruption
VpcEndpointType-
The type of endpoint. Valid values are
InterfaceandGateway.Required: No
Type: String
Update requires: No interruption
VpcId-
The ID of the VPC in which the endpoint will be used.
Required: Yes
Type: String
Update requires: Replacement
Return Value
Ref
When you pass the logical ID of an AWS::EC2::VPCEndpoint resource to the
intrinsic Ref function, the function returns the endpoint ID, such
as vpce-a123d0d1.
For more information about using the Ref function, see Ref.
Example
The following example creates a VPC endpoint that allows only the
s3:GetObject action on the examplebucket bucket. Traffic to S3
within subnets that are associated with the routetableA and
routetableB route tables is automatically routed through the VPC
endpoint.
JSON
"S3Endpoint" : { "Type" : "AWS::EC2::VPCEndpoint", "Properties" : { "PolicyDocument" : { "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Principal": "*", "Action":["s3:GetObject"], "Resource":["arn:aws:s3:::examplebucket/*"] }] }, "RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ], "ServiceName" : { "Fn::Join": [ "", [ "com.amazonaws.", { "Ref": "AWS::Region" }, ".s3" ] ] }, "VpcId" : {"Ref" : "VPCID"} } }
YAML
S3Endpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: '*' Action: - 's3:GetObject' Resource: - 'arn:aws:s3:::examplebucket/*' RouteTableIds: - !Ref routetableA - !Ref routetableB ServiceName: !Join - '' - - com.amazonaws. - !Ref 'AWS::Region' - .s3 VpcId: !Ref VPCID
