AWS::EC2::VPCEndpoint
Specifies a VPC endpoint for a service. An endpoint enables you to create a private connection between your VPC and the service. The service may be provided by AWS, an AWS Marketplace Partner, or another AWS account. For more information, see the AWS PrivateLink User Guide.
An interface endpoint establishes connections between the subnets in your VPC and an AWS service, your own service, or a service hosted by another AWS account. You can specify the subnets in which to create the endpoint and the security groups to associate with the endpoint network interface.
A gateway endpoint serves as a target for a route in your route table for traffic destined
for Amazon S3 or Amazon DynamoDB. You can specify an endpoint policy for the endpoint,
which controls access to the service from your VPC. You can also specify the VPC route tables
that use the endpoint. For information about connectivity to Amazon S3, see Why can’t I connect to an S3 bucket using a gateway VPC endpoint?
A Gateway Load Balancer endpoint provides private connectivity between your VPC and virtual appliances from a service provider.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::EC2::VPCEndpoint", "Properties" : { "PolicyDocument" :Json, "PrivateDnsEnabled" :Boolean, "RouteTableIds" :[ String, ... ], "SecurityGroupIds" :[ String, ... ], "ServiceName" :String, "SubnetIds" :[ String, ... ], "VpcEndpointType" :String, "VpcId" :String} }
YAML
Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument:JsonPrivateDnsEnabled:BooleanRouteTableIds:- StringSecurityGroupIds:- StringServiceName:StringSubnetIds:- StringVpcEndpointType:StringVpcId:String
Properties
PolicyDocument-
A policy that controls access to the service from the VPC. If this parameter is not specified, the default policy allows full access to the service. Endpoint policies are supported only for gateway and interface endpoints.
For CloudFormation templates in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation converts YAML policies to JSON format before calling the API to create or modify the VPC endpoint.
Required: No
Type: Json
Update requires: No interruption
PrivateDnsEnabled-
Indicate whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example,
kinesis.us-east-1.amazonaws.com), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service.To use a private hosted zone, you must set the following VPC attributes to
true:enableDnsHostnamesandenableDnsSupport.This property is supported only for interface endpoints.
Default:
falseRequired: No
Type: Boolean
Update requires: No interruption
RouteTableIds-
The route table IDs. Routing is supported only for gateway endpoints.
Required: No
Type: List of String
Update requires: No interruption
SecurityGroupIds-
The IDs of the security groups to associate with the endpoint network interface. Security groups are supported only for interface endpoints.
Required: No
Type: List of String
Update requires: No interruption
ServiceName-
The service name. To list the available services, use DescribeVpcEndpointServices. Otherwise, get the name from the service provider.
Required: Yes
Type: String
Update requires: Replacement
SubnetIds-
The ID of the subnets in which to create an endpoint network interface. You must specify this property for an interface endpoints or a Gateway Load Balancer endpoint. You can't specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet.
Required: Conditional
Type: List of String
Update requires: No interruption
VpcEndpointType-
The type of endpoint.
Default: Gateway
Required: No
Type: String
Allowed values:
Gateway | GatewayLoadBalancer | InterfaceUpdate requires: Replacement
VpcId-
The ID of the VPC in which the endpoint will be used.
Required: Yes
Type: String
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the VPC endpoint.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
CreationTimestamp-
The date and time the VPC endpoint was created. For example:
Fri Sep 28 23:34:36 UTC 2018. DnsEntries-
(Interface endpoints) The DNS entries for the endpoint. Each entry is a combination of the hosted zone ID and the DNS name. The entries are ordered as follows: regional public DNS, zonal public DNS, private DNS, and wildcard DNS. This order is not enforced for AWS Marketplace services.
The following is an example. In the first entry, the hosted zone ID is Z1HUB23UULQXV and the DNS name is vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com.
["Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com", "Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3-us-east-1a.ec2.us-east-1.vpce.amazonaws.com", "Z1C12344VYDITB0:ec2.us-east-1.amazonaws.com"]
If you update the
PrivateDnsEnabledorSubnetIdsproperties, the DNS entries in the list will change. NetworkInterfaceIds-
(Interface endpoints) One or more network interface IDs. If you update the
PrivateDnsEnabledorSubnetIdsproperties, the items in this list might change.
Examples
Create an interface endpoint
The following example specifies an interface endpoint that connects the specified VPC and Amazon CloudWatch Logs in the specified Region.
JSON
{ "cwlInterfaceEndpoint": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { "ServiceName": {"Fn::Sub": "com.amazonaws.${AWS::Region}.logs"}, "SecurityGroupIds": [ {"Ref": "mySecurityGroup"} ], "SubnetIds": [ {"Ref": "subnetA"}, {"Ref": "subnetB"} ], "VpcEndpointType": "Interface", "VpcId": {"Ref": "myVPC"} } } }
YAML
cwlInterfaceEndpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: VpcEndpointType: Interface ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs' VpcId: !Ref myVPC SubnetIds: - !Ref subnetA - !Ref subnetB SecurityGroupIds: - !Ref mySecurityGroup
Create a gateway endpoint
The following example specifies a gateway endpoint that connects the specified VPC and Amazon S3 in the specified Region. The endpoint policy allows only the s3:GetObject action on the specified bucket. Traffic to Amazon S3 from the subnets that are associated with the specified route tables is automatically routed through the gateway endpoint.
JSON
{ "S3GatewayEndpoint": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"] }] }, "RouteTableIds": [ {"Ref": "routetableA"}, {"Ref": "routetableB"} ], "ServiceName": {"Fn::Sub": "com.amazonaws.${AWS::Region}.s3"}, "VpcId": {"Ref": "VPCID"} } } }
YAML
S3GatewayEndpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: '*' Action: - 's3:GetObject' Resource: - 'arn:aws:s3:::examplebucket/*' RouteTableIds: - !Ref routetableA - !Ref routetableB ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3' VpcId: !Ref VPCID
