AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::EC2::VPCEndpoint

Creates a VPC endpoint that you can use to establish a private connection between your VPC and another AWS service without requiring access over the Internet, a VPN connection, or AWS Direct Connect. For more information, see CreateVpcEndpoint.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::EC2::VPCEndpoint",
  "Properties" : {
    "VpcId" : String,
    "RouteTableIds" : [ String, ... ],
    "ServiceName" : String,
    "PolicyDocument" : String,
    "VpcEndpointType" : String,
    "PrivateDnsEnabled" : Boolean,
    "SubnetIds" : [ String, ... ],
    "SecurityGroupIds" : [ String, ... ]
  }
}

YAML

Type: "AWS::EC2::VPCEndpoint"
Properties:
  VpcId: String
  RouteTableIds:
    - String
  ServiceName: String
  PolicyDocument: String
  VpcEndpointType: String
  PrivateDnsEnabled: Boolean
  SubnetIds:
    - String
  SecurityGroupIds:
    - String

Properties

PrivateDnsEnabled

[Interface endpoint] Indicates whether to associate a private hosted zone with the specified VPC.

Required: No

Type: Boolean

Update requires: No interruption

PolicyDocument

[Gateway endpoint] A policy to attach to the endpoint that controls access to the service. The policy must be valid JSON. The default policy allows full access to the AWS service. For more information, see Controlling Access to Services in the Amazon VPC User Guide.

Required: No

Type: JSON object

Update requires: No interruption

RouteTableIds

One or more route table IDs that are used by the VPC to reach the endpoint.

Required: No

Type: List of String values

Update requires: No interruption

SecurityGroupIds

[Interface endpoint] The ID of one or more security groups to associate with the endpoint network interface.

Required: No

Type: List of String values

Update requires: No interruption

ServiceName

The name of the service. To get a list of available services, use DescribeVpcEndpointServices or get the name from the service provider.

Required: Yes

Type: String

Update requires: Replacement

SubnetIds

[Interface endpoint] The ID of one or more subnets in which to create an endpoint network interface.

Required: No

Type: List of String values

Update requires: No interruption

VpcEndpointType

The type of endpoint. Valid values are Interface and Gateway.

Required: No

Type: String

Update requires: No interruption

VpcId

The ID of the VPC in which the endpoint will be used.

Required: Yes

Type: String

Update requires: Replacement

Return Value

Ref

When you pass the logical ID of an AWS::EC2::VPCEndpoint resource to the intrinsic Ref function, the function returns the endpoint ID, such as vpce-a123d0d1.

For more information about using the Ref function, see Ref.

Example

The following example creates a VPC endpoint that allows only the s3:GetObject action on the examplebucket bucket. Traffic to S3 within subnets that are associated with the routetableA and routetableB route tables is automatically routed through the VPC endpoint.

JSON

"S3Endpoint" : {
  "Type" : "AWS::EC2::VPCEndpoint",
  "Properties" : {
    "PolicyDocument" : {
      "Version":"2012-10-17",
      "Statement":[{
        "Effect":"Allow",
        "Principal": "*",
        "Action":["s3:GetObject"],
        "Resource":["arn:aws:s3:::examplebucket/*"]
      }]
    },
    "RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ],
    "ServiceName" : { "Fn::Join": [ "", [ "com.amazonaws.", { "Ref": "AWS::Region" }, ".s3" ] ] },
    "VpcId" : {"Ref" : "VPCID"}
  }
}

YAML

S3Endpoint:
  Type: 'AWS::EC2::VPCEndpoint'
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal: '*'
          Action:
            - 's3:GetObject'
          Resource:
            - 'arn:aws:s3:::examplebucket/*'
    RouteTableIds:
      - !Ref routetableA
      - !Ref routetableB
    ServiceName: !Join
      - ''
      - - com.amazonaws.
        - !Ref 'AWS::Region'
        - .s3
    VpcId: !Ref VPCID
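As an added example (not part of the AWS documentation), the following Python audit applies the property rules above to a parsed template: a gateway endpoint should carry RouteTableIds and a PolicyDocument narrower than the default full-access policy, and an interface endpoint should name its SecurityGroupIds. The sample template, its logical IDs, subnet references and service names are constructed for the example.

```python
import json

# Constructed sample (not from the page): a gateway endpoint whose policy is as
# permissive as the default, and an interface endpoint with no security groups.
SAMPLE_TEMPLATE = {"Resources": {
    "S3Endpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcId": {"Ref": "VPCID"},
        "RouteTableIds": [{"Ref": "routetableA"}],
        "ServiceName": "com.amazonaws.us-east-1.s3",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]},
    }},
    "SsmEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcId": {"Ref": "VPCID"},
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.us-east-1.ssm",
        "SubnetIds": [{"Ref": "SubnetA"}],
    }},
}}

def _as_list(value):
    # IAM allows Action, Resource and Statement to be a single value or a list.
    return value if isinstance(value, list) else [value]

def audit_vpc_endpoint(logical_id, props):
    """Return findings for one AWS::EC2::VPCEndpoint resource's Properties."""
    findings = []
    endpoint_type = props.get("VpcEndpointType", "Gateway")  # Gateway when omitted
    policy = props.get("PolicyDocument")
    if isinstance(policy, str):  # the policy may be supplied as a JSON string
        policy = json.loads(policy)
    if endpoint_type == "Gateway":
        if policy is None:
            findings.append(f"{logical_id}: no PolicyDocument; the default grants full access to the service")
        if not props.get("RouteTableIds"):
            findings.append(f"{logical_id}: gateway endpoint has no RouteTableIds, so no subnet is routed through it")
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            findings.append(f"{logical_id}: Allow of Action '*' on Resource '*' is as broad as the default policy")
    if endpoint_type == "Interface" and not props.get("SecurityGroupIds"):
        findings.append(f"{logical_id}: interface endpoint has no SecurityGroupIds; the VPC default group applies")
    return findings

def audit_template(template):
    """Audit every VPC endpoint resource in a parsed CloudFormation template."""
    return [f for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::EC2::VPCEndpoint"
            for f in audit_vpc_endpoint(lid, res.get("Properties", {}))]
```

Run it against a template loaded with json.load (or a YAML loader that understands CloudFormation tags) and fail the pipeline when the list is non-empty.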