AWS::EC2::VPCEndpoint
Specifies a VPC endpoint for a service. An endpoint enables you to create a private connection between your VPC and the service. The service may be provided by AWS, an AWS Marketplace Partner, or another AWS account. For more information, see VPC Endpoints in the Amazon Virtual Private Cloud User Guide.
A gateway
endpoint serves as a target for a route in your route table for
traffic destined for the AWS service. You can specify an endpoint policy to attach
to
the endpoint, which will control access to the service from your VPC. You can also
specify the VPC route tables that use the endpoint.
For information about connectivity when you use a gateway endpoint to connect to an
Amazon S3 bucket from an EC2 instance, see Why can’t I connect to an S3 bucket using a gateway VPC endpoint
An interface
endpoint is a network interface in your subnet that
serves as an endpoint for communicating with the specified service. You can specify
the
subnets in which to create an endpoint, and the security groups to associate with
the
endpoint network interface.
A GatewayLoadBalancer
endpoint is a network interface in your subnet that serves an endpoint for communicating
with a Gateway Load Balancer that you've configured as a VPC endpoint service.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::EC2::VPCEndpoint", "Properties" : { "PolicyDocument" :
Json
, "PrivateDnsEnabled" :Boolean
, "RouteTableIds" :[ String, ... ]
, "SecurityGroupIds" :[ String, ... ]
, "ServiceName" :String
, "SubnetIds" :[ String, ... ]
, "VpcEndpointType" :String
, "VpcId" :String
} }
YAML
Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument:
Json
PrivateDnsEnabled:Boolean
RouteTableIds:- String
SecurityGroupIds:- String
ServiceName:String
SubnetIds:- String
VpcEndpointType:String
VpcId:String
Properties
PolicyDocument
-
(Interface and gateway endpoints) A policy to attach to the endpoint that controls access to the service. The policy must be in valid JSON format. If this parameter is not specified, we attach a default policy that allows full access to the service.
Required: No
Type: Json
Update requires: No interruption
PrivateDnsEnabled
-
(Interface endpoint) Indicate whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example,
kinesis.us-east-1.amazonaws.com
) which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service.To use a private hosted zone, you must set the following VPC attributes to
true
:enableDnsHostnames
andenableDnsSupport
.Default:
false
Required: No
Type: Boolean
Update requires: No interruption
RouteTableIds
-
(Gateway endpoint) One or more route table IDs.
Required: No
Type: List of String
Update requires: No interruption
SecurityGroupIds
-
(Interface endpoint) The ID of one or more security groups to associate with the endpoint network interface.
Required: No
Type: List of String
Update requires: No interruption
ServiceName
-
The service name. To get a list of available services, use the DescribeVpcEndpointServices request, or get the name from the service provider.
Required: Yes
Type: String
Update requires: Replacement
SubnetIds
-
(Interface and Gateway Load Balancer endpoints) The ID of one or more subnets in which to create an endpoint network interface. For a Gateway Load Balancer endpoint, you can specify one subnet only.
Required: Conditional
Type: List of String
Update requires: No interruption
VpcEndpointType
-
The type of endpoint.
Default: Gateway
Required: No
Type: String
Allowed values:
Gateway | GatewayLoadBalancer | Interface
Update requires: Replacement
VpcId
-
The ID of the VPC in which the endpoint will be used.
Required: Yes
Type: String
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref
function, Ref
returns the ID of the VPC endpoint.
For more information about using the Ref
function, see Ref.
Fn::GetAtt
The Fn::GetAtt
intrinsic function returns a value for a specified attribute of this type. The following
are the available attributes and sample return values.
For more information about using the Fn::GetAtt
intrinsic function, see Fn::GetAtt.
CreationTimestamp
-
The date and time the VPC endpoint was created. For example:
Fri Sep 28 23:34:36 UTC 2018.
DnsEntries
-
(Interface endpoint) The DNS entries for the endpoint. Each entry is a combination of the hosted zone ID and the DNS name. The entries are ordered as follows: regional public DNS, zonal public DNS, private DNS, and wildcard DNS. This order is not enforced for AWS Marketplace services.
The following is an example. In the first entry, the hosted zone ID is Z1HUB23UULQXV and the DNS name is vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com.
["Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3.ec2.us-east-1.vpce.amazonaws.com", "Z1HUB23UULQXV:vpce-01abc23456de78f9g-12abccd3-us-east-1a.ec2.us-east-1.vpce.amazonaws.com", "Z1C12344VYDITB0:ec2.us-east-1.amazonaws.com"]
If you update the
PrivateDnsEnabled
orSubnetIds
properties, the DNS entries in the list will change. NetworkInterfaceIds
-
(Interface endpoint) One or more network interface IDs. If you update the
PrivateDnsEnabled
orSubnetIds
properties, the items in this list might change.
Examples
VPC Endpoint
The following example specifies a VPC endpoint that allows only the s3:GetObject action on the examplebucket bucket. Traffic to S3 within subnets that are associated with the routetableA and routetableB route tables is automatically routed through the VPC endpoint.
JSON
"S3Endpoint" : { "Type" : "AWS::EC2::VPCEndpoint", "Properties" : { "PolicyDocument" : { "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Principal": "*", "Action":["s3:GetObject"], "Resource":["arn:aws:s3:::examplebucket/*"] }] }, "RouteTableIds" : [ {"Ref" : "routetableA"}, {"Ref" : "routetableB"} ], "ServiceName" : { "Fn::Sub": "com.amazonaws.${AWS::Region}.s3" }, "VpcId" : {"Ref" : "VPCID"} } }
YAML
S3Endpoint: Type: 'AWS::EC2::VPCEndpoint' Properties: PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: '*' Action: - 's3:GetObject' Resource: - 'arn:aws:s3:::examplebucket/*' RouteTableIds: - !Ref routetableA - !Ref routetableB ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3' VpcId: !Ref VPCID