Amazon Athena
User Guide

Connect to Amazon Athena Using an Interface VPC Endpoint

You can connect directly to Athena using an interface VPC endpoint (AWS PrivateLink) in your Virtual Private Cloud (VPC) instead of connecting over the internet. When you use an interface VPC endpoint, communication between your VPC and Athena is conducted entirely within the AWS network. Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets.

The interface VPC endpoint connects your VPC directly to Athena without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Athena API.

To use Athena through your VPC, you must connect from an instance that is inside the VPC or connect your private network to your VPC by using an Amazon Virtual Private Network (VPN) or AWS Direct Connect. For information about Amazon VPN, see VPN Connections in the Amazon Virtual Private Cloud User Guide. For information about AWS Direct Connect, see Creating a Connection in the AWS Direct Connect User Guide.

Note

AWS PrivateLink for Athena is not supported in the EU (Stockholm) Region. Athena supports VPC endpoints in all other AWS Regions where both Amazon VPC and Athena are available.

You can create an interface VPC endpoint to connect to Athena using the AWS console or AWS Command Line Interface (AWS CLI) commands. For more information, see Creating an Interface Endpoint.

After you create an interface VPC endpoint, if you enable private DNS hostnames for the endpoint, the default Athena endpoint (https://athena.Region.amazonaws.com) resolves to your VPC endpoint.

If you do not enable private DNS hostnames, Amazon VPC provides a DNS endpoint name that you can use in the following format:

VPC_Endpoint_ID.athena.Region.vpce.amazonaws.com

For more information, see Interface VPC Endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Athena supports making calls to all of its API Actions inside your VPC.

You can create a policy for Amazon VPC endpoints for Athena to specify the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling Access to Services with VPC Endpoints in the Amazon VPC User Guide.

Example – VPC Endpoint Policy for Athena Actions

The endpoint to which this policy is attached grants access to the listed athena actions to all principals in workgroupA.

{ "Statement": [{ "Principal": "*", "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:RunQuery", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:CancelQueryExecution", "athena:ListWorkGroups", "athena:GetWorkGroup", "athena:TagResource" ], "Resource": [ "arn:aws:athena:us-west-1:AWSAccountId:workgroup/workgroupA" ] }] }