AWS CodeBuild
User Guide (API Version 2016-10-06)

Use VPC Endpoints

You can improve the security of your builds by configuring AWS CodeBuild to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access Amazon EC2 and AWS CodeBuild by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, AWS CodeBuild, and Amazon EC2 to the Amazon network (managed instances don't have access to the internet). Also, you don't need an internet gateway, a NAT device, or a virtual private gateway. You are not required to configure PrivateLink, but it's recommended. For more information about PrivateLink and VPC endpoints, see Accessing AWS Services Through PrivateLink.

Before You Create VPC Endpoints

Before you configure VPC endpoints for AWS CodeBuild, be aware of the following restrictions and limitations.

The following services must communicate with the internet. You can use VPC endpoints with AWS CodeBuild and still reach these services through an Amazon VPC NAT gateway.

  • AWS CodeCommit, which might be a source repository.

  • Amazon ECR, which might be used with a custom Docker image.

  • Active Directory.

  • Amazon CloudWatch Events and Amazon CloudWatch Logs.

The following restrictions also apply:

  • VPC endpoints only support Amazon-provided DNS through Amazon Route 53. If you want to use your own DNS, you can use conditional DNS forwarding. For more information, see DHCP Option Sets in the Amazon VPC User Guide.

  • VPC endpoints currently do not support cross-region requests. Ensure that you create your endpoint in the same region as any Amazon S3 buckets that store your build input and output. You can find the location of your bucket by using the Amazon S3 console, or by using the get-bucket-location command. Use a region-specific Amazon S3 endpoint to access your bucket; for example, For more information about region-specific endpoints for Amazon S3, see Amazon Simple Storage Service (Amazon S3) in the Amazon Web Services General Reference. If you use the AWS CLI to make requests to Amazon S3, set your default region to the same region as your bucket, or use the --region parameter in your requests.

Creating VPC Endpoints for AWS CodeBuild

Follow the steps in Creating an Interface Endpoint to create the endpoint com.amazonaws.region.codebuild. This is the VPC endpoint for the AWS CodeBuild service.

region represents the region identifier for an AWS region supported by AWS CodeBuild, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in the AWS CodeBuild table of regions and endpoints in the AWS General Reference. The endpoint is prepopulated with the region you specified when you signed in to AWS. If you change your region, the VPC endpoint updates to the new region.
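The same endpoint, written as an added CloudFormation template rather than created in the console; this is example code, not part of the AWS user guide. The parameter names, the security group, and the sample CIDR are assumptions; the endpoint lands in the stack's own region, which keeps it alongside the S3 buckets created there.

```yaml
# Added example (not from the AWS user guide): creates the
# com.amazonaws.<region>.codebuild interface endpoint in the build VPC.
AWSTemplateFormatVersion: "2010-09-09"
Description: Interface VPC endpoint for AWS CodeBuild (PrivateLink)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets the CodeBuild project runs in (one ENI per subnet)
  BuildSubnetCidr:
    Type: String
    Description: CIDR of the build subnets (constructed sample value)
    Default: 10.0.0.0/16

Resources:
  # Only the build subnets may reach the endpoint ENIs, and only over HTTPS.
  CodeBuildEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from build subnets to the CodeBuild endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref BuildSubnetCidr

  CodeBuildEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      # ${AWS::Region} resolves to the region the stack is deployed in, so the
      # endpoint is never created cross-region by accident.
      ServiceName: !Sub com.amazonaws.${AWS::Region}.codebuild
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref CodeBuildEndpointSecurityGroup
      # Private DNS makes the default codebuild.<region>.amazonaws.com name
      # resolve to the endpoint's private IPs; the VPC must have DNS support
      # and DNS hostnames enabled for this to work.
      PrivateDnsEnabled: true

Outputs:
  EndpointId:
    Value: !Ref CodeBuildEndpoint
  EndpointDnsEntries:
    Value: !Join [",", !GetAtt CodeBuildEndpoint.DnsEntries]
```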