AWS CodePipeline
User Guide (API Version 2015-07-09)

The procedures in this guide support the new console design. If you choose to use the older version of the console, you will find many of the concepts and basic procedures in this guide still apply. To access help in the new console, choose the information icon.

Use AWS CodePipeline with Amazon Virtual Private Cloud

AWS CodePipeline now supports Amazon Virtual Private Cloud (Amazon VPC) endpoints powered by AWS PrivateLink. This means you can connect directly to AWS CodePipeline through a private endpoint in your VPC, keeping all traffic inside your VPC and the AWS network. Previously, applications running inside a VPC required internet access to connect to AWS CodePipeline.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as:

  • IP address range

  • Subnets

  • Route tables

  • Network gateways

Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that facilitates private communication between AWS services using an elastic network interface with private IP addresses. To connect your VPC to AWS CodePipeline, you define an interface VPC endpoint for AWS CodePipeline. This type of endpoint makes it possible for you to connect your VPC to AWS services. The endpoint provides reliable, scalable connectivity to AWS CodePipeline without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For information about setting up a VPC, see the VPC User Guide.

Create a VPC Endpoint for AWS CodePipeline

You can use the Amazon VPC console to create the com.amazonaws.region.codepipeline VPC endpoint. In the console, region is the region identifier for an AWS Region supported by AWS CodePipeline, such as us-east-2 for the US East (Ohio) Region. For more information, see Creating an Interface Endpoint in the Amazon VPC User Guide. For a list of supported regions, see the AWS CodePipeline regions and endpoints in the AWS General Reference.

The endpoint is prepopulated with the region you specified when you signed in to AWS. If you sign in to another region, the VPC endpoint is updated with the new region.

Although the following services integrate with AWS CodePipeline, they are not supported for Amazon VPC:

  • AWS CodeCommit, which might be a source repository.

  • GitHub webhooks.

  • Amazon ECR, which might be used with a custom Docker image.

  • Active Directory.

  • Amazon CloudWatch Events and Amazon CloudWatch Logs.

Troubleshooting Your VPC Setup

When troubleshooting VPC issues, use the information that appears in internet connectivity error messages to help you identify, diagnose, and address issues.

  1. Make sure that your internet gateway is attached to your VPC.

  2. Make sure that the route table for your public subnet points to the internet gateway.

  3. Make sure that your network ACLs allow traffic to flow.

  4. Make sure that your security groups allow traffic to flow.

  5. Troubleshoot your NAT gateway.

  6. Make sure that the route table for private subnets points to the NAT gateway.

  7. Make sure that the service role used by AWS CodePipeline has the appropriate permissions. For example, if AWS CodePipeline does not have the Amazon EC2 permissions required to work with an Amazon VPC, you might receive an error that says, "Unexpected EC2 error: UnauthorizedOperation."
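The routing checks in steps 1, 2, 5, and 6 can be run offline against saved EC2 output. The following is an added example, not code from the AWS CodePipeline documentation. It assumes the inputs are dictionaries shaped like the EC2 DescribeInternetGateways, DescribeRouteTables, and DescribeNatGateways responses for a single VPC; the function names, subnet lists, and all resource IDs are constructed for illustration.

```python
# Added example: inputs mirror EC2 Describe* response shapes; all IDs are constructed.
DEFAULT = "0.0.0.0/0"

def default_route(route_tables, subnet_id):
    """Default route of the subnet's explicit table, else of the VPC's main table."""
    explicit = [t for t in route_tables
                if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", []))]
    main = [t for t in route_tables if any(a.get("Main") for a in t.get("Associations", []))]
    for table in (explicit or main)[:1]:
        for route in table.get("Routes", []):
            if route.get("DestinationCidrBlock") == DEFAULT:
                return route
    return None

def check_vpc(vpc_id, igws, route_tables, nat_gateways, public_subnets, private_subnets):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Step 1: an internet gateway is attached to the VPC.
    attached = {g["InternetGatewayId"] for g in igws for a in g.get("Attachments", [])
                if a.get("VpcId") == vpc_id and a.get("State") in ("available", "attached")}
    if not attached:
        findings.append(f"step 1: no internet gateway attached to {vpc_id}")
    # Step 2: each public subnet's default route targets an attached gateway.
    for subnet in public_subnets:
        route = default_route(route_tables, subnet)
        if route is None or route.get("GatewayId") not in attached:
            findings.append(f"step 2: {subnet} has no default route to the internet gateway")
    # Step 5: a NAT gateway is usable only if available and placed in a public subnet.
    usable = {n["NatGatewayId"] for n in nat_gateways
              if n.get("State") == "available" and n.get("SubnetId") in public_subnets}
    findings += [f"step 5: {n['NatGatewayId']} is not available in a public subnet"
                 for n in nat_gateways if n["NatGatewayId"] not in usable]
    # Step 6: each private subnet's default route targets a usable NAT gateway.
    for subnet in private_subnets:
        route = default_route(route_tables, subnet)
        if route is None or route.get("NatGatewayId") not in usable:
            findings.append(f"step 6: {subnet} has no default route to a NAT gateway")
    return findings

# Constructed sample: the private subnet's route table has no default route.
SAMPLE = dict(
    igws=[{"InternetGatewayId": "igw-0example",
           "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}],
    route_tables=[
        {"Associations": [{"SubnetId": "subnet-public"}],
         "Routes": [{"DestinationCidrBlock": DEFAULT, "GatewayId": "igw-0example"}]},
        {"Associations": [{"SubnetId": "subnet-private"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}],
    nat_gateways=[{"NatGatewayId": "nat-0example", "State": "available", "SubnetId": "subnet-public"}],
    public_subnets=["subnet-public"], private_subnets=["subnet-private"])
```

Calling check_vpc("vpc-0example", **SAMPLE) reports only the step 6 finding for subnet-private. Network ACLs, security groups, and the service role permissions (steps 3, 4, and 7) are not covered by this check.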