AWS Device Farm
Developer Guide (API Version 2015-06-23)

Using Amazon Virtual Private Cloud Endpoint Services with AWS Device Farm

If you use Amazon Virtual Private Cloud (Amazon VPC) to host private applications in the AWS US West (Oregon) Region (us-west-2), you can establish a private connection between your VPC and AWS Device Farm. With this connection, you can use Device Farm to test private applications without exposing them through the public internet. To enable your AWS account to use this feature with private devices, contact us.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, routing tables, and network gateways. To connect a resource in your VPC to Device Farm, you can use the Amazon VPC console to create a VPC endpoint service. This endpoint service lets you provide the resource in your VPC to Device Farm, through a Device Farm VPC endpoint. The endpoint service provides reliable, scalable connectivity to Device Farm without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see VPC Endpoint Services in the Amazon VPC User Guide.


The Device Farm VPC Endpoint feature helps you securely connect private internal services in your VPC to the Device Farm public VPC by using AWS PrivateLink connections. Although the connection is secure and private, that security depends on your protection of your AWS credentials. If your AWS credentials are compromised, an attacker can access or expose your service data to the outside world.

After you create a VPC endpoint (VPCE) service in Amazon VPC, you can use the Device Farm console to create a VPCE configuration in Device Farm. This topic shows you how to create the Amazon VPC connection and the VPCE configuration in Device Farm.

Before You Begin

The following information is for users of Amazon VPC in the AWS US West (Oregon) Region, with a subnet in each of the following Availability Zones: us-west-2a, us-west-2b, and us-west-2c.

Device Farm places additional requirements on the VPC endpoint services that it can work with. When you create and configure a VPC endpoint service to work with Device Farm, make sure that you choose options that meet the following requirements:

  • The Availability Zones for the service must include us-west-2a, us-west-2b, and us-west-2c. The Availability Zones for a VPC endpoint service are determined by the Network Load Balancer that's associated with the endpoint service. If your VPC endpoint service doesn’t show all three of these Availability Zones, you must re-create your Network Load Balancer to enable these three zones, and then reassociate the Network Load Balancer with your endpoint service.

  • The whitelisted principals for the endpoint service must include the Amazon Resource Name of the Device Farm VPC endpoint (service ARN). After you create your endpoint service, add the Device Farm VPC endpoint service ARN to your whitelist to give Device Farm permission to access your VPC endpoint service. To get the Device Farm VPC endpoint service ARN, contact us.

In addition, if the Require acceptance for endpoint setting is enabled, you must manually accept each connection request that Device Farm sends to the endpoint service. You can disable this setting when you create the VPC endpoint service. You can also change this setting for an existing endpoint service. To change this setting, choose the endpoint service on the Amazon VPC console, choose Actions, and then choose Modify endpoint acceptance setting.

The next section explains how to create an Amazon VPC endpoint service that meets these requirements.

Step 1: Creating an Amazon VPC Endpoint Service

The first step in establishing a private connection between your VPC and Device Farm is to use the Amazon VPC console to create an endpoint service in your VPC.

  1. Open the Amazon VPC console at

  2. Under Resources by Region, choose Endpoint Services.

  3. Choose Create Endpoint Service.

  4. If you already have a Network Load Balancer that you want the endpoint service to use, choose it in the list, and then skip to step 11.

  5. Next to Associate Network Load Balancers, choose Create new Network Load Balancers.

  6. Choose Create Load Balancer, and then choose Network Load Balancer.

  7. Enter a name and settings for the Network Load Balancer. Under Availability Zones, enable the us-west-2a, us-west-2b, and us-west-2c Availability Zones.

  8. Follow the instructions to configure the Network Load Balancer.

  9. Repeat steps 1 through 3 to restart the process of creating an endpoint service that uses the new Network Load Balancer.

  10. Choose the Network Load Balancer that you created for the endpoint service.

  11. For Included Availability Zones, verify that us-west-2a, us-west-2b, and us-west-2c appear in the list.

  12. If you don't want to manually accept or deny each connection request that is sent to the endpoint service, clear Require acceptance for endpoint. If you clear this check box, the endpoint service automatically accepts each connection request that it receives.

  13. Choose Create service.

  14. Choose Close.

  15. In the list of endpoint services, choose the endpoint service that you created.

  16. Choose Whitelisted principals.

  17. Contact us to get the Amazon Resource Name of the Device Farm VPC endpoint (service ARN) to add to the whitelist for the endpoint service, and then add that service ARN to the whitelist for the service.

  18. On the Details tab for the endpoint service, make a note of the name of the service (service name). You need this name when you create the VPC endpoint configuration in the next step.

Your VPC endpoint service is now ready for use with Device Farm.
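
The requirements listed under Before You Begin can be checked against the endpoint service after it is created. The following is an added example, not part of the original guide or AWS code: it audits constructed sample data shaped like the output of `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-service-permissions`. The function name, the sample values, and the Device Farm ARN placeholder are assumptions.

```python
import json

REQUIRED_AZS = {"us-west-2a", "us-west-2b", "us-west-2c"}
# Placeholder: the real service ARN comes from Device Farm ("contact us").
DEVICE_FARM_ARN = "DEVICE_FARM_SERVICE_ARN_PLACEHOLDER"

# Constructed sample data in the shape returned by
# `aws ec2 describe-vpc-endpoint-service-configurations` (one entry) and
# `aws ec2 describe-vpc-endpoint-service-permissions`.
SAMPLE_CONFIG = json.loads("""{
  "ServiceId": "vpce-svc-EXAMPLE",
  "AvailabilityZones": ["us-west-2a", "us-west-2b"],
  "AcceptanceRequired": false
}""")
SAMPLE_PERMISSIONS = json.loads("""{
  "AllowedPrincipals": [{"Principal": "*"}]
}""")


def audit_endpoint_service(config, permissions, device_farm_arn=DEVICE_FARM_ARN):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    missing = REQUIRED_AZS - set(config.get("AvailabilityZones", []))
    if missing:
        findings.append("missing Availability Zones: " + ", ".join(sorted(missing)))

    principals = {p["Principal"] for p in permissions.get("AllowedPrincipals", [])}
    if device_farm_arn not in principals:
        findings.append("Device Farm service ARN is not whitelisted")
    if "*" in principals:
        findings.append("wildcard principal '*' is whitelisted")
    others = sorted(principals - {device_farm_arn, "*"})
    if others:
        findings.append("other whitelisted principals to review: " + ", ".join(others))

    # With acceptance disabled, every whitelisted principal connects without review.
    broad = "*" in principals or bool(others)
    if broad and not config.get("AcceptanceRequired", True):
        findings.append("auto-accept is on while the whitelist is broader than Device Farm")
    return findings


if __name__ == "__main__":
    for finding in audit_endpoint_service(SAMPLE_CONFIG, SAMPLE_PERMISSIONS):
        print("FINDING:", finding)
```

An endpoint service whose whitelist contains only the Device Farm service ARN passes with auto-accept on or off; the auto-accept finding is raised only when other principals could also connect without review.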

Step 2: Creating a VPC Endpoint Configuration in Device Farm

After you create an endpoint service in Amazon VPC, you can create an Amazon VPC endpoint (VPCE) configuration in Device Farm.

  1. Sign in to the Device Farm console at

  2. On the home page, choose Device Farm settings.

  3. Choose VPCE Configurations.

  4. Choose Create a VPCE Configuration.

  5. Enter a name for the VPCE configuration.

  6. Enter the name of the Amazon VPC endpoint service (service name) that you noted on the Amazon VPC console. The name looks like

  7. Enter the service DNS name for the app that you want to test (for example, Don't specify http or https before the service DNS name.

    The domain name is not accessible through the public internet. In addition, this new domain name, which maps to your VPC endpoint service, is generated by Amazon Route 53 and is available exclusively for you in your Device Farm session.

  8. Choose Save VPCE Configuration.

    [Figure: The Create a New VPC Configuration page with sample data]

Step 3: Creating a Test Run

After you save the VPCE configuration, you can use the configuration to create test runs or remote access sessions. For more information, see Create a Test Run or Create a Remote Access Session.