Considerations Availability Create an interface endpoint Create an endpoint policy

Access AWS Directory Service APIs using an interface endpoint - AWS PrivateLink

You can use AWS PrivateLink to create a private connection between your VPC and AWS Directory Service APIs. You can access AWS Directory Service APIs as if they were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to access AWS Directory Service APIs.

You establish this private connection by creating an interface endpoint, powered by AWS PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for AWS Directory Service.

For more information, see Access AWS services through AWS PrivateLink in the AWS PrivateLink Guide.

Considerations for AWS Directory Service

Before you set up an interface endpoint for AWS Directory Service API endpoints, review Considerations in the AWS PrivateLink Guide.

AWS Directory Service supports making calls to all of its API actions through the interface endpoint.

Availability

AWS Directory Service supports VPC endpoints in the following AWS Regions:

US East (N. Virginia)
AWS GovCloud (US-West)
AWS GovCloud (US-East)

Create an interface endpoint for AWS Directory Service

You can create an interface endpoint for AWS Directory Service APIs using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Create an interface endpoint in the AWS PrivateLink Guide.

Create an interface endpoint for AWS Directory Service APIs using the following service name:


com.amazonaws.region.ds

Create an endpoint policy for your interface endpoint

An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to AWS Directory Service APIs through the interface endpoint. To control the access allowed to AWS Directory Service APIs from your VPC, attach a custom endpoint policy to the interface endpoint.

An endpoint policy specifies the following information:

The principals that can perform actions (AWS accounts, IAM users, and IAM roles).
The actions that can be performed.
The resources on which the actions can be performed.

For more information, see Control access to services using endpoint policies in the AWS PrivateLink Guide.

Example: VPC endpoint policy for AWS Directory Service API actions

The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed AWS Directory Service actions for all principals on all resources. Replace action-1, action-2, and action-3 with the required permissions for the AWS Directory Service APIs that you want to include in your policy. For a full list, see AWS Directory Service API permissions: Actions, resources, and conditions reference.


{
   "Statement": [
      {
         "Principal": "*",
         "Effect": "Allow",
         "Action": [
            "ds:action-1",
            "ds:action-2",
            "ds:action-3"
         ],
         "Resource":"*"
      }
   ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Cross-service confused deputy prevention

Service level agreement