AWS Directory Service API and interface Amazon VPC endpoints using AWS PrivateLink - AWS Directory Service
ConsiderationsAvailabilityCreate an interface endpointCreate a VPC endpoint policy

AWS Directory Service API and interface Amazon VPC endpoints using AWS PrivateLink

You can establish a private connection between your Amazon VPC and AWS Directory Service API endpoints by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink.

AWS PrivateLink enables you to privately access AWS Directory Service API operations without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Traffic between your VPC and AWS Directory Service doesn't leave the AWS network.

Each interface endpoint is represented by one or more elastic network interfaces in your subnets. For more information on elastic network interface, see Elastic network interface in the Amazon EC2 User Guide.

For more information about VPC endpoints, see Access an AWS service using an interface VPC endpoint in the Amazon VPC User Guide. For more information about AWS Directory Service API operations, see AWS Directory Service API Reference.

Considerations for VPC endpoints

Before you set up an interface VPC endpoint for AWS Directory Service API endpoints, ensure that you review Access an AWS service using an interface VPC endpoint in the Amazon VPC User Guide.

All AWS Directory Service API operations relevant to managing AWS Directory Service resource are available from your VPC using AWS PrivateLink.

VPC endpoint policies are supported for Directory Service API endpoints. By default, full access to Directory Service API operations is allowed through the endpoint. For more information, see Control access to VPC endpoints using endpoint policies in the Amazon VPC User Guide.

Availability

AWS Directory Service supports VPC endpoints in the following AWS Regions:

AWS Region availability

  • US East (N. Virginia)

  • US East (Ohio)

  • US West (N. California)

  • US West (Oregon)

  • Africa (Cape Town)

  • Asia Pacific (Hong Kong)

  • Asia Pacific (Hyderabad)

  • Asia Pacific (Jakarta)

  • Asia Pacific (Melbourne)

  • Asia Pacific (Mumbai)

  • Asia Pacific (Osaka)

  • Asia Pacific (Seoul)

  • Asia Pacific (Singapore)

  • Asia Pacific (Sydney)

  • Asia Pacific (Tokyo)

  • Canada (Central)

  • Canada West (Calgary)

  • China (Beijing and Ningxia)

  • Asia Pacific (Hong Kong)

  • Europe (Frankfurt)

  • Europe (Ireland)

  • Europe (London)

  • Europe (Milan)

  • Europe (Paris)

  • Europe (Spain)

  • Europe (Stockholm)

  • Europe (Zurich)

  • Israel (Tel Aviv)

  • Middle East (Bahrain)

  • Middle East (UAE)

  • South America (São Paulo)

  • AWS GovCloud (US-East)

  • AWS GovCloud (US-West)

Creating an interface endpoint for AWS Directory Service API

You can create a VPC interface endpoint for the AWS Directory Service API using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Create a VPC endpoint in the AWS PrivateLink Guide.

Create an interface endpoint for AWS Directory Service API using the following service name: com.amazonaws.region.ds

Excluding AWS Regions in China, if you enable private DNS for the endpoint, you can make API requests to AWS Directory Service with the VPC endpoint using its default DNS name for the AWS Region, for example ds.us-east-1.amazonaws.com. For the China (Beijing and Ningxia) AWS Regions, you can make API requests with the VPC endpoint using ds-api.cn-north-1.amazonaws.com.cn and ds-api.cn-northwest-1.amazonaws.com.cn, respectively.

For more information, see Access an AWS service using an interface VPC endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for AWS Directory Service API

You can attach an endpoint policy to your VPC endpoint that controls access to AWS Directory Service API. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Control access to VPC endpoints using endpoint policies in the Amazon VPC User Guide.

Example: VPC endpoint policy for AWS Directory Service API actions

The following is an example of an endpoint policy for AWS Directory Service API. When you attach this policy to your interface endpoint, it grants access to the listed AWS Directory Service API actions for all principals on all resources.

{
   "Statement": [
      {
         "Principal": "*",
         "Effect": "Allow",
         "Action": [
            "ds:DescribeDirectories",
            "ds:DescribeCertificate",
         ],
         "Resource":"*"
      }
   ]
}
Example: VPC endpoint policy that denies all access from a specified AWS account

The following VPC endpoint policy denies AWS account 123456789012 all access to resources using the endpoint. The policy allows all actions from other accounts.

{
   "Statement": [
      {
         "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal:" "*"
      },
      {
        "Action": "*",
        "Effect": "Deny",
        "Resource": "*",
        "Principal": {
            "AWS": [
               "123456789012"
            ]
         }
      ]
}