Tutorial: Using a VPC Endpoint for DynamoDB

This section walks you through setting up and using a VPC endpoint for DynamoDB.

Step 1: Launch an Amazon EC2 Instance

In this step, you launch an Amazon EC2 instance in your default Amazon VPC. You can then create and use a VPC endpoint for DynamoDB.

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Launch Instance and do the following:

    Step 1: Choose an Amazon Machine Image (AMI)

    • At the top of the list of AMIs, go to Amazon Linux AMI and choose Select.

    Step 2: Choose an Instance Type

    • At the top of the list of instance types, choose t2.micro.

    • Choose Next: Configure Instance Details.

    Step 3: Configure Instance Details

    • Go to Network and choose your default VPC.

      Choose Next: Add Storage.

    Step 4: Add Storage

    • Skip this step by choosing Next: Tag Instance.

    Step 5: Tag Instance

    • Skip this step by choosing Next: Configure Security Group.

    Step 6: Configure Security Group

    • Choose Select an existing security group.

    • In the list of security groups, choose default. This is the default security group for your VPC.

    • Choose Next: Review and Launch.

    Step 7: Review Instance Launch

    • Choose Launch.

  3. In the Select an existing key pair or create a new key pair window, do one of the following:

    • If you do not have an Amazon EC2 key pair, choose Create a new key pair and follow the instructions. You will be asked to download a private key file (.pem file); you will need this file later when you log in to your Amazon EC2 instance.

    • If you already have an existing Amazon EC2 key pair, go to Select a key pair and choose your key pair from the list. You must already have the private key file (.pem file) available in order to log in to your Amazon EC2 instance.

  4. When you have configured your key pair, choose Launch Instances.

  5. Return to the Amazon EC2 console home page and choose the instance that you launched. In the lower pane, on the Description tab, find the Public DNS for your instance. For example: ec2-00-00-00-00.us-east-1.compute.amazonaws.com.

    Make a note of this public DNS name, because you will need it in the next step in this tutorial (Step 2: Configure Your Amazon EC2 Instance).

Note

It will take a few minutes for your Amazon EC2 instance to become available. Before you go on to the next step, ensure that the Instance State is running and that all of its Status Checks have passed.

Step 2: Configure Your Amazon EC2 Instance

When your Amazon EC2 instance is available, you will be able to log into it and prepare it for first use.

Note

The following steps assume that you are connecting to your Amazon EC2 instance from a computer running Linux. For other ways to connect, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances.

  1. You will need to authorize inbound SSH traffic to your Amazon EC2 instance. To do this, you will create a new EC2 security group, and then assign the security group to your EC2 instance.

    1. In the navigation pane, choose Security Groups.

    2. Choose Create Security Group. In the Create Security Group window, do the following:

      • Security group name—type a name for your security group. For example: my-ssh-access

      • Description—type a short description for the security group.

      • VPC—choose your default VPC.

      • In the Security group rules section, choose Add Rule and do the following:

        • Type—choose SSH.

        • Source—choose My IP.

      When the settings are as you want them, choose Create.

    3. In the navigation pane, choose Instances.

    4. Choose the Amazon EC2 instance that you launched in Step 1: Launch an Amazon EC2 Instance.

    5. Choose Actions --> Networking --> Change Security Groups.

    6. In the Change Security Groups window, select the security group that you created earlier in this procedure (for example: my-ssh-access). The existing default security group should also be selected. When the settings are as you want them, choose Assign Security Groups.

  2. Use the ssh command to log in to your Amazon EC2 instance, as in the following example.

    ssh -i my-keypair.pem ec2-user@public-dns-name

    You will need to specify your private key file (.pem file) and the public DNS name of your instance. (See Step 1: Launch an Amazon EC2 Instance).

    The login ID is ec2-user. No password is required.

  3. Configure your AWS credentials, as shown following. Enter your AWS access key ID, secret key, and default Region name when prompted.

    aws configure
    AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
    AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    Default region name [None]: us-east-1
    Default output format [None]:

You are now ready to create a VPC endpoint for DynamoDB.

Step 3: Create a VPC Endpoint for DynamoDB

In this step, you will create a VPC endpoint for DynamoDB and test it to make sure that it works.

  1. Before you begin, verify that you can communicate with DynamoDB using its public endpoint.

    aws dynamodb list-tables

    The output will show a list of DynamoDB tables that you currently own. (If you don't have any tables, the list will be empty.)

  2. Verify that DynamoDB is an available service for creating VPC endpoints in the current AWS Region. (The command is shown first, followed by example output.)

    aws ec2 describe-vpc-endpoint-services
    {
        "ServiceNames": [
            "com.amazonaws.us-east-1.s3",
            "com.amazonaws.us-east-1.dynamodb"
        ]
    }

    In the example output, DynamoDB is one of the services available, so you can proceed with creating a VPC endpoint for it.

  3. Determine your VPC identifier.

    aws ec2 describe-vpcs
    {
        "Vpcs": [
            {
                "VpcId": "vpc-0bbc736e",
                "InstanceTenancy": "default",
                "State": "available",
                "DhcpOptionsId": "dopt-8454b7e1",
                "CidrBlock": "172.31.0.0/16",
                "IsDefault": true
            }
        ]
    }

    In the example output, the VPC ID is vpc-0bbc736e.

  4. Create the VPC endpoint. For the --vpc-id parameter, specify the VPC ID from the previous step. Use the --route-table-ids parameter to associate the endpoint with your route tables.

    aws ec2 create-vpc-endpoint \
        --vpc-id vpc-0bbc736e \
        --service-name com.amazonaws.us-east-1.dynamodb \
        --route-table-ids rtb-11aa22bb
    {
        "VpcEndpoint": {
            "PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
            "VpcId": "vpc-0bbc736e",
            "State": "available",
            "ServiceName": "com.amazonaws.us-east-1.dynamodb",
            "RouteTableIds": [
                "rtb-11aa22bb"
            ],
            "VpcEndpointId": "vpce-9b15e2f2",
            "CreationTimestamp": "2017-07-26T22:00:14Z"
        }
    }

  5. Verify that you can access DynamoDB through the VPC endpoint.

    aws dynamodb list-tables

    If you want, you can try some other AWS CLI commands for DynamoDB. For more information, see the AWS CLI Command Reference.
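
The create-vpc-endpoint output in step 4 shows the default endpoint policy, which allows every principal, action and resource. The following Python code is an added example, not part of the original tutorial: it decodes that nested PolicyDocument, flags the wildcard statement, and builds a policy scoped to specific tables. The account ID and table name are hypothetical.

```python
import json

# Constructed sample: part of the "VpcEndpoint" object from the step 4 output.
# PolicyDocument is itself a JSON document carried as a string.
ENDPOINT = {
    "PolicyDocument": '{"Version":"2008-10-17","Statement":[{"Effect":"Allow",'
                      '"Principal":"*","Action":"*","Resource":"*"}]}',
    "ServiceName": "com.amazonaws.us-east-1.dynamodb",
    "VpcEndpointId": "vpce-9b15e2f2",
}


def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def wildcard_statements(endpoint):
    """Return Allow statements that permit all actions on all resources."""
    policy = json.loads(endpoint["PolicyDocument"])  # decode the nested JSON
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "dynamodb:*") for a in actions) and "*" in resources:
            findings.append(stmt)
    return findings


def scoped_policy(table_arns, actions):
    """Build an endpoint policy limited to the given tables and actions."""
    if not table_arns or not actions:
        raise ValueError("at least one table ARN and one action are required")
    if any("*" in a for a in actions):
        raise ValueError("wildcard actions defeat the purpose of scoping")
    statement = {
        "Effect": "Allow",
        "Principal": "*",
        "Action": sorted(actions),
        "Resource": sorted(table_arns),
    }
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


if __name__ == "__main__":
    print(wildcard_statements(ENDPOINT))
    # Hypothetical account ID and table name, for illustration only.
    arn = "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"
    print(scoped_policy([arn], ["dynamodb:GetItem", "dynamodb:Query"]))
```

The resulting JSON can be supplied through the --policy-document parameter of aws ec2 create-vpc-endpoint or aws ec2 modify-vpc-endpoint. ListTables is not a table-level action, so the list-tables check in step 5 is denied through an endpoint whose policy allows only table ARNs.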

Step 4: (Optional) Clean Up

If you want to delete the resources you have created in this tutorial, follow these procedures:

To remove your VPC endpoint for DynamoDB

  1. Log in to your Amazon EC2 instance.

  2. Determine the VPC endpoint ID.

    aws ec2 describe-vpc-endpoints
    {
        "VpcEndpoint": {
            "PolicyDocument": "{\"Version\":\"2008-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}",
            "VpcId": "vpc-0bbc736e",
            "State": "available",
            "ServiceName": "com.amazonaws.us-east-1.dynamodb",
            "RouteTableIds": [],
            "VpcEndpointId": "vpce-9b15e2f2",
            "CreationTimestamp": "2017-07-26T22:00:14Z"
        }
    }

    In the example output, the VPC endpoint ID is vpce-9b15e2f2.

  3. Delete the VPC endpoint.

    aws ec2 delete-vpc-endpoints --vpc-endpoint-ids vpce-9b15e2f2
    {
        "Unsuccessful": []
    }

    The empty array [] indicates success (there were no unsuccessful requests).

To terminate your Amazon EC2 instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Choose your Amazon EC2 instance.

  4. Choose Actions, Instance State, Terminate.

  5. In the confirmation window, choose Yes, Terminate.