Considerations Create an interface VPC endpoint Create a VPC endpoint policy

Access AWS FIS using an interface VPC endpoint (AWS PrivateLink)

You can establish a private connection between your VPC and AWS Fault Injection Service by creating an interface VPC endpoint. VPC endpoints are powered by AWS PrivateLink, a technology that enables you to privately access AWS FIS APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with AWS FIS APIs.

Each interface endpoint is represented by one or more elastic network interfaces in your subnets.

For more information, see Access AWS services through AWS PrivateLink in the AWS PrivateLink Guide.

Considerations for AWS FIS VPC endpoints

Before you set up an interface VPC endpoint for AWS FIS, review Access an AWS service using an interface VPC endpoint in the AWS PrivateLink Guide.

AWS FIS supports making calls to all of its API actions from your VPC.

Create an interface VPC endpoint for AWS FIS

You can create a VPC endpoint for the AWS FIS service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Create a VPC endpoint in the AWS PrivateLink Guide.

Create a VPC endpoint for AWS FIS using the following service name: com.amazonaws.region.fis.

If you enable private DNS for the endpoint, you can make API requests to AWS FIS using its default DNS name for the Region, for example, fis.us-east-1.amazonaws.com.

Create a VPC endpoint policy for AWS FIS

You can attach an endpoint policy to your VPC endpoint that controls access to AWS FIS. The policy specifies the following information:

The principal that can perform actions.
The actions that can be performed.
The resources on which actions can be performed.

For more information, see Control access to VPC endpoints using endpoint policies in the AWS PrivateLink Guide.

Example: VPC endpoint policy for specific AWS FIS actions

The following VPC endpoint policy grants access to the listed AWS FIS actions on all resources to all principals.


{
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "fis:ListExperimentTemplates",
            "fis:StartExperiment",
            "fis:StopExperiment",
            "fis:GetExperiment"
         ],
         "Resource":"*",
         "Principal":"*"
      }
   ]
}

Example: VPC endpoint policy that denies access from a specific AWS account

The following VPC endpoint policy denies the specified AWS account access to all actions and resources, but grants all other AWS accounts access to all actions and resources.


{
   "Statement":[
      {
         "Effect": "Allow",
         "Action": "*",
         "Resource": "*",
         "Principal": "*"
      },
      {
         "Effect":"Deny",
         "Action": "*",
         "Resource": "*",
         "Principal": {
           "AWS": [ "123456789012" ]
         }
      }
   ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure security

Tag your resources