Amazon Kendra and interface VPC endpoints (AWS PrivateLink)
You can establish a private connection between your VPC and Amazon Kendra by creating
an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink
Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.
For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.
Considerations for Amazon Kendra VPC endpoints
Before you set up an interface VPC endpoint for Amazon Kendra, make sure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.
Amazon Kendra supports making calls to all of its API actions from your VPC.
Creating an interface VPC endpoint for Amazon Kendra
You can create a VPC endpoint for the Amazon Kendra service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Create a VPC endpoint for Amazon Kendra using the following service name:
-
com.amazonaws.
region
.kendra
After you create a VPC endpoint, you can use the following example AWS CLI command that
uses the endpoint-url
parameter to specify an interface endpoint to the
Amazon Kendra API:
aws kendra list-indices --endpoint-url https://
VPC endpoint
where VPC endpoint
is the DNS name generated when the
interface endpoint is created. This name includes the VPC endpoint ID, Amazon Kendra service
name and Region name. For example,
vpce-1234-abcdef.kendra.us-west-2.vpce.amazonaws.com
.
If you activate private DNS for the endpoint, you can make API requests to
Amazon Kendra using its default DNS name for the Region, for example,
kendra.us-east-1.amazonaws.com
.
For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon Kendra
You can attach an endpoint policy to your VPC endpoint that controls access to Amazon Kendra. The policy specifies the following information:
-
The principal that can perform actions.
-
The actions that can be performed.
-
The resources on which actions can be performed.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for Amazon Kendra actions
The following is an example of an endpoint policy for Amazon Kendra. When attached to an endpoint, this policy grants access to the listed Amazon Kendra actions for all principals on all resources.
{ "Statement":[ { "Principal":"*", "Effect":"Allow", "Action":[ "kendra:Query" ], "Resource":"*" } ] }