Using Amazon QLDB with interface VPC endpoints - Amazon Quantum Ledger Database (Amazon QLDB)

Using Amazon QLDB with interface VPC endpoints

You can use an interface VPC endpoint to keep traffic between your Amazon Virtual Private Cloud (Amazon VPC) and Amazon QLDB from leaving the AWS network. Interface VPC endpoints don't require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Interface VPC endpoints are powered by AWS PrivateLink. AWS PrivateLink enables private communication between AWS services using an elastic network interface with private IPs in your Amazon VPC. For more information, see What is Amazon VPC? and Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Using interface VPC endpoints for QLDB

To get started, you don't need to change the settings for your QLDB ledgers. Simply create an interface VPC endpoint to enable your QLDB traffic from and to your Amazon VPC resources to start flowing through the interface VPC endpoint. For more information, see Creating an interface endpoint.

For example, consider a QLDB ledger application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance in a VPC. If you enable a QLDB interface VPC endpoint, calls between the ledger application and QLDB flow through the private interface VPC endpoint instead of public endpoints. The calls use the endpoint only if the application resolves the QLDB Session hostname to the endpoint's private IP addresses (private DNS enabled on the endpoint) or is explicitly configured with the endpoint-specific DNS name; otherwise it keeps using the public endpoint even though the interface endpoint exists.

Note

QLDB currently supports interface VPC endpoints for the QLDB Session transactional data API only. This API includes only the SendCommand action. Control-plane actions (for example, ListLedgers and DescribeLedger) are not carried by the interface endpoint and continue to use the public QLDB endpoint.

Controlling access to VPC endpoints for QLDB

You can use VPC endpoint policies to control access by attaching a policy to a VPC endpoint. Or, you can use condition keys (such as aws:sourceVpce) in a policy that is attached to an IAM user, group, or role to allow access only from a specified VPC endpoint. When used together, VPC endpoint policies and IAM policies can restrict access to specific QLDB actions on specified ledgers to a specified VPC endpoint: a request that enters through the endpoint must be allowed by both the endpoint policy and the caller's identity policy.

The following are example endpoint policies for accessing QLDB ledgers.

  • VPC policy example: Read-only access — You can attach the following sample policy to a VPC endpoint. (For more information, see Controlling access to Amazon VPC resources in the Amazon VPC User Guide.) This policy restricts actions to only listing and describing QLDB ledgers through the VPC endpoint that it's attached to. Because the endpoint carries only the qldb:SendCommand action (see the note above) and this policy does not allow that action, attaching it blocks all transactional traffic through the endpoint; treat it as an illustration of the endpoint policy syntax rather than as a working policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOnly",
                "Principal": "*",
                "Action": [
                    "qldb:List*",
                    "qldb:Describe*"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
  • VPC policy example: Restrict access to a specific QLDB ledger — You can attach the following sample policy to a VPC endpoint. This policy restricts access to a specific ledger resource through the VPC endpoint that it's attached to; SendCommand calls for any other ledger that arrive through this endpoint are denied by the endpoint policy, regardless of what the caller's identity policy allows.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AccessToSpecificQLDBLedger",
                "Principal": "*",
                "Action": "qldb:*",
                "Effect": "Allow",
                "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/exampleLedger"
            }
        ]
    }
  • IAM policy example: Restrict access to a specific QLDB ledger from a specific VPC endpoint only — You can attach the following sample policy to an IAM user, role, or group. The policy denies qldb:SendCommand on the specified ledger unless the request arrives through the specified VPC endpoint. Because the statement is a Deny, it grants nothing by itself: the principal still needs a separate Allow for qldb:SendCommand on the ledger. Requests that arrive over the public endpoint carry no aws:sourceVpce key, and StringNotEquals treats a missing key as not matching, so those requests are denied as well.

    Important

    This policy example specifies only the SendCommand action because it's the only QLDB action that currently supports interface VPC endpoints.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AccessFromSpecificEndpoint",
                "Action": "qldb:SendCommand",
                "Effect": "Deny",
                "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/exampleLedger",
                "Condition": {
                    "StringNotEquals": {
                        "aws:sourceVpce": "vpce-1a2b3c4d"
                    }
                }
            }
        ]
    }
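To make the interaction between the endpoint policy and the identity policy concrete, the following is an added example, not code from the AWS page or the QLDB SDK: a small Python simulator that evaluates the "Restrict access to a specific QLDB ledger" endpoint policy and the "AccessFromSpecificEndpoint" IAM policy above against sample SendCommand requests. The Allow statement in IDENTITY_POLICY, the second ledger ARN, the endpoint ID vpce-0f0f0f0f, and the requests themselves are constructed for the demo, and the evaluator models only the IAM features these two policies use (Allow/Deny, action and resource wildcards, StringNotEquals on aws:sourceVpce); it is not a substitute for the IAM policy simulator.

```python
"""Added example (not from the AWS page): evaluates the page's endpoint policy
and identity policy together. Models only Allow/Deny, wildcards, and
StringEquals/StringNotEquals on aws:sourceVpce. The Allow statement and the
sample requests are constructed for the demo."""
import fnmatch

LEDGER_ARN = "arn:aws:qldb:us-east-1:123456789012:ledger/exampleLedger"
OTHER_LEDGER_ARN = "arn:aws:qldb:us-east-1:123456789012:ledger/otherLedger"  # constructed
VPCE_ID = "vpce-1a2b3c4d"  # the endpoint the page's IAM policy pins access to

# Endpoint policy from the page: attached to VPCE_ID, limits it to one ledger.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AccessToSpecificQLDBLedger", "Principal": "*",
                   "Action": "qldb:*", "Effect": "Allow", "Resource": LEDGER_ARN}],
}

# Identity policy: the page's Deny statement plus an assumed Allow, because a
# Deny on its own grants nothing.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSendCommandOnLedgers",  # assumed, not on the page
         "Effect": "Allow", "Action": "qldb:SendCommand",
         "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/*"},
        {"Sid": "AccessFromSpecificEndpoint", "Effect": "Deny",
         "Action": "qldb:SendCommand", "Resource": LEDGER_ARN,
         "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the StringEquals/StringNotEquals subset these policies use."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # IAM semantics: when the key is absent from the request (a call
                # over the public endpoint carries no aws:sourceVpce),
                # StringNotEquals evaluates to true, so the Deny still applies.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def _statement_matches(statement, request):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    action_ok = any(fnmatch.fnmatchcase(request["action"].lower(), p.lower())
                    for p in _as_list(statement["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(request["resource"], p)
                      for p in _as_list(statement["Resource"]))
    return action_ok and resource_ok and _condition_holds(
        statement.get("Condition", {}), request["context"])


def evaluate(policy, request):
    """One policy document: explicit Deny wins, then Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_matches(s, request)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(request):
    """A call must pass the identity policy and, when it enters through the
    endpoint that carries ENDPOINT_POLICY, that endpoint policy as well."""
    decisions = [evaluate(IDENTITY_POLICY, request)]
    if request["context"].get("aws:sourceVpce") == VPCE_ID:
        decisions.append(evaluate(ENDPOINT_POLICY, request))
    return all(d == "Allow" for d in decisions)


def make_request(resource, vpce=None):
    """Build a SendCommand request; vpce=None models a call over the public endpoint."""
    context = {"aws:sourceVpce": vpce} if vpce else {}
    return {"action": "qldb:SendCommand", "resource": resource, "context": context}


SAMPLE_REQUESTS = {  # constructed for the demo; vpce-0f0f0f0f is a made-up second endpoint
    "exampleLedger via the pinned endpoint": make_request(LEDGER_ARN, VPCE_ID),
    "exampleLedger over the public endpoint": make_request(LEDGER_ARN),
    "exampleLedger via a different endpoint": make_request(LEDGER_ARN, "vpce-0f0f0f0f"),
    "otherLedger via the pinned endpoint": make_request(OTHER_LEDGER_ARN, VPCE_ID),
}


def decisions():
    """Map each sample request to True (allowed) or False (denied)."""
    return {name: is_allowed(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

Only the first request is allowed. The public-endpoint call is denied even though no aws:sourceVpce value is present, because StringNotEquals on a missing key evaluates to true; the call for otherLedger passes the identity policy but is stopped by the endpoint policy's Resource, which is the "used together" behaviour described above.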