AWS Lake Formation and interface VPC endpoints (AWS PrivateLink)
Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways.
If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and Lake Formation. You use this connection so that Lake Formation can communicate with the resources in your VPC without going through the public internet.
You can establish a private connection between your VPC and AWS Lake Formation by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink. Each interface endpoint is represented by one or more elastic network interfaces in your subnets. For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.
Considerations for Lake Formation VPC endpoints
Before you set up an interface VPC endpoint for Lake Formation, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.
Lake Formation supports making calls to all of its API actions from your VPC. You can use Lake Formation with VPC endpoints in all AWS Regions that support both Lake Formation and Amazon VPC endpoints.
Creating an interface VPC endpoint for Lake Formation
You can create a VPC endpoint for the Lake Formation service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Create a VPC endpoint for Lake Formation using the following service name:
- com.amazonaws.region.lakeformation
If you enable private DNS for the endpoint, you can make API requests to Lake Formation using its default DNS name for the Region, for example, lakeformation.us-east-1.amazonaws.com.
For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Lake Formation
Lake Formation supports VPC endpoint policies. An endpoint policy is a resource-based policy that you attach to a VPC endpoint to control which AWS principals can use the endpoint to access an AWS service.
You can attach an endpoint policy to your VPC endpoint that controls access to Lake Formation. The policy specifies the following information:
- The principal that can perform actions.
- The actions that can be performed.
- The resources on which actions can be performed.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for Lake Formation actions
The following example VPC endpoint policy for Lake Formation allows for credential vending using Lake Formation permissions. You might use this policy to run queries using Lake Formation permissions from an Amazon Redshift cluster or an Amazon EMR cluster located in a private subnet.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lakeformation:GetDataAccess",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
Note
If you don't attach a policy when you create an endpoint, a default policy that allows full access to the service is attached.
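As an added illustration (not from the AWS documentation), the following Python places the example policy above next to a variant that adds an aws:PrincipalAccount condition, and next to the full-access policy an endpoint gets when none is attached. The evaluator is deliberately simplified (Action matching, StringEquals conditions and explicit-Deny precedence only) and the account ID is a placeholder.

```python
import fnmatch

# Constructed sample policies, not taken from the AWS documentation. The first
# mirrors the page's example (any principal may call GetDataAccess); the second
# adds an aws:PrincipalAccount condition so only a placeholder account ID can.
OPEN_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "lakeformation:GetDataAccess",
    "Resource": "*", "Principal": "*"}]}

SCOPED_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "lakeformation:GetDataAccess",
    "Resource": "*", "Principal": "*",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": "111122223333"}}}]}

# Equivalent of the default attached when no policy is given: full service access.
DEFAULT_FULL_ACCESS = {"Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*", "Principal": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, context):
    """True if the statement's Action and StringEquals conditions all match."""
    # IAM action names are matched case-insensitively and may use '*' wildcards.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action", []))):
        return False
    # Only StringEquals is modelled; a missing context key never satisfies it.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, context):
    """Simplified evaluation: explicit Deny wins, else any matching Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt, action, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running is_allowed over the three policies shows that the open policy and the default allow GetDataAccess from any account, while the scoped one rejects other accounts and any other Lake Formation action.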
For more information, see these topics in the Amazon VPC documentation: