Create an Interface VPC Endpoint for Amazon Managed Blockchain (AMB) Hyperledger Fabric - Amazon Managed Blockchain (AMB)

Create an Interface VPC Endpoint for Amazon Managed Blockchain (AMB) Hyperledger Fabric

Each member of a Hyperledger Fabric network on AMB Access needs to privately access resource endpoints from their client applications and tools. Amazon Managed Blockchain (AMB) uses Interface VPC Endpoints (AWS PrivateLink) to accomplish this.

AMB Access creates a VPC service name for each network when it is created. Each network is a unique endpoint service with its own VPC service name. Each member then uses the VPC service name to create an interface VPC endpoint in their account. This interface VPC endpoint lets you access resources on the Hyperledger Fabric network on AMB Access through their endpoints. AWS accounts that are not invited to the network don't have access to the VPC service name and cannot set up an interface VPC endpoint for access.

The IAM principal (user) identity that you are using must have sufficient IAM permissions to create an interface VPC endpoint in your AWS account. For more information, see Controlling Access - Creating and Managing VPC Endpoints in the Amazon VPC User Guide.

Any blockchain framework clients that access resources on the network need access to the interface VPC endpoint. For example, if you use an Amazon EC2 instance as a Hyperledger Fabric client, you can create it in a subnet and security group that are shared with the interface VPC endpoint.

Applicable charges for interface VPC endpoints apply. For more information, see AWS PrivateLink Pricing.

The interface VPC endpoint that you set up to access a network must be enabled for private DNS names. This requires that you create the endpoint in a VPC that has the enableDnsHostnames and enableDnsSupport options set to true.

To create an interface VPC endpoint using the AMB Access console
  1. Open the AMB Access console at https://console.aws.amazon.com/managedblockchain/.

  2. Choose Networks, select your network from the list, and then choose View details.

  3. Choose Create VPC endpoint.

  4. Choose a VPC.

  5. For Subnets, choose a subnet from the list, and then choose additional subnets as necessary.

  6. For Security groups, choose an EC2 security group from the list, and then choose additional security groups as necessary. We recommend that you select the same security group that your framework client EC2 instance is associated with.

  7. Choose Create.

To create an interface VPC Endpoint for a network
  1. Find the VPC endpoint service name of the network. This value is returned by get-network command using the AMB Access CLI, and is available on the network Details page using the AMB Access console (choose Networks, select the network from the list, and then choose View details).

  2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. Choose Endpoints, Create Endpoint.

  4. Choose Find service by name. For Service Name, enter the VPC Endpoint Service Name from step 1.

  5. Choose Verify and then choose Create endpoint.

  6. Make sure that Enable Private DNS Name is selected. This option is only available if the VPC you selected has Enable DNS hostnames and Enable DNS support set to true for the VPC. This is a requirement for the VPC.

  7. We recommend that the EC2 security group that you specify for the VPC endpoint is the same as the EC2 security group for the blockchain client that you create to work with the network.