AWS HealthOmics and interface VPC endpoints (AWS PrivateLink) - AWS HealthOmics
Considerations for AWS HealthOmics VPC endpointsCreating an interface VPC endpoint for AWS HealthOmicsCreating a VPC endpoint policy for AWS HealthOmics

AWS HealthOmics and interface VPC endpoints (AWS PrivateLink)

You can establish a private connection between your VPC and AWS HealthOmics by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that you can use to privately access AWS HealthOmics APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with AWS HealthOmics APIs. Traffic between your VPC and AWS HealthOmics does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Only the HealthOmics Storage operations are available for use with VPC. VPC endpoint policies are supported for AWS HealthOmics. By default, full access to AWS HealthOmics is allowed through the endpoint.

Considerations for AWS HealthOmics VPC endpoints

Before you set up an interface VPC endpoint for AWS HealthOmics, make sure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

AWS HealthOmics supports making calls to all HealthOmics Storage API actions from your VPC.

VPC endpoint policies are not supported for AWS HealthOmics by default, but you can create a VPC endpoint for full AWS HealthOmics accesss for the HealthOmics Storage operations. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Creating an interface VPC endpoint for AWS HealthOmics

You can create a VPC endpoint for the AWS HealthOmics service using the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for AWS HealthOmics using the following service name:

  • com.amazonaws.region.storage-omics

  • com.amazonaws.region.control-storage-omics

  • com.amazonaws.region.analytics-omics

  • com.amazonaws.region.workflows-omics

  • com.amazonaws.region.tags-omics

If you enable private DNS for the endpoint, you can make API requests to AWS HealthOmics using its default DNS name for the Region, for example, omics.us-east-1.amazonaws.com.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for AWS HealthOmics

You can attach an endpoint policy to your VPC endpoint that controls access to AWS HealthOmics. The policy specifies the following information:

  • The principal that can perform actions

  • The actions that can be performed

  • The resources on which actions can be performed

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for AWS HealthOmics actions

The following is an example of an endpoint policy for AWS HealthOmics. When attached to an endpoint, this policy grants access to AWS HealthOmics actions for all principals on all resources.

API
{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "omics:List*"
         ],
         "Resource":"*"
      }
   ]
}
CLI
aws ec2 modify-vpc-endpoint \
    --vpc-endpoint-id vpce-id \
    --region us-west-2 \
    --policy-document \
    "{\"Statement\":[{\"Principal\":\"*\",\"Effect\":\"Allow\",\"Action\":[\"omics:List*\"],\"Resource\":\"*\"}]}"