Amazon Q Business and interface Amazon VPC endpoints (AWS PrivateLink)
You can establish a private connection between your Amazon VPC and Amazon Q Business by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that allows you to privately access Amazon Q Business APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon Q Business APIs. Traffic between your VPC and Amazon Q Business doesn't leave the Amazon network.
Before you set up an interface VPC endpoint for Amazon Q Business, make sure that you review the prerequisites in the Amazon VPC User Guide.
Amazon Q Business currently supports only API calls to the Amazon Q Business APIs from your VPC. Using your VPC for the web experience user interface is not supported.
Creating an interface VPC endpoint for Amazon Q Business
You can create an interface endpoint for Amazon Q Business using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI).
Create an interface endpoint for Amazon Q Business using the following service name, where region is your AWS Region:
aws.api.region.qbusiness
After you create a VPC endpoint, you can use the following example AWS CLI command, which uses the endpoint-url parameter to specify an interface endpoint to the Amazon Q Business API:
aws qbusiness list-applications --endpoint-url https://<VPC endpoint>
Here, VPC endpoint is the DNS name generated when the interface endpoint is created. This name includes the VPC endpoint ID and the Amazon Q Business service name, which includes the region. For example, vpce-1234-adbcdef-us-west-2a.qbusiness.us-west-2.vpce.amazonaws.com.
If you enable private DNS for the endpoint, you can make API requests to Amazon Q Business using its default DNS name for the region. For example, qbusiness.us-west-2.api.aws.
For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon Q Business
An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to Amazon Q Business through the interface endpoint. To control the access allowed to Amazon Q Business from your VPC, attach a custom endpoint policy to the interface endpoint.
An endpoint policy specifies the following information:
- The principals/authorized users who can perform actions (AWS accounts, IAM users, and IAM roles)
- The actions that can be performed
- The resources on which the actions can be performed
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for Amazon Q Business actions
The following is an example of an endpoint policy for Amazon Q Business. When attached to an endpoint, this policy grants access to all available Amazon Q Business actions for all principals/authorized users on all resources.
{
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "qbusiness:*"
      ],
      "Resource": "*"
    }
  ]
}
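The default policy above opens the endpoint to every principal and every action. The following added example (not from the AWS documentation) builds a scoped-down endpoint policy for one account and audits a policy document for that wildcard pattern; the account ID is a placeholder and the action qbusiness:GetApplication is assumed (qbusiness:ListApplications corresponds to the list-applications call shown earlier).

```python
"""Build and audit an Amazon Q Business VPC endpoint policy (added example)."""
import json

# The default endpoint policy from the documentation: wildcard principal,
# action and resource.
DEFAULT_POLICY = {
    "Statement": [
        {"Principal": "*", "Effect": "Allow", "Action": ["qbusiness:*"], "Resource": "*"}
    ]
}

def service_name(region: str) -> str:
    """Service name to use when creating the interface endpoint in a region."""
    return f"aws.api.{region}.qbusiness"

def scoped_policy(account_id: str, actions: list[str]) -> dict:
    """Endpoint policy that lets only principals of one account (placeholder ID)
    call an explicit list of Amazon Q Business actions through the endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowListedActionsFromOwnAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": sorted(actions),
            "Resource": "*",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit(policy: dict) -> list[str]:
    """Flag Allow statements that let any principal run a wildcard action
    (* or qbusiness:*) on every resource. A Condition block could narrow such
    a statement; this check is conservative and reports it anyway."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wild_action = any(a in ("*", "qbusiness:*") for a in actions)
        wild_resource = "*" in _as_list(stmt.get("Resource", []))
        if _wildcard_principal(stmt.get("Principal")) and wild_action and wild_resource:
            findings.append(f"Statement {i}: any principal may call {actions} on all resources")
    return findings

if __name__ == "__main__":
    print(json.dumps(scoped_policy("111122223333", ["qbusiness:ListApplications"]), indent=2))
    print(audit(DEFAULT_POLICY))
```

The scoped policy can be passed to the endpoint with the AWS CLI --policy-document parameter of create-vpc-endpoint or modify-vpc-endpoint.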