Access Amazon QLDB using an interface endpoint (AWS PrivateLink) - Amazon Quantum Ledger Database (Amazon QLDB)

Access Amazon QLDB using an interface endpoint (AWS PrivateLink)

You can use AWS PrivateLink to create a private connection between your VPC and Amazon QLDB. You can access QLDB as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to access QLDB.

You establish this private connection by creating an interface endpoint, powered by AWS PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for QLDB.

For more information, see Access AWS services through AWS PrivateLink in the AWS PrivateLink Guide.

Considerations for QLDB

Before you set up an interface endpoint for QLDB, review Considerations in the AWS PrivateLink Guide.

Note

QLDB only supports making calls to the QLDB Session transactional data API through the interface endpoint. This API includes only the SendCommand operation. In the STANDARD permissions mode of a ledger, you can control permissions to specific PartiQL actions in this API.

Create an interface endpoint for QLDB

You can create an interface endpoint for QLDB using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Create an interface endpoint in the AWS PrivateLink Guide.

Create an interface endpoint for QLDB using the following service name:

com.amazonaws.region.qldb.session

If you enable private DNS for the interface endpoint, you can make API requests to QLDB using its default Regional DNS name. For example, session.qldb.us-east-1.amazonaws.com.

Create an endpoint policy for your interface endpoint

An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to QLDB through the interface endpoint. To control the access allowed to QLDB from your VPC, attach a custom endpoint policy to the interface endpoint.

An endpoint policy specifies the following information:

  • The principals that can perform actions (AWS accounts, users, and roles).

  • The actions that can be performed.

  • The resources on which the actions can be performed.

For more information, see Control access to services using endpoint policies in the AWS PrivateLink Guide.

You can also use the Condition field in a policy that is attached to a user, group, or role to allow access only from a specified interface endpoint. When used together, endpoint policies and IAM policies can restrict access to specific QLDB actions on specified ledgers to a specified interface endpoint.

Endpoint policy example: Restrict access to a specific QLDB ledger

The following is an example of a custom endpoint policy for QLDB. When you attach this policy to your interface endpoint, it grants access to the SendCommand action and the PartiQL read-only actions (PartiQLSelect and PartiQLHistoryFunction) for all principals on the specified ledger resource; any other QLDB action requested through the endpoint is implicitly denied. In this example, the ledger must be in the STANDARD permissions mode.

To use this policy, replace us-east-1, 123456789012, and myExampleLedger in the example with your own information.

{
    "Statement": [
        {
            "Sid": "QLDBSendCommandPermission",
            "Principal": "*",
            "Effect": "Allow",
            "Action": "qldb:SendCommand",
            "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger"
        },
        {
            "Sid": "QLDBPartiQLReadOnlyPermissions",
            "Principal": "*",
            "Effect": "Allow",
            "Action": [
                "qldb:PartiQLSelect",
                "qldb:PartiQLHistoryFunction"
            ],
            "Resource": [
                "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/table/*",
                "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger/information_schema/user_tables"
            ]
        }
    ]
}

IAM policy example: Restrict access to a QLDB ledger from a specific interface endpoint only

The following is an example of an IAM identity-based policy for QLDB. When you attach this policy to a user, role, or group, it denies SendCommand access to a ledger resource unless the request arrives through the specified interface endpoint, so the action is allowed only from that endpoint. Because the statement is a Deny, the principal still needs an Allow for qldb:SendCommand from another statement or policy.

To use this policy, replace us-east-1, 123456789012, myExampleLedger, and vpce-1a2b3c4d in the example with your own information.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessFromSpecificInterfaceEndpoint",
            "Effect": "Deny",
            "Action": "qldb:SendCommand",
            "Resource": "arn:aws:qldb:us-east-1:123456789012:ledger/myExampleLedger",
            "Condition": {
                "StringNotEquals": {
                    "aws:sourceVpce": "vpce-1a2b3c4d"
                }
            }
        }
    ]
}
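To see how the endpoint policy and the identity-based policy combine (the "when used together" behaviour described earlier, applied to the two policies above), here is an added example that is not part of the AWS documentation and is not the IAM policy engine. It is a simplified, offline evaluator that models only what the two policies on this page use: Allow and Deny effects, the * wildcard in Action and Resource, and the StringEquals / StringNotEquals operators on aws:sourceVpce. Because the page's identity policy contains only a Deny statement, the example adds an Allow statement (an assumption, labelled in the code) so the Deny has a grant to restrict. The table ARN, the second endpoint ID, and the Vehicle table name are constructed for the example; principals are not evaluated.

```python
import fnmatch

# Added example, not AWS code: a simplified IAM-style evaluator that applies the
# page's endpoint policy and identity policy together to one request.

REGION, ACCOUNT, LEDGER = "us-east-1", "123456789012", "myExampleLedger"
LEDGER_ARN = f"arn:aws:qldb:{REGION}:{ACCOUNT}:ledger/{LEDGER}"
TABLE_ARN = f"{LEDGER_ARN}/table/Vehicle"   # constructed table ARN for the example
ENDPOINT_ID = "vpce-1a2b3c4d"                # interface endpoint ID from the page

# Endpoint policy from the page: SendCommand plus read-only PartiQL actions on one ledger.
ENDPOINT_POLICY = {
    "Statement": [
        {"Sid": "QLDBSendCommandPermission", "Principal": "*", "Effect": "Allow",
         "Action": "qldb:SendCommand", "Resource": LEDGER_ARN},
        {"Sid": "QLDBPartiQLReadOnlyPermissions", "Principal": "*", "Effect": "Allow",
         "Action": ["qldb:PartiQLSelect", "qldb:PartiQLHistoryFunction"],
         "Resource": [f"{LEDGER_ARN}/table/*",
                      f"{LEDGER_ARN}/information_schema/user_tables"]},
    ]
}

# Identity policy: the page's Deny statement plus an Allow statement that is an
# ASSUMPTION here (the page's statement only denies, so some grant must exist).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AssumedGrant", "Effect": "Allow",
         "Action": ["qldb:SendCommand", "qldb:PartiQL*"],
         "Resource": [LEDGER_ARN, f"{LEDGER_ARN}/*"]},
        {"Sid": "AccessFromSpecificInterfaceEndpoint", "Effect": "Deny",
         "Action": "qldb:SendCommand", "Resource": LEDGER_ARN,
         "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style '*' wildcard; like IAM, '*' also spans '/' in ARNs (ARNs contain no '?' or '[').
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the two string operators used on the page are modelled. As in IAM, a
    # missing context key makes StringEquals false and StringNotEquals true.
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy; an explicit Deny wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(action, resource, context):
    """A request via the endpoint needs an Allow from BOTH policies and no Deny from either."""
    identity = evaluate(IDENTITY_POLICY, action, resource, context)
    endpoint = evaluate(ENDPOINT_POLICY, action, resource, context)
    return identity == "Allow" and endpoint == "Allow"


if __name__ == "__main__":
    via_endpoint = {"aws:sourceVpce": ENDPOINT_ID}
    other_endpoint = {"aws:sourceVpce": "vpce-0000ffff"}   # constructed, not from the page
    cases = [
        ("qldb:SendCommand", LEDGER_ARN, via_endpoint),
        ("qldb:SendCommand", LEDGER_ARN, other_endpoint),
        ("qldb:SendCommand", LEDGER_ARN, {}),               # no VPCE: public path
        ("qldb:PartiQLSelect", TABLE_ARN, via_endpoint),
        ("qldb:PartiQLInsert", TABLE_ARN, via_endpoint),    # not in endpoint policy
    ]
    for action, resource, ctx in cases:
        print(f"{action:24} vpce={ctx.get('aws:sourceVpce', '-'):14} "
              f"allowed={is_allowed(action, resource, ctx)}")
```

Running the script shows SendCommand allowed only when aws:sourceVpce is vpce-1a2b3c4d (a request with no VPCE key, i.e. one that did not come through an interface endpoint, is denied by the identity policy), and PartiQLSelect allowed but PartiQLInsert implicitly denied by the endpoint policy even though the assumed identity grant covers it. Only the Deny in the identity policy is taken from the page; the real IAM engine also evaluates principals, resource policies, and many more operators and condition keys.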

Availability of interface endpoints for QLDB

Amazon QLDB supports interface endpoints with policies in all of the AWS Regions where QLDB is available. For a complete list of available Regions, see Amazon QLDB endpoints and quotas in the AWS General Reference.