Using Amazon QLDB with interface VPC endpoints (AWS PrivateLink) - Amazon Quantum Ledger Database (Amazon QLDB)

Using Amazon QLDB with interface VPC endpoints (AWS PrivateLink)

You can establish a private connection between your Amazon Virtual Private Cloud (Amazon VPC) and Amazon QLDB by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access QLDB APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with QLDB APIs. Traffic between your VPC and QLDB does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Considerations for QLDB VPC endpoints

Before you set up an interface VPC endpoint for QLDB, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

Note

QLDB only supports making calls to the QLDB Session transactional data API from your VPC. This API includes only the SendCommand operation.

Creating an interface VPC endpoint for QLDB

You can create a VPC endpoint for the QLDB Session API using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

Create a VPC endpoint for QLDB using the following service name:

  • com.amazonaws.region.qldb.session

If you enable private DNS for the endpoint, you can make API requests to QLDB using its default DNS name for the Region; for example, session.qldb.us-east-1.amazonaws.com.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for QLDB

You can attach an endpoint policy to your VPC endpoint that controls access to QLDB. The policy specifies the following information:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

You can also use the Condition field in a policy that is attached to an IAM user, group, or role to allow access only from a specified VPC endpoint. When used together, VPC endpoint policies and IAM policies can restrict access to specific QLDB actions on specified ledgers to a specified VPC endpoint.

VPC policy example: Restrict access to a specific QLDB ledger

The following is an example of an endpoint policy for QLDB. When attached to an endpoint, this policy grants access to the SendCommand operation for all principals on the specified ledger resource.

{ "Statement": [ { "Sid": "AccessToSpecificQLDBLedger", "Principal": "*", "Effect": "Allow", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:111122223333:ledger/myExampleLedger" } ] }

IAM policy example: Restrict access to a QLDB ledger from a specific VPC endpoint only

The following is an example of an IAM identity-based policy for QLDB. When attached to an IAM user, role, or group, this policy allows access to a ledger resource only from the specified VPC endpoint.

Important

This policy example specifies only the SendCommand action because it's the only QLDB action that currently supports interface VPC endpoints.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AccessFromSpecificVPCEndpoint", "Effect": "Deny", "Action": "qldb:SendCommand", "Resource": "arn:aws:qldb:us-east-1:111122223333:ledger/myExampleLedger", "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-1a2b3c4d" } } } ] }

Availability of VPC endpoints for QLDB

Amazon QLDB supports interface VPC endpoints with policies in all of the AWS Regions where QLDB is available. For a complete list of available Regions, see Amazon QLDB endpoints and quotas in the AWS General Reference.