Setting up VPC endpoints with Amazon SES - Amazon Simple Email Service

Setting up VPC endpoints with Amazon SES

Many Amazon SES customers have corporate policies in place that limit the ability of their internal systems to connect to the public internet. These policies prevent the use of the public Amazon SES endpoints.

If you have similar policies, you can work within these restrictions by using Amazon Virtual Private Cloud. With Amazon VPC, you can deploy AWS resources into a virtual network that exists in an isolated area of the AWS Cloud. For more information about Amazon VPC, see the Amazon VPC User Guide.

You can connect directly from Amazon VPC to SES through a VPC endpoint in a secure and scalable manner. An interface VPC endpoint improves your security posture because you don't need to open outbound firewall rules to the internet, and it gives you the other benefits of Amazon VPC endpoints.

When you use a VPC endpoint, traffic to SES stays on the Amazon network and never transits the public internet, so your VPC connects to SES securely, without availability risks or bandwidth constraints on your network traffic. You can also centralize SES across your multi-account infrastructure and provide it as a service to your accounts without an internet gateway.

Limitations
  • SES does not support VPC endpoints in the following Availability Zones: use1-az2, use1-az3, use1-az5, usw1-az2, usw2-az4, apne2-az4, cac1-az3, and cac1-az4.

  • The SMTP endpoint used within the VPC is restricted to the AWS Region currently being used for your account.

Walkthrough example of setting up SES in Amazon VPC

Prerequisites

Before you complete the procedure in this section, you have to complete the following steps:

  • Have an existing virtual private cloud (VPC) or create a new VPC. For procedures, see Get started with Amazon VPC.

  • Launch an Amazon EC2 instance in your VPC for testing connectivity to the VPC endpoint created in a later step. For more information, see Default VPCs.

    Note

    Although a VPC endpoint for SES can be used with any resource, this example uses an EC2 instance because it is the simplest resource to test with. Because Amazon EC2 restricts email traffic over port 25 by default, use a port other than TCP 25, such as TCP 465, 587, 2465, or 2587.

Setting up SES in Amazon VPC

The process of setting up a VPC endpoint to use with SES consists of a few separate steps. First, you create a security group that allows the instance to reach the endpoint on the SMTP port, then you create a VPC endpoint for Amazon SES, and finally, you test the connection to the VPC endpoint to ensure that it's configured properly.

Step 1: Create the security group

In this step, you create a security group that lets Amazon EC2 instances communicate with the VPC interface endpoint you'll be creating.

To create the security group
  1. In the navigation pane of the Amazon EC2 console, under Network & Security, choose Security Groups.

  2. Choose Create security group.

  3. Under Basic details, do the following:

    • For Security group name, enter a unique name that identifies the security group.

    • For Description, enter some text that describes the purpose of the security group.

    • For VPC, choose the VPC that you want to use Amazon SES in.

  4. Under Inbound rules, choose Add rule.

  5. For the new Inbound rule, do the following:

    • For Type, choose Custom TCP.

    • For Port range, enter the port number that you want to use to send email. You can use any of the following port numbers: 465, 587, 2465, or 2587.

    • For Source type, choose Custom.

    • For Source, enter the private IP CIDR range, or the IDs of the security groups, that contain the resources that will use the VPC endpoint to communicate with the SES service.

    • (Repeat steps 4 - 5 for each CIDR range or Security Group you wish to allow access from.)

  6. When you finish, choose Create security group.

Step 2: Create the VPC endpoint

In Amazon VPC, a VPC endpoint lets you connect your VPC to supported AWS services. In this example, you configure Amazon VPC so that your Amazon EC2 security group can connect to Amazon SES.

To create the VPC endpoint
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Under Virtual Private Cloud, choose Endpoints.

  3. Choose Create Endpoint to open the Create Endpoint page.

  4. (Optional) In the Endpoint settings panel, create a tag in the Name tag field.

  5. For Service category, select AWS services.

  6. In the Services panel, enter smtp in the search bar to filter the list, then select the radio button for the email-smtp service.

  7. In the VPC panel, click inside the search bar and select a VPC from the list box (see Prerequisites).

  8. In the Subnets panel, select Availability Zones and Subnet IDs.

    Note

    Amazon SES doesn't support VPC endpoints in the following Availability Zones: use1-az2, use1-az3, use1-az5, usw1-az2, usw2-az4, apne2-az4, cac1-az3, and cac1-az4.

  9. In the Security groups panel, select the security group you created earlier.

  10. (Optional) In the Tags panel, you can create one or more tags.

  11. Choose Create endpoint. Wait approximately 5 minutes while Amazon VPC creates the endpoint. When the endpoint is ready to use, the value in the Status column changes to Available.
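The following script is an added example, not part of the SES documentation, that performs Steps 1 and 2 with the AWS CLI instead of the console: it creates the security group, allows inbound SMTP only from the senders' private range, creates the email-smtp interface endpoint, and polls until it is available. It assumes AWS CLI v2 with credentials that may call ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:CreateVpcEndpoint and ec2:DescribeVpcEndpoints; the VPC ID, subnet IDs and CIDR range are placeholders, and the APPLY variable is the script's own guard.

```shell
#!/bin/sh
# Added example, not from the SES documentation: the security group and the
# SES SMTP interface endpoint of Steps 1 and 2, created with the AWS CLI.
# Assumes AWS CLI v2 with credentials allowed to call ec2:CreateSecurityGroup,
# ec2:AuthorizeSecurityGroupIngress, ec2:CreateVpcEndpoint and
# ec2:DescribeVpcEndpoints. All IDs and ranges below are placeholders.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"             # placeholder
SUBNET_IDS="${SUBNET_IDS:-subnet-0123456789abcdef0}"  # placeholder; space-separated,
                                                      # one per supported AZ
CLIENT_CIDR="${CLIENT_CIDR:-10.0.0.0/16}"             # private range of the senders
SMTP_PORT="${SMTP_PORT:-587}"

# Service name of the SES SMTP interface endpoint: com.amazonaws.<region>.email-smtp
ses_smtp_service_name() {
  printf 'com.amazonaws.%s.email-smtp\n' "$1"
}

# Accept only the non-25 SMTP ports the walkthrough lists (EC2 restricts TCP 25).
valid_smtp_port() {
  case "$1" in
    465|587|2465|2587) return 0 ;;
    *) return 1 ;;
  esac
}

create_ses_endpoint() {
  valid_smtp_port "$SMTP_PORT" || { echo "unsupported SMTP port: $SMTP_PORT" >&2; return 1; }

  # Step 1: security group attached to the endpoint network interfaces. Inbound is
  # allowed only from the senders' private range on the chosen port, nothing else.
  sg_id=$(aws ec2 create-security-group --region "$REGION" \
      --group-name ses-smtp-endpoint \
      --description "Inbound SMTP from VPC clients to the SES interface endpoint" \
      --vpc-id "$VPC_ID" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg_id" \
      --protocol tcp --port "$SMTP_PORT" --cidr "$CLIENT_CIDR" >/dev/null

  # Step 2: the interface endpoint. Private DNS makes email-smtp.<region>.amazonaws.com
  # resolve to the endpoint inside the VPC (the VPC needs DNS hostnames and DNS
  # resolution enabled for that to work).
  vpce_id=$(aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Interface \
      --service-name "$(ses_smtp_service_name "$REGION")" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$sg_id" \
      --private-dns-enabled \
      --query VpcEndpoint.VpcEndpointId --output text)

  # Poll until the endpoint reports "available" (the console's Available status).
  while [ "$(aws ec2 describe-vpc-endpoints --region "$REGION" \
              --vpc-endpoint-ids "$vpce_id" \
              --query 'VpcEndpoints[0].State' --output text)" != "available" ]; do
    sleep 15
  done
  echo "$vpce_id"
}

# Nothing is created unless APPLY=1, so the file can be sourced or dry-run safely.
if [ "${APPLY:-0}" = "1" ]; then
  create_ses_endpoint
fi
```

Run it as `APPLY=1 VPC_ID=... SUBNET_IDS="..." CLIENT_CIDR=... sh create-ses-endpoint.sh` from a host with AWS credentials. The security group deliberately has no inbound rule wider than the senders' range: the endpoint network interfaces are the only thing that needs to accept the SMTP port, and only from the resources that will send mail.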

(Optional) Step 3: Test the connection to the VPC endpoint

When you complete the process of configuring the VPC endpoint, you can test the connection to ensure that the VPC endpoint is configured properly. You can test the connection by using command-line tools that are included with most operating systems.

To test the connection to the VPC endpoint
  1. Launch an Amazon EC2 instance in the same VPC where you just created the email-smtp VPC endpoint.

    For information about connecting to Linux instances, see Connect to your Linux instance in the Amazon EC2 User Guide for Linux Instances.

    For information about connecting to Windows instances, see the Get started tutorial in the Amazon EC2 User Guide for Windows Instances.

  2. Send a test email, for example, by using the SES SMTP interface.

    Note

    You have to verify an email address or domain before you can send email through Amazon SES. For more information about verifying identities, see Creating and verifying identities in Amazon SES.
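The script below is an added example, not part of the SES documentation, of the command-line test that Step 3 describes. Run from an EC2 instance inside the VPC, it first checks that the SES SMTP hostname resolves to a private address (the endpoint's network interface) rather than to a public IP, which would mean traffic is still heading for the public endpoint; it then opens an SMTP session over TLS with openssl and, optionally, sends a test message with curl. It assumes the standard openssl, curl and getent binaries, that the VPC's private DNS resolves email-smtp.<region>.amazonaws.com to the endpoint, and that FROM_ADDR is a verified identity; the addresses, SMTP credentials and the RUN_CHECK and SEND_TEST guards are placeholders of this example.

```shell
#!/bin/sh
# Added example, not from the SES documentation: verifies from inside the VPC
# that the SES SMTP hostname resolves to the endpoint's private address and that
# an SMTP session over TLS succeeds. Assumes openssl, curl and getent are
# installed. SMTP_USERNAME/SMTP_PASSWORD are your SES SMTP credentials (placeholders
# below); FROM_ADDR must be a verified SES identity.
set -eu

REGION="${REGION:-us-east-1}"
SMTP_HOST="${SMTP_HOST:-email-smtp.$REGION.amazonaws.com}"
SMTP_PORT="${SMTP_PORT:-587}"
FROM_ADDR="${FROM_ADDR:-sender@example.com}"    # placeholder; must be a verified identity
TO_ADDR="${TO_ADDR:-recipient@example.com}"     # placeholder

# 465 and 2465 expect TLS from the first byte; 587 and 2587 start in plain text
# and upgrade with STARTTLS. Anything else is not one of the walkthrough's ports.
smtp_tls_mode() {
  case "$1" in
    465|2465) echo implicit ;;
    587|2587) echo starttls ;;
    *) echo unsupported; return 1 ;;
  esac
}

# RFC 1918 test: an interface endpoint answers from a private address in the VPC.
# A public address means the name still resolves to the public SES endpoint
# (private DNS not enabled on the endpoint, or VPC DNS settings switched off).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

check_resolution() {
  for ip in $(getent hosts "$SMTP_HOST" | awk '{print $1}'); do
    if is_private_ipv4 "$ip"; then
      echo "$SMTP_HOST -> $ip (private: via the VPC endpoint)"
    else
      echo "$SMTP_HOST -> $ip (PUBLIC: traffic would bypass the endpoint)" >&2
      return 1
    fi
  done
}

# EHLO through openssl s_client. A 250 reply shows the security group lets the
# port through and that the TLS handshake with the SES certificate succeeded.
smtp_ehlo_output() {
  if [ "$(smtp_tls_mode "$SMTP_PORT")" = starttls ]; then
    printf 'EHLO vpce-check.example\r\nQUIT\r\n' |
      openssl s_client -quiet -starttls smtp -connect "$SMTP_HOST:$SMTP_PORT" \
        -servername "$SMTP_HOST" 2>&1
  else
    printf 'EHLO vpce-check.example\r\nQUIT\r\n' |
      openssl s_client -quiet -connect "$SMTP_HOST:$SMTP_PORT" \
        -servername "$SMTP_HOST" 2>&1
  fi
}

smtp_handshake() {
  smtp_ehlo_output | grep -q '^250' && echo "SMTP session OK on port $SMTP_PORT"
}

# Optional send through the same endpoint. curl speaks SMTP natively:
# smtps:// for implicit TLS, smtp:// plus --ssl-reqd for STARTTLS.
send_test_mail() {
  if [ "$(smtp_tls_mode "$SMTP_PORT")" = implicit ]; then
    url="smtps://$SMTP_HOST:$SMTP_PORT"
  else
    url="smtp://$SMTP_HOST:$SMTP_PORT"
  fi
  printf 'From: %s\r\nTo: %s\r\nSubject: SES VPC endpoint test\r\n\r\nSent via the interface endpoint.\r\n' \
      "$FROM_ADDR" "$TO_ADDR" |
    curl --silent --show-error --ssl-reqd --url "$url" \
      --user "${SMTP_USERNAME:-SMTP_USERNAME_PLACEHOLDER}:${SMTP_PASSWORD:-SMTP_PASSWORD_PLACEHOLDER}" \
      --mail-from "$FROM_ADDR" --mail-rcpt "$TO_ADDR" --upload-file -
}

# Network checks run only when RUN_CHECK=1; the send only when SEND_TEST=1 as well.
if [ "${RUN_CHECK:-0}" = "1" ]; then
  check_resolution
  smtp_handshake
  if [ "${SEND_TEST:-0}" = "1" ]; then
    send_test_mail
  fi
fi
```

Run `RUN_CHECK=1 sh check-ses-endpoint.sh` on the instance. If the resolution check reports a public address, the endpoint exists but is not being used, so fix private DNS (or point SMTP_HOST at the endpoint-specific DNS name from the console) before trusting that mail stays off the internet. If the handshake hangs, the usual cause is the security group on the endpoint not allowing the instance's CIDR or security group on the chosen port.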