Setting up VPC endpoints with Amazon SES - Amazon Simple Email Service

Setting up VPC endpoints with Amazon SES

Many Amazon SES customers have corporate policies in place that limit the ability of their internal systems to connect to the public internet. These policies prevent these customers from using the public Amazon SES endpoints.

To work within these restrictions, you can use Amazon Virtual Private Cloud (Amazon VPC). With Amazon VPC, you can deploy AWS resources into a virtual network that exists in an isolated area of the AWS Cloud. For more information about Amazon VPC, see the Amazon VPC User Guide.

To use Amazon SES with Amazon VPC, you must create an Amazon EC2 instance in your organization's VPC. You can then connect to this instance and use it to send email through Amazon SES. This section contains instructions for configuring your Amazon EC2 instance and creating an Amazon VPC endpoint for Amazon SES.

  • Amazon SES does not support VPC endpoints in the following Availability Zones: use1-az2, use1-az3, use1-az5, usw1-az2, usw2-az4, apne2-az4, cac1-az3, and cac1-az4.

  • The SMTP endpoint used within the VPC is restricted to the AWS Region currently being used for your account.


Before you complete the procedure in this section, you have to complete the following steps:

Setting up Amazon SES in Amazon VPC

The process of setting up a VPC endpoint to use with Amazon SES consists of a few separate steps. First, you have to identify the private IP address of the Amazon EC2 instance that you want to use with the VPC endpoint. Next, you create a security group that allows the instance to communicate with SMTP ports. After that, you create a VPC endpoint for Amazon SES. Finally, you test the connection to the VPC endpoint to ensure that it's configured properly.

Step 1: Find the private IP address of your Amazon EC2 instance

To set up an Amazon EC2 instance to use an Amazon SES VPC endpoint, you must find the private IP of the instance. You use this IP address in a later step.

To find the private IP of an Amazon EC2 instance

  1. Open the Amazon EC2 console at

  2. In the navigation pane, under Instances, choose Instances.

  3. In the list of Amazon EC2 instances, choose the instance that you want to use to connect to the VPC endpoint.

  4. In the detail pane at the bottom of the screen, on the Description tab, copy the IP address next to Private IP.

Step 2: Create the security group

In Amazon EC2, a security group lets you control inbound and outbound communications to and from your VPC. In this step, you create a security group that lets the Amazon EC2 instance communicate with SMTP endpoints.

To create the security group

  1. In the navigation pane of the Amazon EC2 console, under Network & Security, choose Security Groups.

  2. Choose Create security group.

  3. Under Basic details, do the following:

    • For Security group name, enter a unique name that identifies the security group.

    • For Description, enter some text that describes the purpose of the security group.

    • For VPC, choose the VPC that you want to use Amazon SES in.

    When you finish, the Basic details section resembles the example in the following image.

                            The Basic details window, with several fields
                                completed. The Security group name field
                                contains the following entry: "VPCEndpointSecurityGroup." The
                                    Description field contains the following:
                                "Security group for Amazon SES VPC endpoint." In the
                                    VPC field, a VPC named "vpc-example" is
  4. Under Inbound rules, choose Add rule.

  5. Under Inbound rule 1, do the following:

    • For Type, choose Custom TCP.

    • For Port range, enter the port number that you want to use to send email. You can use any of the following port numbers: 25, 465, 587, 2465, or 2587.

    • For Source type, choose Custom.

    • For Source, enter the private IP of your Amazon EC2 instance (that is, the address that you found earlier).

  6. (Optional) If you want to add an inbound rule for additional ports, choose Add rule again. Then, repeat the preceding step to add additional ports. You can create rules for any or all of the port numbers listed in the preceding step.

  7. When you finish, choose Create security group.

Step 3: Create the VPC endpoint

In Amazon VPC, a VPC endpoint lets you connect your VPC to supported AWS services. In this case, you configure Amazon VPC so that your Amazon EC2 security group can connect to Amazon SES.

To create the VPC endpoint

  1. Open the Amazon VPC console at

  2. Under Virtual Private Cloud, choose Endpoints.

  3. Choose Create Endpoint.

  4. On the Create Endpoint page, for Service category, choose AWS services.

  5. Under Service Name, use the search box to search for "email", as shown in the following image.

    Choose the email-smtp service for your current AWS Region.

  6. For VPC, choose the Virtual Private Cloud that you want to use.

  7. Under Security group, choose the security group that you created earlier, as shown in the following image.

  8. Choose Create endpoint. Wait approximately 5 minutes while Amazon VPC creates the endpoint. When the endpoint is ready to use, the value in the Status column changes to "available", as shown in the following image.

Step 4: Test the connection to the VPC endpoint

When you complete the process of configuring the VPC endpoint, you should test the connection to ensure that the VPC endpoint is configured properly. You can test the connection by using command-line tools that are included with most operating systems.

To test the connection to the VPC endpoint

  1. Connect to your Amazon EC2 instance.

    For information about connecting to Linux instances, see Connect to your Linux instance in the Amazon EC2 User Guide for Linux Instances.

    For information about connecting to Windows instances, see Getting started in the Amazon EC2 User Guide for Windows Instances.

  2. Send a test email by completing the procedure in Using the command line to send email using the Amazon SES SMTP interface.


    You have to verify an email address or domain before you can send email through Amazon SES. For more information about verifying identities, see Verified identities in Amazon SES.