Configure an endpoint service - Amazon Virtual Private Cloud

Configure an endpoint service

After you create an endpoint service, you can update its configuration.

Manage permissions

The combination of permissions and acceptance settings help you control which service consumers (AWS principals) can access your endpoint service. For example, you can grant permissions to specific principals that you trust and automatically accept all connection requests, or you can grant permissions to a wider group of principals and manually accept specific connection requests that you trust.

By default, your endpoint service is not available to service consumers. You must add permissions that allow specific AWS accounts, IAM users, and IAM roles to create an interface VPC endpoint to connect to your endpoint service. To add permissions for an AWS principal, you need its Amazon Resource Name (ARN).

ARNs for AWS principals

AWS account (includes all principals in the account)

arn:aws:iam::account_id:root

IAM user

arn:aws:iam::account_id:user/user_name

IAM role

arn:aws:iam::account_id:role/role_name

All principals in all AWS accounts

*

Consideration

If you grant everyone permission to access the endpoint service and configure the endpoint service to accept all requests, your load balancer will be public even if it has no public IP address.

To manage permissions for your endpoint service using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the endpoint service and choose the Allow principals tab.

  4. To add permissions, choose Allow principals. For Principals to add, enter the ARN of the principal. To add another principal, choose Add principal. When you are finished adding principals, choose Allow principals.

  5. To remove permissions, select the principal and choose Actions, Delete. When prompted for confirmation, enter delete and then choose Delete.

To add permissions for your endpoint service using the command line

Accept or reject connection requests

The combination of permissions and acceptance settings help you control which service consumers (AWS principals) can access your endpoint service. For example, you can grant permissions to specific principals that you trust and automatically accept all connection requests, or you can grant permissions to a wider group of principals and manually accept specific connection requests that you trust.

You can configure your endpoint service to accept connection requests automatically. Otherwise, you must accept or reject them manually. If you do not accept a connection request, the service consumer can't access your endpoint service.

You can receive a notification when a connection request is accepted or rejected. For more information, see Receive alerts for endpoint service events.

Consideration

If you grant everyone permission to access the endpoint service and configure the endpoint service to accept all requests, your load balancer will be public even if it has no public IP address.

To modify the acceptance setting using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the endpoint service.

  4. Choose Actions, Modify endpoint acceptance setting.

  5. Select or clear Acceptance required.

  6. Choose Save changes

To modify the acceptance setting using the command line

To accept or reject a connection request using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the endpoint service.

  4. From the Endpoint connections tab, select the endpoint connection.

  5. To accept the connection request, choose Actions, Accept endpoint connection request. When prompted for confirmation, enter accept and then choose Accept.

  6. To reject the connection request, choose Actions, Reject endpoint connection request. When prompted for confirmation, enter reject and then choose Reject.

To accept or reject a connection request using the command line

Change the load balancer association

You can change the load balancer that is associated with your endpoint service. You can't disassociate a load balancer if there are endpoints connected to your endpoint service.

To change the load balancers for your endpoint service using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the endpoint service.

  4. Choose Actions, Associate or disassociate load balancers.

  5. Add or remove load balancers as needed.

  6. Choose Save changes

To change the load balancers for your endpoint service using the command line

Associate a private DNS name

You can associate a private DNS name with your endpoint service. After you associate a private DNS name, you must update the entry for the domain on your DNS server. Before service consumers can use the private DNS name, the service provider must verify that they own the domain. For more information, see Manage DNS names.

To modify an endpoint service private DNS name using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the endpoint service.

  4. Choose Actions, Modify private DNS name.

  5. Select Associate a private DNS name with the service and enter the private DNS name.

    • Domain names must use lowercase.

    • You can use wildcards in domain names (for example, *.myexampleservice.com).

  6. Choose Save changes.

  7. The private DNS name is ready for use by service consumers when the verification status is verified. If the verification status changes, new connection requests are denied but existing connections are not affected.

To modify an endpoint service private DNS name using the command line

To initiate the domain verification process using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the endpoint service.

  4. Choose Actions, Verify domain ownership for private DNS name.

  5. When prompted for confirmation, enter verify and then choose Verify.

To initiate the domain verification process using the command line

Modify the supported IP address types

You can change the IP address types that are supported by your endpoint service.

Consideration

To enable your endpoint service to accept IPv6 requests, its Network Load Balancers must use the dualstack IP address type. The targets do not need to support IPv6 traffic. For more information, see IP address type in the User Guide for Network Load Balancers.

To modify the supported IP address types using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the VPC endpoint service.

  4. Choose Actions, Modify supported IP address types.

  5. For Supported IP address types, do one of the following:

    • Select IPv4 – Enable the endpoint service to accept IPv4 requests.

    • Select IPv6 – Enable the endpoint service to accept IPv6 requests.

    • Select IPv4 and IPv6 – Enable the endpoint service to accept both IPv4 and IPv6 requests.

  6. Choose Save changes.

To modify the supported IP address types using the command line

Manage tags

You can tag your resources to help you identify them or categorize them according to your organization's needs.

To manage tags for your endpoint service using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the VPC endpoint service.

  4. Choose Actions, Manage tags.

  5. For each tag to add, choose Add new tag and enter the tag key and tag value.

  6. To remove a tag, choose Remove to the right of the tag key and value.

  7. Choose Save.

To manage tags for your endpoint connections using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the VPC endpoint service and then choose the Endpoint connections tab.

  4. Select the endpoint connection and then choose Actions, Manage tags.

  5. For each tag to add, choose Add new tag and enter the tag key and tag value.

  6. To remove a tag, choose Remove to the right of the tag key and value.

  7. Choose Save.

To manage tags for your endpoint service permissions using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoint services.

  3. Select the VPC endpoint service and then choose the Allow principals tab.

  4. Select the principal and then choose Actions, Manage tags.

  5. For each tag to add, choose Add new tag and enter the tag key and tag value.

  6. To remove a tag, choose Remove to the right of the tag key and value.

  7. Choose Save.

To add and remove tags using the command line