Add or remove subnets Associate security groups Edit the VPC endpoint policy Enable private DNS names Manage tags

Configure an interface endpoint

After you create an interface VPC endpoint, you can update its configuration.

Tasks

Add or remove subnets
Associate security groups
Edit the VPC endpoint policy
Enable private DNS names
Manage tags

Add or remove subnets

You can choose one subnet per Availability Zone for your interface endpoint. If you add a subnet, we create an endpoint network interface in the subnet and assign it a private IP address from the IP address range of the subnet. If you remove a subnet, we delete its endpoint network interface. For more information, see Subnets and Availability Zones.

To change the subnets using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Endpoints.
Select the interface endpoint.
Choose Actions, Manage subnets.
Select or deselect Availability Zones as needed. For each Availability Zone, select one subnet. By default, we select IP addresses from the subnet IP address ranges and assign them to the endpoint network interfaces. To choose the IP addresses for an endpoint network interface, select Designate IP addresses and enter an IPv4 address from the subnet address range. If the endpoint service supports IPv6, you can also enter an IPv6 address from the subnet address range.

If you specify an IP address for a subnet that already has an endpoint network interface for this VPC endpoint, we replace the endpoint network interface with a new one. This processes temporarily disconnects the subnet and the VPC endpoint.
Choose Modify subnets.

To change the subnets using the command line

modify-vpc-endpoint (AWS CLI)
Edit-EC2VpcEndpoint (Tools for Windows PowerShell)

Associate security groups

You can change the security groups that are associated with the network interfaces for your interface endpoint. The security group rules control the traffic that is allowed to the endpoint network interface from the resources in your VPC.

To change the security groups using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Endpoints.
Select the interface endpoint.
Choose Actions, Manage security groups.
Select or deselect security groups as needed.
Choose Modify security groups.

To change the security groups using the command line

modify-vpc-endpoint (AWS CLI)
Edit-EC2VpcEndpoint (Tools for Windows PowerShell)

Edit the VPC endpoint policy

If the AWS service supports endpoint policies you can edit the endpoint policy for the endpoint. After you update an endpoint policy, it can take a few minutes for the changes to take effect. For more information, see Endpoint policies.

To change the endpoint policy using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Endpoints.
Select the interface endpoint.
Choose Actions, Manage policy.
Choose Full Access to allow full access to the service, or choose Custom and attach a custom policy.
Choose Save.

To change the endpoint policy using the command line

modify-vpc-endpoint (AWS CLI)
Edit-EC2VpcEndpoint (Tools for Windows PowerShell)

Enable private DNS names

You can enable private DNS names for your VPC endpoint. To use private DNS names, you must enable both DNS hostnames and DNS resolution for your VPC. After you enable private DNS names, it might take a few minutes for the private IP addresses to become available. The DNS records that we create when you enable private DNS names are private. Therefore, the private DNS name is not publicly resolvable.

To change the private DNS names option using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Endpoints.
Select the interface endpoint.
Choose Actions, Modify private DNS name.
Select or clear Enable for this endpoint as required.
If the service is Amazon S3, selecting Enable for this endpoint in the previous step also selects Enable private DNS only for inbound endpoint. If you prefer the standard private DNS functionality, clear Enable private DNS only for inbound endpoint. If you do not have a gateway endpoint for Amazon S3 in addition to an interface endpoint for Amazon S3, and you select Enable private DNS only for inbound endpoint, you'll receive an error when you save changes in the next step. For more information, see Private DNS.
Choose Save changes.

To change the private DNS names option using the command line

modify-vpc-endpoint (AWS CLI)
Edit-EC2VpcEndpoint (Tools for Windows PowerShell)

Manage tags

You can tag your interface endpoint to help you identify it or categorize it according to your organization's needs.

To manage tags using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Endpoints.
Select the interface endpoint.
Choose Actions, Manage tags.
For each tag to add choose Add new tag and enter the tag key and tag value.
To remove a tag, choose Remove to the right of the tag key and value.
Choose Save.

To manage tags using the command line

create-tags and delete-tags (AWS CLI)
New-EC2Tag and Remove-EC2Tag (Tools for Windows PowerShell)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create an interface endpoint

Receive alerts for interface endpoint events