VPC Endpoint

A VPC endpoint is a virtual device that allows you to privately connect EC2 instances within your Virtual Private Cloud (VPC) to supported AWS services and VPC endpoint services powered by PrivateLink without the need for an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP to communicate with resources in the service, and traffic between your VPC and the other service does not leave the Amazon network.

Terraform Name

aws_vpc_endpoint

VPC Endpoint

attributes:

service_name - (Required) The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
vpc_id - (Required) The ID of the VPC in which the endpoint will be used.
auto_accept - (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
policy - (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
private_dns_enabled - (Optional; AWS services and AWS Marketplace partner services only) Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
dns_options - (Optional) The DNS options for the endpoint. See dns_options below.
ip_address_type - (Optional) The IP address type for the endpoint. Valid values are ipv4, dualstack, and ipv6.
route_table_ids - (Optional) One or more route table IDs. Applicable for endpoints of type Gateway.
subnet_ids - (Optional) The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type GatewayLoadBalancer and Interface.
security_group_ids - (Optional) The ID of one or more security groups to associate with the network interface. Applicable for endpoints of type Interface. If no security groups are specified, the VPC's default security group is associated with the endpoint.
tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
vpc_endpoint_type - (Optional) The VPC endpoint type, Gateway, GatewayLoadBalancer, or Interface. Defaults to Gateway.

dns_options

dns_record_ip_type - (Optional) The DNS records created for the endpoint. Valid values are ipv4, dualstack, service-defined, and ipv6.

‍

Associating resources with a

VPC Endpoint

Resources do not "belong" to a

VPC Endpoint

Rather, one or more Security Groups are associated to a resource.

Create

VPC Endpoint

via Terraform:

The following HCL creates an interface VPC endpoint between VPC and EC2 instance

Syntax:

resource "aws_vpc_endpoint" "ec2" {
vpc_id = aws_vpc.main.id
service_name = "com.amazonaws.us-west-2.ec2"
vpc_endpoint_type = "Interface"

security_group_ids = [
aws_security_group.sg1.id,
]

private_dns_enabled = true
}

Create

VPC Endpoint

via CLI:

Parameters:

create-vpc-endpoint
[--dry-run | --no-dry-run]
[--vpc-endpoint-type <value>]
--vpc-id <value>
--service-name <value>
[--policy-document <value>]
[--route-table-ids <value>]
[--subnet-ids <value>]
[--security-group-ids <value>]
[--ip-address-type <value>]
[--dns-options <value>]
[--client-token <value>]
[--private-dns-enabled | --no-private-dns-enabled]
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-vpc-endpoint \
--vpc-id vpc-1a2b3c4d \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.us-east-1.s3 \
--subnet-ids subnet-7b16de0c \
--security-group-id sg-1a2b3c4d \
--tag-specifications ResourceType=vpc-endpoint,Tags=[{Key=service,Value=S3}]

Costs

The cost of using VPC Endpoints depends on the type of endpoint and the amount of data transferred through the endpoint. Basic data transfer costs for VPC Endpoints start at $0.01 per GB and decrease as the amount of data transferred increases.

Direct Cost

<Region>-VpcEndpoint-Hours

<Region>-VpcEndpoint-Bytes

‍

Indirect Cost

No items found.

Best Practices for

VPC Endpoint

Categorized by Availability, Security & Compliance and Cost

Medium

AMI (Amazon Machine Images) not in use

AWS Cost Optimization