VpcEndpoint
Source:
src/AWS/EC2/VpcEndpoint.ts
A VPC endpoint that connects your VPC privately to an AWS service (or a service behind a Gateway Load Balancer) without traversing the public internet, a NAT gateway, or an internet gateway.
The vpcEndpointType selects how the connection is realized:
"Gateway"— for S3 and DynamoDB; traffic is directed by adding routes to the route tables inrouteTableIds(no hourly cost)."Interface"— for most other AWS services; provisions elastic network interfaces insubnetIds, guarded bysecurityGroupIds, and optionally resolves the service’s public DNS name privately viaprivateDnsEnabled."GatewayLoadBalancer"— routes traffic through a third-party appliance fleet fronted by a Gateway Load Balancer.
Changing vpcId, serviceName, or vpcEndpointType replaces the endpoint;
route tables, subnets, security groups, DNS, and the policy update in place.
Gateway Endpoints
Section titled “Gateway Endpoints”Gateway endpoints target S3 and DynamoDB and work by injecting a prefix-list route into each route table you list, so requests to the service stay on the AWS network.
const s3Endpoint = yield* AWS.EC2.VpcEndpoint("S3Endpoint", { vpcId: vpc.vpcId, serviceName: "com.amazonaws.us-east-1.s3", vpcEndpointType: "Gateway", routeTableIds: [privateRouteTable.routeTableId], tags: { Name: "s3-endpoint" },});Listing the private subnets’ route tables in routeTableIds lets those
subnets reach S3 directly, removing NAT data-processing charges for S3 traffic
and keeping it off the public internet.
Interface Endpoints
Section titled “Interface Endpoints”Interface endpoints place an ENI in each chosen subnet and are reached over private IPs; enabling private DNS lets existing SDK calls resolve to the endpoint transparently.
const secretsEndpoint = yield* AWS.EC2.VpcEndpoint("SecretsEndpoint", { vpcId: vpc.vpcId, serviceName: "com.amazonaws.us-east-1.secretsmanager", vpcEndpointType: "Interface", subnetIds: [privateSubnet.subnetId], securityGroupIds: [endpointSecurityGroup.groupId], privateDnsEnabled: true, ipAddressType: "ipv4", dnsOptions: { dnsRecordIpType: "ipv4", },});The endpoint gets an interface in each subnetIds entry, securityGroupIds
controls who may reach those interfaces, and privateDnsEnabled: true makes
the service’s default DNS name resolve to the endpoint; ipAddressType and
dnsOptions tune the IP family used for the interfaces and their DNS records.
Restricting Access with a Policy
Section titled “Restricting Access with a Policy”const s3Endpoint = yield* AWS.EC2.VpcEndpoint("RestrictedS3Endpoint", { vpcId: vpc.vpcId, serviceName: "com.amazonaws.us-east-1.s3", vpcEndpointType: "Gateway", routeTableIds: [privateRouteTable.routeTableId], policyDocument: JSON.stringify({ Version: "2012-10-17", Statement: [ { Effect: "Allow", Principal: "*", Action: ["s3:GetObject"], Resource: ["arn:aws:s3:::my-bucket/*"], }, ], }),});policyDocument attaches an endpoint policy (JSON) that constrains which
service actions and resources can be reached through the endpoint; omit it to
allow full access to the service.