Bootstrap FreeKB - Amazon Web Services (AWS) - Create Virtual Private Cloud (VPC) Interface Endpoint using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

Virtual Private Cloud (VPC) Endpoints are used for communication between the resources in one of your Virtual Private Clouds (VPCs) and other AWS Services. The traffic stays within the Amazon network and within your VPC; it never leaves your VPC and never touches the Internet, which is good from a privacy and security perspective. For example, a Virtual Private Cloud (VPC) Endpoint can be created for services such as

  • API Gateway Execute API - com.amazonaws.us-east-1.execute-api
  • S3 Bucket - com.amazonaws.us-east-1.s3
  • Simple Notification Service (SNS) - com.amazonaws.us-east-1.sns
  • Simple Queue Service (SQS) - com.amazonaws.us-east-1.sqs
  • et cetera

There are a few different types of VPC Endpoints

  • Interface Endpoint (this article) - uses AWS PrivateLink and an Elastic Network Interface (ENI) as the entrypoint for the traffic
  • Gateway Endpoint - adds an entry to your Route Table
  • Gateway Load Balancer Endpoint

Let's say the VPC Endpoint is going to be used to keep Simple Notification Service (SNS) requests inside the VPC. Before creating the Interface Endpoint, you should be able to use the aws sns list-topics command to get the list of your Simple Notification Service (SNS) Topics.

~]# aws sns list-topics
{
    "Topics": [
        {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:my-topic"
        }
    ]
}

 

By the way, if you include the --debug flag, you should see that under the hood a POST request is being made to https://sns.us-east-1.amazonaws.com:443. More on why this matters in a moment.

~]# aws sns list-topics --debug
. . .
2024-05-05 02:51:50,224 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://sns.us-east-1.amazonaws.com/ . . .
2024-05-05 02:51:50,225 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): sns.us-east-1.amazonaws.com:443

 

The Interface Endpoint will be associated with a Security Group, so let's create a Security Group using the aws ec2 create-security-group command.

~]$ aws ec2 create-security-group --vpc-id vpc-0a9d4cb29e2748444 --group-name VpcEndpointHttps --description 'allow HTTPS port 443' --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=VpcEndpointHttps}]'
{
    "GroupId": "sg-083870552fd33fe48",
    "Tags": [
        {
            "Key": "Name",
            "Value": "VpcEndpointHttps"
        }
    ]
}

 

The aws ec2 describe-subnets command can be used to get the subnet IDs in your VPC.

~]$ aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-0a9d4cb29e2748444" | grep "SubnetId"
            "SubnetId": "subnet-0f015da3a1e164304",
            "SubnetId": "subnet-0d2d8580c46d6d280",
            "SubnetId": "subnet-02b9845e7366bdf89",
            "SubnetId": "subnet-075d4be5a8a07c818",

 

The aws ec2 create-vpc-endpoint command can be used to create the Virtual Private Cloud Endpoint.

aws ec2 create-vpc-endpoint \
--vpc-id vpc-0a9d4cb29e2748444 \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.us-east-1.sns \
--subnet-ids subnet-0f015da3a1e164304 subnet-0d2d8580c46d6d280 subnet-02b9845e7366bdf89 subnet-075d4be5a8a07c818 \
--security-group-ids sg-083870552fd33fe48 \
--tag-specifications 'ResourceType=vpc-endpoint,Tags=[{Key=service,Value=sns}]'

 

Now, let's try using the aws sns list-topics command again. It should hang and eventually time out! This happens because the request is now going to the VPC Endpoint: private DNS (enabled by default for an Interface Endpoint) now resolves sns.us-east-1.amazonaws.com to the endpoint's network interface inside the VPC, and the Security Group associated with the VPC Endpoint is not yet allowing HTTPS requests on port 443.

Let's use the aws ec2 authorize-security-group-ingress command to update the Security Group to allow incoming requests on HTTPS port 443.

aws ec2 authorize-security-group-ingress --group-id sg-083870552fd33fe48 --protocol tcp --port 443 --cidr 0.0.0.0/0
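As an added example that is not part of the original article, this Python check audits the finished setup from the JSON output of aws ec2 describe-vpc-endpoints and aws ec2 describe-security-groups: the endpoint is available with private DNS on, its Security Group reaches TCP 443, and the ingress CIDR is no wider than the VPC (the 0.0.0.0/0 rule above works because the endpoint's network interface only has private addresses in your subnets, but the VPC's own CIDR is the least-privilege choice). The JSON samples, IDs and the 10.0.0.0/16 CIDR are constructed for the demo.

```python
import ipaddress
import json

# Constructed sample output in the shape of `aws ec2 describe-vpc-endpoints`
# and `aws ec2 describe-security-groups`; IDs and CIDRs are made up for the demo.
ENDPOINTS_JSON = """{"VpcEndpoints": [{"VpcEndpointId": "vpce-0123456789abcdef0",
 "VpcEndpointType": "Interface", "ServiceName": "com.amazonaws.us-east-1.sns",
 "State": "available", "PrivateDnsEnabled": true,
 "Groups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "VpcEndpointHttps"}]}]}"""
GROUPS_JSON = """{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0",
 "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}]}"""
VPC_CIDR = "10.0.0.0/16"  # constructed; in practice taken from `aws ec2 describe-vpcs`

def wider_than_vpc(cidr, vpc_cidr):
    """True when an ingress CIDR admits addresses that are not inside the VPC."""
    net, vpc = ipaddress.ip_network(cidr), ipaddress.ip_network(vpc_cidr)
    return net.version != vpc.version or not net.subnet_of(vpc)

def audit_endpoints(endpoints_json, groups_json, vpc_cidr):
    """Return findings for every Interface endpoint; an empty list means clean."""
    groups = {g["GroupId"]: g for g in json.loads(groups_json)["SecurityGroups"]}
    findings = []
    for ep in json.loads(endpoints_json)["VpcEndpoints"]:
        if ep.get("VpcEndpointType") != "Interface":
            continue  # Gateway endpoints have no ENI and no Security Group
        eid = ep["VpcEndpointId"]
        if ep.get("State") != "available":
            findings.append(f"{eid}: state is {ep.get('State')}, not available")
        if not ep.get("PrivateDnsEnabled"):
            findings.append(f"{eid}: private DNS off, service hostname will not use the endpoint")
        for g in ep.get("Groups", []):
            sgid, allows_443 = g["GroupId"], False
            for p in groups.get(sgid, {}).get("IpPermissions", []):
                proto = p.get("IpProtocol")
                in_range = p.get("FromPort", 0) <= 443 <= p.get("ToPort", 65535)
                if proto == "-1" or (proto == "tcp" and in_range):
                    allows_443 = True  # a rule reaches TCP 443; now check how wide it is
                    for r in p.get("IpRanges", []):
                        if wider_than_vpc(r["CidrIp"], vpc_cidr):
                            findings.append(f"{eid}: {sgid} admits 443 from {r['CidrIp']}, wider than {vpc_cidr}")
            if not allows_443:
                findings.append(f"{eid}: {sgid} has no rule for TCP 443, requests will hang")
    return findings

if __name__ == "__main__":
    for line in audit_endpoints(ENDPOINTS_JSON, GROUPS_JSON, VPC_CIDR) or ["no findings"]:
        print(line)
```

Pipe the real CLI output into the two JSON arguments to run it against your own account; the sample data reports the 0.0.0.0/0 rule as wider than the VPC.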
