

# Interface VPC endpoints
<a name="reference_interface_vpc_endpoints"></a>

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and AWS Identity and Access Management (IAM) or AWS Security Token Service (AWS STS). You can use this connection so that resources in your VPC can communicate with IAM or AWS STS without going through the public internet.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. To connect your VPC to IAM or AWS STS, you define an *interface VPC endpoint* for each service. The endpoint provides reliable, scalable connectivity to IAM or AWS STS without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see [What Is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Introduction.html) in the *Amazon VPC User Guide*.

Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IP addresses. For more information, see [AWS PrivateLink for AWS Services](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html).

The following information is for users of Amazon VPC. For more information, see [Getting Started with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/GetStarted.html) in the *Amazon VPC User Guide*.

**Topics**
+ [VPC endpoint availability](#reference_vpc_endpoint_availability)
+ [Create a VPC endpoint for IAM](reference_iam_vpc_endpoint_create.md)
+ [Create a VPC endpoint for AWS STS](reference_sts_vpc_endpoint_create.md)

## VPC endpoint availability
<a name="reference_vpc_endpoint_availability"></a>

**Important**  
Interface VPC endpoints for IAM can only be created in the Region where the [IAM control plane](disaster-recovery-resiliency.md) is located. If your VPC is in a different Region from the IAM control plane Region, you must route traffic from that VPC to the VPC that contains the IAM interface VPC endpoint, for example with AWS Transit Gateway. For more information, see [Create a VPC endpoint for IAM](reference_iam_vpc_endpoint_create.md). 

IAM currently supports VPC endpoints in the following Regions:
+ US East (N. Virginia)
+ China (Beijing)
+ AWS GovCloud (US-West)

AWS STS currently supports VPC endpoints in the following Regions:
+ US East (N. Virginia)
+ US East (Ohio)
+ US West (N. California)
+ US West (Oregon)
+ Africa (Cape Town)
+ Asia Pacific (Hong Kong)
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Jakarta)
+ Asia Pacific (Melbourne)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Osaka)
+ Asia Pacific (Seoul)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Tokyo)
+ Canada (Central)
+ Canada West (Calgary)
+ China (Beijing)
+ China (Ningxia)
+ Europe (Frankfurt)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Milan)
+ Europe (Paris)
+ Europe (Spain)
+ Europe (Stockholm)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Middle East (Bahrain)
+ Middle East (UAE)
+ South America (São Paulo)
+ AWS GovCloud (US-East)
+ AWS GovCloud (US-West)

# Create a VPC endpoint for IAM
<a name="reference_iam_vpc_endpoint_create"></a>

To start using IAM with your VPC, create an interface VPC endpoint for IAM. For more information, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *AWS PrivateLink Guide*.

Interface VPC endpoints for IAM can only be created in the Region where the [IAM control plane](disaster-recovery-resiliency.md) is located. In commercial AWS Regions, the IAM control plane is located in the US East (N. Virginia) Region (us-east-1). The AWS PrivateLink interface VPC endpoint service name for IAM is `com.amazonaws.iam`. For a list of AWS Regions that support VPC endpoints for IAM, see [VPC endpoint availability](reference_interface_vpc_endpoints.md#reference_vpc_endpoint_availability). 
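The following script is an added example, not code from the IAM documentation. It creates the IAM endpoint with the AWS CLI and adds the two controls a practitioner would want on it: a security group that admits only HTTPS from the VPC, and an endpoint policy that refuses requests signed by principals outside your account, so that foreign or stolen credentials cannot use your private path to IAM. It assumes AWS CLI v2, credentials that can manage EC2, and the commercial partition (control plane in us-east-1); the group name, the `iam:*` action set and every ID, CIDR and account number are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the IAM documentation. Assumes AWS CLI v2 with
# credentials permitted to manage EC2, and the commercial partition, where the
# IAM control plane (and therefore the endpoint) lives in us-east-1.
# All IDs, CIDRs and the account number passed in are placeholders you supply.
set -eu

IAM_REGION=us-east-1            # Region of the IAM control plane
IAM_SERVICE=com.amazonaws.iam   # PrivateLink service name for IAM (not Region-qualified)

# Endpoint policy: the endpoint refuses requests from principals outside the
# given account. Tighten the action list to what your workloads actually need;
# "iam:*" is an illustrative placeholder, not a recommendation.
# Usage: endpoint_policy_json <account-id>
endpoint_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "iam:*",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:PrincipalAccount": "$1"}}
  }]
}
EOF
}

# Security group for the endpoint's network interfaces: HTTPS only, and only
# from the CIDR you name (usually the VPC's own CIDR). Prints the group ID.
# Usage: create_endpoint_sg <vpc-id> <allowed-cidr>
create_endpoint_sg() {
  local sg_id
  sg_id=$(aws ec2 create-security-group --region "$IAM_REGION" --vpc-id "$1" \
    --group-name iam-endpoint --description "HTTPS to the IAM interface endpoint" \
    --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$IAM_REGION" --group-id "$sg_id" \
    --protocol tcp --port 443 --cidr "$2" >/dev/null
  echo "$sg_id"
}

# Create the interface endpoint with private DNS enabled, so that inside this VPC
# iam.amazonaws.com resolves to the endpoint's private IP addresses and existing
# clients need no configuration change. Prints the endpoint ID.
# Usage: create_iam_endpoint <vpc-id> <account-id> <security-group-id> <subnet-id>...
create_iam_endpoint() {
  local vpc_id=$1 account_id=$2 sg_id=$3; shift 3
  aws ec2 create-vpc-endpoint --region "$IAM_REGION" --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface --service-name "$IAM_SERVICE" \
    --subnet-ids "$@" --security-group-ids "$sg_id" --private-dns-enabled \
    --policy-document "$(endpoint_policy_json "$account_id")" \
    --query VpcEndpoint.VpcEndpointId --output text
}

# Check: the endpoint serves traffic only once it reaches the "available" state.
# Usage: endpoint_state <vpce-id>
endpoint_state() {
  aws ec2 describe-vpc-endpoints --region "$IAM_REGION" --vpc-endpoint-ids "$1" \
    --query 'VpcEndpoints[0].State' --output text
}

# Example run (uncomment and substitute real IDs):
# sg=$(create_endpoint_sg vpc-0123456789abcdef0 10.0.0.0/16)
# vpce=$(create_iam_endpoint vpc-0123456789abcdef0 123456789012 "$sg" subnet-aaaa subnet-bbbb)
# until [ "$(endpoint_state "$vpce")" = available ]; do sleep 10; done
# From an instance in the VPC this call now stays on the AWS network:
# aws iam list-account-aliases --region us-east-1
```

Put the endpoint in subnets in at least two Availability Zones so that a zonal failure does not take away the private path. The endpoint policy is a second layer on top of identity policies: it cannot grant anything the caller's own permissions do not, but it does stop your endpoint from being used with credentials from another account.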

If your VPC is in a different Region from the IAM control plane Region, you must route traffic from that VPC to the VPC that contains the IAM interface VPC endpoint, for example with AWS Transit Gateway. Two details matter when you do so. First, the endpoint's private DNS name (`iam.amazonaws.com`) resolves to the endpoint only inside the VPC that contains it, so clients in the other VPC must either call the endpoint-specific DNS name returned by `describe-vpc-endpoints` or resolve `iam.amazonaws.com` through a Route 53 private hosted zone that you associate with their VPC. Second, the security group attached to the endpoint must allow inbound HTTPS (TCP 443) from the remote VPC's CIDR.

**To access an IAM interface VPC endpoint from a VPC in a different Region using AWS Transit Gateway**

1. Create a transit gateway, or use an existing transit gateway to interconnect your virtual private clouds (VPCs). A transit gateway is required for each Region. For more information, see [Create a transit gateway](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#create-tgw) in the *AWS Transit Gateway Guide*.

1. Create transit gateway VPC attachments to connect each VPC to the transit gateway. For more information, see [Create a transit gateway attachment to a VPC](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpc-attachments.html#create-vpc-attachment) in the *AWS Transit Gateway Guide*.

1. Create a transit gateway peering attachment between the two transit gateways so that traffic can route between the VPCs in the two Regions. The peering request must be accepted from the peer Region, and peering attachments do not propagate routes, so add static routes for the peer VPC's CIDR in each transit gateway route table and in each VPC route table. For more information, see [Create a peering attachment](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html#tgw-peering-create) in the *AWS Transit Gateway Guide*.

**Note**  
VPC peering connections can also route traffic between peered VPCs, but this method does not scale well with a large number of VPCs. Instead of VPC peering, we recommend AWS Transit Gateway peering attachments, which improve VPC and on-premises network management through a scalable central hub. For more information about VPC peering connections, see [Work with VPC peering connections](https://docs.aws.amazon.com/vpc/latest/peering/working-with-vpc-peering.html) in the *Amazon VPC Peering Guide*.
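The procedure above, as an added example that is not part of the IAM documentation. It assumes AWS CLI v2, credentials that can act in both Regions, an IAM interface endpoint already created in us-east-1, and two existing transit gateways with their default route tables (the page's step 1, "use an existing transit gateway"). It performs steps 2 and 3, adds the static routes the steps leave implicit, opens the endpoint's security group to the remote VPC, and then calls IAM from the remote VPC through the endpoint's own DNS name. Every ID and CIDR is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not code from the IAM documentation. Assumes AWS CLI v2,
# credentials that can act in both Regions, an IAM interface endpoint already
# created in us-east-1, and two existing transit gateways with their default
# route tables. All IDs and CIDRs below are placeholders; substitute your own.
set -eu

IAM_REGION=us-east-1
ACCOUNT_ID=123456789012
# Endpoint side (Region of the IAM control plane)
E_VPC=vpc-0aaaaaaaaaaaaaaaa; E_SUBNET=subnet-0aaaaaaaaaaaaaaaa; E_CIDR=10.0.0.0/16
E_VPC_RTB=rtb-0aaaaaaaaaaaaaaaa; E_TGW=tgw-0aaaaaaaaaaaaaaaa; E_TGW_RTB=tgw-rtb-0aaaaaaaaaaaaaaaa
E_VPCE=vpce-0aaaaaaaaaaaaaaaa; E_VPCE_SG=sg-0aaaaaaaaaaaaaaaa
# Remote side (the VPC whose workloads must reach IAM privately)
R_REGION=eu-west-1
R_VPC=vpc-0bbbbbbbbbbbbbbbb; R_SUBNET=subnet-0bbbbbbbbbbbbbbbb; R_CIDR=10.1.0.0/16
R_VPC_RTB=rtb-0bbbbbbbbbbbbbbbb; R_TGW=tgw-0bbbbbbbbbbbbbbbb; R_TGW_RTB=tgw-rtb-0bbbbbbbbbbbbbbbb

# Poll a command until it prints the wanted value. Attachments are created
# asynchronously, and a route cannot point at an attachment until it is available.
# Usage: wait_for <expected> <seconds-between-tries> <max-tries> <command...>
wait_for() {
  local want=$1 delay=$2 tries=$3; shift 3
  while [ "$tries" -gt 0 ]; do
    [ "$("$@")" = "$want" ] && return 0
    tries=$((tries - 1)); sleep "$delay"
  done
  return 1
}

# Usage: attachment_state <region> <attachment-id>  (VPC and peering attachments alike)
attachment_state() {
  aws ec2 describe-transit-gateway-attachments --region "$1" \
    --transit-gateway-attachment-ids "$2" \
    --query 'TransitGatewayAttachments[0].State' --output text
}

connect_remote_vpc() {
  local peer
  # Step 2: attach each VPC to the transit gateway in its own Region.
  aws ec2 create-transit-gateway-vpc-attachment --region "$IAM_REGION" \
    --transit-gateway-id "$E_TGW" --vpc-id "$E_VPC" --subnet-ids "$E_SUBNET" >/dev/null
  aws ec2 create-transit-gateway-vpc-attachment --region "$R_REGION" \
    --transit-gateway-id "$R_TGW" --vpc-id "$R_VPC" --subnet-ids "$R_SUBNET" >/dev/null

  # Step 3: peer the two transit gateways. The request is accepted from the peer
  # Region; the attachment carries the same ID in both Regions.
  peer=$(aws ec2 create-transit-gateway-peering-attachment --region "$IAM_REGION" \
    --transit-gateway-id "$E_TGW" --peer-transit-gateway-id "$R_TGW" \
    --peer-account-id "$ACCOUNT_ID" --peer-region "$R_REGION" \
    --query TransitGatewayPeeringAttachment.TransitGatewayAttachmentId --output text)
  wait_for pendingAcceptance 10 30 attachment_state "$R_REGION" "$peer"
  aws ec2 accept-transit-gateway-peering-attachment --region "$R_REGION" \
    --transit-gateway-attachment-id "$peer" >/dev/null
  wait_for available 15 60 attachment_state "$IAM_REGION" "$peer"

  # Static routes: peering attachments never propagate routes, so each transit
  # gateway needs a route for the other side's CIDR over the peering attachment.
  aws ec2 create-transit-gateway-route --region "$R_REGION" \
    --transit-gateway-route-table-id "$R_TGW_RTB" --destination-cidr-block "$E_CIDR" \
    --transit-gateway-attachment-id "$peer" >/dev/null
  aws ec2 create-transit-gateway-route --region "$IAM_REGION" \
    --transit-gateway-route-table-id "$E_TGW_RTB" --destination-cidr-block "$R_CIDR" \
    --transit-gateway-attachment-id "$peer" >/dev/null
  # VPC route tables: forward traffic for the other VPC's CIDR to the local
  # transit gateway in both directions (the endpoint VPC needs the return path).
  aws ec2 create-route --region "$R_REGION" --route-table-id "$R_VPC_RTB" \
    --destination-cidr-block "$E_CIDR" --transit-gateway-id "$R_TGW" >/dev/null
  aws ec2 create-route --region "$IAM_REGION" --route-table-id "$E_VPC_RTB" \
    --destination-cidr-block "$R_CIDR" --transit-gateway-id "$E_TGW" >/dev/null

  # The endpoint's security group must admit HTTPS from the remote VPC as well.
  aws ec2 authorize-security-group-ingress --region "$IAM_REGION" --group-id "$E_VPCE_SG" \
    --protocol tcp --port 443 --cidr "$R_CIDR" >/dev/null
}

# Check from an instance in the remote VPC. Private DNS for an interface endpoint
# works only inside the VPC that holds it, so call the endpoint's own DNS name
# (or publish iam.amazonaws.com to the remote VPC via a Route 53 private hosted zone).
iam_via_endpoint() {
  local dns
  dns=$(aws ec2 describe-vpc-endpoints --region "$IAM_REGION" --vpc-endpoint-ids "$E_VPCE" \
    --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text)
  aws iam list-account-aliases --region "$IAM_REGION" --endpoint-url "https://$dns"
}

# Example run: connect_remote_vpc && iam_via_endpoint
```

`--region us-east-1` is kept on the IAM call because IAM requests are signed for that Region even when sent to a custom endpoint URL. If the call hangs rather than failing, the usual causes are a missing return route in the endpoint VPC or a security group that still admits only the endpoint VPC's CIDR.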

# Create a VPC endpoint for AWS STS
<a name="reference_sts_vpc_endpoint_create"></a>

To start using AWS STS with your VPC, create an interface VPC endpoint for AWS STS. Unlike the IAM service name (`com.amazonaws.iam`), the AWS PrivateLink service name for AWS STS is Region-qualified: `com.amazonaws.<region>.sts`. For more information, see [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *AWS PrivateLink Guide*.

After you create the VPC endpoint, you must send your AWS STS requests to the matching Regional endpoint (`https://sts.<region>.amazonaws.com`). The global endpoint, `https://sts.amazonaws.com`, is not served by a VPC endpoint, so requests sent to it leave the VPC over the public path. In the AWS CLI and current SDKs, set `sts_regional_endpoints = regional` in your configuration (or the `AWS_STS_REGIONAL_ENDPOINTS` environment variable) so that calls use the Regional endpoint. In SDKs that expose `setRegion` and `setEndpoint` methods, AWS STS recommends that you use both to make calls to a Regional endpoint. You can use the `setRegion` method alone for manually enabled Regions, such as Asia Pacific (Hong Kong); in that case, the calls are directed to the STS Regional endpoint. To learn how to manually enable a Region, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) in the *AWS General Reference*. If you use the `setRegion` method alone for Regions enabled by default, the calls are directed to the global endpoint, `https://sts.amazonaws.com`.

When you use Regional endpoints, requests from resources in your VPC to AWS STS travel over the interface VPC endpoint if one exists and over the public endpoint otherwise. For example, suppose that you have created an interface VPC endpoint for AWS STS and that resources in your VPC request temporary credentials from the Regional STS endpoint. With private DNS enabled on the endpoint, the Regional hostname resolves to the endpoint's private IP addresses, so those requests and the credentials they return flow through the interface VPC endpoint by default. For more information about making Regional requests using AWS STS, see [Manage AWS STS in an AWS Region](id_credentials_temp_enable-regions.md).
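The STS endpoint setup and the Regional-endpoint configuration described above, as an added example that is not part of the IAM documentation. It creates the endpoint with the Region-qualified service name, switches the CLI and SDKs to Regional STS endpoints, and then performs the check that actually proves the private path is in use: every address that `sts.<region>.amazonaws.com` resolves to from inside the VPC must fall within the VPC's CIDR, because a public address means the request would leave through an internet or NAT gateway. The CIDR test is a small pure function so it can be exercised without AWS access. It assumes AWS CLI v2 and a glibc system (for `getent`); the Region, IDs and CIDRs are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the IAM documentation. Assumes AWS CLI v2 and a
# glibc system (for getent). Run the verification from an instance inside the
# VPC that holds the STS endpoint. Region, IDs and CIDRs are placeholders.
set -eu

# Create the interface endpoint for STS. Unlike the IAM service name
# (com.amazonaws.iam), the STS service name is Region-qualified. Prints the endpoint ID.
# Usage: create_sts_endpoint <region> <vpc-id> <security-group-id> <subnet-id>...
create_sts_endpoint() {
  local region=$1 vpc_id=$2 sg_id=$3; shift 3
  aws ec2 create-vpc-endpoint --region "$region" --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface --service-name "com.amazonaws.$region.sts" \
    --subnet-ids "$@" --security-group-ids "$sg_id" --private-dns-enabled \
    --query VpcEndpoint.VpcEndpointId --output text
}

# Point the CLI and SDKs at the Regional STS endpoint instead of the global one
# (sts.amazonaws.com), which no VPC endpoint serves. The setting is written to the
# active profile; the environment variable covers processes that ignore the config file.
use_regional_sts() {
  aws configure set sts_regional_endpoints regional
  export AWS_STS_REGIONAL_ENDPOINTS=regional
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IPv4 address $1 lies inside CIDR block $2 (for example 10.0.0.0/16).
ip_in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Every address the Regional STS hostname resolves to must belong to the VPC,
# i.e. to the endpoint's network interfaces. A public address means private DNS
# is not in effect and the call would leave over an internet or NAT gateway.
# Usage: sts_resolves_privately <region> <vpc-cidr>
sts_resolves_privately() {
  local host="sts.$1.amazonaws.com" cidr=$2 ip found=0
  for ip in $(getent ahostsv4 "$host" | awk '{print $1}' | sort -u); do
    found=1
    if ! ip_in_cidr "$ip" "$cidr"; then
      echo "$host resolves to $ip, outside $cidr: traffic would not use the endpoint" >&2
      return 1
    fi
  done
  [ "$found" -eq 1 ]
}

# Example run (substitute real values):
# vpce=$(create_sts_endpoint us-east-1 vpc-0123456789abcdef0 sg-0123456789abcdef0 subnet-aaaa subnet-bbbb)
# use_regional_sts
# sts_resolves_privately us-east-1 10.0.0.0/16 && aws sts get-caller-identity --region us-east-1
```

If `sts_resolves_privately` fails right after creation, confirm that the endpoint is in the `available` state and that the VPC has DNS hostnames and DNS resolution enabled, both of which private DNS requires. Workloads that still call `sts.amazonaws.com` bypass the endpoint entirely, so the configuration step matters as much as the endpoint itself.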