

# AWS PrivateLink for DynamoDB
<a name="privatelink-interface-endpoints"></a>

With AWS PrivateLink for DynamoDB, you can provision *interface Amazon VPC endpoints* (interface endpoints) in your virtual private cloud (Amazon VPC). These endpoints are directly accessible from applications that are on premises over VPN and Direct Connect, or in a different AWS Region over [Amazon VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html). Using AWS PrivateLink and interface endpoints, you can simplify private network connectivity from your applications to DynamoDB.

Applications in your VPC do not need public IP addresses to communicate with DynamoDB using VPC interface endpoints for DynamoDB operations. Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your Amazon VPC. Requests to DynamoDB over interface endpoints stay on the Amazon network. You can also access interface endpoints in your Amazon VPC from on-premises applications through AWS Direct Connect or AWS Virtual Private Network (Site-to-Site VPN). For more information about how to connect your Amazon VPC with your on-premises network, see the [Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) and the [AWS Site-to-Site VPN User Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html).

For general information about interface endpoints, see [Interface Amazon VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html) in the *AWS PrivateLink Guide*. AWS PrivateLink is also supported for Amazon DynamoDB Streams endpoints. For more information, see [AWS PrivateLink for DynamoDB Streams](privatelink-streams.md).

**Topics**
+ [Types of Amazon VPC endpoints for Amazon DynamoDB](#types-of-vpc-endpoints-for-ddb)
+ [Considerations when using AWS PrivateLink for Amazon DynamoDB](#privatelink-considerations)
+ [Creating an Amazon VPC endpoint](#ddb-creating-vpc)
+ [Accessing Amazon DynamoDB interface endpoints](#accessing-ddb-interface-endpoints)
+ [Accessing DynamoDB tables and control API operations from DynamoDB interface endpoints](#accessing-tables-apis-from-interface-endpoints)
+ [Updating an on-premises DNS configuration](#updating-on-premises-dns-config)
+ [Creating an Amazon VPC endpoint policy for DynamoDB](#creating-vpc-endpoint-policy)
+ [Using DynamoDB endpoints with AWS Management Console Private Access](#ddb-endpoints-private-access)
+ [AWS PrivateLink for DynamoDB Streams](privatelink-streams.md)
+ [Using AWS PrivateLink for DynamoDB Accelerator (DAX)](dax-private-link.md)

## Types of Amazon VPC endpoints for Amazon DynamoDB
<a name="types-of-vpc-endpoints-for-ddb"></a>

You can use two types of Amazon VPC endpoints to access Amazon DynamoDB: *gateway endpoints* and *interface endpoints* (by using AWS PrivateLink). A *gateway endpoint* is a gateway that you specify in your route table to access DynamoDB from your Amazon VPC over the AWS network. *Interface endpoints* extend the functionality of gateway endpoints by using private IP addresses to route requests to DynamoDB from within your Amazon VPC, on premises, or from an Amazon VPC in another AWS Region by using Amazon VPC peering or AWS Transit Gateway. For more information, see [What is Amazon VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) and [Transit Gateway vs Amazon VPC peering](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway-vs-vpc-peering.html).

Interface endpoints are compatible with gateway endpoints. If you have an existing gateway endpoint in the Amazon VPC, you can use both types of endpoints in the same Amazon VPC.


In both cases, your network traffic remains on the AWS network. The two endpoint types differ as follows.

|  Gateway endpoints for DynamoDB  |  Interface endpoints for DynamoDB  |
| --- | --- |
|  Use Amazon DynamoDB public IP addresses  |  Use private IP addresses from your Amazon VPC to access Amazon DynamoDB  |
|  Do not allow access from on premises  |  Allow access from on premises  |
|  Do not allow access from another AWS Region  |  Allow access from an Amazon VPC endpoint in another AWS Region by using Amazon VPC peering or AWS Transit Gateway  |
|  Not billed  |  Billed  |

For more information about gateway endpoints, see [Gateway Amazon VPC endpoints](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-gateway.html) in the *AWS PrivateLink Guide*.

## Considerations when using AWS PrivateLink for Amazon DynamoDB
<a name="privatelink-considerations"></a>

Amazon VPC considerations apply to AWS PrivateLink for Amazon DynamoDB. For more information, see [Interface endpoint considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html#vpce-interface-limitations) and [AWS PrivateLink quotas](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-limits-endpoints.html) in the *AWS PrivateLink Guide*. In addition, the following restrictions apply.

AWS PrivateLink for Amazon DynamoDB does not support the following:
+ Transport Layer Security (TLS) 1.1
+ Private and Hybrid Domain Name System (DNS) services

**Important**  
Do not create private hosted zones to override DynamoDB endpoint DNS names (such as `dynamodb.region.amazonaws.com` or `*.region.amazonaws.com`) to route traffic to your interface endpoints. DynamoDB DNS configurations may change over time. Custom DNS overrides are not compatible with these changes and can cause requests to unexpectedly route over public IP addresses instead of your interface endpoints.  
To access DynamoDB through AWS PrivateLink, configure your clients to use the Amazon VPC endpoint URL directly (for example, `https://vpce-1a2b3c4d-5e6f.dynamodb.region.vpce.amazonaws.com`).

You can submit up to 50,000 requests per second for each AWS PrivateLink endpoint that you enable.

**Note**  
Network connectivity timeouts to AWS PrivateLink endpoints are not within the scope of DynamoDB error responses and need to be appropriately handled by your applications connecting to the PrivateLink endpoints.

## Creating an Amazon VPC endpoint
<a name="ddb-creating-vpc"></a>

To create an Amazon VPC interface endpoint, see [Create an Amazon VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *AWS PrivateLink Guide*.

## Accessing Amazon DynamoDB interface endpoints
<a name="accessing-ddb-interface-endpoints"></a>

When you create an interface endpoint, DynamoDB generates two types of endpoint-specific DynamoDB DNS names: *Regional* and *Zonal*.
+ A *Regional* DNS name includes a unique Amazon VPC endpoint ID, a service identifier, the AWS Region, and `vpce.amazonaws.com` in its name. For example, for Amazon VPC endpoint ID `vpce-1a2b3c4d`, the DNS name generated might be similar to `vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com`.
+ A *Zonal* DNS name includes the Availability Zone—for example, `vpce-1a2b3c4d-5e6f-us-east-1a.dynamodb.us-east-1.vpce.amazonaws.com`. You might use this option if your architecture isolates Availability Zones. For example, you could use it for fault containment or to reduce Regional data transfer costs.

**Note**  
To achieve optimal reliability, we recommend deploying your service across a minimum of three Availability Zones.

## Accessing DynamoDB tables and control API operations from DynamoDB interface endpoints
<a name="accessing-tables-apis-from-interface-endpoints"></a>

You can use the AWS CLI or AWS SDKs to access DynamoDB tables and control API operations through DynamoDB interface endpoints.

### AWS CLI examples
<a name="privatelink-ddb-aws-cli-examples"></a>

To access DynamoDB tables or DynamoDB control API operations through DynamoDB interface endpoints in AWS CLI commands, use the `--region` and `--endpoint-url` parameters.

**Example: Create a VPC endpoint**

```
aws ec2 create-vpc-endpoint \
--region us-east-1 \
--service-name com.amazonaws.us-east-1.dynamodb \
--vpc-id client-vpc-id \
--subnet-ids client-subnet-id \
--vpc-endpoint-type Interface \
--security-group-ids client-sg-id
```

**Example: Modify a VPC endpoint**

```
# --policy-document and --add-security-group-ids are optional parameters shown as examples;
# see the AWS PrivateLink documentation for the other parameters you might need.
aws ec2 modify-vpc-endpoint \
--region us-east-1 \
--vpc-endpoint-id client-vpc-endpoint-id \
--policy-document policy-document \
--add-security-group-ids security-group-ids
```

**Example: List tables using an endpoint URL**

In the following example, replace the Region `us-east-1` and the DNS name of the VPC endpoint ID `vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
aws dynamodb --region us-east-1 --endpoint-url https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com list-tables
```

### AWS SDK examples
<a name="privatelink-ddb-aws-sdk-examples"></a>

To access DynamoDB tables or DynamoDB control API operations through DynamoDB interface endpoints when using the AWS SDKs, update your SDKs to the latest version. Then, configure your clients to use an endpoint URL for accessing a table or DynamoDB control API operation through DynamoDB interface endpoints.

------
#### [ SDK for Python (Boto3) ]

**Example: Use an endpoint URL to access a DynamoDB table**  
In the following example, replace the Region `us-east-1` and VPC endpoint ID `https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
import boto3

# Create a session (credentials and defaults come from the usual boto3 sources)
session = boto3.Session()

# Point the DynamoDB client at the interface endpoint; the Region still sets the signing scope
ddb_client = session.client(
    service_name='dynamodb',
    region_name='us-east-1',
    endpoint_url='https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com'
)
```

------
#### [ SDK for Java 1.x ]

**Example: Use an endpoint URL to access a DynamoDB table**  
In the following example, replace the Region `us-east-1` and VPC endpoint ID `https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;

// Build the client with an endpoint configuration that points at the interface endpoint.
// The signing Region must match the Region of the endpoint (us-east-1 here).
final AmazonDynamoDB dynamodb = AmazonDynamoDBClientBuilder.standard().withEndpointConfiguration(
        new AwsClientBuilder.EndpointConfiguration(
                "https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com",
                Regions.US_EAST_1.getName()
        )
).build();
```

------
#### [ SDK for Java 2.x ]

**Example: Use an endpoint URL to access DynamoDB table**  
In the following example, replace the Region `us-east-1` and VPC endpoint ID `https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
import java.net.URI;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.DynamoDbClient;

Region region = Region.US_EAST_1;
// Override the default endpoint with the interface endpoint URL; the Region still sets the signing scope
DynamoDbClient dynamoDbClient = DynamoDbClient.builder()
        .region(region)
        .endpointOverride(URI.create("https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com"))
        .build();
```

------

## Updating an on-premises DNS configuration
<a name="updating-on-premises-dns-config"></a>

When you use endpoint-specific DNS names to access the interface endpoints for DynamoDB, you don't have to update your on-premises DNS resolver. The endpoint-specific DNS name is published in the public DynamoDB DNS domain, and it resolves to the private IP address of the interface endpoint.

### Using interface endpoints to access DynamoDB without a gateway endpoint or an internet gateway in the Amazon VPC
<a name="using-interface-endpoints"></a>

Interface endpoints in your Amazon VPC can route both in-Amazon VPC applications and on-premises applications to DynamoDB over the Amazon network, as illustrated in the following diagram.

![Data flow diagram showing access from on-premises and in-Amazon VPC apps to DynamoDB by using an interface endpoint and AWS PrivateLink.](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/images/PrivateLink-interfaceEndpoints.png)


The diagram illustrates the following: 
+ Your on-premises network uses Direct Connect or Site-to-Site VPN to connect to Amazon VPC A.
+ Your applications on-premises and in Amazon VPC A use endpoint-specific DNS names to access DynamoDB through the DynamoDB interface endpoint.
+ On-premises applications send data to the interface endpoint in the Amazon VPC through Direct Connect (or Site-to-Site VPN). AWS PrivateLink moves the data from the interface endpoint to DynamoDB over the AWS network.
+ In-Amazon VPC applications also send traffic to the interface endpoint. AWS PrivateLink moves the data from the interface endpoint to DynamoDB over the AWS network.

### Using gateway endpoints and interface endpoints together in the same Amazon VPC to access DynamoDB
<a name="using-gateway-and-interface-endpoints"></a>

You can create interface endpoints and retain the existing gateway endpoint in the same Amazon VPC, as the following diagram shows. By taking this approach, you allow in-Amazon VPC applications to continue accessing DynamoDB through the gateway endpoint, which is not billed. Then, only your on-premises applications would use interface endpoints to access DynamoDB. To access DynamoDB this way, you must update your on-premises applications to use endpoint-specific DNS names for DynamoDB.

![Data-flow diagram showing access to DynamoDB by using gateway endpoints and interface endpoints together.](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/images/PL-Image2-InterfaceAndGatewayEP.png)


The diagram illustrates the following: 
+ On-premises applications use endpoint-specific DNS names to send data to the interface endpoint within the Amazon VPC through Direct Connect (or Site-to-Site VPN). AWS PrivateLink moves the data from the interface endpoint to DynamoDB over the AWS network.
+ Using default Regional DynamoDB names, in-Amazon VPC applications send data to the gateway endpoint that connects to DynamoDB over the AWS network.

For more information about gateway endpoints, see [Gateway Amazon VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway.html) in the *Amazon VPC User Guide*. 

## Creating an Amazon VPC endpoint policy for DynamoDB
<a name="creating-vpc-endpoint-policy"></a>

You can attach an endpoint policy to your Amazon VPC endpoint that controls access to DynamoDB. The policy specifies the following information: 
+ The AWS Identity and Access Management (IAM) principal that can perform actions 
+ The actions that can be performed 
+ The resources on which actions can be performed 

**Topics**
+ [Example: Restricting access to a specific table from an Amazon VPC endpoint](#privatelink-example-restrict-access-to-bucket)

### Example: Restricting access to a specific table from an Amazon VPC endpoint
<a name="privatelink-example-restrict-access-to-bucket"></a>

You can create an endpoint policy that restricts access to only specific DynamoDB tables. This type of policy is useful if you have other AWS services in your Amazon VPC that use tables. The following endpoint policy allows access only to `DOC-EXAMPLE-TABLE` (and its indexes and streams, through the `/*` resource). To use this endpoint policy, replace `DOC-EXAMPLE-TABLE` with the name of your table and `111122223333` with your AWS account ID.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Id": "Policy1216114807515",
  "Statement": [
    {
      "Sid": "Access-to-specific-table-only",
      "Principal": "*",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:dynamodb:us-east-1:111122223333:table/DOC-EXAMPLE-TABLE",
        "arn:aws:dynamodb:us-east-1:111122223333:table/DOC-EXAMPLE-TABLE/*"
      ]
    }
  ]
}
```

------

## Using DynamoDB endpoints with AWS Management Console Private Access
<a name="ddb-endpoints-private-access"></a>

You must set up DNS configuration for DynamoDB and DynamoDB Streams when using VPC endpoints with the [DynamoDB console](https://console.aws.amazon.com/dynamodb) in [AWS Management Console Private Access](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/console-private-access.html).

To configure DynamoDB to be accessible in AWS Management Console Private Access, you must create the following two VPC endpoints:
+ `com.amazonaws.<region>.dynamodb`
+ `com.amazonaws.<region>.dynamodb-streams`

When you create the VPC endpoints, navigate to the Route 53 console and create a private hosted zone for DynamoDB using the Regional endpoint `dynamodb.us-east-1.amazonaws.com`.

Create the following two alias records in the private hosted zone:
+ `dynamodb.<region>.amazonaws.com` that routes traffic to the VPC endpoint `com.amazonaws.<region>.dynamodb`.
+ `streams.dynamodb.<region>.amazonaws.com` that routes traffic to the VPC endpoint `com.amazonaws.<region>.dynamodb-streams`.

# AWS PrivateLink for DynamoDB Streams
<a name="privatelink-streams"></a>

With AWS PrivateLink for Amazon DynamoDB Streams, you can provision interface Amazon VPC endpoints (interface endpoints) in your virtual private cloud (Amazon VPC). These endpoints are directly accessible from applications that are on premises over VPN and Direct Connect, or in a different AWS Region over Amazon VPC peering. Using AWS PrivateLink and interface endpoints, you can simplify private network connectivity from your applications to DynamoDB Streams.

Applications in your Amazon VPC do not need public IP addresses to communicate with DynamoDB Streams using Amazon VPC interface endpoints for DynamoDB Streams operations. Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your Amazon VPC. Requests to DynamoDB Streams over interface endpoints stay on the Amazon network. You can also access interface endpoints in your Amazon VPC from on-premises applications through Direct Connect or AWS Virtual Private Network (AWS VPN). For more information about how to connect your Amazon VPC with your on-premises network, see the [Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) and the [AWS Site-to-Site VPN User Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html).

For general information about interface endpoints, see [Interface Amazon VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) (AWS PrivateLink).

**Note**  
Only interface endpoints are supported for DynamoDB Streams. Gateway endpoints are not supported.

**Topics**
+ [Considerations when using AWS PrivateLink for Amazon DynamoDB Streams](#privatelink-streams-considerations)
+ [Creating an Amazon VPC endpoint](#privatelink-streams-vpc-endpoint)
+ [Accessing Amazon DynamoDB Streams interface endpoints](#privatelink-streams-accessing-ddb-interface-endpoints)
+ [Accessing DynamoDB Streams API operations from DynamoDB Streams interface endpoints](#privatelink-streams-accessing-api-operations-from-interface-endpoints)
+ [AWS SDK examples](#privatelink-streams-aws-sdk-examples)
+ [Creating an Amazon VPC endpoint policy for DynamoDB Streams](#privatelink-streams-creating-vpc-endpoint-policy)
+ [Using DynamoDB endpoints with AWS Management Console Private Access](#ddb-streams-endpoints-private-access)

## Considerations when using AWS PrivateLink for Amazon DynamoDB Streams
<a name="privatelink-streams-considerations"></a>

Amazon VPC considerations apply to AWS PrivateLink for Amazon DynamoDB Streams. For more information, see [interface endpoint considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) and [AWS PrivateLink quotas](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-limits-endpoints.html). The following restrictions apply.

AWS PrivateLink for Amazon DynamoDB Streams doesn't support the following: 
+ Transport Layer Security (TLS) 1.1
+ Private and Hybrid Domain Name System (DNS) services

**Important**  
Do not create private hosted zones to override DynamoDB Streams endpoint DNS names to route traffic to your interface endpoints. DynamoDB DNS configurations may change over time and custom DNS overrides can cause requests to unexpectedly route over public IP addresses instead of your interface endpoints.   
 To access DynamoDB Streams through AWS PrivateLink, configure your clients to use the Amazon VPC endpoint URL directly (for example, `https://vpce-1a2b3c4d-5e6f.streams.dynamodb.region.vpce.amazonaws.com`).

**Note**  
Network connectivity timeouts to AWS PrivateLink endpoints are not within the scope of DynamoDB Streams error responses and need to be appropriately handled by your applications connecting to the AWS PrivateLink endpoints.

## Creating an Amazon VPC endpoint
<a name="privatelink-streams-vpc-endpoint"></a>

To create an Amazon VPC interface endpoint, see [Create an Amazon VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *AWS PrivateLink Guide*.

## Accessing Amazon DynamoDB Streams interface endpoints
<a name="privatelink-streams-accessing-ddb-interface-endpoints"></a>

When you create an interface endpoint, DynamoDB generates two types of endpoint-specific DynamoDB Streams DNS names: *Regional* and *Zonal*.
+ A *Regional* DNS name includes a unique Amazon VPC endpoint ID, a service identifier, the AWS Region, and `vpce.amazonaws.com` in its name. For example, for Amazon VPC endpoint ID `vpce-1a2b3c4d`, the DNS name generated might be similar to `vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com`.
+ A *Zonal* DNS name includes the Availability Zone—for example, `vpce-1a2b3c4d-5e6f-us-east-1a.streams.dynamodb.us-east-1.vpce.amazonaws.com`. You might use this option if your architecture isolates Availability Zones. For example, you could use it for fault containment or to reduce Regional data transfer costs.
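As an added example (not from the AWS documentation), the following Python check parses the Regional and Zonal endpoint-specific names described here and in the DynamoDB section above, confirms that the `--region` value matches the Region embedded in the name, and verifies that the name resolves to private addresses rather than public ones, which is the misrouting the Important notes warn about. The DNS answers are constructed and the resolver is injected, so it runs offline; `check_endpoint` and `sample_resolver` are names chosen for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Endpoint-specific DNS names in the forms described above, for both services:
#   vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com              (Regional)
#   vpce-1a2b3c4d-5e6f-us-east-1a.dynamodb.us-east-1.vpce.amazonaws.com   (Zonal)
#   vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com      (Streams)
_VPCE_NAME = re.compile(
    r"^(?P<endpoint>vpce-[0-9a-f]+-[0-9a-f]+)"
    r"(?:-(?P<az>[a-z]{2}(?:-gov)?-[a-z]+-\d[a-z]))?"
    r"\.(?P<service>streams\.dynamodb|dynamodb)"
    r"\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
    r"\.vpce\.amazonaws\.com$"
)


@dataclass
class EndpointName:
    host: str
    endpoint_id: str
    service: str                      # "dynamodb" or "streams.dynamodb"
    region: str
    availability_zone: Optional[str]  # None for a Regional name

    @property
    def is_zonal(self) -> bool:
        return self.availability_zone is not None


def parse_endpoint_url(url: str) -> EndpointName:
    """Split an https:// endpoint-specific URL into its parts.

    Raises ValueError for a non-https URL or for a host outside the vpce.amazonaws.com
    domain (for example the public name dynamodb.<region>.amazonaws.com).
    """
    m = re.fullmatch(r"https://([^/:]+)(?::443)?/?", url.strip())
    if not m:
        raise ValueError(f"not an https endpoint URL: {url!r}")
    host = m.group(1).lower()
    n = _VPCE_NAME.fullmatch(host)
    if not n:
        raise ValueError(f"not an endpoint-specific DynamoDB DNS name: {host!r}")
    return EndpointName(host, n["endpoint"], n["service"], n["region"], n["az"])


def check_endpoint(url: str, region: str,
                   resolve: Callable[[str], List[str]]) -> List[str]:
    """Return the problems found with an --endpoint-url / --region pair (empty means OK).

    `resolve` maps a host name to its A/AAAA records; it is injected so the check can
    run offline. In production, pass a resolver built on socket.getaddrinfo.
    """
    try:
        name = parse_endpoint_url(url)
    except ValueError as err:
        return [str(err)]
    problems: List[str] = []
    if name.region != region:
        problems.append(f"--region {region} does not match endpoint Region {name.region}")
    if name.is_zonal and not name.availability_zone.startswith(name.region):
        problems.append(f"zone {name.availability_zone} is not in Region {name.region}")
    addrs = resolve(name.host)
    if not addrs:
        problems.append(f"{name.host} does not resolve")
    for addr in addrs:
        # Interface endpoints are ENIs with addresses from your VPC subnets. A globally
        # routable answer means requests would not stay on the interface endpoint.
        if ipaddress.ip_address(addr).is_global:
            problems.append(f"{name.host} resolves to public address {addr}")
    return problems


# Constructed sample answers (not real DNS records) so the check runs offline.
SAMPLE_DNS = {
    "vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com": ["10.0.1.25", "10.0.2.40"],
    "vpce-1a2b3c4d-5e6f-us-east-1a.dynamodb.us-east-1.vpce.amazonaws.com": ["10.0.1.25"],
    "vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com": ["10.0.1.26"],
    # A misrouted name: it answers with a public address instead of an ENI address.
    "vpce-0badf00d-1234.dynamodb.us-east-1.vpce.amazonaws.com": ["52.94.0.1"],
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://vpce-1a2b3c4d-5e6f.dynamodb.us-east-1.vpce.amazonaws.com",
              "https://vpce-0badf00d-1234.dynamodb.us-east-1.vpce.amazonaws.com",
              "https://dynamodb.us-east-1.amazonaws.com"):
        print(u, check_endpoint(u, "us-east-1", sample_resolver) or "OK")
```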

## Accessing DynamoDB Streams API operations from DynamoDB Streams interface endpoints
<a name="privatelink-streams-accessing-api-operations-from-interface-endpoints"></a>

You can use the AWS CLI or AWS SDKs to access DynamoDB Streams API operations through DynamoDB Streams interface endpoints.

### AWS CLI examples
<a name="privatelink-streams-aws-cli-examples"></a>

To access DynamoDB Streams or API operations through DynamoDB Streams interface endpoints in AWS CLI commands, use the `--region` and `--endpoint-url` parameters.

**Example: Create a VPC endpoint**

```
aws ec2 create-vpc-endpoint \
--region us-east-1 \
--service-name com.amazonaws.us-east-1.dynamodb-streams \
--vpc-id client-vpc-id \
--subnet-ids client-subnet-id \
--vpc-endpoint-type Interface \
--security-group-ids client-sg-id
```

**Example: Modify a VPC endpoint**

```
# --policy-document and --add-security-group-ids are optional parameters shown as examples;
# see the AWS PrivateLink documentation for the other parameters you might need.
aws ec2 modify-vpc-endpoint \
--region us-east-1 \
--vpc-endpoint-id client-vpc-endpoint-id \
--policy-document policy-document \
--add-security-group-ids security-group-ids
```

**Example: List streams using an endpoint URL**

In the following example, replace the Region `us-east-1` and the DNS name of the VPC endpoint ID `vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
aws dynamodbstreams --region us-east-1 --endpoint-url https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com list-streams
```

## AWS SDK examples
<a name="privatelink-streams-aws-sdk-examples"></a>

To access Amazon DynamoDB Streams API operations through DynamoDB Streams interface endpoints when using the AWS SDKs, update your SDKs to the latest version. Then, configure your clients to use an endpoint URL for DynamoDB Streams API operation through DynamoDB Streams interface endpoints.

------
#### [ SDK for Python (Boto3) ]

**Example: Use an endpoint URL to access a DynamoDB stream**  
In the following example, replace the Region `us-east-1` and VPC endpoint ID `https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
import boto3

# Create a session (credentials and defaults come from the usual boto3 sources)
session = boto3.Session()

# Point the DynamoDB Streams client at the interface endpoint; the Region still sets the signing scope
ddb_streams_client = session.client(
    service_name='dynamodbstreams',
    region_name='us-east-1',
    endpoint_url='https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com'
)
```

------
#### [ SDK for Java 1.x ]

**Example: Use an endpoint URL to access a DynamoDB stream**  
In the following example, replace the Region `us-east-1` and VPC endpoint ID `https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBStreams;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBStreamsClientBuilder;

// Build the client with an endpoint configuration that points at the interface endpoint.
// The signing Region must match the Region of the endpoint (us-east-1 here).
final AmazonDynamoDBStreams dynamodbstreams = AmazonDynamoDBStreamsClientBuilder.standard().withEndpointConfiguration(
        new AwsClientBuilder.EndpointConfiguration(
                "https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com",
                Regions.US_EAST_1.getName()
        )
).build();
```

------
#### [ SDK for Java 2.x ]

**Example: Use an endpoint URL to access DynamoDB stream**  
In the following example, replace the Region `us-east-1` and VPC endpoint ID `https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com` with your own information.

```
import java.net.URI;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.dynamodb.streams.DynamoDbStreamsClient;

Region region = Region.US_EAST_1;
// Override the default endpoint with the interface endpoint URL; the Region still sets the signing scope
DynamoDbStreamsClient dynamoDbStreamsClient = DynamoDbStreamsClient.builder()
        .region(region)
        .endpointOverride(URI.create("https://vpce-1a2b3c4d-5e6f.streams.dynamodb.us-east-1.vpce.amazonaws.com"))
        .build();
```

------

## Creating an Amazon VPC endpoint policy for DynamoDB Streams
<a name="privatelink-streams-creating-vpc-endpoint-policy"></a>

You can attach an endpoint policy to your Amazon VPC endpoint that controls access to DynamoDB Streams. The policy specifies the following information: 
+ The AWS Identity and Access Management (IAM) principal that can perform actions 
+ The actions that can be performed 
+ The resources on which actions can be performed 

**Topics**
+ [Example: Restricting access to a specific stream from an Amazon VPC endpoint](#privatelink-streams-example-restrict-access-to-bucket)

### Example: Restricting access to a specific stream from an Amazon VPC endpoint
<a name="privatelink-streams-example-restrict-access-to-bucket"></a>

You can create an endpoint policy that restricts access to only specific DynamoDB streams. This type of policy is useful if you have other AWS services in your Amazon VPC that use DynamoDB Streams. The following endpoint policy allows access only to the stream with label `2025-02-20T11:22:33.444` on `DOC-EXAMPLE-TABLE`. To use this endpoint policy, replace `DOC-EXAMPLE-TABLE` with the name of your table, `2025-02-20T11:22:33.444` with your stream label, and `111122223333` with your AWS account ID.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Id": "Policy1216114807515",
  "Statement": [
    {
      "Sid": "Access-to-specific-stream-only",
      "Principal": "*",
      "Action": [
        "dynamodb:DescribeStream",
        "dynamodb:GetRecords"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:dynamodb:us-east-1:111122223333:table/DOC-EXAMPLE-TABLE/stream/2025-02-20T11:22:33.444"
      ]
    }
  ]
}
```

------
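The following is an added example, not part of the AWS documentation: a small evaluator in Python that applies the table policy from the DynamoDB section above and the stream policy here to sample requests, so you can confirm which actions and ARNs an endpoint policy lets through before attaching it with `--policy-document`. It handles only the `Principal`, `Action`, `Resource` and `Effect` forms these two policies use; the role ARN is a constructed placeholder, and `evaluate` and `restrict_principal` are names chosen for this example.

```python
import copy
import json
import re
from typing import Any, Dict, List

# The two endpoint policies from this page; the account ID, table name and stream
# label are the page's own placeholders.
TABLE_POLICY: Dict[str, Any] = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-table-only",
    "Principal": "*",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
    "Effect": "Allow",
    "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/DOC-EXAMPLE-TABLE",
                 "arn:aws:dynamodb:us-east-1:111122223333:table/DOC-EXAMPLE-TABLE/*"]
  }]
}""")

STREAM_POLICY: Dict[str, Any] = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-stream-only",
    "Principal": "*",
    "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords"],
    "Effect": "Allow",
    "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/DOC-EXAMPLE-TABLE/stream/2025-02-20T11:22:33.444"]
  }]
}""")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _principal_matches(spec: Any, principal: str) -> bool:
    if spec == "*":
        return True
    # {"AWS": "arn:..."} or {"AWS": ["arn:...", ...]}
    allowed = _as_list(spec.get("AWS", [])) if isinstance(spec, dict) else _as_list(spec)
    return any(p == "*" or p == principal for p in allowed)


def _statement_matches(stmt: Dict[str, Any], action: str, resource: str, principal: str) -> bool:
    # Only the Principal/Action/Resource forms used on this page are handled
    # (no NotAction, NotResource or Condition). Action names compare case-insensitively.
    if not _principal_matches(stmt.get("Principal", "*"), principal):
        return False
    if not any(_wildcard_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
        return False
    return any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             principal: str = "arn:aws:iam::111122223333:role/app-role") -> str:
    """Return "Allow" or "Deny" for one request passing through the endpoint.

    An explicit Deny wins; with no matching statement the result is an implicit Deny.
    The endpoint policy only bounds what can pass through the endpoint: the caller's
    own IAM policy must still allow the request.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def restrict_principal(policy: Dict[str, Any], role_arn: str) -> Dict[str, Any]:
    """Copy of `policy` with every "Principal": "*" narrowed to one IAM role ARN."""
    narrowed = copy.deepcopy(policy)
    for stmt in narrowed["Statement"]:
        if stmt.get("Principal") == "*":
            stmt["Principal"] = {"AWS": role_arn}
    return narrowed


if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:111122223333:table/DOC-EXAMPLE-TABLE"
    for act in ("dynamodb:GetItem", "dynamodb:DeleteTable"):
        print(act, evaluate(TABLE_POLICY, act, table))
    print("ListStreams", evaluate(STREAM_POLICY, "dynamodb:ListStreams", "*"))
```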

**Note**  
Gateway endpoints aren't supported in DynamoDB Streams.

## Using DynamoDB endpoints with AWS Management Console Private Access
<a name="ddb-streams-endpoints-private-access"></a>

You must set up DNS configuration for DynamoDB and DynamoDB Streams when using VPC endpoints with the [DynamoDB console](https://console.aws.amazon.com/dynamodb) in [AWS Management Console Private Access](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/console-private-access.html).

To configure DynamoDB to be accessible in AWS Management Console Private Access, you must create the following two VPC endpoints:
+ `com.amazonaws.<region>.dynamodb`
+ `com.amazonaws.<region>.dynamodb-streams`

When you create the VPC endpoints, navigate to the Route 53 console and create a private hosted zone for DynamoDB using the Regional endpoint `dynamodb.us-east-1.amazonaws.com`.

Create the following two alias records in the private hosted zone:
+ `dynamodb.<region>.amazonaws.com` that routes traffic to the VPC endpoint `com.amazonaws.<region>.dynamodb`.
+ `streams.dynamodb.<region>.amazonaws.com` that routes traffic to the VPC endpoint `com.amazonaws.<region>.dynamodb-streams`.

# Using AWS PrivateLink for DynamoDB Accelerator (DAX)
<a name="dax-private-link"></a>

AWS PrivateLink for DynamoDB Accelerator (DAX) enables you to securely access DAX management APIs such as `CreateCluster`, `DescribeClusters`, and `DeleteCluster` over private IP addresses within your virtual private cloud (VPC). This feature enables you to access DAX services privately from your applications without exposing traffic to the public internet.

DAX PrivateLink supports dual-stack endpoints (`dax.{region}.api.aws`), enabling both IPv4 and IPv6 connectivity. With AWS PrivateLink for DAX, customers can access the service using private DNS names. The dual-stack endpoint support ensures transparent connectivity while maintaining network privacy. This allows you to access DAX through both public internet and VPC endpoints without making any changes to your SDK configuration.

## Considerations when using AWS PrivateLink for DynamoDB Accelerator (DAX)
<a name="dax-privatelink-considerations"></a>

Before you set up an interface endpoint for DAX, consider the following:
+ DAX interface endpoints only support access to the DAX management APIs within the same AWS Region. You can't use an interface endpoint to access DAX management APIs in other Regions.
+ To access the AWS Management Console privately for DAX management, you may need to create additional VPC endpoints for services like `com.amazonaws.region.console` and related services.
+ You are charged for creating and using an interface endpoint to DAX. For pricing information, see [AWS PrivateLink pricing](https://aws.amazon.com/vpc/pricing/).

## How AWS PrivateLink works with DAX
<a name="dax-privatelink-how-it-works"></a>

When you create an interface endpoint for DAX:

1. AWS creates an endpoint network interface in each subnet you enable for the interface endpoint.

1. These are requester-managed network interfaces that serve as entry points for traffic destined for DAX.

1. You can then access DAX through private IP addresses within your VPC.

1. This architecture allows you to use VPC security groups to manage access to the endpoints.

1. Applications can access both DynamoDB and DAX through their respective interface endpoints within a VPC, while also allowing on-premises applications to connect via Direct Connect or VPN.

1. This provides a consistent connectivity model across both services, simplifies architecture, and improves security by keeping traffic within the AWS network.

## Creating Interface Endpoints for DAX
<a name="dax-privatelink-creating-endpoints"></a>

You can create an interface endpoint to connect to DAX using the AWS Management Console, AWS SDK, CloudFormation, or the AWS API.

**To create an interface endpoint for DAX using the console**

1. Navigate to the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create Endpoint**.

1. For **Service category**, choose **AWS services** and for **Service Name**, search for and select `com.amazonaws.region.dax`.

1. For **VPC**, select the VPC from which you want to access DAX and for **Subnets**, select the subnets where AWS will create the endpoint network interfaces.

1. For **Security groups**, select or create security groups to associate with the endpoint network interfaces.

1. For **Policy**, keep the default **Full Access** or customize as needed.

1. Select **Enable DNS Name** to enable private DNS for the endpoint. Keep the private DNS name enabled to prevent changes in the SDK configuration. When enabled, your applications can continue using the standard service DNS name (example: `dax.region.amazonaws.com`). AWS creates a private hosted zone in your VPC that resolves this name to your endpoint's private IP address.
**Note**  
Use Regional DNS names if required. Using zonal DNS names isn't recommended. Also, select subnets from three or more Availability Zones to ensure maximum availability through PrivateLink.

1. Choose **Create endpoint**.

**To create an interface endpoint for DAX using the AWS CLI**  
Use the `create-vpc-endpoint` command with the `vpc-endpoint-type` parameter set to `Interface` and the `service-name` parameter set to `com.amazonaws.region.dax`.

```
aws ec2 create-vpc-endpoint \
    --vpc-id vpc-ec43eb89 \
    --vpc-endpoint-type Interface \
    --service-name com.amazonaws.us-east-1.dax \
    --subnet-ids subnet-abcd1234 subnet-1a2b3c4d \
    --security-group-ids sg-1a2b3c4d \
    --private-dns-enabled
```

## Additional resources
<a name="dax-privatelink-resources"></a>

For more information about AWS PrivateLink and VPC endpoints, see the following resources:
+ [AWS PrivateLink for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/privatelink-interface-endpoints.html)
+ [AWS PrivateLink for DynamoDB Streams](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/privatelink-streams.html)
+ [Connect your VPC to services using AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html)
+ [Simplify private connectivity to DynamoDB with AWS PrivateLink](https://aws.amazon.com/blogs//database/simplify-private-connectivity-to-amazon-dynamodb-with-aws-privatelink)
+ [AWS PrivateLink Whitepaper](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-privatelink.html)