You can establish a private connection between your Amazon VPC and Amazon Q Business by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that allows you to privately access Amazon Q Business APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with Amazon Q Business APIs. Traffic between your VPC and Amazon Q Business doesn't leave the Amazon network.
Before you set up an interface VPC endpoint for Amazon Q Business, make sure that you review the prerequisites in the Amazon VPC User Guide.
Amazon Q Business currently only supports making API calls from your VPC for Amazon Q Business APIs only. Using your VPC for the web experience user interface is not supported.
Creating an interface VPC endpoint for Amazon Q Business
You can create an interface endpoint for Amazon Q Business using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI).
Create an interface endpoint for Amazon Q Business using the following service name:
aws.api.region.qbusiness
After you create a VPC endpoint, you can use the following example AWS CLI command that
uses the endpoint-url parameter to specify an interface endpoint to the
Amazon Q Business API:
aws qbusiness list-applications --endpoint-url https://VPC endpoint
VPC endpoint is the DNS name generated when the interface
endpoint is created. This name includes the VPC endpoint ID and the Amazon Q Business service name, which includes the region. For example,
vpce-1234-adbcdef-us-west-2a.qbusiness.us-west-2.vpce.amazonaws.com.
If you enable private DNS for the endpoint, you can make API requests to Amazon Q Business using its default DNS name for the region. For example,
qbusiness.us-west-2.api.aws.
For more information, see Creating an interface endpoint in the Amazon VPC User Guide.
Creating a VPC endpoint policy for Amazon Q Business
An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to Amazon Q Business through the interface endpoint. To control the access allowed to Amazon Q Business from your VPC, attach a custom endpoint policy to the interface endpoint.
An endpoint policy specifies the following information:
-
The principals/authorized users who can perform actions (AWS accounts, IAM users, and IAM roles)
-
The actions that can be performed
-
The resources on which the actions can be performed.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example: VPC endpoint policy for Amazon Q Business actions
The following is an example of an endpoint policy for Amazon Q Business. When attached to an endpoint, this policy grants access to all available Amazon Q Business actions for all principals/authorized users on all resources.
{
"Statement":[
{
"Principal":"*",
"Effect":"Allow",
"Action":[
"qbusiness:*"
],
"Resource":"*"
}
]
}