InterfaceVpcEndpointOptions
- class aws_cdk.aws_ec2.InterfaceVpcEndpointOptions(*, service, dns_record_ip_type=None, ip_address_type=None, lookup_supported_azs=None, open=None, private_dns_enabled=None, private_dns_only_for_inbound_resolver_endpoint=None, security_groups=None, service_region=None, subnets=None)
 Bases: object

Options to add an interface endpoint to a VPC.
- Parameters:
 - service (IInterfaceVpcEndpointService) – The service to use for this interface VPC endpoint.
 - dns_record_ip_type (Optional[VpcEndpointDnsRecordIpType]) – Type of DNS records created for the VPC endpoint. Default: not specified
 - ip_address_type (Optional[VpcEndpointIpAddressType]) – The IP address type for the endpoint. Default: not specified
 - lookup_supported_azs (Optional[bool]) – Limit to only those availability zones where the endpoint service can be created. Setting this to ‘true’ requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
 - open (Optional[bool]) – Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC’s CIDR range. Default: true
 - private_dns_enabled (Optional[bool]) – Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
 - private_dns_only_for_inbound_resolver_endpoint (Optional[VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint]) – Whether to enable private DNS only for inbound endpoints. Default: not specified
 - security_groups (Optional[Sequence[ISecurityGroup]]) – The security groups to associate with this interface VPC endpoint. Default: a new security group is created
 - service_region (Optional[str]) – The region where the VPC endpoint service is located. Only needs to be specified for cross-region VPC endpoints. Default: same region as the interface VPC endpoint
 - subnets (Union[SubnetSelection, Dict[str, Any], None]) – The subnets in which to create an endpoint network interface. At most one per availability zone. Default: private subnets
- ExampleMetadata:
 lit=aws-ec2/test/integ.vpc-endpoint.lit.ts infused
Example:
```python
import aws_cdk as cdk
from aws_cdk import aws_ec2 as ec2, aws_iam as iam

# The statements below run inside a Stack or Construct, where `self` is the scope.

# Add gateway endpoints when creating the VPC
vpc = ec2.Vpc(self, "MyVpc",
    gateway_endpoints={
        "S3": cdk.aws_ec2.GatewayVpcEndpointOptions(
            service=ec2.GatewayVpcEndpointAwsService.S3
        )
    }
)

# Alternatively gateway endpoints can be added on the VPC
dynamo_db_endpoint = vpc.add_gateway_endpoint("DynamoDbEndpoint",
    service=ec2.GatewayVpcEndpointAwsService.DYNAMODB
)

# This allows customizing the endpoint policy
dynamo_db_endpoint.add_to_policy(
    iam.PolicyStatement(
        # Restrict to listing and describing tables
        principals=[iam.AnyPrincipal()],
        actions=["dynamodb:DescribeTable", "dynamodb:ListTables"],
        resources=["*"]))

# Add an interface endpoint
vpc.add_interface_endpoint("EcrDockerEndpoint",
    service=ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER
)
```
Attributes
- dns_record_ip_type
 Type of DNS records created for the VPC endpoint.
- Default:
 not specified
- ip_address_type
 The IP address type for the endpoint.
- Default:
 not specified
- lookup_supported_azs
 Limit to only those availability zones where the endpoint service can be created.
Setting this to ‘true’ requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work.
- Default:
 false
- open
 Whether to automatically allow VPC traffic to the endpoint.
If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC’s CIDR range.
- Default:
 true
- private_dns_enabled
 Whether to associate a private hosted zone with the specified VPC.
This allows you to make requests to the service using its default DNS hostname.
- Default:
 set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
- private_dns_only_for_inbound_resolver_endpoint
 Whether to enable private DNS only for inbound endpoints.
- Default:
 not specified
- security_groups
 The security groups to associate with this interface VPC endpoint.
- Default:
 a new security group is created
- service
 The service to use for this interface VPC endpoint.
- service_region
 The region where the VPC endpoint service is located.
Only needs to be specified for cross-region VPC endpoints.
- Default:
 Same region as the interface VPC endpoint
- subnets
 The subnets in which to create an endpoint network interface.
At most one per availability zone.
- Default:
 private subnets
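
Because `open` defaults to true, an interface endpoint created without it accepts traffic from the whole VPC CIDR range. The following audit of a synthesized template for endpoints left in that state is an added example, not part of the CDK documentation or the CDK project's code. It assumes the VPC is defined in the same template, so the rule's `CidrIp` appears as a `Fn::GetAtt` on the VPC's `CidrBlock`; the sample template and all logical IDs in it are constructed.

```python
def _sg(ingress):
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"VpcId": {"Ref": "Vpc"}, "SecurityGroupIngress": [ingress]}}

def _endpoint(sg_id):
    return {"Type": "AWS::EC2::VPCEndpoint",
            "Properties": {"VpcEndpointType": "Interface", "VpcId": {"Ref": "Vpc"},
                           "SecurityGroupIds": [{"Fn::GetAtt": [sg_id, "GroupId"]}]}}

# Constructed sample: trimmed resources in the shape of a synthesized template.
TEMPLATE = {"Resources": {
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"VpcId": {"Ref": "Vpc"}}},
    # Shape assumed for open=True: HTTPS allowed from the VPC's CIDR block.
    "OpenEpSg": _sg({"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": {"Fn::GetAtt": ["Vpc", "CidrBlock"]}}),
    "OpenEp": _endpoint("OpenEpSg"),
    # open=False plus an explicit rule: HTTPS allowed only from one security group.
    "LockedEpSg": _sg({"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "SourceSecurityGroupId": {"Fn::GetAtt": ["AppSg", "GroupId"]}}),
    "LockedEp": _endpoint("LockedEpSg"),
}}

def _logical_id(value):
    """Logical ID behind {"Ref": id} or {"Fn::GetAtt": [id, attr]}, else None."""
    if not isinstance(value, dict):
        return None
    att = value.get("Fn::GetAtt")
    return value.get("Ref") or (att[0] if isinstance(att, list) and att else None)

def vpc_wide_endpoints(template):
    """Logical IDs of interface endpoints whose security group admits the whole VPC CIDR."""
    res = template.get("Resources", {})
    flagged = []
    for name, r in res.items():
        props = r.get("Properties", {})
        if r.get("Type") != "AWS::EC2::VPCEndpoint" or props.get("VpcEndpointType") != "Interface":
            continue
        vpc_cidr = {"Fn::GetAtt": [_logical_id(props.get("VpcId")), "CidrBlock"]}
        rules = [rule for sg in props.get("SecurityGroupIds", [])
                 for rule in res.get(_logical_id(sg), {}).get("Properties", {})
                                .get("SecurityGroupIngress", [])]
        if any(rule.get("CidrIp") == vpc_cidr for rule in rules):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(vpc_wide_endpoints(TEMPLATE))
```

To run it against a real stack, load the JSON template that `cdk synth` writes to `cdk.out` and pass the parsed dict to `vpc_wide_endpoints`.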