

# VPC-ENI in AWS Device Farm
<a name="vpc-eni"></a>

**Warning**  
This feature is only available on [private devices](https://docs.aws.amazon.com/devicefarm/latest/developerguide/working-with-private-devices.html). To request private device use on your AWS account, please [contact us](mailto:aws-devicefarm-support@amazon.com). If you already have private devices added to your AWS account, we strongly recommend using this method of VPC connectivity.

AWS Device Farm's VPC-ENI connectivity feature lets you securely connect test devices to private endpoints hosted on AWS, to on-premises software, or to services at another cloud provider. 

You can connect both Device Farm mobile devices and their host machines to an Amazon Virtual Private Cloud (Amazon VPC) environment in the `us-west-2` Region, which enables access to isolated, non-internet-facing services and applications through an [elastic network interface](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ElasticNetworkInterfaces.html). For more information on VPCs, see the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/). 

If your private endpoint or VPC is not in the `us-west-2` Region, you can link it with a VPC in the `us-west-2` Region using solutions such as a [Transit Gateway](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html) or [VPC Peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html). In such situations, Device Farm will create an ENI in a subnet you provide for your `us-west-2` Region VPC, and you'll be responsible for ensuring that a connection can be established between the `us-west-2` Region VPC and the VPC in the other Region.

![\[AWS Device Farm architecture with on-premises and cloud components for mobile app testing.\]](http://docs.aws.amazon.com/devicefarm/latest/developerguide/images/VPC-ENI-Customer-Flow.jpg)


For information on using AWS CloudFormation to automatically create and peer VPCs, see the [VPCPeering templates](https://github.com/awslabs/aws-cloudformation-templates/tree/master/aws/solutions/VPCPeering) in the AWS CloudFormation template repository on GitHub. 

**Note**  
Device Farm doesn't charge anything for creating ENIs in a customer's VPC in `us-west-2`. The cost for cross-Region or external inter-VPC connectivity isn't included in this feature.

Once you configure VPC access, the devices and host machines that you use for your tests can reach only what is routable from the ENI's subnet. They won't be able to connect to resources outside the VPC (for example, public CDNs) unless the subnet's route table sends internet-bound traffic to a NAT gateway in the VPC; the VPC configuration itself has no setting for this. For more information, see [NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) in the *Amazon VPC User Guide*. 

**Topics**
+ [AWS access control and IAM](vpc-eni-access-control.md)
+ [Service-linked roles](vpc-eni-service-linked-role.md)
+ [Prerequisites](vpc-eni-prerequisites.md)
+ [Connecting to Amazon VPC](connecting-to-amazon-vpc.md)
+ [Limits](vpc-eni-limits.md)
+ [Using Amazon VPC endpoint services with Device Farm - Legacy (not recommended)](amazon-vpc-endpoints.md)

# AWS access control and IAM
<a name="vpc-eni-access-control"></a>

AWS Device Farm allows you to use [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) (IAM) to create policies granting or restricting access to Device Farm's features. To use the VPC connectivity feature, the IAM user or role that you use to access Device Farm needs a policy that grants at least the following permissions. The `devicefarm:*` statement below is broader than the VPC feature itself requires; if you follow least privilege, replace it with the Device Farm actions your workflow actually calls and keep the EC2 and IAM statements as shown:

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Action": [
        "devicefarm:*",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/devicefarm.amazonaws.com/AWSServiceRoleForDeviceFarm",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "devicefarm.amazonaws.com"
        }
      }
    }
  ]
}
```

------

To create or update a Device Farm project with a VPC configuration, your IAM policy must allow you to call the following actions against the resources listed in the VPC configuration:

```
"ec2:DescribeVpcs"
"ec2:DescribeSubnets"
"ec2:DescribeSecurityGroups"
"ec2:CreateNetworkInterface"
```

Additionally, your IAM policy must also allow for the creation of the service-linked role:

```
"iam:CreateServiceLinkedRole"
```

**Note**  
None of these permissions are required for users who don't use VPC configurations in their projects.

# Service-linked roles
<a name="vpc-eni-service-linked-role"></a>

AWS Device Farm uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Device Farm. Service-linked roles are predefined by Device Farm and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up Device Farm easier because you don’t have to manually add the necessary permissions. Device Farm defines the permissions of its service-linked roles, and unless defined otherwise, only Device Farm can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your Device Farm resources because you can't inadvertently remove permission to access them.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for Device Farm
<a name="slr-permissions"></a>

Device Farm uses the service-linked role named **AWSServiceRoleForDeviceFarm** – Allows Device Farm to access AWS resources on your behalf.

The AWSServiceRoleForDeviceFarm service-linked role trusts the following services to assume the role:
+ `devicefarm.amazonaws.com`

The role permissions policy allows Device Farm to complete the following actions:
+ For your account
  + Describe network interfaces, VPCs, subnets, and security groups
  + Create network interfaces in any subnet with any security group, but only when the request tags the new interface with `AWSDeviceFarmManaged=true`
  + Modify network interface attributes that reference your security groups and instances
+ For network interfaces
  + Create tags, but only as part of the `CreateNetworkInterface` call
+ For EC2 network interfaces managed by Device Farm (tagged `AWSDeviceFarmManaged=true`)
  + Create network interface permissions
  + Delete network interfaces
  + Modify network interface attributes

The tag conditions are what keep the role from deleting or modifying interfaces it did not create, so don't apply that tag to ENIs of your own.

The full IAM policy reads:

------
#### [ JSON ]

```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeVpcs",
				"ec2:DescribeSubnets",
				"ec2:DescribeSecurityGroups"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:CreateNetworkInterface"
			],
			"Resource": [
				"arn:aws:ec2:*:*:subnet/*",
				"arn:aws:ec2:*:*:security-group/*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:CreateNetworkInterface"
			],
			"Resource": [
				"arn:aws:ec2:*:*:network-interface/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/AWSDeviceFarmManaged": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:CreateTags"
			],
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": "CreateNetworkInterface"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:CreateNetworkInterfacePermission",
				"ec2:DeleteNetworkInterface"
			],
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/AWSDeviceFarmManaged": "true"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:ModifyNetworkInterfaceAttribute"
			],
			"Resource": [
				"arn:aws:ec2:*:*:security-group/*",
				"arn:aws:ec2:*:*:instance/*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:ModifyNetworkInterfaceAttribute"
			],
			"Resource": "arn:aws:ec2:*:*:network-interface/*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/AWSDeviceFarmManaged": "true"
				}
			}
		}
	]
}
```

------

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.
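The following Python script is an added example, not code from the Device Farm documentation or service. It models enough of IAM policy evaluation (action wildcards, resource ARN globs, `StringEquals`/`StringLike` conditions, explicit-deny precedence) to check two things from this section offline: that an identity policy grants every action listed under AWS access control and IAM, and that the tag conditions in the service-linked role policy stop the role from deleting or modifying ENIs that Device Farm did not create. The account ID and ENI ID are placeholders, and the evaluator is an approximation of IAM, not a replacement for the IAM policy simulator.

```python
"""Added example, not from the Device Farm documentation: a small IAM policy
evaluator that models action wildcards, resource ARN globs, StringEquals and
StringLike conditions, and explicit-deny precedence. It checks (1) that an
identity policy grants the actions this page lists for VPC-ENI and (2) that the
AWSServiceRoleForDeviceFarm policy can only delete or modify ENIs carrying the
AWSDeviceFarmManaged=true tag. Account and resource IDs are placeholders."""
import fnmatch

ACCOUNT = "111122223333"  # placeholder account ID
SLR_ARN = (f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/"
           "devicefarm.amazonaws.com/AWSServiceRoleForDeviceFarm")
SUBNET_ARN = f"arn:aws:ec2:us-west-2:{ACCOUNT}:subnet/subnet-09b1a45f9cac53717"
ENI_ARN = f"arn:aws:ec2:us-west-2:{ACCOUNT}:network-interface/eni-0123456789abcdef0"

# Identity policy from "AWS access control and IAM", condensed.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["devicefarm:*", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups", "ec2:CreateNetworkInterface"]},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/devicefarm.amazonaws.com/AWSServiceRoleForDeviceFarm",
     "Condition": {"StringLike": {"iam:AWSServiceName": "devicefarm.amazonaws.com"}}}]}

# AWSServiceRoleForDeviceFarm permissions policy from this section, condensed.
NI = "arn:aws:ec2:*:*:network-interface/*"
MANAGED = {"StringEquals": {"aws:ResourceTag/AWSDeviceFarmManaged": "true"}}
SLR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeNetworkInterfaces",
     "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"]},
    {"Effect": "Allow", "Action": "ec2:CreateNetworkInterface",
     "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*"]},
    {"Effect": "Allow", "Action": "ec2:CreateNetworkInterface", "Resource": NI,
     "Condition": {"StringEquals": {"aws:RequestTag/AWSDeviceFarmManaged": "true"}}},
    {"Effect": "Allow", "Action": "ec2:CreateTags", "Resource": NI,
     "Condition": {"StringEquals": {"ec2:CreateAction": "CreateNetworkInterface"}}},
    {"Effect": "Allow", "Resource": NI, "Condition": MANAGED,
     "Action": ["ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface"]},
    {"Effect": "Allow", "Action": "ec2:ModifyNetworkInterfaceAttribute",
     "Resource": ["arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:instance/*"]},
    {"Effect": "Allow", "Action": "ec2:ModifyNetworkInterfaceAttribute",
     "Resource": NI, "Condition": MANAGED}]}


def _list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(cond, ctx):
    """Every condition key must match the request context; keys are AND-ed."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringLike"):
            raise ValueError(f"condition operator {op} is not modelled")
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:  # a missing key never satisfies a positive condition
                return False
            if op == "StringEquals" and have not in _list(want):
                return False
            if op == "StringLike" and not any(fnmatch.fnmatchcase(have, w) for w in _list(want)):
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request. Action names match
    case-insensitively with '*' wildcards, resources match ARN globs, and an
    explicit Deny overrides any Allow, as in IAM."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for st in _list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _list(st.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _list(st.get("Resource", []))):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def missing_vpc_eni_permissions(policy):
    """Actions from "AWS access control and IAM" that `policy` does not grant.
    EC2 Describe* calls take no resource ARN, so they are checked against '*'."""
    checks = [("ec2:DescribeVpcs", "*", {}), ("ec2:DescribeSubnets", "*", {}),
              ("ec2:DescribeSecurityGroups", "*", {}),
              ("ec2:CreateNetworkInterface", SUBNET_ARN, {}),
              ("iam:CreateServiceLinkedRole", SLR_ARN,
               {"iam:AWSServiceName": "devicefarm.amazonaws.com"})]
    return [a for a, r, c in checks if evaluate(policy, a, r, c) != "Allow"]


def slr_can_delete_eni(managed_tag):
    """May the service-linked role delete an ENI whose AWSDeviceFarmManaged tag has
    this value? None means the tag is absent, i.e. an ENI Device Farm did not create."""
    ctx = {} if managed_tag is None else {"aws:ResourceTag/AWSDeviceFarmManaged": managed_tag}
    return evaluate(SLR_POLICY, "ec2:DeleteNetworkInterface", ENI_ARN, ctx) == "Allow"


if __name__ == "__main__":
    print("missing from the page's policy:", missing_vpc_eni_permissions(USER_POLICY))
    print("SLR may delete a managed ENI:", slr_can_delete_eni("true"))
    print("SLR may delete a foreign ENI:", slr_can_delete_eni(None))
```

Run it as a script to print the three checks, or import it and call `missing_vpc_eni_permissions()` on a policy document you fetched with `aws iam get-policy-version`. The instructive negative case is an ENI without the `AWSDeviceFarmManaged` tag: every mutating statement in the role policy is conditioned on that tag, so the role gets an implicit deny for it, which is the property that makes the service-linked role safe to keep in an account with other ENIs.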

## Creating a service-linked role for Device Farm
<a name="create-slr"></a>

When you provide a VPC config for a mobile testing project, you don't need to manually create a service-linked role. When you create your first Device Farm resource in the AWS Management Console, the AWS CLI, or the AWS API, Device Farm creates the service-linked role for you. 

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create your first Device Farm resource, Device Farm creates the service-linked role for you again. 

You can also use the IAM console to create a service-linked role with the **Device Farm** use case. In the AWS CLI or the AWS API, create a service-linked role with the `devicefarm.amazonaws.com` service name. For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for Device Farm
<a name="edit-slr"></a>

Device Farm does not allow you to edit the AWSServiceRoleForDeviceFarm service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for Device Farm
<a name="delete-slr"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the Device Farm service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForDeviceFarm service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Device Farm service-linked roles
<a name="slr-regions"></a>

Device Farm is available only in US West (Oregon), and that is the only Region in which the AWSServiceRoleForDeviceFarm role is used. The following table lists the support status by Region. For the current list of Device Farm endpoints, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).


****  

| Region name | Region identity | Support in Device Farm | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | No | 
| US East (Ohio) | us-east-2 | No | 
| US West (N. California) | us-west-1 | No | 
| US West (Oregon) | us-west-2 | Yes | 
| Asia Pacific (Mumbai) | ap-south-1 | No | 
| Asia Pacific (Osaka) | ap-northeast-3 | No | 
| Asia Pacific (Seoul) | ap-northeast-2 | No | 
| Asia Pacific (Singapore) | ap-southeast-1 | No | 
| Asia Pacific (Sydney) | ap-southeast-2 | No | 
| Asia Pacific (Tokyo) | ap-northeast-1 | No | 
| Canada (Central) | ca-central-1 | No | 
| Europe (Frankfurt) | eu-central-1 | No | 
| Europe (Ireland) | eu-west-1 | No | 
| Europe (London) | eu-west-2 | No | 
| Europe (Paris) | eu-west-3 | No | 
| South America (São Paulo) | sa-east-1 | No | 
| AWS GovCloud (US) | us-gov-west-1 | No | 

# Prerequisites
<a name="vpc-eni-prerequisites"></a>

The following list describes some requirements and suggestions to review when creating VPC-ENI configurations:
+ Private devices must be assigned to your AWS Account.
+ You must use an IAM user or role that is allowed to create a service-linked role (`iam:CreateServiceLinkedRole`). When you configure a VPC-ENI connection, Device Farm creates the AWSServiceRoleForDeviceFarm IAM service-linked role on your behalf. 
+ Device Farm can connect to VPCs only in the `us-west-2` Region. If you don't have a VPC in the `us-west-2` Region, you need to create one. Then, to access resources in a VPC in another Region, you must establish a peering connection between the VPC in the `us-west-2` Region and the VPC in the other Region. For information on peering VPCs, see the [Amazon VPC Peering Guide](https://docs.aws.amazon.com/vpc/latest/peering/).

  You should verify that you have access to your specified VPC when you configure the connection. The principal you use must also hold the `ec2:DescribeVpcs`, `ec2:DescribeSubnets`, `ec2:DescribeSecurityGroups`, and `ec2:CreateNetworkInterface` permissions listed under AWS access control and IAM. 
+ DNS resolution (the `enableDnsSupport` VPC attribute) must be enabled in the VPC that you use.
+ Once your VPC has been created, you will need the following information about the VPC in the `us-west-2` Region:
  + VPC ID
  + Subnet IDs (private subnets only)
  + Security group IDs
+ You must configure Amazon VPC connections on a per-project basis. At this time, you can configure only one VPC configuration per project. When a session starts, Device Farm creates an elastic network interface in one of the subnets you specified and attaches the security groups you specified to it. All future sessions associated with the project will use the configured VPC connection.
+ You cannot use VPC-ENI configurations along with the legacy VPCE feature. 
+ We strongly recommend **not updating an existing project** with a VPC-ENI configuration as existing projects may have VPCE settings that persist on the run level. Instead, if you already use the existing VPCE features, use VPC-ENI for all new projects.

# Connecting to Amazon VPC
<a name="connecting-to-amazon-vpc"></a>

You can configure a project to use a VPC-ENI connection when you create it and update the configuration later. The VPC-ENI configuration is set on a per-project basis, and a project can have only one VPC-ENI configuration at any given time. To configure VPC access for a project, you must know the following details:
+ The VPC ID in `us-west-2` if your app is hosted there or the `us-west-2` VPC ID that connects to some other VPC in a different Region. 
+ The applicable security groups to apply to the connection.
+ The subnets that will be associated with the connection. When a session starts, the largest available subnet is used. We recommend having multiple subnets associated with different availability zones to improve the availability posture of your VPC connectivity.
+ When using VPC-ENI, the DNS resolver used by the Device Farm test hosts and devices will be the server provided by DHCP services in the customer subnet. In a default configuration, this will be the VPC's default resolver. Customers wishing to specify custom DNS resolvers may configure a DHCP Option Set in their VPC.

You can create or update a project's VPC-ENI configuration from the console or the AWS CLI as follows.

------
#### [ Console ]

1. Sign in to the Device Farm console at [https://console.aws.amazon.com/devicefarm](https://console.aws.amazon.com/devicefarm).

1. On the Device Farm navigation panel, choose **Mobile Device Testing**, then choose **Projects**.

1. Under **Mobile Testing projects**, choose the name of your project from the list.

1. Choose **Project settings**.

1. In the **Virtual Private Cloud (VPC) Settings** section, you can change the `VPC`, `Subnets` (private subnets only), and `Security Groups`.

1. Choose **Save**.

------
#### [ CLI ]

Use the following AWS CLI command to update the VPC configuration of an existing project:

```
$  aws devicefarm update-project \
--arn arn:aws:devicefarm:us-west-2:111122223333:project:12345678-1111-2222-333-456789abcdef \
--vpc-config \
securityGroupIds=sg-02c1537701a7e3763,sg-005dadf9311efda25,\
subnetIds=subnet-09b1a45f9cac53717,subnet-09b1a45f9cac12345,\
vpcId=vpc-0238fb322af81a368
```

You can also configure an Amazon VPC when creating your project:

```
$  aws devicefarm create-project \
--name VPCDemo \
--vpc-config \
securityGroupIds=sg-02c1537701a7e3763,sg-005dadf9311efda25,\
subnetIds=subnet-09b1a45f9cac53717,subnet-09b1a45f9cac12345,\
vpcId=vpc-0238fb322af81a368
```

------

# Limits
<a name="vpc-eni-limits"></a>

The following limitations are applicable to the VPC-ENI feature:
+ You can provide up to five security groups in the VPC configuration of a Device Farm project. 
+ You can provide up to eight subnets in the VPC configuration of a Device Farm project.
+ When configuring a Device Farm project to work with your VPC, the smallest subnet you can provide must have a minimum of five available IPv4 addresses.
+ Public IP addresses aren't supported at this time. Instead, we recommend that you use private subnets in your Device Farm projects. If you need public internet access during your tests, point the subnet's default route at a [network address translation (NAT) gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html). Configuring a Device Farm project with a public subnet doesn't give your tests internet access or a public IP address.
+ VPC-ENI integration only supports private subnets in your VPC.
+ Only outgoing traffic from the service-managed ENI is supported. The ENI cannot receive unsolicited inbound requests from the VPC, so inbound rules on the security groups you attach to it have no effect on test traffic. What matters is that those groups allow the outbound traffic your tests generate, and that the services under test allow inbound traffic from those security groups or from the subnets' CIDR ranges.
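The following Python script is an added example, not code from the Device Farm documentation or service. It covers the prerequisites, the connection details and the limits above in one pre-flight check: given the JSON that `aws ec2 describe-subnets`, `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return, it verifies that a proposed configuration stays within the subnet and security-group limits, that every subnet is private (no default route to an internet gateway) and has at least five free IPv4 addresses, that everything belongs to one `us-west-2` VPC, and it warns when the subnets share a single Availability Zone or have no NAT egress. The three documents are constructed for the example; every ID in them is a placeholder.

```python
"""Added example, not from the Device Farm documentation: pre-flight checks for a
VPC-ENI project configuration, run over the JSON returned by `aws ec2 describe-subnets`,
`describe-route-tables` and `describe-security-groups` before you call
`aws devicefarm update-project`. It enforces this page's limits (1-8 subnets, 1-5
security groups, at least 5 free IPv4 addresses, private subnets only, one us-west-2
VPC). The documents below are constructed; every ID is a placeholder."""

VPC_ID = "vpc-0238fb322af81a368"
SUBNETS = {"Subnets": [  # A: private with NAT, B: private via main table, C: public
    {"SubnetId": "subnet-09b1a45f9cac53717", "VpcId": VPC_ID, "AvailabilityZone": "us-west-2a", "AvailableIpAddressCount": 250},
    {"SubnetId": "subnet-09b1a45f9cac12345", "VpcId": VPC_ID, "AvailabilityZone": "us-west-2b", "AvailableIpAddressCount": 120},
    {"SubnetId": "subnet-0f0f0f0f0f0f0f0f0", "VpcId": VPC_ID, "AvailabilityZone": "us-west-2c", "AvailableIpAddressCount": 200}]}
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0main", "VpcId": VPC_ID, "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-0priv", "VpcId": VPC_ID, "Associations": [{"SubnetId": "subnet-09b1a45f9cac53717"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d4e5f60718"}]},
    {"RouteTableId": "rtb-0pub", "VpcId": VPC_ID, "Associations": [{"SubnetId": "subnet-0f0f0f0f0f0f0f0f0"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]}]}
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-02c1537701a7e3763", "VpcId": VPC_ID},
    {"GroupId": "sg-005dadf9311efda25", "VpcId": VPC_ID},
    {"GroupId": "sg-0deadbeef00000001", "VpcId": "vpc-0000000000000000a"}]}  # wrong VPC


def effective_route_table(subnet_id, vpc_id, route_tables):
    """A subnet uses its explicitly associated route table, else the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """'igw' (public subnet), 'nat' (private with egress) or None (no default route)."""
    if not rt:
        return None
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId"):
            return "nat"
    return None


def validate_vpc_config(vpc_id, subnet_ids, sg_ids, subnets_doc, rt_doc, sg_doc):
    """Return (errors, warnings); submit the configuration only if errors is empty."""
    errors, warnings = [], []
    if not 1 <= len(subnet_ids) <= 8:
        errors.append(f"{len(subnet_ids)} subnets given; Device Farm accepts 1 to 8")
    if not 1 <= len(sg_ids) <= 5:
        errors.append(f"{len(sg_ids)} security groups given; Device Farm accepts 1 to 5")
    subnets = {s["SubnetId"]: s for s in subnets_doc["Subnets"]}
    groups = {g["GroupId"]: g for g in sg_doc["SecurityGroups"]}
    zones, has_nat = set(), False
    for sid in subnet_ids:
        s = subnets.get(sid)
        if s is None:
            errors.append(f"{sid}: not found")
            continue
        if s["VpcId"] != vpc_id:
            errors.append(f"{sid}: belongs to {s['VpcId']}, not {vpc_id}")
        if not s["AvailabilityZone"].startswith("us-west-2"):
            errors.append(f"{sid}: not in us-west-2, the only Region Device Farm connects to")
        if s["AvailableIpAddressCount"] < 5:
            errors.append(f"{sid}: {s['AvailableIpAddressCount']} free IPv4 addresses, minimum 5")
        target = default_route_target(effective_route_table(sid, vpc_id, rt_doc["RouteTables"]))
        if target == "igw":
            errors.append(f"{sid}: public subnet (default route to an internet gateway)")
        has_nat = has_nat or target == "nat"
        zones.add(s["AvailabilityZone"])
    for gid in sg_ids:
        g = groups.get(gid)
        if g is None:
            errors.append(f"{gid}: not found")
        elif g["VpcId"] != vpc_id:
            errors.append(f"{gid}: belongs to {g['VpcId']}, not {vpc_id}")
    if len(zones) < 2:
        warnings.append("all subnets are in one Availability Zone; spread them across zones")
    if not has_nat:
        warnings.append("no subnet routes 0.0.0.0/0 to a NAT gateway; tests get no internet access")
    return errors, warnings


def vpc_config_shorthand(vpc_id, subnet_ids, sg_ids):
    """The --vpc-config value in the CLI shorthand syntax used on this page."""
    return (f"securityGroupIds={','.join(sg_ids)},"
            f"subnetIds={','.join(subnet_ids)},vpcId={vpc_id}")


if __name__ == "__main__":
    chosen_subnets = ["subnet-09b1a45f9cac53717", "subnet-09b1a45f9cac12345"]
    chosen_groups = ["sg-02c1537701a7e3763", "sg-005dadf9311efda25"]
    print(validate_vpc_config(VPC_ID, chosen_subnets, chosen_groups, SUBNETS, ROUTE_TABLES, SECURITY_GROUPS))
    print("--vpc-config", vpc_config_shorthand(VPC_ID, chosen_subnets, chosen_groups))
```

To use it against a real account, dump the three describe calls to files with `--output json`, load them with `json.load`, and call `validate_vpc_config` with the IDs you intend to pass to `update-project`. The route-table lookup mirrors how a VPC resolves routing: an explicit subnet association wins, otherwise the main route table applies, which is why a subnet with no association of its own can still be public if the main table has an internet gateway route.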

# Using Amazon VPC endpoint services with Device Farm - Legacy (not recommended)
<a name="amazon-vpc-endpoints"></a>

**Warning**  
We strongly recommend using the VPC-ENI connectivity described on [this page](https://docs.aws.amazon.com/devicefarm/latest/developerguide/vpc-eni.html) for private endpoint connectivity, as VPCE is now considered a legacy feature. VPC-ENI provides more flexibility and simpler configuration, is more cost-efficient, and requires significantly less maintenance overhead than the VPCE connectivity method.

**Note**  
Using Amazon VPC Endpoint Services with Device Farm is only supported for customers with configured private devices. To enable your AWS account to use this feature with private devices, please [contact us](mailto:aws-devicefarm-support@amazon.com).

Amazon Virtual Private Cloud (Amazon VPC) is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, routing tables, and network gateways.

If you use Amazon VPC to host private applications in the US West (Oregon) (`us-west-2`) AWS Region, you can establish a private connection between your VPC and Device Farm. With this connection, you can use Device Farm to test private applications without exposing them through the public internet. To enable your AWS account to use this feature with private devices, [contact us](mailto:aws-devicefarm-support@amazon.com).

To connect a resource in your VPC to Device Farm, you can use the Amazon VPC console to create a VPC endpoint service. This endpoint service lets you provide the resource in your VPC to Device Farm through a Device Farm VPC endpoint. The endpoint service provides reliable, scalable connectivity to Device Farm without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see [VPC endpoint services (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html) in the *AWS PrivateLink Guide*.

**Important**  
The Device Farm VPC endpoint feature helps you securely connect private internal services in your VPC to the Device Farm public VPC by using AWS PrivateLink connections. Although the connection is secure and private, that security depends on your protection of your AWS credentials. If your AWS credentials are compromised, an attacker can access or expose your service data to the outside world.

After you create a VPC endpoint service in Amazon VPC, you can use the Device Farm console to create a VPC endpoint configuration in Device Farm. This topic shows you how to create the Amazon VPC connection and the VPC endpoint configuration in Device Farm.

## Before you begin
<a name="device-farm-vpce-configuration-before-you-begin"></a>

The following information is for Amazon VPC users in the US West (Oregon) (`us-west-2`) Region, with a subnet in each of the following Availability Zones: us-west-2a, us-west-2b, and us-west-2c.

Device Farm has additional requirements for the VPC endpoint services that you can use it with. When you create and configure a VPC endpoint service to work with Device Farm, make sure that you choose options that meet the following requirements:
+ The Availability Zones for the service must include us-west-2a, us-west-2b, and us-west-2c. The Network Load Balancer that's associated with a VPC endpoint service determines the Availability Zones for that VPC endpoint service. If your VPC endpoint service doesn't show all three of these Availability Zones, you must re-create your Network Load Balancer to enable these three zones, and then reassociate the Network Load Balancer with your endpoint service.
+ The allowed principals for the endpoint service must include the Amazon Resource Name (ARN) of the Device Farm VPC endpoint (service ARN). After you create your endpoint service, add the Device Farm VPC endpoint service ARN to your allow list to give Device Farm permission to access your VPC endpoint service. To get the Device Farm VPC endpoint service ARN, [contact us](mailto:aws-devicefarm-support@amazon.com).

In addition, if you keep the **Acceptance required** setting turned on when you create your VPC endpoint service, you must manually accept each connection request that Device Farm sends to the endpoint service. To change this setting for an existing endpoint service, choose the endpoint service on the Amazon VPC console, choose **Actions**, and then choose **Modify endpoint acceptance setting**. For more information, see [Change the load balancers and acceptance settings](https://docs.aws.amazon.com/vpc/latest/privatelink/modify-endpoint-service.html) in the *AWS PrivateLink Guide*.

The next section explains how to create an Amazon VPC endpoint service that meets these requirements.

## Step 1: Creating a Network Load Balancer
<a name="device-farm-create-nlb"></a>

The first step in establishing a private connection between your VPC and Device Farm is to create a Network Load Balancer to route requests to a target group.

------
#### [ New console ]

**To create a Network Load Balancer using the new console**

1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2).

1. In the navigation pane, under **Load balancing**, choose **Load balancers**.

1. Choose **Create load balancer**.

1. Under **Network load balancer**, choose **Create**.

1. On the **Create network load balancer** page, under **Basic configuration**, do the following:

   1. Enter a load balancer **Name**.

   1. For **Scheme**, choose **Internal**.

1. Under **Network mapping**, do the following:

   1. Choose the **VPC** for your target group.

   1. Select the following **Mappings**:
      + `us-west-2a`
      + `us-west-2b`
      + `us-west-2c`

1. Under **Listeners and routing**, use the **Protocol** and **Port** options to choose your target group.
**Note**  
By default, cross-availability zone load balancing is disabled.  
Because the load balancer uses the Availability Zones `us-west-2a`, `us-west-2b`, and `us-west-2c`, it either requires targets to be registered in each of those Availability Zones, or, if you register targets in fewer than all three zones, it requires that you enable cross-zone load balancing. Otherwise, the load balancer might not work as expected.

1. Choose **Create load balancer**.

------
#### [ Old console ]

**To create a Network Load Balancer using the old console**

1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2).

1. In the navigation pane, under **Load balancing**, choose **Load balancers**.

1. Choose **Create load balancer**.

1. Under **Network load balancer**, choose **Create**.

1. On the **Configure load balancer** page, under **Basic configuration**, do the following:

   1. Enter a load balancer **Name**.

   1. For **Scheme**, choose **Internal**.

1. Under **Listeners**, select the **Protocol** and **Port** that your target group is using.

1. Under **Availability zones**, do the following:

   1. Choose the **VPC** for your target group.

   1. Select the following **Availability zones**:
      + `us-west-2a`
      + `us-west-2b`
      + `us-west-2c`

   1. Choose **Next: configure security settings**.

1. (Optional) Configure your security settings, then choose **Next: configure routing**.

1. On the **Configure Routing** page, do the following:

   1. For **Target group**, choose **Existing target group**.

   1. For **Name**, choose your target group.

   1. Choose **Next: register targets**.

1. On the **Register targets** page, review your targets, then choose **Next: review**.
**Note**  
By default, cross-availability zone load balancing is disabled.  
Because the load balancer uses the Availability Zones `us-west-2a`, `us-west-2b`, and `us-west-2c`, it either requires targets to be registered in each of those Availability Zones, or, if you register targets in fewer than all three zones, it requires that you enable cross-zone load balancing. Otherwise, the load balancer might not work as expected.

1. Review your load balancer configuration, then choose **Create**.

------

## Step 2: Creating an Amazon VPC endpoint service
<a name="device-farm-vpce-configuration-vpc-endpoint"></a>

After creating the Network Load Balancer, use the Amazon VPC console to create an endpoint service in your VPC.

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Under **Resources by region**, choose **Endpoint services**.

1. Choose **Create endpoint service**.

1. Do one of the following:
   + If you already have a Network Load Balancer that you want the endpoint service to use, choose it under **Available load balancers**, and then continue to step 5.
   + If you haven't yet created a Network Load Balancer, choose **Create new load balancer**. The Amazon EC2 console opens. Follow the steps in [Creating a Network Load Balancer](#device-farm-create-nlb) beginning with step 3, then continue with these steps in the Amazon VPC console.

   

1. For **Included availability zones**, verify that `us-west-2a`, `us-west-2b`, and `us-west-2c` appear in the list.

1. If you don't want to manually accept or deny each connection request that is sent to the endpoint service, under **Additional settings**, clear **Acceptance required**. If you clear this check box, the endpoint service automatically accepts each connection request that it receives.

1. Choose **Create**.

1. In the new endpoint service, choose **Allow principals**.

1. [Contact us](mailto:aws-devicefarm-support@amazon.com) to get the ARN of the Device Farm VPC endpoint (service ARN) to add to the allow list for the endpoint service, and then add that service ARN to the allow list for the service.

1. On the **Details** tab for the endpoint service, make a note of the name of the service (**service name**). You need this name when you create the VPC endpoint configuration in the next step.

Your VPC endpoint service is now ready to use with Device Farm.
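The following Python script is an added example, not code from the Device Farm documentation or service. It checks an endpoint service created in Steps 1 and 2 against the requirements listed under Before you begin, using the JSON that `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-service-permissions` return: all three Availability Zones must be covered, the allow list must contain the Device Farm principal and must not be opened to every AWS account with `*`, and acceptance-required services are flagged because each Device Farm connection then has to be accepted by hand. Both documents are constructed, and `DEVICE_FARM_PRINCIPAL` is a placeholder for the ARN that AWS support provides.

```python
"""Added example, not from the Device Farm documentation: check a legacy VPCE
endpoint service against the requirements in "Before you begin", using the JSON
returned by `aws ec2 describe-vpc-endpoint-service-configurations` and
`describe-vpc-endpoint-service-permissions`. Both documents below are constructed,
and DEVICE_FARM_PRINCIPAL stands in for the ARN that AWS support gives you."""

REQUIRED_ZONES = {"us-west-2a", "us-west-2b", "us-west-2c"}
DEVICE_FARM_PRINCIPAL = "arn:aws:iam::000000000000:role/placeholder-device-farm"  # placeholder

SERVICE_CONFIGS = {"ServiceConfigurations": [{
    "ServiceId": "vpce-svc-0123456789abcdef0",
    "ServiceName": "com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0",
    "ServiceState": "Available",
    "AvailabilityZones": ["us-west-2a", "us-west-2b"],  # NLB was created without us-west-2c
    "AcceptanceRequired": True,
    "NetworkLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:us-west-2:111122223333:loadbalancer/net/df-nlb/0123456789abcdef"]}]}
PERMISSIONS = {"AllowedPrincipals": [{"PrincipalType": "All", "Principal": "*"}]}  # open to everyone


def check_endpoint_service(config_doc, perms_doc, device_farm_principal):
    """Return (errors, warnings) for the first endpoint service in config_doc.
    Errors either stop Device Farm from connecting or expose the service too widely."""
    svc = config_doc["ServiceConfigurations"][0]
    sid = svc["ServiceId"]
    errors, warnings = [], []
    missing = REQUIRED_ZONES - set(svc.get("AvailabilityZones", []))
    if missing:
        errors.append(f"{sid}: NLB does not cover {sorted(missing)}; re-create it with all three zones")
    principals = {p["Principal"] for p in perms_doc.get("AllowedPrincipals", [])}
    if "*" in principals:
        errors.append(f"{sid}: allow list contains '*', so any AWS account can connect; allow only Device Farm")
    if device_farm_principal not in principals:
        errors.append(f"{sid}: the Device Farm principal is not on the allow list")
    if svc.get("AcceptanceRequired"):
        warnings.append(f"{sid}: acceptance required; every Device Farm connection request must be accepted by hand")
    if svc.get("ServiceState") != "Available":
        warnings.append(f"{sid}: service state is {svc.get('ServiceState')}")
    return errors, warnings


if __name__ == "__main__":
    errors, warnings = check_endpoint_service(SERVICE_CONFIGS, PERMISSIONS, DEVICE_FARM_PRINCIPAL)
    for line in errors + warnings:
        print(line)
```

The `*` check is the one worth keeping even after the service works: AWS PrivateLink treats `*` as "any principal in any AWS account", so a service left that way is reachable by anyone who learns its service name, which defeats the point of the private connection.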

## Step 3: Creating a VPC endpoint configuration in Device Farm
<a name="device-farm-edit-devicefarm-settings-vpc-endpoint"></a>

After you create an endpoint service in Amazon VPC, you can create an Amazon VPC endpoint configuration in Device Farm.

1. Sign in to the Device Farm console at [https://console.aws.amazon.com/devicefarm](https://console.aws.amazon.com/devicefarm).

1. In the navigation pane, choose **Mobile device testing**, then **Private devices**.

1. Choose **VPCE configurations**.

1. Choose **Create VPCE configuration**.

1. Under **Create a new VPCE configuration**, enter a **Name** for the VPC endpoint configuration.

1. For **VPCE service name**, enter the name of the Amazon VPC endpoint service (**service name**) that you noted in the Amazon VPC console. The name looks like `com.amazonaws.vpce.us-west-2.vpce-svc-id`.

1. For **Service DNS name**, enter the service DNS name for the app that you want to test (for example, `devicefarm.com`). Don't specify `http` or `https` before the service DNS name.

   The domain name is not accessible through the public internet. In addition, this new domain name, which maps to your VPC endpoint service, is generated by Amazon Route 53 and is available exclusively for you in your Device Farm session.

1. Choose **Save**.  
![\[The Create a New VPC Configuration page with sample data\]](http://docs.aws.amazon.com/devicefarm/latest/developerguide/images/aws-device-farm-create-vpce-configuration.png)

## Step 4: Creating a test run
<a name="device-farm-create-test-run"></a>

After you save the VPC endpoint configuration, you can use the configuration to create test runs or remotely access sessions. For more information, see [Creating a test run in Device Farm](how-to-create-test-run.md) or [Creating a session](how-to-create-session.md).