How does Elastic Disaster Recovery interact with interface VPC endpoints? - AWS Elastic Disaster Recovery

How does Elastic Disaster Recovery interact with interface VPC endpoints?

If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your Amazon VPC and AWS Elastic Disaster Recovery. You can use this connection to allow AWS Elastic Disaster Recovery to communicate with your resources on your VPC without going through the public internet.

Amazon VPC is an AWS service that you can use to launch AWS resources in a virtual network that you define. With a VPC, you have control over your network settings, such as the IP address range, subnets, route tables, and network gateways. With VPC endpoints, the routing between the Amazon VPC and AWS services is handled by the AWS network, and you can use IAM policies to control access to service resources.

To connect your VPC to Elastic Disaster Recovery, you define an interface VPC endpoint for Elastic Disaster Recovery. An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported AWS service. The endpoint provides reliable, scalable connectivity to Elastic Disaster Recovery without requiring an internet gateway, network address translation (NAT) instance, or VPN connection. For more information, see What is Amazon VPC in the Amazon VPC User Guide.

Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that facilitates private communication between AWS services using an elastic network interface with private IP addresses. For more information, see AWS PrivateLink.

For more information, see Getting Started in the Amazon VPC User Guide.

If the AWS Replication Agents are installed using a principal that has AWSElasticDisasterRecoveryAgentInstallationPolicy attached, and a VPC endpoint (VPCE) policy is used to scope down access, add the following statement to your endpoint policy:

{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "execute-api:Invoke",
  "Resource": "arn:aws:execute-api:<region>::*/POST/CreateSessionForDrs"
}
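As an added example (not from the AWS documentation), the following Python merges the statement above into an existing scoped-down endpoint policy and checks whether a policy already grants the agent's CreateSessionForDrs call. The sample policy, account ID, role name and region are constructed placeholders.

```python
"""Add the DRS agent-installation statement to a VPC endpoint policy (example code)."""
import copy
import json

# Statement from the documentation; <region> is filled in per deployment.
def drs_agent_statement(region: str) -> dict:
    return {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "execute-api:Invoke",
        "Resource": f"arn:aws:execute-api:{region}::*/POST/CreateSessionForDrs",
    }

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allows_create_session(policy: dict, region: str) -> bool:
    """True if an Allow statement covers execute-api:Invoke on the DRS resource.
    Simplified check: Principal and Condition elements are not evaluated."""
    target = drs_agent_statement(region)["Resource"]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        action_ok = any(a in actions for a in ("execute-api:Invoke", "execute-api:*", "*"))
        resource_ok = target in resources or "*" in resources
        if action_ok and resource_ok:
            return True
    return False

def ensure_drs_agent_statement(policy: dict, region: str) -> dict:
    """Return a copy of the policy with the statement appended if it is missing."""
    merged = copy.deepcopy(policy)
    merged.setdefault("Version", "2012-10-17")
    merged.setdefault("Statement", [])
    if not allows_create_session(merged, region):
        merged["Statement"].append(drs_agent_statement(region))
    return merged

# Constructed sample: a scoped-down endpoint policy that only lets one role call DRS.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleDrsRole"},
        "Action": "drs:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(ensure_drs_agent_statement(SAMPLE_POLICY, "us-east-1"), indent=2))
```

The printed document is what you would supply as the endpoint's policy document; without the appended statement, agent installation through the endpoint would be denied by the scoped-down policy.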