Limitations and restrictions of AWS PrivateLink for AWS Organizations Creating a VPC endpoint Creating a VPC endpoint policy for AWS Organizations

AWS PrivateLink for AWS Organizations

With AWS PrivateLink for AWS Organizations, you can access the AWS Organizations service from within the Virtual Private Cloud (VPC) without having to cross the public internet.

Amazon VPC lets you launch AWS resources in a custom virtual network. You can use a VPC to control your network settings, such as the IP address range, subnets, route tables, and network gateways. For more information about VPCs, see the Amazon VPC User Guide.

To connect your Amazon VPC to AWS Organizations, you must first define an interface VPC endpoint (interface endpoints). Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your VPC. Requests from your VPC to AWS Organizations over interface endpoints stay on the Amazon network.

For general information about interface endpoints, see Access an AWS service using an interface VPC endpoint in the Amazon VPC User Guide.

Topics

Limitations and restrictions of AWS PrivateLink for AWS Organizations
Creating a VPC endpoint
Creating a VPC endpoint policy for AWS Organizations

Limitations and restrictions of AWS PrivateLink for AWS Organizations

VPC limitations apply to AWS PrivateLink for AWS Organizations. For more information, see Access an AWS service using an interface VPC endpoint and AWS PrivateLink quotas in the Amazon VPC User Guide. In addition, the following restrictions apply:

Only available in the us-east-1 region
Doesn’t support Transport Layer Security (TLS) 1.1

Creating a VPC endpoint

You can create an AWS Organizations endpoint in your VPC using the Amazon VPC Console, the AWS Command Line Interface (AWS CLI) or AWS CloudFormation.

For information about creating and configuring an endpoint using the Amazon VPC console or the AWS CLI, see Create a VPC endpoint in the Amazon VPC User Guide. For information about creating and configuring an endpoint using AWS CloudFormation, see the AWS::EC2::VPCEndpoint resource in the AWS CloudFormation User Guide.

When you create an AWS Organizations endpoint, use the following as the service name:


com.amazonaws.us-east-1.organizations

If you require FIPS 140-2 validated cryptographic modules when accessing AWS, use the following AWS Organizations FIPS service name:


com.amazonaws.us-east-1.organizations-fips

Creating a VPC endpoint policy for AWS Organizations

You can attach an endpoint policy to your VPC endpoint that controls access to Organizations. The policy specifies the following information:

The principal that can perform actions.
The actions that can be performed.
The resources on which actions can be performed.

For more information, see Control access to VPC endpoints using endpoint policies in the Amazon VPC User Guide.

Example: VPC endpoint policy for AWS Organizations actions


{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "Organizations:DescribeAccount"
         ],
         "Resource":"*"
      }
   ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security

IAM and Organizations