Resource configurations for VPC resources
A resource configuration represents a resource or a group of resources that you want to make accessible to clients in other VPCs and accounts. By defining a resource configuration, you allow private, secure, unidirectional network connectivity to resources in your VPC from clients in other VPCs and accounts: connections are initiated only by the client, and the resource cannot open connections back into the client VPC. A resource configuration is tied to a resource gateway through which it receives traffic. For a resource to be accessed from another VPC, it must have a resource configuration.
Types of resource configurations
A resource configuration can be of several types; each type represents a different kind of resource:
- Single resource configuration: Represents one IP address or one domain name. It can be shared independently.
- Group resource configuration: A collection of child resource configurations. It can be used to represent a group of DNS and IP address endpoints.
- Child resource configuration: A member of a group resource configuration, representing one IP address or one domain name. It can't be shared independently; it can only be shared as part of a group. It can be added to and removed from a group at any time, and once added it is automatically accessible to everyone who can access the group.
- ARN resource configuration: Represents a supported resource type that is provisioned by an AWS service. Any group/child relationship is handled automatically.
The following image shows a single, child, and group resource configuration:
Resource gateway
A resource configuration is tied to a resource gateway. A resource gateway is a set of elastic network interfaces (ENIs) that serve as the point of ingress into the VPC that contains the resource. Multiple resource configurations can be tied to the same resource gateway. When clients in other VPCs or accounts access a resource in your VPC, the resource sees the traffic as coming locally from the resource gateway's IP addresses in that VPC, not from the client's addresses. The resource's security groups and network ACLs must therefore allow traffic from the gateway's addresses (or the gateway's security group) on the configured ports; rules written against client addresses will never match.
Resource definition
In the resource configuration, identify the resource in one of the following ways:
- By an Amazon Resource Name (ARN): Supported resource types that are provisioned by AWS services, such as Amazon RDS databases, can be identified by their ARN.
- By a domain-name target: You can use any domain name that is publicly resolvable.
- By an IP address: IPv4 and IPv6 addresses are both supported, but the address must be in the VPC that contains the resource gateway; addresses outside that VPC are not supported.
Protocol
When you create a resource configuration, you define the protocols that the resource supports. Currently, only TCP is supported.
Port ranges
When you create a resource configuration, you define the port ranges on which it accepts requests. Client connections to any other port are not allowed, so the port ranges act as a coarse allow-list in front of the resource.
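The following is an added example, not code from this page or from AWS. It assembles and sanity-checks the request for a resource configuration of each type described above (single, group, child, ARN), enforces the resource definition rules (exactly one of ARN, domain name or IP address; IP addresses must lie inside the VPC's CIDRs), the TCP-only protocol rule and the port-range format, and shows how a client port is matched against the configured ranges. The parameter names (`type`, `protocol`, `portRanges`, `resourceGatewayIdentifier`, `resourceConfigurationGroupIdentifier`, `resourceConfigurationDefinition` with `ipResource`, `dnsResource` and `arnResource`, `allowAssociationToShareableServiceNetwork`) follow the VPC Lattice CreateResourceConfiguration API as the author understands it and should be treated as assumptions to verify against the API reference; the returned dict is what you would pass to boto3's `create_resource_configuration(**params)`. Everything runs offline.

```python
"""Build and sanity-check a VPC Lattice CreateResourceConfiguration request.

Added example, not AWS code. Parameter names are the author's reading of the
VPC Lattice API (an assumption); the VPC CIDRs and IDs used are constructed.
"""
import ipaddress
import re

VALID_TYPES = {"SINGLE", "GROUP", "CHILD", "ARN"}
PORT_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
# Shape check only: partition, service, region, 12-digit account, resource.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{12}:.+$")
# Hostname syntax only; "publicly resolvable" can only be verified with a live lookup.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_port_ranges(port_ranges):
    """Turn ["80", "1024-2048"] into [(80, 80), (1024, 2048)], rejecting bad input."""
    parsed = []
    for spec in port_ranges:
        m = PORT_RANGE_RE.match(spec)
        if not m:
            raise ValueError(f"bad port range {spec!r}; use 'N' or 'N-M'")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range {spec!r} is out of order or outside 1-65535")
        parsed.append((lo, hi))
    return parsed


def port_allowed(port_ranges, port):
    """True if a client connection to `port` lands inside the configured ranges."""
    return any(lo <= port <= hi for lo, hi in parse_port_ranges(port_ranges))


def build_resource_configuration(name, cfg_type, *, resource_gateway_id=None,
                                 vpc_cidrs=(), ip_address=None, domain_name=None,
                                 ip_address_type="IPV4", arn=None, group_id=None,
                                 port_ranges=("443",), protocol="TCP",
                                 allow_shareable_service_network=False):
    """Validate the inputs and return the request parameters as a dict."""
    if cfg_type not in VALID_TYPES:
        raise ValueError(f"type must be one of {sorted(VALID_TYPES)}")
    if protocol != "TCP":  # only TCP is supported today
        raise ValueError("only protocol 'TCP' is supported")

    params = {"name": name, "type": cfg_type, "protocol": protocol}

    if cfg_type == "CHILD":
        # A child inherits gateway and ports from its group and is shared only via the group.
        if not group_id or resource_gateway_id:
            raise ValueError("CHILD needs a group identifier and no gateway of its own")
        params["resourceConfigurationGroupIdentifier"] = group_id
    else:
        if not resource_gateway_id:
            raise ValueError(f"{cfg_type} needs a resource gateway")
        params["resourceGatewayIdentifier"] = resource_gateway_id
        parse_port_ranges(port_ranges)  # raises on malformed input
        params["portRanges"] = list(port_ranges)
        # Opt-out from transitive sharing via shareable service networks (assumed
        # to apply to the shareable types SINGLE, GROUP and ARN, not to CHILD).
        params["allowAssociationToShareableServiceNetwork"] = allow_shareable_service_network

    if cfg_type == "GROUP":
        return params  # a group carries no definition; its children do

    # SINGLE, CHILD and ARN carry exactly one resource definition.
    given = [x for x in (ip_address, domain_name, arn) if x]
    if len(given) != 1:
        raise ValueError("give exactly one of ip_address, domain_name, arn")
    if arn:
        if cfg_type != "ARN" or not ARN_RE.match(arn):
            raise ValueError("ARN definitions require type ARN and a well-formed ARN")
        definition = {"arnResource": {"arn": arn}}
    elif cfg_type == "ARN":
        raise ValueError("type ARN requires an ARN definition")
    elif ip_address:
        addr = ipaddress.ip_address(ip_address)
        # Only addresses inside the resource gateway's VPC are supported.
        if not any(addr in ipaddress.ip_network(c) for c in vpc_cidrs):
            raise ValueError(f"{ip_address} is not inside the VPC CIDRs {list(vpc_cidrs)}")
        definition = {"ipResource": {"ipAddress": ip_address}}
    else:
        if not DOMAIN_RE.match(domain_name):
            raise ValueError(f"{domain_name!r} is not a valid domain name")
        definition = {"dnsResource": {"domainName": domain_name,
                                      "ipAddressType": ip_address_type}}
    params["resourceConfigurationDefinition"] = definition
    return params
```

The checks run before any API call, so a misplaced IP address or an over-broad port range like `1-65535` is caught in review rather than discovered after the resource is already reachable from another account.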
Accessing resources
Consumers can access resource configurations directly from their VPC using a VPC endpoint, or through a service network. As a consumer, you can enable access from your VPC to a resource configuration that is in your account or that has been shared with you from another account through AWS RAM.
- Accessing a resource configuration directly: You can create an AWS PrivateLink VPC endpoint of type resource (a resource endpoint) in your VPC to access a resource configuration privately from your VPC. For more information on how to create a resource endpoint, see Accessing VPC resources in the AWS PrivateLink User Guide.
- Accessing a resource configuration through a service network: You can associate a resource configuration with a service network and connect your VPC to that service network, either through a service network VPC association or through an AWS PrivateLink service network VPC endpoint. For more information on service network associations, see Manage the associations for a VPC Lattice service network. For more information on service network VPC endpoints, see Access service networks in the AWS PrivateLink User Guide.
Association with service network type
When you share a resource configuration with a consumer account, for example Account-B, through AWS RAM, Account-B can access the resource configuration either directly through a resource VPC endpoint or through a service network.
To access a resource configuration through a service network, Account-B must associate the resource configuration with a service network. Service networks are themselves shareable between accounts, so Account-B can share the service network that the resource configuration is associated with to Account-C, making your resource accessible from Account-C, an account you never shared with.
To prevent such transitive sharing, you can specify that your resource configuration cannot be associated with service networks that are shareable between accounts. If you do, Account-B cannot add your resource configuration to a service network that is shared, or that can be shared, with another account in the future; only a service network on which sharing is disabled qualifies.
Types of service networks
When you share a resource configuration with another account, for example Account-B, through AWS RAM, Account-B can access the resources specified in the resource configuration in one of three ways:
- Using a VPC endpoint of type resource (a resource VPC endpoint).
- Using a VPC endpoint of type service network (a service network VPC endpoint).
- Using a service network VPC association.
For the last two, the resource configuration must be associated with a service network in Account-B. Because service networks are shareable between accounts, Account-B can share the service network that contains the resource configuration with Account-C, making your resource accessible from Account-C. To prevent such transitive sharing, disallow your resource configuration from being added to service networks that are shareable between accounts; Account-B then cannot add it to a service network that is shared, or that can be shared, with another account.
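The following is an added example, not code from this page or from AWS, illustrating the transitive-sharing scenario from the two sections above. It models the resource owner's opt-out flag (assumed name `allowAssociationToShareableServiceNetwork`) and the service network's sharing switch (assumed name `sharingConfig.enabled`) and, for a set of candidate service networks in Account-B, reports whether the association would be permitted and which accounts would gain access to the resource without ever appearing in the owner's RAM resource share. The account IDs, resource IDs and sharing state are constructed for the example.

```python
"""Decide whether a shared resource configuration may be associated with a
service network, and which accounts would gain access transitively.

Added example, not AWS code. Field names mirror the author's reading of the
VPC Lattice API (an assumption); all identifiers below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ResourceConfiguration:
    id: str
    owner: str                                    # account that owns the resource
    allow_shareable_service_network: bool         # allowAssociationToShareableServiceNetwork
    ram_principals: set = field(default_factory=set)  # accounts in the owner's RAM share


@dataclass
class ServiceNetwork:
    id: str
    owner: str
    sharing_enabled: bool                         # sharingConfig.enabled
    ram_principals: set = field(default_factory=set)  # accounts the network is shared with


def can_associate(rc, sn, requester):
    """Return (allowed, reason) for `requester` associating rc with sn."""
    if requester != rc.owner and requester not in rc.ram_principals:
        return False, "requester cannot see the resource configuration"
    if requester != sn.owner and requester not in sn.ram_principals:
        return False, "requester cannot see the service network"
    if sn.sharing_enabled and not rc.allow_shareable_service_network:
        # Opt-out from transitive sharing: a network with sharing enabled could be
        # shared onward at any time, so it is refused even if not shared yet.
        return False, "resource configuration disallows shareable service networks"
    return True, "ok"


def accounts_reaching(sn):
    """Accounts whose VPCs can connect to the service network (owner plus shares)."""
    return {sn.owner} | set(sn.ram_principals)


def transitive_exposure(rc, sn):
    """Accounts that reach rc via sn without ever being in rc's own resource share."""
    return accounts_reaching(sn) - ({rc.owner} | set(rc.ram_principals))


def audit(rc, networks, requester):
    """Evaluate each candidate network; one finding per network."""
    findings = []
    for sn in networks:
        allowed, reason = can_associate(rc, sn, requester)
        findings.append({
            "service_network": sn.id,
            "allowed": allowed,
            "reason": reason,
            "transitive_exposure": sorted(transitive_exposure(rc, sn)) if allowed else [],
        })
    return findings


# Constructed scenario: Account-A shares a resource configuration with Account-B only.
ACCOUNT_A, ACCOUNT_B, ACCOUNT_C = "111111111111", "222222222222", "333333333333"

RC_STRICT = ResourceConfiguration("rcfg-strict", ACCOUNT_A,
                                  allow_shareable_service_network=False,
                                  ram_principals={ACCOUNT_B})
RC_OPEN = ResourceConfiguration("rcfg-open", ACCOUNT_A,
                                allow_shareable_service_network=True,
                                ram_principals={ACCOUNT_B})

NETWORKS = [
    # Account-B's network with sharing enabled and already shared with Account-C.
    ServiceNetwork("sn-shared", ACCOUNT_B, sharing_enabled=True, ram_principals={ACCOUNT_C}),
    # Sharing enabled but not shared yet: still "can be shared in the future".
    ServiceNetwork("sn-shareable", ACCOUNT_B, sharing_enabled=True),
    # Sharing disabled: the only kind the strict configuration accepts.
    ServiceNetwork("sn-private", ACCOUNT_B, sharing_enabled=False),
]

if __name__ == "__main__":
    for rc in (RC_STRICT, RC_OPEN):
        for finding in audit(rc, NETWORKS, ACCOUNT_B):
            print(rc.id, finding)
```

The key point the audit makes visible is the middle network: it is not shared with anyone yet, but because sharing is enabled on it the strict configuration still refuses the association, which is exactly the "can be shared in the future" case the text describes. With the permissive configuration, the same association succeeds and Account-C appears in the exposure list even though Account-A never shared with it.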
Sharing resource configurations through AWS RAM
Resource configurations are integrated with AWS Resource Access Manager (AWS RAM). To share a resource configuration with another account, add it to a resource share in AWS RAM; clients in that account can then privately access the resource.
Use the AWS RAM console to view the resource shares to which you have been added, the shared resources that you can access, and the AWS accounts that have shared resources with you. For more information, see Resources shared with you in the AWS RAM User Guide.
To access a resource from another VPC in the same account as the resource configuration, you don’t need to share the resource configuration through AWS RAM.
Monitoring
You can enable access logs for your resource configuration and choose the destination to which they are delivered.