AWS VPC Endpoints
AWS supports private, public, and arbitrary networks. You can design your network as simple or as complicated as you wish.
Many security opinions require that you have instances running in a network that don’t support Internet access, but what do you do when you still have instances that must gain access to AWS services?
One example: private instances needing access to AWS S3 (Simple Storage Service) resources.
The example used in this code is to allow private instances without Internet access to query the AWS EC2 endpoint. This is useful when using Hashicorp’s Consul directory service, or Vault secure secret storage.
Endpoints provided:
- Amazon EC2 API
- AWS Systems Manager
- Amazon CloudWatch Logs
- Elastic Load Balancing API
- Amazon Kinesis Data Streams
- AWS KMS
- AWS Service Catalog
- Amazon S3
- DynamoDB
And: a list of Endpoint services hosted by other AWS accounts
You can find my example Terraform code on GitHub: aws-vpc-endpoint-example repository.
All code is BSD Licensed.
Books I used:
