Skip to content

Endpoints

There are multiple types of VPC endpoints. This code has currently only been tested with Interface endpoints. Interface endpoints allow you to access AWS services without traversing the internet. So you have better security and a more predictable connection as you remain within the AWS network. In addition they enable you to move some workloads to fully private subnets, i.e. ones that don't have even outbound internet.

NOTE

  • Subnets and security groups referenced by the endpoints must already exist.
  • VPC endpoints will always be attached to the VPC's default security group. Defining a security group here is optional, and will result in the endpoint being attached to both the default security group and the one(s) defined here.
  • You can optionally specify an IPv4 or IPv6 address for each subnet, but the endpoint must first be deployed (terraform apply) so that the subnet association will be created before customizations can be defined for the subnet.

Create Interface Endpoints

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
vpcs = {
    SharedInfra = {
        security_groups = {
            EndpointSG = {
                ingress = {
                    MSSQL = {
                        from_port = 443
                        to_port = 443
                        cidr_ipv4 = "0.0.0.0/0"
                    }
                },
                egress = {
                    Allow_Outbound = {
                        ip_protocol = "-1"
                        cidr_ipv4 = "0.0.0.0/0"
                    }
                }
            }
        }
        subnets = {
            SharedInfraPrivateAZ1 = {
                zone = "us-west-2a"
                block = "10.248.13.0/26"
                route_table = "ngwaz1"
                network_acl = "DevACL"
            }
            SharedInfraPrivateAZ2 = {
                zone = "us-west-2b"
                block = "10.248.13.64/26"
                route_table = "ngwaz2"
                network_acl = "DevACL"
            }
        }
        endpoints = {
            ssm = {
                service_name = "com.amazonaws.us-west-2.ssm"
                vpc_endpoint_type = "Interface"
                private_dns_enabled = true
                subnets = {
                    SharedInfraPrivateAZ1 = {
                        # ipv4 = "10.248.13.54" // don't assign IP until subnet association is created
                    }
                vpc_endpoint_type = "Interface"
                private_dns_enabled = true
                subnets = {
                    SharedInfraPrivateAZ1 = {}
                    SharedInfraPrivateAZ2 = {}
                }
                security_groups = ["EndpointSG"]
            }
            ssmmessages = {
                service_name = "com.amazonaws.us-west-2.ssmmessages"
                vpc_endpoint_type = "Interface"
                private_dns_enabled = true
                subnets = {
                    SharedInfraPrivateAZ1 = {}
                    SharedInfraPrivateAZ2 = {}
                }
                security_groups = ["EndpointSG"]
            }
            ec2messages = {
                service_name = "com.amazonaws.us-west-2.ec2messages"
                vpc_endpoint_type = "Interface"
                private_dns_enabled = true
                subnets = {
                    SharedInfraPrivateAZ1 = {}
                    SharedInfraPrivateAZ2 = {}
                }
                security_groups = ["EndpointSG"]
            }
            ec2 = {
                service_name = "com.amazonaws.us-west-2.ec2"
                vpc_endpoint_type = "Interface"
                private_dns_enabled = true
                subnets = {
                    SharedInfraPrivateAZ1 = {}
                    SharedInfraPrivateAZ2 = {}
                }
                security_groups = ["EndpointSG"]
            }
            ds = {
                service_name = "com.amazonaws.us-west-2.ds"
                vpc_endpoint_type = "Interface"
                private_dns_enabled = true
                subnets = {
                    SharedInfraPrivateAZ1 = {}
                    SharedInfraPrivateAZ2 = {}
                }
                security_groups = ["EndpointSG"]
            }
        }
    }
}