VpcEndpoint

Provides a VPC Endpoint resource.

NOTE on VPC Endpoints and VPC Endpoint Associations: This provider provides both standalone VPC Endpoint Associations for Route Tables - (an association between a VPC endpoint and a single route_table_id) and Subnets - (an association between a VPC endpoint and a single subnet_id) and a VPC Endpoint resource with route_table_ids and subnet_ids attributes. Do not use the same resource ID in both a VPC Endpoint resource and a VPC Endpoint Association resource. Doing so will cause a conflict of associations and will overwrite the association.

Example Usage

Basic

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var s3 = new Aws.Ec2.VpcEndpoint("s3", new Aws.Ec2.VpcEndpointArgs
        {
            ServiceName = "com.amazonaws.us-west-2.s3",
            VpcId = aws_vpc.Main.Id,
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := ec2.NewVpcEndpoint(ctx, "s3", &ec2.VpcEndpointArgs{
            ServiceName: pulumi.String("com.amazonaws.us-west-2.s3"),
            VpcId:       pulumi.String(aws_vpc.Main.Id),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

s3 = aws.ec2.VpcEndpoint("s3",
    service_name="com.amazonaws.us-west-2.s3",
    vpc_id=aws_vpc["main"]["id"])

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const s3 = new aws.ec2.VpcEndpoint("s3", {
    serviceName: "com.amazonaws.us-west-2.s3",
    vpcId: aws_vpc_main.id,
});

Basic w/ Tags

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var s3 = new Aws.Ec2.VpcEndpoint("s3", new Aws.Ec2.VpcEndpointArgs
        {
            ServiceName = "com.amazonaws.us-west-2.s3",
            Tags = 
            {
                { "Environment", "test" },
            },
            VpcId = aws_vpc.Main.Id,
        });
    }

}

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/ec2"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := ec2.NewVpcEndpoint(ctx, "s3", &ec2.VpcEndpointArgs{
            ServiceName: pulumi.String("com.amazonaws.us-west-2.s3"),
            Tags: pulumi.StringMap{
                "Environment": pulumi.String("test"),
            },
            VpcId: pulumi.String(aws_vpc.Main.Id),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

import pulumi
import pulumi_aws as aws

s3 = aws.ec2.VpcEndpoint("s3",
    service_name="com.amazonaws.us-west-2.s3",
    tags={
        "Environment": "test",
    },
    vpc_id=aws_vpc["main"]["id"])

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const s3 = new aws.ec2.VpcEndpoint("s3", {
    serviceName: "com.amazonaws.us-west-2.s3",
    tags: {
        Environment: "test",
    },
    vpcId: aws_vpc_main.id,
});

Create a VpcEndpoint Resource

new VpcEndpoint(name: string, args: VpcEndpointArgs, opts?: CustomResourceOptions);

def VpcEndpoint(resource_name, opts=None, auto_accept=None, policy=None, private_dns_enabled=None, route_table_ids=None, security_group_ids=None, service_name=None, subnet_ids=None, tags=None, vpc_endpoint_type=None, vpc_id=None, __props__=None);

func NewVpcEndpoint(ctx *Context, name string, args VpcEndpointArgs, opts ...ResourceOption) (*VpcEndpoint, error)

public VpcEndpoint(string name, VpcEndpointArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args VpcEndpointArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args VpcEndpointArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args VpcEndpointArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

VpcEndpoint Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The VpcEndpoint resource accepts the following input properties:

ServiceName string: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
VpcId string: The ID of the VPC in which the endpoint will be used.
AutoAccept bool: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
Policy string: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
PrivateDnsEnabled bool: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
RouteTableIds List<string>: One or more route table IDs. Applicable for endpoints of type Gateway.
SecurityGroupIds List<string>: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
SubnetIds List<string>: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
Tags Dictionary<string, string>: A map of tags to assign to the resource.
VpcEndpointType string: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.

ServiceName string: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
VpcId string: The ID of the VPC in which the endpoint will be used.
AutoAccept bool: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
Policy string: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
PrivateDnsEnabled bool: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
RouteTableIds []string: One or more route table IDs. Applicable for endpoints of type Gateway.
SecurityGroupIds []string: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
SubnetIds []string: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
Tags map[string]string: A map of tags to assign to the resource.
VpcEndpointType string: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.

serviceName string: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
vpcId string: The ID of the VPC in which the endpoint will be used.
autoAccept boolean: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
policy string: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
privateDnsEnabled boolean: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
routeTableIds string[]: One or more route table IDs. Applicable for endpoints of type Gateway.
securityGroupIds string[]: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
subnetIds string[]: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
tags {[key: string]: string}: A map of tags to assign to the resource.
vpcEndpointType string: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.

service_name str: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
vpc_id str: The ID of the VPC in which the endpoint will be used.
auto_accept bool: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
policy str: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
private_dns_enabled bool: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
route_table_ids List[str]: One or more route table IDs. Applicable for endpoints of type Gateway.
security_group_ids List[str]: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
subnet_ids List[str]: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
tags Dict[str, str]: A map of tags to assign to the resource.
vpc_endpoint_type str: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.

Outputs

All input properties are implicitly available as output properties. Additionally, the VpcEndpoint resource produces the following output properties:

Arn string: The Amazon Resource Name (ARN) of the VPC endpoint.
CidrBlocks List<string>: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
DnsEntries List<VpcEndpointDnsEntry>: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
Id string: The provider-assigned unique ID for this managed resource.
NetworkInterfaceIds List<string>: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
OwnerId string: The ID of the AWS account that owns the VPC endpoint.
PrefixListId string: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
RequesterManaged bool: Whether or not the VPC Endpoint is being managed by its service - true or false.
State string: The state of the VPC endpoint.

Arn string: The Amazon Resource Name (ARN) of the VPC endpoint.
CidrBlocks []string: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
DnsEntries []VpcEndpointDnsEntry: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
Id string: The provider-assigned unique ID for this managed resource.
NetworkInterfaceIds []string: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
OwnerId string: The ID of the AWS account that owns the VPC endpoint.
PrefixListId string: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
RequesterManaged bool: Whether or not the VPC Endpoint is being managed by its service - true or false.
State string: The state of the VPC endpoint.

arn string: The Amazon Resource Name (ARN) of the VPC endpoint.
cidrBlocks string[]: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
dnsEntries VpcEndpointDnsEntry[]: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
id string: The provider-assigned unique ID for this managed resource.
networkInterfaceIds string[]: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
ownerId string: The ID of the AWS account that owns the VPC endpoint.
prefixListId string: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
requesterManaged boolean: Whether or not the VPC Endpoint is being managed by its service - true or false.
state string: The state of the VPC endpoint.

arn str: The Amazon Resource Name (ARN) of the VPC endpoint.
cidr_blocks List[str]: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
dns_entries List[VpcEndpointDnsEntry]: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
id str: The provider-assigned unique ID for this managed resource.
network_interface_ids List[str]: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
owner_id str: The ID of the AWS account that owns the VPC endpoint.
prefix_list_id str: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
requester_managed bool: Whether or not the VPC Endpoint is being managed by its service - true or false.
state str: The state of the VPC endpoint.

Look up an Existing VpcEndpoint Resource

Get an existing VpcEndpoint resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: VpcEndpointState, opts?: CustomResourceOptions): VpcEndpoint

static get(resource_name, id, opts=None, arn=None, auto_accept=None, cidr_blocks=None, dns_entries=None, network_interface_ids=None, owner_id=None, policy=None, prefix_list_id=None, private_dns_enabled=None, requester_managed=None, route_table_ids=None, security_group_ids=None, service_name=None, state=None, subnet_ids=None, tags=None, vpc_endpoint_type=None, vpc_id=None, __props__=None);

func GetVpcEndpoint(ctx *Context, name string, id IDInput, state *VpcEndpointState, opts ...ResourceOption) (*VpcEndpoint, error)

public static VpcEndpoint Get(string name, Input<string> id, VpcEndpointState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: The Amazon Resource Name (ARN) of the VPC endpoint.
AutoAccept bool: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
CidrBlocks List<string>: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
DnsEntries List<VpcEndpointDnsEntryArgs>: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
NetworkInterfaceIds List<string>: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
OwnerId string: The ID of the AWS account that owns the VPC endpoint.
Policy string: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
PrefixListId string: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
PrivateDnsEnabled bool: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
RequesterManaged bool: Whether or not the VPC Endpoint is being managed by its service - true or false.
RouteTableIds List<string>: One or more route table IDs. Applicable for endpoints of type Gateway.
SecurityGroupIds List<string>: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
ServiceName string: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
State string: The state of the VPC endpoint.
SubnetIds List<string>: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
Tags Dictionary<string, string>: A map of tags to assign to the resource.
VpcEndpointType string: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.
VpcId string: The ID of the VPC in which the endpoint will be used.

Arn string: The Amazon Resource Name (ARN) of the VPC endpoint.
AutoAccept bool: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
CidrBlocks []string: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
DnsEntries []VpcEndpointDnsEntry: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
NetworkInterfaceIds []string: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
OwnerId string: The ID of the AWS account that owns the VPC endpoint.
Policy string: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
PrefixListId string: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
PrivateDnsEnabled bool: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
RequesterManaged bool: Whether or not the VPC Endpoint is being managed by its service - true or false.
RouteTableIds []string: One or more route table IDs. Applicable for endpoints of type Gateway.
SecurityGroupIds []string: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
ServiceName string: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
State string: The state of the VPC endpoint.
SubnetIds []string: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
Tags map[string]string: A map of tags to assign to the resource.
VpcEndpointType string: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.
VpcId string: The ID of the VPC in which the endpoint will be used.

arn string: The Amazon Resource Name (ARN) of the VPC endpoint.
autoAccept boolean: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
cidrBlocks string[]: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
dnsEntries VpcEndpointDnsEntry[]: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
networkInterfaceIds string[]: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
ownerId string: The ID of the AWS account that owns the VPC endpoint.
policy string: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
prefixListId string: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
privateDnsEnabled boolean: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
requesterManaged boolean: Whether or not the VPC Endpoint is being managed by its service - true or false.
routeTableIds string[]: One or more route table IDs. Applicable for endpoints of type Gateway.
securityGroupIds string[]: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
serviceName string: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
state string: The state of the VPC endpoint.
subnetIds string[]: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
tags {[key: string]: string}: A map of tags to assign to the resource.
vpcEndpointType string: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.
vpcId string: The ID of the VPC in which the endpoint will be used.

arn str: The Amazon Resource Name (ARN) of the VPC endpoint.
auto_accept bool: Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
cidr_blocks List[str]: The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
dns_entries List[VpcEndpointDnsEntry]: The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
network_interface_ids List[str]: One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
owner_id str: The ID of the AWS account that owns the VPC endpoint.
policy str: A policy to attach to the endpoint that controls access to the service. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
prefix_list_id str: The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
private_dns_enabled bool: Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Defaults to false.
requester_managed bool: Whether or not the VPC Endpoint is being managed by its service - true or false.
route_table_ids List[str]: One or more route table IDs. Applicable for endpoints of type Gateway.
security_group_ids List[str]: The ID of one or more security groups to associate with the network interface. Required for endpoints of type Interface.
service_name str: The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
state str: The state of the VPC endpoint.
subnet_ids List[str]: The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type Interface.
tags Dict[str, str]: A map of tags to assign to the resource.
vpc_endpoint_type str: The VPC endpoint type, Gateway or Interface. Defaults to Gateway.
vpc_id str: The ID of the VPC in which the endpoint will be used.

Supporting Types

VpcEndpointDnsEntry

See the output API doc for this type.

DnsName string: The DNS name.
HostedZoneId string: The ID of the private hosted zone.

DnsName string: The DNS name.
HostedZoneId string: The ID of the private hosted zone.

dnsName string: The DNS name.
hostedZoneId string: The ID of the private hosted zone.

dns_name str: The DNS name.
hosted_zone_id str: The ID of the private hosted zone.

Package Details

Repository: https://github.com/pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud