AWS Cloud Operations Blog

Using VPC endpoints for AWS X-Ray

Today, AWS X-Ray announces the general availability of VPC endpoint support, which makes it possible for you to establish a private connection between your VPC and AWS X-Ray. Applications running in your VPC can now communicate with AWS X-Ray to send trace data without going through the public internet. In this post, I will show you how to create and use a VPC endpoint for AWS X-Ray.

Amazon Virtual Private Cloud (Amazon VPC) is an AWS service that you can use to launch AWS resources in a virtual network that you define. When you create a VPC, you use security groups and access control lists (ACLs) to control inbound and outbound traffic. Until now, if you wanted your Amazon Elastic Compute Cloud (Amazon EC2) instances to be able to access AWS X-Ray, you had to use an internet gateway and potentially manage some network address translation (NAT) instances. Today, you can create an interface VPC endpoint in a subnet in the VPC to connect to AWS X-Ray. The endpoint provides reliable, scalable connectivity to AWS X-Ray without requiring an internet gateway, NAT instance, or VPN connection. Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IP addresses. For more information about interface VPC endpoints and AWS PrivateLink, see the AWS PrivateLink for AWS Services blog post.

Create a VPC endpoint for X-Ray

You can create and configure VPC endpoints using the Amazon VPC console, AWS Command Line Interface (AWS CLI), and the Amazon EC2 API, which provides actions for Amazon VPC. Let’s create a VPC endpoint using the console!

  1. Open the Amazon VPC console and choose your AWS Region.
  2. In the left navigation pane, choose Endpoints. If you have already created some VPC endpoints, they will appear in the list. Choose Create Endpoint.

Figure 1: Endpoints page in the Amazon VPC console, showing the Actions menu, the search field, and the Create Endpoint button

  3. On the Create Endpoint page, for Service category, choose AWS services.
  4. In the search field, enter com.amazonaws.region.xray, where region is the code of the AWS Region you chose.

Figure 2: Create Endpoint page

  5. In Subnets, choose a subnet in your VPC in which to use the interface endpoint. An endpoint network interface will be created in that subnet.

Figure 3: Subnets section of the Create Endpoint page, listing subnets by Availability Zone and subnet ID

  6. In Security group, choose the security groups to associate with the endpoint network interface.

Figure 4: Security group section of the Create Endpoint page, with options to select or create a security group and a search field

  7. (Optional) By default, private DNS is enabled for the endpoint, which means you can make requests to X-Ray using its default DNS host name. To disable it, clear the Enable DNS name checkbox.
  8. (Optional) In Policy, Full Access is selected by default.
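Private DNS is the part of this setup that is easiest to get silently wrong: if the endpoint's DNS override is not in effect, the X-Ray host name keeps resolving to public addresses and trace data goes out through whatever internet path the subnet has (or fails if there is none). The following is an added example, not code from the original post, that checks from inside the VPC whether the X-Ray host name resolves only to private addresses. It assumes the default host name has the form xray.<region>.amazonaws.com and takes a pluggable resolver so the check can be exercised with constructed answers.

```python
# Added example (not from the original post): verify, from inside the VPC,
# that the X-Ray host name resolves to the private addresses of the endpoint
# network interface, which is what "Enable DNS name" is meant to give you.
# Assumption: the default X-Ray host name is xray.<region>.amazonaws.com.
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]


def xray_hostname(region: str) -> str:
    """Default X-Ray API host name for a Region (assumed format)."""
    return f"xray.{region}.amazonaws.com"


def resolve_ipv4(hostname: str) -> List[str]:
    """Real resolver: the IPv4 addresses the local resolver returns for the host."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Split addresses into private (RFC 1918 and similar) and public ones."""
    result: Dict[str, List[str]] = {"private": [], "public": []}
    for addr in addresses:
        key = "private" if ipaddress.ip_address(addr).is_private else "public"
        result[key].append(addr)
    return result


def private_dns_ok(region: str, resolver: Resolver = resolve_ipv4) -> bool:
    """True only when every resolved address is private, i.e. the endpoint's
    DNS override is in effect and trace data will not leave the VPC."""
    groups = classify(resolver(xray_hostname(region)))
    return bool(groups["private"]) and not groups["public"]


def _inside_vpc(host: str) -> List[str]:
    # Constructed answer: addresses of endpoint network interfaces in two subnets.
    return ["10.0.1.25", "10.0.2.40"]


def _no_private_dns(host: str) -> List[str]:
    # Constructed answer: a public address, as seen when private DNS is off.
    return ["52.94.76.10"]


if __name__ == "__main__":
    print("endpoint DNS in effect:", private_dns_ok("us-east-1", _inside_vpc))      # True
    print("endpoint DNS in effect:", private_dns_ok("us-east-1", _no_private_dns))  # False
    # On a real instance, drop the resolver argument to query the VPC resolver:
    # print(private_dns_ok("us-east-1"))
```

Run it on an EC2 instance in the VPC with the default resolver; a mixed or all-public answer means requests are not taking the endpoint, and the security group on the endpoint network interface never sees them.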

Control access to your X-Ray VPC endpoint

You can use a VPC endpoint policy to control permissions to various actions for X-Ray. A VPC endpoint policy is an AWS Identity and Access Management (IAM) resource policy that you attach to an endpoint when you create or modify the endpoint. If you don’t attach a policy when you create an endpoint, Amazon VPC attaches a default policy for you that allows full access to the service. An endpoint policy doesn’t override or replace IAM user policies or service-specific policies. It’s a separate policy for controlling access from the endpoint to the specified service. Endpoint policies must be written in JSON format.

For example, you can create a policy that allows only PutTraceSegments for X-Ray and implicitly denies every other action, as shown here. This restricts workloads and services in the VPC to sending trace data to X-Ray and denies other actions, such as retrieving trace data, changing the encryption configuration, or creating or updating groups. For more information, see Control access to services with VPC endpoints in the Amazon VPC User Guide.

{
  "Version": "2012-10-17",
  "Id": "Policy1415115909152",
  "Statement": [
    {
      "Sid": "PutOnly",
      "Principal": "*",
      "Action": [
        "xray:PutTraceSegments"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
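Before attaching an endpoint policy it is worth checking two things: that the document is well formed (a wrong Version or a missing comma is rejected at creation time), and what a workload in the VPC can still do once it is in place. The following is an added example, not code from the original post or from AWS, that builds the put-only policy above, validates its shape, and evaluates actions the way IAM does on the Effect/Action axis (explicit Deny wins, then Allow, otherwise implicit deny). Resource, Principal, Condition and NotAction are not evaluated, which matches the policy above where they are "*" or absent. The list of daemon actions is the set granted by the AWSXRayDaemonWriteAccess managed policy, which the post does not mention; if your X-Ray daemon fetches sampling rules, a put-only policy will block those calls.

```python
# Added example (not from the original post): build the put-only endpoint
# policy, validate its shape, and evaluate what it lets a VPC workload do.
# Only Effect and Action (with IAM-style "*" wildcards) are evaluated;
# Resource, Principal, Condition and NotAction are assumed "*"/absent.
import fnmatch
import json
from typing import Any, Dict, List

POLICY_VERSION = "2012-10-17"  # current IAM policy language version

PUT_ONLY_POLICY: Dict[str, Any] = {
    "Version": POLICY_VERSION,
    "Id": "Policy1415115909152",
    "Statement": [
        {
            "Sid": "PutOnly",
            "Principal": "*",
            "Action": ["xray:PutTraceSegments"],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

# Actions granted by the AWSXRayDaemonWriteAccess managed policy; a daemon
# that uses sampling rules needs more than PutTraceSegments.
DAEMON_ACTIONS = [
    "xray:PutTraceSegments",
    "xray:PutTelemetryRecords",
    "xray:GetSamplingRules",
    "xray:GetSamplingTargets",
    "xray:GetSamplingStatisticSummaries",
]


def put_only_policy_json() -> str:
    """The policy document as the JSON text you would attach to the endpoint."""
    return json.dumps(PUT_ONLY_POLICY, indent=2)


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def validate_endpoint_policy(text: str) -> List[str]:
    """Return a list of problems; an empty list means the document is well formed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    problems: List[str] = []
    if doc.get("Version") != POLICY_VERSION:
        problems.append(f"Version must be {POLICY_VERSION!r}, got {doc.get('Version')!r}")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        for key in ("Effect", "Principal", "Action", "Resource"):
            if key not in stmt:
                problems.append(f"statement {i} is missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems


def action_allowed(doc: Dict[str, Any], action: str) -> bool:
    """Explicit Deny wins, a matching Allow permits, anything else is implicitly denied.
    Action names are matched case-insensitively, as IAM does."""
    allowed = False
    for stmt in doc["Statement"]:
        patterns = [str(p).lower() for p in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def denied_actions(doc: Dict[str, Any], actions: List[str]) -> List[str]:
    """Which of a workload's required actions the endpoint policy would block."""
    return [a for a in actions if not action_allowed(doc, a)]


if __name__ == "__main__":
    print(put_only_policy_json())
    print("problems:", validate_endpoint_policy(put_only_policy_json()))                    # []
    print("PutTraceSegments:", action_allowed(PUT_ONLY_POLICY, "xray:PutTraceSegments"))   # True
    print("GetTraceSummaries:", action_allowed(PUT_ONLY_POLICY, "xray:GetTraceSummaries"))  # False
    print("daemon calls blocked:", denied_actions(PUT_ONLY_POLICY, DAEMON_ACTIONS))
```

Remember that the endpoint policy is evaluated together with the caller's IAM policy: a call has to be allowed by both, so the put-only endpoint policy narrows what the VPC can reach but never widens what a role is already permitted to do.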

Cleanup

To delete the VPC endpoint you created:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Endpoints, and then choose your endpoint.
  3. From Actions, choose Delete Endpoint, and then choose Yes, Delete to confirm.

Conclusion

To start using VPC endpoints for X-Ray, go to the Amazon VPC console and create an endpoint. VPC endpoint support for X-Ray is available in all AWS Regions where X-Ray and interface endpoints are available. For VPC endpoint pricing information, see the AWS PrivateLink pricing page.

About the author

Nikhil Shetty

Nikhil Shetty is a Sr. Product Manager at AWS whose focus is on monitoring distributed applications built using microservices architecture. He is currently working on developing features for the distributed tracing service, AWS X-Ray.