How do I configure security groups and network ACLs when creating a VPC interface endpoint for endpoint services?

Last updated: 2022-01-18

I want to create an Amazon Virtual Private Cloud (Amazon VPC) interface endpoint to connect an endpoint service. How do I configure my security groups and network access control lists (ACLs)?

Short description

When you create an Amazon VPC interface endpoint with an endpoint service, an elastic network interface is created inside of the subnet that you specify. This VPC interface endpoint inherits the network ACL of the associated subnet. You must also associate a security group with the interface endpoint to protect incoming traffic.

When you associate a Network Load Balancer with an endpoint service, the Network Load Balancer forwards requests to the registered targets. The requests are forwarded as if the target were registered by IP address, so the source IP addresses seen by the targets are the private IP addresses of the load balancer nodes. If you have access to the Amazon VPC endpoint service, then verify that:

  • The inbound security group rules of the Network Load Balancer's targets allow communication from the private IP addresses of the Network Load Balancer nodes
  • The rules within the network ACL associated with the Network Load Balancer's targets allow communication from the private IP addresses of the Network Load Balancer nodes

Resolution

Find the network ACL associated with your interface endpoint

  1. Sign in to the Amazon VPC console.
  2. Choose Endpoints.
  3. Select your endpoint’s ID from the list of endpoints.
  4. Choose the Subnets view.
  5. Select the associated subnets, which redirects you to the Subnets section of the Amazon VPC console.
  6. Note the network ACL associated with the subnets.

Find the security group associated with your interface endpoint

  1. Sign in to the Amazon VPC console.
  2. Choose Endpoints.
  3. Select your endpoint’s ID from the list of endpoints.
  4. Choose the Security Groups view.
  5. Note the IDs of the associated security groups.

Configure the security group associated with the interface endpoint

A security group acts as a virtual firewall for your elastic network interfaces, controlling inbound and outbound traffic.

Note: Security groups are stateful. When you define a rule in one direction, return traffic is automatically allowed.

Configure an inbound rule:

  • For Port Range, enter the same port as your endpoint service
  • For Source, enter the IP address or network of the initiating client

Note: You don't need to create a rule in the outbound direction of the security group associated with the interface endpoint.

Repeat these steps for each security group associated with your interface endpoint.

Configure the network ACL associated with the interface endpoint

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in subnets.

Note: Network ACLs are stateless. You must define rules for both outbound and inbound traffic.

  1. For the network ACL that you noted previously, edit the rules.
  2. Configure an inbound rule to allow traffic from the client:
     • For Port Range, enter the same port as your endpoint service
     • For Source, enter the client's IP address or network
  3. Configure an outbound rule to allow return traffic from the interface endpoint:
     • For Port Range, enter 1024-65535
     • For Destination, enter the client's IP address or network

If you have separate network ACLs defined for each subnet, then repeat the steps for each network ACL associated with your interface endpoint.

Note: When configuring the security group of the source client, verify that the outbound rules allow connectivity to the private IP addresses of the interface endpoint. Because security groups are stateful, the inbound direction of the client's security group is irrelevant to this connection. For the network ACL of the source client, configure rules as follows:

Inbound rule:

  • For Port Range, enter the ephemeral port range 1024-65535
  • For Source, enter the interface endpoint's private IP address

Outbound rule:

  • For Port Range, enter the same port as your endpoint service
  • For Destination, enter the interface endpoint's private IP address
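The following added example (not AWS code or part of this article) models the rule checks from the endpoint-side and client-side sections above: it walks one TCP connection, request and reply, through the client network ACL, the endpoint network ACL and the endpoint security group, treating the security group as stateful and the network ACLs as stateless, ordered rule lists. All IP addresses, ports and rule sets are constructed sample values.

```python
import ipaddress

EPHEMERAL = (1024, 65535)  # return-traffic port range used in the article

def _match(rule, ip, port):
    # True if ip falls inside the rule's CIDR and port inside its range
    lo, hi = rule["ports"]
    return ip in ipaddress.ip_network(rule["cidr"]) and lo <= port <= hi

def sg_allows(sg, src_ip, dst_port):
    """Security groups are stateful: only the inbound rule toward the
    endpoint has to match; the reply is allowed automatically."""
    return any(_match(r, src_ip, dst_port) for r in sg["inbound"])

def nacl_allows(entries, ip, port):
    """Network ACLs are stateless and ordered: the lowest-numbered
    matching rule decides; no match hits the implicit '*' deny."""
    for r in sorted(entries, key=lambda r: r["num"]):
        if _match(r, ip, port):
            return r["action"] == "allow"
    return False

def flow_allowed(client_ip, endpoint_ip, service_port, client_port,
                 client_nacl, endpoint_nacl, endpoint_sg):
    """Walk one TCP connection, request and reply, through the client
    NACL, the endpoint NACL and the endpoint security group."""
    client_ip = ipaddress.ip_address(client_ip)
    endpoint_ip = ipaddress.ip_address(endpoint_ip)
    return all([
        # request: leaves the client subnet, enters the endpoint subnet
        nacl_allows(client_nacl["outbound"], endpoint_ip, service_port),
        nacl_allows(endpoint_nacl["inbound"], client_ip, service_port),
        sg_allows(endpoint_sg, client_ip, service_port),
        # reply: leaves the endpoint subnet to the client's ephemeral port
        nacl_allows(endpoint_nacl["outbound"], client_ip, client_port),
        nacl_allows(client_nacl["inbound"], endpoint_ip, client_port),
    ])

# Constructed sample values (not from the article): client subnet 10.0.1.0/24,
# endpoint ENI at 10.0.2.40, endpoint service listening on TCP 443.
ENDPOINT_SG = {"inbound": [{"cidr": "10.0.1.0/24", "ports": (443, 443)}]}
ENDPOINT_NACL = {
    "inbound": [{"num": 100, "cidr": "10.0.1.0/24", "ports": (443, 443), "action": "allow"}],
    "outbound": [{"num": 100, "cidr": "10.0.1.0/24", "ports": EPHEMERAL, "action": "allow"}],
}
CLIENT_NACL = {
    "inbound": [{"num": 100, "cidr": "10.0.2.40/32", "ports": EPHEMERAL, "action": "allow"}],
    "outbound": [{"num": 100, "cidr": "10.0.2.40/32", "ports": (443, 443), "action": "allow"}],
}
# Forgetting the stateless return rule is the usual failure: replies are dropped.
ENDPOINT_NACL_NO_RETURN = {"inbound": ENDPOINT_NACL["inbound"], "outbound": []}
```

Running `flow_allowed` with `ENDPOINT_NACL_NO_RETURN` in place of `ENDPOINT_NACL` shows the connection failing on the reply path even though every inbound rule matches.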