How do I configure security and network ACLs for my interface-based Amazon VPC endpoint for endpoint services?

Last updated: 2019-04-09

I want to create an interface-based Amazon Virtual Private Cloud (Amazon VPC) endpoint to connect to an endpoint service. How do I configure my security groups and network access control lists (ACLs)?

Short Description

When you create an Amazon VPC interface endpoint with AWS PrivateLink, an Elastic Network Interface is created in the subnet that you specify. This interface VPC endpoint (interface endpoint) inherits the network ACL of the associated subnet. You must associate a security group with the interface endpoint to control incoming and outgoing requests.

When you associate a Network Load Balancer with an endpoint service, the Network Load Balancer forwards requests to the registered targets as if the targets were registered by IP address. In this case, the source IP addresses that the targets see are the private IP addresses of the load balancer nodes. If you have access to the Amazon VPC endpoint service, you must verify that the security group rules and the rules within the network ACL associated with the Network Load Balancer’s targets:

  • Allow communication from the private IP address of the Network Load Balancer
  • Don't allow communication from the IP address of the client or the interface endpoint

To allow communication between clients and the Amazon VPC endpoint, you must create rules within the network ACL associated with the client’s subnet and the subnet associated with the interface endpoint.

Resolution

Find the network ACL associated with your interface endpoint

  1. Sign in to the Amazon VPC console.
  2. Choose Endpoints.
  3. Select your endpoint’s ID from the list.
  4. Choose the Subnets view.
  5. Select the associated subnets, which redirects you to the Subnets section of the Amazon VPC console.
  6. Note the network ACL associated with the subnets.

Find the security group associated with your interface endpoint

  1. Sign in to the Amazon VPC console.
  2. Choose Endpoints.
  3. Select your endpoint’s ID from the list of endpoints.
  4. Choose the Security Groups view.
  5. Note the IDs of the associated security groups.

Configure the security group associated with your client’s interface endpoint

Note: Security groups are stateful. When you define a rule in one direction, return traffic is automatically allowed.

Configure an inbound rule:

  • For Port Range, enter the same port as your endpoint service.
  • For Source, enter the IP address or network of the initiating client.

Note: You don't need to create a rule in the outbound direction of the security group associated with the interface endpoint.

Repeat these steps for each security group associated with your interface endpoint.

Configure the network ACL associated with the interface endpoint

For the network ACL you noted previously, edit the rules.

Configure an inbound rule to allow traffic from the client:

  • For Port Range, enter the same port as your endpoint service.
  • For Source, enter the client’s IP address.

Configure an outbound rule to allow return traffic from the interface endpoint:

  • For Port Range, enter 1024-65535.
  • For Destination, enter the client’s IP address or network.

Note: When you configure the security group and network ACL associated with the client, verify that the outbound rules allow connectivity to the private IP of the endpoint interface. The inbound direction of the client's security group is irrelevant. However, the inbound direction of the client's network ACL must allow TCP ephemeral range 1024-65535. The source IP address is the IP address of the Amazon VPC endpoint interface, because it's the source of the returning traffic.
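The endpoint-side rules from the steps above, written as Terraform as an added example (this is not configuration from the article or from AWS). The client network, service port and the network ACL ID are assumed placeholder values; the ACL ID is the one you noted in "Find the network ACL associated with your interface endpoint".

```hcl
# Added example, not from the article. All values below are assumptions:
# replace the placeholders with your own client network, port and ACL ID.
variable "client_cidr"      { default = "10.0.1.0/24" }       # assumed client subnet
variable "service_port"     { default = 443 }                 # assumed endpoint service port
variable "vpc_id"           { default = "vpc-PLACEHOLDER" }
variable "endpoint_nacl_id" { default = "acl-PLACEHOLDER" }   # ACL of the endpoint subnet

# Security group for the interface endpoint. Security groups are stateful,
# so only the inbound rule on the service port from the client network is
# needed; return traffic is allowed automatically.
resource "aws_security_group" "endpoint" {
  name   = "vpce-endpoint-sg"
  vpc_id = var.vpc_id

  ingress {
    from_port   = var.service_port
    to_port     = var.service_port
    protocol    = "tcp"
    cidr_blocks = [var.client_cidr]
  }
  # No egress block: no outbound rule is required on the endpoint's security group.
}

# Network ACL of the endpoint subnet. Network ACLs are stateless, so the
# request direction and the return direction each need their own rule.
resource "aws_network_acl_rule" "endpoint_inbound_from_client" {
  network_acl_id = var.endpoint_nacl_id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = var.client_cidr
  from_port      = var.service_port
  to_port        = var.service_port
}

resource "aws_network_acl_rule" "endpoint_outbound_return_to_client" {
  network_acl_id = var.endpoint_nacl_id
  rule_number    = 100
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = var.client_cidr
  from_port      = 1024    # return traffic goes to the client's ephemeral port
  to_port        = 65535
}
```

Attach aws_security_group.endpoint to the interface endpoint's security groups, and remember that the client subnet's network ACL needs the mirror-image inbound rule (TCP 1024-65535 from the endpoint interface's private IP) described in the note above.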