Starting today, Amazon Virtual Private Cloud (Amazon VPC) Endpoints for Amazon DynamoDB are now accessible in all public AWS regions. You can create an endpoint immediately using the AWS Management Console or the AWS Command Line Interface (AWS CLI). There are no extra charges for utilizing a VPC Endpoint for DynamoDB.
Many AWS users operate their applications within an Amazon Virtual Private Cloud (Amazon VPC) for security or isolation purposes. Previously, if you wanted the EC2 instances in your VPC to access DynamoDB, you had two main options: route traffic out through an Internet Gateway (either with a NAT Gateway or by assigning public IPs to your instances), or send all traffic to your local infrastructure via VPN or AWS Direct Connect and then route it back to DynamoDB from there. Both methods posed security and throughput challenges, and they made it complicated to set up Network Access Control Lists (NACLs) or security groups that limit access to just DynamoDB. Here is what the older infrastructure looked like.
Creating an Endpoint
Let’s walk through creating a VPC Endpoint for DynamoDB. To begin, we can verify if our region supports the endpoint by using the DescribeVpcEndpointServices API call.
aws ec2 describe-vpc-endpoint-services --region us-east-1
{
    "ServiceNames": [
        "com.amazonaws.us-east-1.dynamodb",
        "com.amazonaws.us-east-1.s3"
    ]
}
Now that we’ve confirmed our region supports the endpoints, we can select one of our VPCs and provision an endpoint with a quick command in the CLI or through the console. Let’s demonstrate this using the console.
First, I will go to the VPC console and choose “Endpoints” from the sidebar. Then, I will click “Create Endpoint,” which will take me to a simple console interface.
In the AWS Identity and Access Management (IAM) policy section for the endpoint, you’ll see it supports all the detailed access control that DynamoDB offers through standard IAM policies. You can restrict access based on specific IAM policy conditions. For this example, I’ll grant full access to my instances within this VPC and click “Next Step.”
Next, I will see a list of route tables in my VPC and will be prompted to select which route table to assign my endpoint to. After choosing one, I’ll click “Create Endpoint.”
Please note: if you have source restrictions for DynamoDB based on public IP addresses, the source IP of your instances accessing DynamoDB will now be their private IP addresses.
After adding the VPC Endpoint for DynamoDB to our VPC, our infrastructure appears as follows.
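The same provisioning done from the AWS CLI instead of the console, as an added example that is not part of the original post: it builds a least-privilege endpoint policy (instead of the full-access policy used in the walkthrough), creates the gateway endpoint on a route table, and shows how to confirm the route was added. The VPC and route table ids, the account number 123456789012 and the table name "Orders" used by callers are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): provision the DynamoDB gateway
# endpoint from the CLI with a least-privilege endpoint policy in place of the
# "full access" policy used in the walkthrough. Ids, account number and table
# name supplied by callers are constructed placeholders.
set -euo pipefail
REGION="${REGION:-us-east-1}"

# Emit an endpoint policy that allows only item-level operations on the given
# table ARNs. Requests for any other table (including tables in other accounts)
# are refused at the endpoint, before the caller's own IAM policy is evaluated.
endpoint_policy() {
  local arns
  arns=$(printf '"%s",' "$@")
  arns="${arns%,}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TableDataPlaneOnly",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
               "dynamodb:Query", "dynamodb:UpdateItem"],
    "Resource": [${arns}]
  }]
}
EOF
}

# Create the gateway endpoint and attach it to a route table, the two console
# steps in the post. Needs AWS credentials; the test below does not call it.
create_dynamodb_endpoint() {
  local vpc_id="$1" route_table_id="$2"
  shift 2
  aws ec2 create-vpc-endpoint --region "$REGION" \
    --vpc-endpoint-type Gateway \
    --vpc-id "$vpc_id" \
    --service-name "com.amazonaws.${REGION}.dynamodb" \
    --route-table-ids "$route_table_id" \
    --policy-document "$(endpoint_policy "$@")"
}

# Verify the attachment: the route table should now carry a route whose
# target is the vpce-* id (its destination is the DynamoDB prefix list).
show_endpoint_routes() {
  aws ec2 describe-route-tables --region "$REGION" --route-table-ids "$1" \
    --query 'RouteTables[].Routes[?GatewayId && starts_with(GatewayId, `vpce-`)]'
}
```

Call it as `create_dynamodb_endpoint vpc-0123456789abcdef0 rtb-0123456789abcdef0 arn:aws:dynamodb:us-east-1:123456789012:table/Orders`, then `show_endpoint_routes rtb-0123456789abcdef0`.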
That’s all there is to it! It’s incredibly straightforward and available at no additional cost. Start utilizing it today. For further details, you can check the documentation here.