Configuring DynamoDB VPC Endpoints with AWS CloudFormation

Shaun Ewing, Technology

VPC Endpoints on Amazon Web Services (AWS) let you create a private connection between your VPC and a supported AWS service, without traffic having to traverse a NAT device, proxy server, or similar intermediary.

Since their launch in May 2015, VPC endpoints have only been available for connectivity to Amazon Simple Storage Service (S3) — AWS's high-performance object storage platform.

Just a few weeks ago AWS announced that VPC Endpoints for DynamoDB are now available in public preview. Of course I joined.

All of the documentation for this feature indicates using the console to activate the endpoints, but as I build my environment exclusively with CloudFormation I wanted to see if it was possible to do it here.

The answer is yes.

To get started I created a DynamoDB endpoint resource in my CloudFormation template:

The following resources are defined elsewhere in the template, so adjust to suit your environment:

  • VPC – The VPC resource. You could set this to an existing VPC ID.
  • PublicRouteTable – my public route table.
  • Private(0/1/2)RouteTable – my private route tables. These will be updated with a route to the endpoint.

Of course, the primary benefit of a VPC endpoint is the ability to restrict what it can be used for. You could, for example, attach a policy document that only allows the endpoint to be used to access a specific DynamoDB table.

For example, this resource with an attached policy document restricts access to the single table “arn:aws:dynamodb:ap-southeast-2:123412341234:table/test”:
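The author's template snippets are not reproduced on this page, so the following is an added example rather than the post's own code. It serves both steps described above: the endpoint resource wired to the VPC and route tables, and the attached policy that limits the endpoint to the quoted table ARN. The logical IDs `VPC`, `PublicRouteTable` and `Private0RouteTable` through `Private2RouteTable` are assumed to match the resources the post says are defined elsewhere in the template; the list of allowed actions, the `VpcEndpointType` property and the index ARN are my assumptions. Dropping the `PolicyDocument` block gives the unrestricted endpoint from the first step.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: a gateway VPC endpoint for DynamoDB with an endpoint policy
  restricted to one table. Not the original post's template.

Resources:
  # Assumed to exist elsewhere in the real template; defined here only so the
  # example is a complete, deployable stack on its own.
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  Private0RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  Private1RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  Private2RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  # The DynamoDB endpoint. CloudFormation adds a route for the DynamoDB
  # prefix list (pl-xxxx -> vpce-xxxx) to every route table listed here.
  DynamoDBEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway                 # DynamoDB uses gateway endpoints
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      VpcId: !Ref VPC
      RouteTableIds:
        - !Ref PublicRouteTable
        - !Ref Private0RouteTable
        - !Ref Private1RouteTable
        - !Ref Private2RouteTable
      # Endpoint policy: only the named table (and, as an assumption, its
      # secondary indexes) is reachable through this endpoint. Gateway
      # endpoint policies require Principal "*"; restrict callers with IAM
      # identity policies, not here.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowOnlyTestTable
            Effect: Allow
            Principal: '*'
            Action:
              - dynamodb:GetItem
              - dynamodb:BatchGetItem
              - dynamodb:Query
              - dynamodb:Scan
              - dynamodb:PutItem
              - dynamodb:UpdateItem
              - dynamodb:DeleteItem
              - dynamodb:BatchWriteItem
            Resource:
              - arn:aws:dynamodb:ap-southeast-2:123412341234:table/test
              - arn:aws:dynamodb:ap-southeast-2:123412341234:table/test/index/*

Outputs:
  EndpointId:
    Value: !Ref DynamoDBEndpoint
```

Two points worth checking after the stack deploys. First, `aws ec2 describe-route-tables` for any of the listed route tables should show a route whose destination is the DynamoDB prefix list and whose target is the new `vpce-` ID; if the route is missing, the subnets using that table will still reach DynamoDB over the public path (or not at all). Second, the endpoint policy only constrains traffic that goes through the endpoint: an instance that still has a NAT route can bypass it, so the restriction is only meaningful in subnets whose route tables have no other path to DynamoDB, or when the table's IAM policies additionally require the `aws:sourceVpce` condition key to match this endpoint.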

The AWS Policy Generator is a useful tool that can be used to generate the policies that you need.

With the CloudFormation template complete I executed the revised template, and the endpoint was created as expected.

Configuring DynamoDB VPC Endpoints with AWS CloudFormation was last modified: May 1st, 2017 by Shaun Ewing
