AWS VPC Endpoints 内网访问服务清单
概述
VPC Endpoints 允许VPC内的资源在不通过公网的情况下私密访问 AWS 服务,提高安全性并可能降低成本。并非所有AWS服务都提供这种访问方式,本文对支持VPC Endpoints 内网访问的服务/资源进行简单梳理。
AWS 服务 VPC Endpoints 支持列表
Gateway Endpoints (免费)
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon S3 | com.amazonaws.region.s3 |
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html |
| Amazon DynamoDB | com.amazonaws.region.dynamodb |
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-ddb.html |
Interface Endpoints (按小时计费)
计算服务
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon EC2 | com.amazonaws.region.ec2 |
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html |
| Amazon ECS | com.amazonaws.region.ecs |
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/vpc-endpoints.html |
| Amazon EKS | com.amazonaws.region.eks |
https://docs.aws.amazon.com/eks/latest/userguide/vpc-interface-endpoints.html |
| AWS Lambda | com.amazonaws.region.lambda |
https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-endpoints.html |
| AWS Batch | com.amazonaws.region.batch |
https://docs.aws.amazon.com/batch/latest/userguide/vpc-interface-endpoints.html |
存储服务
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon EBS | com.amazonaws.region.ebs |
https://docs.aws.amazon.com/ebs/latest/userguide/ebs-apis-vpc-endpoints.html |
| Amazon EFS | com.amazonaws.region.elasticfilesystem |
https://docs.aws.amazon.com/efs/latest/ug/efs-vpc-endpoints.html |
| Amazon FSx | com.amazonaws.region.fsx |
- |
| AWS Storage Gateway | com.amazonaws.region.storagegateway |
https://docs.aws.amazon.com/filegateway/latest/files3/create-vpc-endpoint.html |
数据库服务
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon RDS | com.amazonaws.region.rds |
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/vpc-interface-endpoints.html |
| Amazon DocumentDB | com.amazonaws.region.rds |
https://docs.aws.amazon.com/documentdb/latest/developerguide/docdb-private-link.html |
| Amazon ElastiCache | com.amazonaws.region.elasticache |
https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/elasticache-privatelink.html |
容器服务
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon ECR | com.amazonaws.region.ecr.apicom.amazonaws.region.ecr.dkr |
https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html |
| AWS App Runner | com.amazonaws.region.apprunner |
https://docs.aws.amazon.com/apprunner/latest/dg/security-vpce.html |
AI/ML 服务
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon Bedrock | com.amazonaws.region.bedrockcom.amazonaws.region.bedrock-runtime |
https://docs.aws.amazon.com/bedrock/latest/userguide/usingVPC.html |
| Amazon SageMaker | com.amazonaws.region.sagemaker.apicom.amazonaws.region.sagemaker.runtime |
https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html |
| Amazon Comprehend | com.amazonaws.region.comprehend |
https://docs.aws.amazon.com/comprehend/latest/dg/vpc-interface-endpoints.html |
| Amazon Rekognition | com.amazonaws.region.rekognition |
- |
监控和日志
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon CloudWatch | com.amazonaws.region.monitoring |
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html |
| CloudWatch Logs | com.amazonaws.region.logs |
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch-logs-and-interface-VPC.html |
| AWS X-Ray | com.amazonaws.region.xray |
- |
安全服务
| 服务 | Service Name | 文档链接 |
|---|---|---|
| AWS KMS | com.amazonaws.region.kms |
https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html |
| AWS Secrets Manager | com.amazonaws.region.secretsmanager |
https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html |
| AWS Systems Manager | com.amazonaws.region.ssm |
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html |
| AWS IAM | com.amazonaws.iam |
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_interface_vpc_endpoints.html |
开发工具
| 服务 | Service Name | 文档链接 |
|---|---|---|
| AWS CodeCommit | com.amazonaws.region.codecommit |
https://docs.aws.amazon.com/codecommit/latest/userguide/codecommit-and-interface-VPC.html |
| AWS CodeBuild | com.amazonaws.region.codebuild |
https://docs.aws.amazon.com/codebuild/latest/userguide/use-vpc-endpoints-with-codebuild.html |
| AWS CodeDeploy | com.amazonaws.region.codedeploy |
https://docs.aws.amazon.com/codedeploy/latest/userguide/vpc-endpoints.html |
| AWS CodePipeline | com.amazonaws.region.codepipeline |
https://docs.aws.amazon.com/codepipeline/latest/userguide/vpc-support.html |
分析服务
| 服务 | Service Name | 文档链接 |
|---|---|---|
| Amazon Athena | com.amazonaws.region.athena |
https://docs.aws.amazon.com/athena/latest/ug/interface-vpc-endpoint.html |
| AWS Glue | com.amazonaws.region.glue |
https://docs.aws.amazon.com/glue/latest/dg/vpc-interface-endpoints.html |
| Amazon EMR | com.amazonaws.region.elasticmapreduce |
https://docs.aws.amazon.com/emr/latest/ManagementGuide/interface-vpc-endpoint.html |
| Amazon Kinesis | com.amazonaws.region.kinesis-streams |
- |
重要提示
- Gateway Endpoints (S3, DynamoDB) 是免费的
- Interface Endpoints 按小时收费 + 数据处理费用
- 大多数服务只支持 Interface Endpoints
- 服务名称格式:
com.amazonaws.region.service-name - 某些服务需要多个 endpoints(如 ECR 需要 api 和 dkr 两个)
- 安全组必须允许 HTTPS (443) 流量
- 需要启用 VPC 的 DNS 解析和 DNS 主机名
配置示例:ECR 内网访问
必需的 VPC Endpoints
- ECR API Endpoint:
com.amazonaws.region.ecr.api - ECR Docker Endpoint:
com.amazonaws.region.ecr.dkr - S3 Gateway Endpoint:
com.amazonaws.region.s3(必需,ECR 使用 S3 存储镜像层)
重要的 S3 存储桶 ARN
arn:aws:s3:::prod-region-starport-layer-bucket/*查看可用的 VPC Endpoints
# 查看所有可用的 VPC Endpoint 服务
aws ec2 describe-vpc-endpoint-services --region us-west-2
# 查看特定服务的 VPC Endpoint
aws ec2 describe-vpc-endpoint-services --region us-west-2 --filters Name=service-name,Values=*ecr*
创建VPC Endpotints
# ECR API Endpoint
aws ec2 create-vpc-endpoint \
--vpc-id vpc-12345678 \
--service-name com.amazonaws.us-west-2.ecr.api \
--vpc-endpoint-type Interface \
--subnet-ids subnet-12345678 subnet-87654321 \
--security-group-ids sg-12345678
# ECR Docker Registry Endpoint
aws ec2 create-vpc-endpoint \
--vpc-id vpc-12345678 \
--service-name com.amazonaws.us-west-2.ecr.dkr \
--vpc-endpoint-type Interface \
--subnet-ids subnet-12345678 subnet-87654321 \
--security-group-ids sg-12345678
# S3 Gateway Endpoint
aws ec2 create-vpc-endpoint \
--vpc-id vpc-12345678 \
--service-name com.amazonaws.us-west-2.s3 \
--vpc-endpoint-type Gateway \
--route-table-ids rtb-12345678
验证内网访问
# 检查 ECR 是否使用内网
nslookup 123456789012.dkr.ecr.us-west-2.amazonaws.com
# 应该返回私有 IP 地址(10.x.x.x, 172.x.x.x, 或 192.168.x.x)
参考资料
官方文档
- VPC Endpoints 完整服务列表: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
- VPC Endpoints 概述: https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html
- 创建 Interface Endpoints: https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html
- Gateway Endpoints: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
- ECR VPC Endpoints 配置: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html
实践教程
- AWS 知识中心 - Fargate 私有子网: https://repost.aws/knowledge-center/ecs-fargate-tasks-private-subnet
- 私有 Fargate 部署实践: https://dev.to/danquack/private-fargate-deployment-with-vpc-endpoints-1h0p
- ECR Endpoints 错误解决: https://dev.to/dilusha_rasanjana/aws-ecr-with-endpoints-access-errors-4k5j
- VPC Endpoints 成本优化: https://www.kubeblogs.com/reduce-cost-and-improve-security-with-amazon-vpc-endpoints/
iX.
take it easy .
