Most production applications run inside a VPC, not least for security reasons: the instances sit in private subnets with no public IP and no direct route to the Internet.
But now let's imagine such an application calling S3 or another AWS service. Without a VPC endpoint, the request has to leave the VPC through an internet gateway or a NAT gateway and reach the service's public endpoint over the public Internet, even though both ends live in AWS. A VPC endpoint gives the VPC a private route to the service, so the traffic stays on the Amazon network and the instances need no Internet route at all.
If it sounds complicated, believe us it’s not.
First, we have to check that the service we want to reach is offered as a VPC endpoint in our region:
aws-vault exec cirrusup-prod -- aws ec2 describe-vpc-endpoint-services --region eu-west-1 | grep ServiceName
Then, if the service is listed, we can create the endpoint. S3 and DynamoDB use gateway endpoints, which are attached to route tables (other services use interface endpoints, which take subnet IDs and a security group instead). The example below creates a gateway endpoint for DynamoDB:
aws-vault exec cirrusup-prod -- aws ec2 create-vpc-endpoint --vpc-id vpc-12abc34d --service-name com.amazonaws.eu-west-1.dynamodb --route-table-ids rtb-7351160a
If you are not familiar with aws-vault, check this post. The CLI is not the only way to enable this feature; the AWS console works as well: open the VPC console and you will find the Endpoints section there. Whichever way you create it, remember that a new endpoint ships with a policy that allows full access to the service, so attach an endpoint policy that restricts it to the resources (for S3, the buckets) your application actually needs.
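The two steps above, plus a verification step and an endpoint policy, as one added shell script. This is example code written for this post, not the author's own tooling: it assumes the AWS CLI v2 and an authenticated session (set AWS_CMD="aws-vault exec <profile> -- aws" to go through aws-vault as in the commands above), and every VPC, route table, subnet, security group ID and the bucket name in it is a placeholder. It goes beyond the DynamoDB case on the page by also building the command for interface endpoints, which need subnets and a security group rather than route tables.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes AWS CLI v2 and an
# authenticated session; set AWS_CMD="aws-vault exec <profile> -- aws" to use
# aws-vault. All resource IDs and the bucket name below are placeholders.
set -eu

REGION="${REGION:-eu-west-1}"
AWS_CMD="${AWS_CMD:-aws}"

# Only S3 and DynamoDB offer gateway endpoints (attached to route tables).
# Everything else is an interface endpoint: an ENI in your subnets, guarded
# by a security group.
endpoint_type() {
  case "$1" in
    com.amazonaws.*.s3|com.amazonaws.*.dynamodb) echo Gateway ;;
    *) echo Interface ;;
  esac
}

# Step 1: confirm the service is offered as an endpoint in this region.
# Returns non-zero if the exact service name is not in the list.
check_service() {
  found="$($AWS_CMD ec2 describe-vpc-endpoint-services --region "$REGION" \
      --query "ServiceNames[?@=='$1'] | [0]" --output text)"
  [ "$found" = "$1" ]
}

# Endpoint policy restricting an S3 gateway endpoint to a single bucket.
# The default policy allows every bucket, including one an attacker controls,
# so tighten it. $1 is the bucket name.
s3_endpoint_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",
"Action":["s3:GetObject","s3:PutObject","s3:ListBucket"],
"Resource":["arn:aws:s3:::$1","arn:aws:s3:::$1/*"]}]}
EOF
}

# Step 2: build the create-vpc-endpoint command line.
#   Gateway:   build_create_cmd SERVICE VPC_ID "rtb-... rtb-..."
#   Interface: build_create_cmd SERVICE VPC_ID "subnet-... subnet-..." sg-...
# If POLICY_FILE is set, the policy in that file is attached to the endpoint.
build_create_cmd() {
  type="$(endpoint_type "$1")"
  cmd="$AWS_CMD ec2 create-vpc-endpoint --region $REGION --vpc-id $2"
  cmd="$cmd --service-name $1 --vpc-endpoint-type $type"
  if [ "$type" = Gateway ]; then
    cmd="$cmd --route-table-ids $3"
  else
    cmd="$cmd --subnet-ids $3 --security-group-ids $4 --private-dns-enabled"
  fi
  [ -z "${POLICY_FILE:-}" ] || cmd="$cmd --policy-document file://$POLICY_FILE"
  echo "$cmd"
}

# Step 3: verify the endpoint exists and reached the "available" state.
show_endpoint() {
  $AWS_CMD ec2 describe-vpc-endpoints --region "$REGION" \
    --filters "Name=service-name,Values=$1" "Name=vpc-id,Values=$2" \
    --query 'VpcEndpoints[].[VpcEndpointId,VpcEndpointType,State]' --output table
}

# Usage: sh vpc-endpoint.sh run SERVICE VPC_ID "ID-LIST" [SG_ID]
# e.g.   sh vpc-endpoint.sh run com.amazonaws.eu-west-1.dynamodb vpc-12abc34d rtb-7351160a
if [ "${1:-}" = run ]; then
  shift
  check_service "$1" || { echo "no endpoint offering for $1 in $REGION" >&2; exit 1; }
  case "$1" in
    com.amazonaws.*.s3)
      POLICY_FILE=endpoint-policy.json
      s3_endpoint_policy my-app-bucket > "$POLICY_FILE" ;;   # placeholder bucket
  esac
  cmd="$(build_create_cmd "$@")"
  echo "+ $cmd"
  eval "$cmd"      # arguments are resource IDs taken from describe calls, not user input
  show_endpoint "$1" "$2"
fi
```

Run it with `run` and the DynamoDB arguments from the post to reproduce the command above; pass an interface service such as `com.amazonaws.eu-west-1.sqs` with subnets and a security group to see the interface form instead. For S3 the script attaches the single-bucket policy, which is the part most teams forget.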