
GovCloud does not support centralized endpoint VPCs ?

0

Hi all, I'm trying to create a centralized endpoint VPC in my GovCloud Network account. I set up my Landing Zone in US GovCloud using the LZA solution - https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/. I encountered the following error.

Central endpoints VPC configured in an unsupported region. Central endpoint VPC regions configured: us-gov-east-1

The following is part of my network-config.yaml file. I used the same language as shown in the sample code - https://github.com/sonichongtpgsi/landing-zone-accelerator-on-aws/blob/main/reference/sample-configurations/lza-sample-config-healthcare/network-config.yaml:

```yaml
vpcs:
  - name: Network-Endpoints
    account: Network-Prod
    region: *HOME_REGION
    ...
    interfaceEndpoints:
      central: true
      defaultPolicy: Default
      subnets:
        - Network-Endpoints-A
        - Network-Endpoints-B
      endpoints:
        - service: ec2
        - service: ec2messages
        - service: ssm
    ...
  - name: Network-Prod
    ...
    useCentralEndpoints: true
    ...
```

My questions are twofold:

  1. Does it mean LZA solution does not support centralized endpoint VPCs in GovCloud?
  2. Or does it mean GovCloud does not support the centralized endpoint VPC in general due to the limitation of endpoints or Private Hosted Zones?

Thanks.
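A pre-flight check for the situation in this question, added here as an example (not part of the original post or of the LZA project): it walks the parsed `vpcs` list, flags any VPC with `interfaceEndpoints.central: true` whose region is in the GovCloud partition (reproducing the error text quoted above), and also flags a consumer VPC that sets `useCentralEndpoints: true` without a central endpoints VPC in its own region. The sample config is a constructed, already-parsed copy of the snippet above, with `*HOME_REGION` assumed to resolve to `us-gov-east-1`; the `us-gov-` prefix rule is an assumption drawn from the reported error, not a list taken from LZA's source.

```python
"""Lint central endpoint settings in a parsed LZA network-config.yaml."""
import copy
from typing import Any

# Assumption: LZA rejects a central endpoints VPC anywhere in GovCloud.
UNSUPPORTED_CENTRAL_PREFIXES = ("us-gov-",)

# Constructed sample mirroring the question's config after YAML parsing;
# the *HOME_REGION alias is assumed to resolve to us-gov-east-1.
SAMPLE_CONFIG: dict[str, Any] = {
    "vpcs": [
        {
            "name": "Network-Endpoints",
            "account": "Network-Prod",
            "region": "us-gov-east-1",
            "interfaceEndpoints": {
                "central": True,
                "defaultPolicy": "Default",
                "subnets": ["Network-Endpoints-A", "Network-Endpoints-B"],
                "endpoints": [{"service": "ec2"}, {"service": "ec2messages"}, {"service": "ssm"}],
            },
        },
        {"name": "Network-Prod", "account": "Network-Prod",
         "region": "us-gov-east-1", "useCentralEndpoints": True},
    ]
}


def central_endpoint_regions(config: dict[str, Any]) -> list[str]:
    """Regions that host a VPC declared with interfaceEndpoints.central: true."""
    return sorted({v["region"] for v in config.get("vpcs", [])
                   if v.get("interfaceEndpoints", {}).get("central")})


def validate_central_endpoints(config: dict[str, Any]) -> list[str]:
    """Return findings as strings; an empty list means the config is clean."""
    findings: list[str] = []
    central = central_endpoint_regions(config)
    bad = [r for r in central if r.startswith(UNSUPPORTED_CENTRAL_PREFIXES)]
    if bad:  # same wording as the LZA error quoted in the question
        findings.append("Central endpoints VPC configured in an unsupported region. "
                        f"Central endpoint VPC regions configured: {', '.join(bad)}")
    for v in config.get("vpcs", []):  # consumers need a hub in the same region
        if v.get("useCentralEndpoints") and v["region"] not in central:
            findings.append(f"VPC {v['name']} sets useCentralEndpoints but no "
                            f"central endpoints VPC exists in {v['region']}")
    return findings


def with_region(config: dict[str, Any], region: str) -> dict[str, Any]:
    """Copy of config with every VPC moved to region (for what-if checks)."""
    out = copy.deepcopy(config)
    for v in out.get("vpcs", []):
        v["region"] = region
    return out
```

Running `validate_central_endpoints(with_region(SAMPLE_CONFIG, "us-east-1"))` shows the same layout passes in a commercial region, which is the distinction the accepted answer draws.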

2 Answers
0
Accepted Answer

Unfortunately, GovCloud does not support centralized VPC endpoints at present; hence LZA does not support it.

AWS
answered a year ago
  • Thank you so much, @Lijan Kuniyil !!!

-1

Since GovCloud does not support centralized VPC endpoints, you can consider the following alternatives:

Create Individual VPC Endpoints: Set up the required VPC endpoints individually in each VPC. Although this increases overhead, it is the most straightforward way to manage GovCloud’s limitations.

Use Site-to-Site VPN: Configure a Site-to-Site VPN for inter-VPC connectivity, allowing communication between VPCs.

Leverage AWS Direct Connect: Use Direct Connect to establish a dedicated network connection from your on-premises network to AWS GovCloud, which offers security and performance benefits.

Use Transit Gateway: Set up Transit Gateway for centralized management of VPC connectivity, allowing various VPCs to communicate and enabling a manageable network topology.

Resource Allocation for Access Control: Create resources specific to API allocations for controlled access, which enhances security.

VPC Endpoint Services (AWS PrivateLink): Allow service providers to configure their services as VPC endpoints accessible by VPCs in other AWS accounts.

Region-Specific Endpoints: Utilize specific VPC endpoints available in each GovCloud region (e.g., US-West and US-East).

By combining these options, you can maintain compliance with GovCloud's security regulations and create an efficient operational setup. Consider the pros and cons of each solution to determine the best fit for your use case.

answered a year ago
  • Thanks for the reply, @SanghoLEE. But what you mentioned seems the same as the general approach to creating centralized VPC endpoints. If so, what is preventing the creation of centralized VPC endpoints in GovCloud, and how does your solution resolve that?
