Control plane access through AWS PrivateLink
Amazon OpenSearch Serverless supports two types of AWS PrivateLink connections for control plane and data plane operations. Control plane operations include the creation and deletion of collections and the management of access policies. Data plane operations are for indexing and querying data within a collection. This page covers the control plane AWS PrivateLink endpoint. For information about data plane VPC endpoints, see Data plane access through AWS PrivateLink.
Creating a control plane AWS PrivateLink endpoint
You can improve the security posture of your VPC by configuring OpenSearch Serverless to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink. This technology enables you to privately access OpenSearch Serverless APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
For more information about AWS PrivateLink and VPC endpoints, see VPC endpoints in the Amazon VPC User Guide.
Considerations
- VPC endpoints are supported within the same Region only.
- VPC endpoints only support Amazon-provided DNS through Amazon Route 53.
- VPC endpoints support endpoint policies to control access to OpenSearch Serverless Collections, Policies, and VpcEndpoints.
- OpenSearch Serverless supports interface endpoints only. Gateway endpoints are not supported.
Creating the VPC endpoint
To create the control plane VPC endpoint for Amazon OpenSearch Serverless, use the Access an AWS service using an interface VPC endpoint procedure in the Amazon VPC Developer Guide. Create the following endpoint:
- com.amazonaws.region.aoss
To create a control plane VPC endpoint using the console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Endpoints.
- Choose Create Endpoint.
- For Service category, choose AWS services.
- For Services, choose com.amazonaws.region.aoss. For example, com.amazonaws.us-east-1.aoss.
- For VPC, choose the VPC in which to create the endpoint.
- For Subnets, choose the subnets (Availability Zones) in which to create the endpoint network interfaces.
- For Security groups, choose the security groups to associate with the endpoint network interfaces. Ensure HTTPS (port 443) is allowed.
- For Policy, choose Full access to allow all operations, or choose Custom to attach a custom policy.
- Choose Create endpoint.
Creating an endpoint policy
You can attach an endpoint policy to your VPC endpoint that controls access to Amazon OpenSearch Serverless. The policy specifies the following information:
- The principal that can perform actions.
- The actions that can be performed.
- The resources on which actions can be performed.
For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.
Example VPC endpoint policy for OpenSearch Serverless
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "aoss:ListCollections",
        "aoss:BatchGetCollection"
      ],
      "Resource": "*"
    }
  ]
}
Example Restrictive policy allowing only list operations
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "aoss:ListCollections",
      "Resource": "*"
    }
  ]
}
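The following added example (not part of the AWS documentation) ties the endpoint creation steps and the endpoint policy section together: it builds the com.amazonaws.region.aoss service name, assembles a restrictive endpoint policy, produces the keyword arguments a boto3 ec2.create_vpc_endpoint call would take, and evaluates offline which aoss actions a policy lets through. The policy evaluator is a simplified model (Allow/Deny with action wildcards only, Principal and Resource fixed to "*"), and the region, VPC, subnet and security group IDs are constructed placeholders.

```python
"""Added example: control plane PrivateLink endpoint request plus a simplified
endpoint-policy evaluator. Not AWS code; IDs below are constructed samples."""
import fnmatch
import json


def control_plane_service_name(region: str) -> str:
    """Service name of the control plane endpoint, e.g. com.amazonaws.us-east-1.aoss."""
    return f"com.amazonaws.{region}.aoss"


def endpoint_policy(actions):
    """Endpoint policy that allows only the listed aoss control plane actions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": list(actions), "Resource": "*"}]}


def is_action_allowed(policy, action: str) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow.
    Only Action matching (with IAM-style * wildcards) is modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in acts):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def create_endpoint_request(region, vpc_id, subnet_ids, sg_ids, policy):
    """Keyword arguments for boto3 ec2.create_vpc_endpoint: interface type, the
    aoss service, the chosen subnets and security groups (which must allow 443),
    and the endpoint policy as a JSON document."""
    return {"VpcEndpointType": "Interface",
            "ServiceName": control_plane_service_name(region),
            "VpcId": vpc_id, "SubnetIds": list(subnet_ids),
            "SecurityGroupIds": list(sg_ids), "PrivateDnsEnabled": True,
            "PolicyDocument": json.dumps(policy)}


if __name__ == "__main__":
    # Constructed sample: least-privilege policy allowing only list operations.
    policy = endpoint_policy(["aoss:ListCollections"])
    req = create_endpoint_request("us-east-1", "vpc-EXAMPLE", ["subnet-EXAMPLE-a"],
                                  ["sg-EXAMPLE"], policy)
    print(req["ServiceName"])  # com.amazonaws.us-east-1.aoss
    print(is_action_allowed(policy, "aoss:ListCollections"))   # True
    print(is_action_allowed(policy, "aoss:CreateCollection"))  # False
```

Pass the returned dictionary to a boto3 EC2 client with `client.create_vpc_endpoint(**req)`; the PrivateDnsEnabled flag corresponds to the Amazon-provided DNS requirement noted under Considerations.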