

# Using Elastic Beanstalk with Amazon VPC
<a name="vpc"></a>

This topic explains the benefits of running Elastic Beanstalk environments in an Amazon VPC and the different network layouts you can implement.

You can use an [Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/) (Amazon VPC) to create a secure network for your Elastic Beanstalk application and related AWS resources. When you create your environment, you choose which VPC, subnets, and security groups are used for your application instances and load balancer. You can use any VPC configuration that you like as long as it meets the following requirements.

**VPC requirements**
+ **Internet Access** – Instances can have access to the internet through one of the following methods:
  + **Public Subnet** – Instances have a public IP address and use an internet gateway to access the internet.
  + **Private Subnet** – Instances use a NAT device to access the internet.
**Note**  
If you configure [VPC endpoints](vpc-vpce.md) in your VPC to connect to both the `elasticbeanstalk` and `elasticbeanstalk-health` services, internet access is optional, and is only required if your application specifically needs it. Without VPC endpoints, your VPC must have access to the internet.  
The default VPC that Elastic Beanstalk sets up for you provides internet access.

  Elastic Beanstalk doesn't support proxy settings like `HTTPS_PROXY` for configuring a web proxy.
+ **NTP** – Instances in your Elastic Beanstalk environment use Network Time Protocol (NTP) to synchronize the system clock. If instances can't reach an NTP server on UDP port 123, the clock drifts, which breaks Elastic Beanstalk health reporting and can cause signed AWS API requests from the instance to be rejected. Security groups are stateful, so an outbound rule for UDP port 123 is enough; network ACLs are stateless, so they must allow both the outbound request to port 123 and the inbound reply.

The [elastic-beanstalk-samples](https://github.com/awsdocs/elastic-beanstalk-samples/) repository provides CloudFormation templates that you can use to create a VPC for use with your Elastic Beanstalk environments.

**To create resources with a CloudFormation template**

1. Clone the samples repository or download a template using the links in the [README](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/cfn-templates/README.md).

1. Open the [CloudFormation console](https://console.aws.amazon.com/cloudformation/home).

1. Choose **Create stack**.

1. Choose **Upload a template to Amazon S3**.

1. Choose **Upload file** and upload the template file from your local machine.

1. Choose **Next** and follow the instructions to create a stack with the resources in the template.

When stack creation completes, check the **Outputs** tab to find the VPC ID and subnet IDs. Use these to configure the VPC in the new environment wizard [network configuration category](environments-create-wizard.md#environments-create-wizard-network).

**Topics**
+ [Public VPC](#services-vpc-public)
+ [Public/private VPC](#services-vpc-privatepublic)
+ [Private VPC](#services-vpc-private)
+ [Example: Launching an Elastic Beanstalk application in a VPC with bastion hosts](vpc-bastion-host.md)
+ [Example: Launching an Elastic Beanstalk application in a VPC with Amazon RDS](vpc-rds.md)
+ [Using Elastic Beanstalk with VPC endpoints](vpc-vpce.md)
+ [Using endpoint policies to control access with VPC endpoints](vpc-vpce.policy.md)

## Public VPC
<a name="services-vpc-public"></a>

**CloudFormation template** – [vpc-public.yaml](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/cfn-templates/vpc-public.yaml)

**Settings (load balanced)**
+ **Load balancer visibility** – Public
+ **Load balancer subnets** – Both public subnets
+ **Instance public IP** – Enabled
+ **Instance subnets** – Both public subnets
+ **Instance security groups** – Add the default security group

**Settings (single instance)**
+ **Instance subnets** – One of the public subnets
+ **Instance security groups** – Add the default security group

A basic *public-only* VPC layout includes one or more public subnets, an internet gateway, and a default security group that allows traffic between resources in the VPC. When you create an environment in the VPC, Elastic Beanstalk creates additional resources that vary depending on the environment type.

**VPC resources**
+ **Single instance** – Elastic Beanstalk creates a security group for the application instance that allows traffic on port 80 from the internet, and assigns the instance an Elastic IP to give it a public IP address. The environment's domain name resolves to the instance's public IP address.
+ **Load balanced** – Elastic Beanstalk creates a security group for the load balancer that allows traffic on port 80 from the internet, and a security group for the application instances that allows traffic from the load balancer's security group. The environment's domain name resolves to the load balancer's public domain name.

This is similar to the way that Elastic Beanstalk manages networking when you use the default VPC. Security in a public subnet depends on the load balancer and instance security groups created by Elastic Beanstalk. It is the least expensive configuration as it does not require a NAT Gateway.

## Public/private VPC
<a name="services-vpc-privatepublic"></a>

**CloudFormation template** – [vpc-privatepublic.yaml](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/cfn-templates/vpc-privatepublic.yaml)

**Settings (load balanced)**
+ **Load balancer visibility** – Public
+ **Load balancer subnets** – Both public subnets
+ **Instance public IP** – Disabled
+ **Instance subnets** – Both private subnets
+ **Instance security groups** – Add the default security group

For additional security, add private subnets to your VPC to create a *public-private* layout. This layout places the load balancer and a NAT gateway in the public subnets and lets you run your application instances, database, and any other resources in private subnets. Instances in private subnets have no public IP address: inbound traffic reaches them only through the load balancer, and outbound traffic to the internet leaves only through the NAT gateway.

## Private VPC
<a name="services-vpc-private"></a>

**CloudFormation template** – [vpc-private.yaml](https://github.com/awsdocs/elastic-beanstalk-samples/tree/main/cfn-templates/vpc-private.yaml)

**Settings (load balanced)**
+ **Load balancer visibility** – Private
+ **Load balancer subnets** – Both private subnets
+ **Instance public IP** – Disabled
+ **Instance subnets** – Both private subnets
+ **Instance security groups** – Add the default security group

For internal applications that shouldn't be reachable from the internet, you can run everything in private subnets and configure the load balancer to be internal (set **Load balancer visibility** to **Private**; the equivalent `aws:ec2:vpc` option is `ELBScheme` with the value `internal`). This template creates a VPC with no public subnets and no internet gateway, so instances can't reach the internet at all and AWS services must be reached through VPC endpoints, as described in the next section. Use this layout for applications that should only be accessible from the same VPC or an attached VPN.

### Running an Elastic Beanstalk environment in a private VPC
<a name="services-vpc-private-beanstalk"></a>

When you create your Elastic Beanstalk environment in a private VPC, the environment doesn't have access to the internet, but it still needs to reach the Elastic Beanstalk service and possibly other services. If your environment uses enhanced health reporting, the environment instances send health information to the enhanced health service. Elastic Beanstalk code on the environment instances also sends traffic to other AWS services, and to non-AWS endpoints (for example, to download dependency packages for your application). Here are some steps you might need to take to ensure that your environment works properly.
+ *Configure VPC endpoints for Elastic Beanstalk* – Elastic Beanstalk and its enhanced health service support VPC endpoints, which ensure that traffic to these services stays inside the Amazon network and doesn't require internet access. For more information, see [Using Elastic Beanstalk with VPC endpoints](vpc-vpce.md).
+ *Configure VPC endpoints for additional services* – Elastic Beanstalk instances send traffic to several other AWS services on your behalf: Amazon Simple Storage Service (Amazon S3), Amazon Simple Queue Service (Amazon SQS), AWS CloudFormation, and Amazon CloudWatch Logs. You must configure VPC endpoints for these services too. For detailed information about VPC endpoints, including per-service links, see [VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) in the *Amazon VPC User Guide*.
**Note**  
Some AWS services, including Elastic Beanstalk, support VPC endpoints in a limited number of AWS Regions. When you design your private VPC solution, verify that Elastic Beanstalk and the other dependent services mentioned here support VPC endpoints in the AWS Region that you choose.
+ *Provide a private Docker image* – In a [Docker](create_deploy_docker.md) environment, code on the environment's instances might try to pull your configured Docker image from the internet during environment creation and fail. To avoid this failure, [build a custom Docker image](single-container-docker-configuration.md#single-container-docker-configuration.dockerfile) on your environment, or use a Docker image stored in [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/) (Amazon ECR) and [configure a VPC endpoint for the Amazon ECR service](https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html).
+ *Enable DNS names* – Elastic Beanstalk code on environment instances sends traffic to all AWS services using their public endpoints. To ensure that this traffic goes through, choose the **Enable DNS name** option when you configure all interface VPC endpoints. This adds a DNS entry in your VPC that maps the public service endpoint to the interface VPC endpoint.
**Important**  
If your VPC isn't private and has public internet access, and if **Enable DNS name** is disabled for any VPC endpoint, traffic to the respective service travels through the public internet. This is probably not what you intend. It's easy to detect this issue with a private VPC, because it prevents this traffic from going through and you receive errors. However, with a public facing VPC, you get no indication.
+ *Include application dependencies* – If your application has dependencies such as language runtime packages, it might try to download and install them from the internet during environment creation and fail. To avoid this failure, include all dependency packages in your application's source bundle.
+ *Use a current platform version* – Be sure that your environment uses a platform version that was released on February 24, 2020 or later. Specifically, use a platform version that was released in or after one of these two updates: [Linux Update 2020-02-28](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2020-02-28-linux.html), [Windows Update 2020-02-24](https://docs.aws.amazon.com/elasticbeanstalk/latest/relnotes/release-2020-02-24-windows.html).
**Note**  
The reason for needing an updated platform version is that older versions had an issue that would prevent DNS entries created by the **Enable DNS name** option from working properly for Amazon SQS.
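The endpoint set that the steps above call for, expressed as a CloudFormation template in the same style as the samples repository. This is an added example, not one of the awsdocs templates: the VPC, subnet and route table IDs are parameters you supply, and the `10.0.0.0/16` default for `VpcCidr` is an assumption.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  VPC endpoints for an Elastic Beanstalk environment in a private VPC. Added
  example, not an awsdocs sample template. VPC, subnet and route table IDs are
  supplied as parameters; the default VpcCidr is an assumption.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  VpcCidr:
    Type: String
    Default: 10.0.0.0/16               # assumed; only this range may reach the endpoints
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # one private subnet per Availability Zone
  PrivateRouteTableIds:
    Type: CommaDelimitedList           # route tables of those subnets (S3 gateway endpoint)

Resources:
  # Interface endpoints are ENIs inside your subnets. This group is the only
  # filter in front of them, so allow HTTPS from the VPC CIDR and nothing else.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the VPC to AWS service interface endpoints
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref VpcCidr

  # PrivateDnsEnabled is the template equivalent of the console's "Enable DNS
  # name" option: it makes elasticbeanstalk.<region>.amazonaws.com resolve to
  # the endpoint's private IPs inside the VPC. The VPC itself must have
  # enableDnsSupport and enableDnsHostnames set to true for this to work.
  ElasticBeanstalkEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.elasticbeanstalk'
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true

  # healthd on the instances reports enhanced health to this separate service.
  EnhancedHealthEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.elasticbeanstalk-health'
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true

  # Elastic Beanstalk code on the instances also talks to SQS, CloudFormation
  # and CloudWatch Logs on your behalf.
  SqsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.sqs'
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true

  CloudFormationEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.cloudformation'
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true

  LogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.logs'
      VpcId: !Ref VpcId
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EndpointSecurityGroup]
      PrivateDnsEnabled: true

  # S3 is a gateway endpoint: a prefix-list route in the private route tables
  # rather than an ENI, so it needs no security group and no private DNS.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub 'com.amazonaws.${AWS::Region}.s3'
      VpcId: !Ref VpcId
      RouteTableIds: !Ref PrivateRouteTableIds
```

Docker platforms additionally need `ecr.api` and `ecr.dkr` interface endpoints (same pattern as above) together with the S3 gateway endpoint, which serves image layers. The instance security group must allow outbound TCP 443; the default outbound rule does. To confirm that private DNS is in effect, resolve `elasticbeanstalk.<region>.amazonaws.com` from an environment instance: the answers should be addresses inside `VpcCidr`, not public IPs.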

# Example: Launching an Elastic Beanstalk application in a VPC with bastion hosts
<a name="vpc-bastion-host"></a>

This section explains how to deploy an Elastic Beanstalk application inside a VPC using a bastion host and why you would implement this topology.

If your Amazon EC2 instances are located inside a private subnet, you can't connect to them directly from the internet. To connect to your instances, you can set up bastion servers in the public subnet to act as proxies. For example, you can set up SSH port forwarders or RDP gateways in the public subnet to proxy the traffic going to your database servers from your own network. This section provides an example of how to create a VPC with a private and public subnet. The instances are located inside the private subnet, and the bastion host, NAT gateway, and load balancer are located inside the public subnet. Your infrastructure will look similar to the following diagram.

![\[Diagram of Elastic Beanstalk and VPC topology with bastion host.\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/aeb-vpc-bastion-topo-ngw.png)


To deploy an Elastic Beanstalk application inside a VPC using a bastion host, complete the steps described in the following subsections.

**Topics**
+ [Create a VPC with a public and private subnet](#vpc-bastion-host-create)
+ [Create and configure the bastion host security group](#vpc-bastion-create-host-sg)
+ [Update the instance security group](#vpc-bastion-update-instance-sg)
+ [Create a bastion host](#vpc-bastion-host-launch)

## Create a VPC with a public and private subnet
<a name="vpc-bastion-host-create"></a>

Complete all of the procedures in [Public/private VPC](vpc.md#services-vpc-privatepublic). When deploying the application, you must specify an Amazon EC2 key pair for the instances so you can connect to them remotely. For more information about how to specify the instance key pair, see [The Amazon EC2 instances for your Elastic Beanstalk environment](using-features.managing.ec2.md).

## Create and configure the bastion host security group
<a name="vpc-bastion-create-host-sg"></a>

Create a security group for the bastion host, and add rules that allow inbound SSH (or RDP) traffic from your own network and outbound SSH (or RDP) traffic to the private subnet that contains the Amazon EC2 instances. Restrict the inbound source to the CIDR range of the networks you administer from rather than `0.0.0.0/0`: the bastion host is the only internet-exposed path to your private instances.

**To create the bastion host security group**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Security Groups**.

1. Choose **Create Security Group**.

1. In the **Create Security Group** dialog box, enter the following and choose **Yes, Create**.  
**Name tag** (Optional)  
Enter a name tag for the security group.  
**Group name**  
Enter the name of the security group.  
**Description**  
Enter a description for the security group.  
**VPC**  
Select your VPC.

   The security group is created and appears on the **Security Groups** page. Notice that it has an ID (e.g., `sg-xxxxxxxx`). You might have to turn on the **Group ID** column by clicking **Show/Hide** in the top right corner of the page.

**To configure the bastion host security group**

1. In the list of security groups, select the check box for the security group you just created for your bastion host.

1. On the **Inbound Rules** tab, choose **Edit**.

1. If needed, choose **Add another rule**.

1. If your bastion host is a Linux instance, under **Type**, select **SSH**.

   If your bastion host is a Windows instance, under **Type**, select **RDP**.

1. Enter the desired source CIDR range in the **Source** field and choose **Save**.  
![\[Bastion host security group\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/vpc-bh-sg-inbound.png)

1. On the **Outbound Rules** tab, choose **Edit**.

1. If needed, choose **Add another rule**.

1. Under **Type**, select the type that you specified for the inbound rule.

1. In the **Destination** field, enter the CIDR range of the VPC's private subnet that contains the hosts.

   To find it:

   1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

   1. In the navigation pane, choose **Subnets**.

   1. Note the value under **IPv4 CIDR** for each **Availability Zone** in which you have hosts that you want the bastion host to bridge to.
**Note**  
If you have hosts in multiple availability zones, create an outbound rule for each one of these availability zones.  
![\[VPC subnets\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/vpc-subnets.png)

1. Choose **Save**.

## Update the instance security group
<a name="vpc-bastion-update-instance-sg"></a>

By default, the security group you created for your instances does not allow incoming traffic. While Elastic Beanstalk will modify the default group for the instances to allow SSH traffic, it does not add an RDP rule, so you must modify your custom instance security group to allow RDP traffic if your instances are Windows instances. Use the bastion host's security group ID as the source rather than a CIDR range, so that only the bastion host can open administrative connections to the instances.

**To update the instance security group for RDP**

1. In the list of security groups, select the check box for the instance security group.

1. On the **Inbound** tab, choose **Edit**.

1. If needed, choose **Add another rule**.

1. Enter the following values, and choose **Save**.   
**Type**  
`RDP`  
**Protocol**  
`TCP`  
**Port Range**  
`3389`  
**Source**  
Enter the ID of the bastion host security group (e.g., `sg-8a6f71e8`) and choose **Save**.
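The two security groups from the procedures above, as an added CloudFormation template (not from the awsdocs samples). It assumes a Linux bastion on port 22 by default, private subnets in exactly two Availability Zones, and an existing custom instance security group whose ID you pass in; `AdminCidr` is whatever address range you administer from.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Bastion host security group plus the matching admin-port rule on the Elastic
  Beanstalk instance security group. Added example, not an awsdocs template.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AdminCidr:
    Type: String
    Description: Range you administer from (office or VPN egress). Never 0.0.0.0/0.
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
  PrivateSubnetCidrs:
    Type: CommaDelimitedList            # assumed: two private subnets, one per AZ
  InstanceSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id   # the custom instance group from the steps above
  AdminPort:
    Type: Number
    Default: 22                         # 22 for a Linux bastion (SSH), 3389 for Windows (RDP)

Resources:
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bastion host; admin port open to AdminCidr only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref AdminPort
          ToPort: !Ref AdminPort
          CidrIp: !Ref AdminCidr
      # Declaring SecurityGroupEgress replaces the default allow-all outbound
      # rule, so the bastion can only open the admin port into the private
      # subnets: one rule per Availability Zone, as in the console steps.
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: !Ref AdminPort
          ToPort: !Ref AdminPort
          CidrIp: !Select [0, !Ref PrivateSubnetCidrs]
        - IpProtocol: tcp
          FromPort: !Ref AdminPort
          ToPort: !Ref AdminPort
          CidrIp: !Select [1, !Ref PrivateSubnetCidrs]

  # Instance side: the source is the bastion's security group ID rather than a
  # CIDR, so only connections originating from the bastion are accepted, even
  # if its IP address changes.
  InstanceAdminIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroupId
      IpProtocol: tcp
      FromPort: !Ref AdminPort
      ToPort: !Ref AdminPort
      SourceSecurityGroupId: !Ref BastionSecurityGroup

Outputs:
  BastionSecurityGroupId:
    Description: Attach this group to the bastion EC2 instance in the public subnet
    Value: !Ref BastionSecurityGroup
```

If your instances run in more than two Availability Zones, add one more `!Select` egress entry per private subnet. Because the template replaces the bastion's default outbound rule, the bastion cannot fetch OS updates; add an outbound TCP 443 rule if it must, or patch it by replacing the instance from an updated AMI.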

## Create a bastion host
<a name="vpc-bastion-host-launch"></a>

To create a bastion host, you launch an Amazon EC2 instance in your public subnet that will act as the bastion host.

For more information about setting up a bastion host for Windows instances in the private subnet, see [ Controlling Network Access to EC2 Instances Using a Bastion Server ](https://aws.amazon.com/blogs/security/controlling-network-access-to-ec2-instances-using-a-bastion-server/).

For more information about setting up a bastion host for Linux instances in the private subnet, see [ Securely Connect to Linux Instances Running in a Private Amazon VPC ](https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/).

# Example: Launching an Elastic Beanstalk application in a VPC with Amazon RDS
<a name="vpc-rds"></a>

This section walks you through the tasks to deploy an Elastic Beanstalk application with Amazon RDS in a VPC using a NAT gateway.

Your infrastructure will look similar to the following diagram.

![\[Diagram of Elastic Beanstalk and VPC topology with Amazon RDS.\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/aeb-vpc-rds-topo-ngw.png)


**Note**  
If you haven't used a DB instance with your application before, try [adding one to a test environment](using-features.managing.db.md), and [connecting to an external DB instance](AWSHowTo.RDS.md) before adding a VPC configuration to the mix.

## Create a VPC with a public and private subnet
<a name="vpc-rds-create"></a>

You can use the [Amazon VPC console](https://console.aws.amazon.com/vpc/) to create a VPC. 

**To create a VPC**

1. Sign in to the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **VPC Dashboard**. Then choose **Create VPC**.

1. Choose **VPC with Public and Private Subnets**, and then choose **Select**.  
![\[Choose VPC with Public and Private Subnets, then choose Select.\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/Case2_Wizard_Page2.png)

1. Your load balancer must have a subnet in every Availability Zone where your Amazon EC2 instances run; otherwise it can't route traffic to the instances in that zone. Choose the same Availability Zone from each **Availability Zone** list.  
![\[Choose the same Availability Zones for your private and public subnets.\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/Case2_Wizard_Confirmation2.png)

1. Choose an Elastic IP address for your NAT gateway.

1. Choose **Create VPC**.

   The wizard begins to create your VPC, subnets, and internet gateway. It also updates the main route table and creates a custom route table. Finally, the wizard creates a NAT gateway in the public subnet.
**Note**  
You can choose to launch a NAT instance in the public subnet instead of a NAT gateway. For more information, see [Scenario 2: VPC with Public and Private Subnets (NAT)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) in the *Amazon VPC User Guide*.

1. After the VPC is successfully created, you get a VPC ID. You need this value for the next step. To view your VPC ID, choose **Your VPCs** in the left pane of the [Amazon VPC console](https://console.aws.amazon.com/vpc/).  
![\[The Amazon VPC console displays your VPC ID.\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/aeb-vpc-id.png)

## Create a DB subnet group
<a name="vpc-rds-subnet"></a>

A DB subnet group for a VPC is a collection of subnets (typically private) that you can designate for your backend RDS DB instances. Each DB subnet group must have subnets in at least two Availability Zones in the AWS Region. To learn more, see [Creating a Subnet in Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet).

**Create a DB subnet group**

1. Open the [Amazon RDS console](https://console.aws.amazon.com/rds/).

1. In the navigation pane, choose **Subnet groups**.

1. Choose **Create DB Subnet Group**.

1. Choose **Name**, and then type the name of your DB subnet group.

1. Choose **Description**, and then describe your DB subnet group.

1. For **VPC**, choose the ID of the VPC that you created.

1. In **Add subnets**, choose **Add all the subnets related to this VPC**.  
![\[Add all the subnets related to your VPC.\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/aeb-vpc-rds-addsubnets.png)

1. When you are finished, choose **Create**.

   Your new DB subnet group appears in the Subnet groups list of the Amazon RDS console. You can choose it to see details, such as all of the subnets associated with this group, in the details pane at the bottom of the page.

## Deploy to Elastic Beanstalk
<a name="vpc-rds-create-env"></a>

After you set up your VPC, you can create your environment inside it and deploy your application to Elastic Beanstalk. If you use the Elastic Beanstalk console, you upload your `.war` or `.zip` file and select the VPC settings in the wizard; Elastic Beanstalk then creates your environment inside your VPC and deploys your application. If you use the AWS toolkits, AWS CLI, EB CLI, or Elastic Beanstalk API, you define your VPC option settings in a configuration file and deploy that file with your source bundle. This topic provides instructions for both methods.

### Deploying with the Elastic Beanstalk console
<a name="vpc-rds-new-console"></a>

The Elastic Beanstalk console walks you through creating your new environment inside your VPC. You need to provide a `.war` file (for Java applications) or a `.zip` file (for all other applications). On the **VPC Configuration** page of the Elastic Beanstalk environment wizard, you must make the following selections:

**VPC**  
Select your VPC.

**VPC security group**  
Select the instance security group you created above.

**ELB visibility**  
Select `External` if your load balancer should be publicly available, or select `Internal` if the load balancer should be available only within your VPC.

Select the subnets for your load balancer and EC2 instances. Be sure you select the public subnet for the load balancer, and the private subnet for your Amazon EC2 instances. By default, the VPC creation wizard creates the public subnet in `10.0.0.0/24` and the private subnet in `10.0.1.0/24`.

You can view your subnet IDs by choosing **Subnets** in the [Amazon VPC console](https://console.aws.amazon.com/vpc/).

![\[Subnet IDs for your VPC\]](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/images/aeb-vpc-subnets.png)


### Deploying with the AWS toolkits, EB CLI, AWS CLI, or API
<a name="vpc-rds-new-options"></a>

When deploying your application to Elastic Beanstalk using the AWS toolkits, EB CLI, AWS CLI, or API, you can specify your VPC option settings in a file and deploy it with your source bundle. See [Advanced environment customization with configuration files (`.ebextensions`)](ebextensions.md) for more information.

When you update the option settings, you need to specify at least the following:
+ **VPCId** – The ID of the VPC.
+ **Subnets** – The IDs of the subnets for the Auto Scaling group's instances. In this example, this is the ID of the private subnet.
+ **ELBSubnets** – The IDs of the subnets for the load balancer. In this example, this is the ID of the public subnet.
+ **SecurityGroups** – The IDs of the instance security groups. This option belongs to the `aws:autoscaling:launchconfiguration` namespace, not `aws:ec2:vpc`.
+ **DBSubnets** – The IDs of the DB subnets, required only if the environment includes an integrated Amazon RDS DB instance.
**Note**  
When using DB subnets, you need to create additional subnets in your VPC to cover all the Availability Zones in the AWS Region. 

Optionally, you can also specify the following information:
+ **ELBScheme** – Specify `internal` to create an internal load balancer inside your VPC so that your Elastic Beanstalk application can't be accessed from outside your VPC.

The following is an example of the option settings you could use when deploying your Elastic Beanstalk application inside a VPC. For more information about VPC option settings (including examples for how to specify them, default values, and valid values), see the **aws:ec2:vpc** namespace table in [Configuration options](command-options.md).

```
option_settings:
  # Key pair used to reach the instances through the bastion host.
  - namespace: aws:autoscaling:launchconfiguration
    option_name: EC2KeyName
    value: ec2keypair

  # VPC created by the wizard above.
  - namespace: aws:ec2:vpc
    option_name: VPCId
    value: vpc-170647c

  # Private subnet: instances get no public IP and reach the internet only
  # through the NAT gateway.
  - namespace: aws:ec2:vpc
    option_name: Subnets
    value: subnet-4f195024

  # Public subnet: the internet-facing load balancer.
  - namespace: aws:ec2:vpc
    option_name: ELBSubnets
    value: subnet-fe064f95

  # Subnets for the DB subnet group; list at least two, in different
  # Availability Zones, separated by commas.
  - namespace: aws:ec2:vpc
    option_name: DBSubnets
    value: subnet-fg148g78

  # m1 is a legacy instance family; pick a current type for your platform.
  - namespace: aws:autoscaling:launchconfiguration
    option_name: InstanceType
    value: m1.small

  # Custom instance security group. SecurityGroups lives in the
  # launchconfiguration namespace, not in aws:ec2:vpc.
  - namespace: aws:autoscaling:launchconfiguration
    option_name: SecurityGroups
    value: sg-7f1ef110
```

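The fully private layout from [Private VPC](#services-vpc-private) (internal load balancer, no public IPs), written as an added `.ebextensions` configuration file in the shorthand `namespace: {option: value}` form that configuration files also accept. This is an example, not code from the page; every ID is a placeholder and the key pair name is assumed.

```yaml
# .ebextensions/vpc-private.config  (added example; all IDs are placeholders)
option_settings:
  aws:ec2:vpc:
    VPCId: vpc-0123456789abcdef0
    # Instances spread over the private subnets of two Availability Zones,
    # with no public IP address.
    Subnets: subnet-0aaaaaaaaaaaaaaa1,subnet-0bbbbbbbbbbbbbbb2
    AssociatePublicIpAddress: false
    # Internal load balancer in the same private subnets: reachable only from
    # inside the VPC or over an attached VPN, never from the internet.
    ELBSubnets: subnet-0aaaaaaaaaaaaaaa1,subnet-0bbbbbbbbbbbbbbb2
    ELBScheme: internal
    # DB subnet group, used only with an integrated RDS DB instance:
    # at least two subnets in different Availability Zones.
    DBSubnets: subnet-0ccccccccccccccc3,subnet-0ddddddddddddddd4
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:autoscaling:launchconfiguration:
    SecurityGroups: sg-0123456789abcdef0      # custom instance security group
    EC2KeyName: bastion-access-keypair        # assumed key pair name
  aws:elasticbeanstalk:healthreporting:system:
    # In a private VPC, enhanced health only reaches the service through the
    # elasticbeanstalk-health interface endpoint.
    SystemType: enhanced
```

Without an internet gateway or NAT gateway, this environment only works if the VPC endpoints listed under [Running an Elastic Beanstalk environment in a private VPC](#services-vpc-private-beanstalk) exist and the application bundle carries its own dependencies.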

# Using Elastic Beanstalk with VPC endpoints
<a name="vpc-vpce"></a>

This topic explains the benefits that a VPC endpoint can offer your Elastic Beanstalk application. It also provides instructions to create an interface VPC endpoint to an Elastic Beanstalk service.

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or Direct Connect connection. 

Instances in your VPC don't require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service doesn't leave the Amazon network. For complete information about VPC endpoints, see [VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) in the *Amazon VPC User Guide*.

AWS Elastic Beanstalk supports AWS PrivateLink, which provides private connectivity to the Elastic Beanstalk service and eliminates exposure of traffic to the public internet. To enable your application to send requests to Elastic Beanstalk using AWS PrivateLink, you configure a type of VPC endpoint known as an *interface VPC endpoint* (interface endpoint). For more information, see [Interface VPC Endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html) in the *Amazon VPC User Guide*.

**Note**  
Elastic Beanstalk supports AWS PrivateLink and interface VPC endpoints in a limited number of AWS Regions. We're working to extend support to more AWS Regions in the near future.

## IPv6 support with dual-stack configuration
<a name="vpc-vpce.ipv6"></a>

Elastic Beanstalk supports incoming traffic over IPv4 and IPv6. This section describes the public endpoints that support both IPv4 and IPv6 and also explains how to configure your Elastic Beanstalk VPC endpoints to support dual-stack traffic.

**Public endpoints**  
The Elastic Beanstalk service has two sets of endpoints: the older IPv4-only endpoints and the more recent dual-stack endpoints. Both sets follow AWS naming standards:
+ **IPv4** endpoints use the domain `amazonaws.com` – format for the general service endpoint: `elasticbeanstalk.region.amazonaws.com`
+ **Dual-stack** endpoints use the domain `api.aws` – format for the general service endpoint: `elasticbeanstalk.region.api.aws`

The endpoints for *service health* and *FIPS* have different host names, but they follow the same domain name pattern. For a list of endpoints see [Elastic Beanstalk service endpoints](https://docs.aws.amazon.com//general/latest/gr/elasticbeanstalk.html#elasticbeanstalk_region) in the *Amazon Web Services General Reference*.

**Requests to Elastic Beanstalk**  
When you send requests to the Elastic Beanstalk service with the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/elasticbeanstalk) or the [AWS SDK](https://aws.amazon.com//developer/tools/) you can specify an IPv4 endpoint or a dual-stack endpoint. The AWS CLI and AWS SDK use the IPv4-only endpoints by default if an endpoint URL isn't specified.

The following example demonstrates the AWS CLI sending a request to a dual-stack endpoint:

**Example**  

```
aws elasticbeanstalk list-available-solution-stacks \
    --endpoint-url "https://elasticbeanstalk.us-east-1.api.aws"
```

The following example demonstrates the AWS Python SDK sending a request to a dual-stack endpoint:

**Example**  

```
import boto3

# Point the client at the dual-stack (api.aws) endpoint instead of the
# IPv4-only amazonaws.com endpoint that the SDK uses by default.
dual_stack_eb_client = boto3.client(
    service_name='elasticbeanstalk',
    region_name='us-east-1',
    endpoint_url='https://elasticbeanstalk.us-east-1.api.aws',
)

print(dual_stack_eb_client.list_available_solution_stacks())
```

**VPC endpoints for dual-stack IPs**  
To configure your Elastic Beanstalk VPC endpoints to support dual-stack traffic, specify **dualstack** for the **IP address type** parameter of the VPC endpoint. You can specify this field via the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html), the [AWS SDK](https://aws.amazon.com//developer/tools/), or the AWS PrivateLink console. For instructions to do so in the AWS PrivateLink console, see [Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *AWS PrivateLink Guide*. The subnets you place a dual-stack endpoint in must have an IPv6 CIDR block.

**Note**  
You must specify the **IP address type** of the VPC endpoint as either **IPv4** or **dualstack**. At this time Elastic Beanstalk VPC endpoints don't support an **IP address type** of **IPv6**, which would indicate IPv6-only support. The **dualstack** option allows for both the IPv4 and IPv6 internet protocols.

The following example demonstrates how to create a dual-stack VPC endpoint with the AWS CLI. `vpc-example` and `subnet-example` are placeholders. Because `create-vpc-endpoint` creates a gateway endpoint unless told otherwise, `--vpc-endpoint-type Interface` is required, and `--private-dns-enabled` is set explicitly so that the public service hostname resolves to the endpoint inside the VPC:

**Example**  

```
aws ec2 create-vpc-endpoint \
    --vpc-id "vpc-example" \
    --vpc-endpoint-type Interface \
    --service-name "com.amazonaws.us-east-1.elasticbeanstalk" \
    --subnet-ids "subnet-example" \
    --ip-address-type "dualstack" \
    --private-dns-enabled
```

## Setting up a VPC endpoint for Elastic Beanstalk
<a name="vpc-vpce.eb"></a>

To create the interface VPC endpoint for the Elastic Beanstalk service in your VPC, follow the [Creating an Interface Endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) procedure.
+ For **Service Name**, choose **com.amazonaws.*region*.elasticbeanstalk**.
+ For **IP address type**, choose either **IPv4** or **Dualstack**. At this time Elastic Beanstalk VPC endpoints don't support an **IP address type** of **IPv6**, which would indicate IPv6-only support. The **Dualstack** option allows for both the IPv4 and IPv6 internet protocols. 

If your VPC is configured with public internet access, your application can still access Elastic Beanstalk over the internet using either the `elasticbeanstalk.region.amazonaws.com` or the `elasticbeanstalk.region.api.aws` public endpoint. You can prevent this by ensuring that **Enable DNS name** is enabled during endpoint creation (true by default). This adds a DNS entry in your VPC that maps the public service endpoint to the interface VPC endpoint.

## Setting up a VPC endpoint for enhanced health
<a name="vpc-vpce.healthd"></a>

If you enabled [enhanced health reporting](health-enhanced.md) for your environment, you can configure enhanced health information to be sent over AWS PrivateLink too. Enhanced health information is sent by the `healthd` daemon, an Elastic Beanstalk component on your environment instances, to a separate Elastic Beanstalk enhanced health service. To create an interface VPC endpoint for this service in your VPC, follow the [Creating an Interface Endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) procedure. 
+ For **Service Name**, choose **com.amazonaws.*region*.elasticbeanstalk-health**.
+ For **IP address type**, choose either **IPv4** or **Dualstack**. At this time Elastic Beanstalk VPC endpoints don't support an **IP address type** of **IPv6**, which would indicate IPv6-only support. The **Dualstack** option allows for both the IPv4 and IPv6 internet protocols. 

**Important**  
The `healthd` daemon sends enhanced health information to the public endpoint `elasticbeanstalk-health.region.amazonaws.com` or `elasticbeanstalk-health.region.api.aws`. If your VPC is configured with public internet access, and **Enable DNS name** is disabled for the VPC endpoint, enhanced health information travels through the public internet. This is probably not your intention when you set up an enhanced health VPC endpoint. Ensure that **Enable DNS name** is enabled (true by default).

## Using VPC endpoints in a private VPC
<a name="vpc-vpce.private"></a>

A private VPC, or a private subnet in a VPC, has no public internet access. You might want to run your Elastic Beanstalk environment in a [private VPC](vpc.md#services-vpc-private) and configure interface VPC endpoints for enhanced security. In this case, be aware that your environment might try to connect to the internet for other reasons in addition to contacting the Elastic Beanstalk service. To learn more about running an environment in a private VPC, see [Running an Elastic Beanstalk environment in a private VPC](vpc.md#services-vpc-private-beanstalk).

# Using endpoint policies to control access with VPC endpoints
<a name="vpc-vpce.policy"></a>

This topic explains how you can attach a policy to VPC endpoints to control access to your application (your service) and your Elastic Beanstalk environment. 

An endpoint policy is an AWS Identity and Access Management (IAM) resource policy that controls access from the endpoint to the specified service. The endpoint policy is specific to the endpoint. It's separate from any user or instance IAM policies that your environment might have and doesn't override or replace them. 

By default, a VPC endpoint allows full access to the service with which it's associated. When you create or modify an endpoint, you can attach an *endpoint policy* to it to control access to specific resources associated with the service. For details about authoring and using VPC endpoint policies, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *AWS PrivateLink Guide*.

**Note**  
When you create restrictive endpoint policies you may need to add specific permissions to required resources, so that access to these resources isn't blocked by the endpoint policy. Doing so ensures that your environment continues to deploy and function properly.

The following example denies all users the permission to terminate an environment through the VPC endpoint, and allows full access to all other actions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        },
        {
            "Action": "elasticbeanstalk:TerminateEnvironment",
            "Effect": "Deny",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}
```
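To make the evaluation order concrete, the following is an added example (not code from this guide or from AWS) that models the two rules at work in the policy above: an explicit `Deny` wins over any `Allow`, and the endpoint policy is evaluated in addition to the caller's identity policy rather than replacing it. Only `Effect` and `Action` are modelled; `IDENTITY_POLICY` is a constructed instance-profile policy used for illustration, and the real IAM evaluation logic (conditions, `NotAction`, resource matching) is considerably richer.

```python
import fnmatch
import json

# The endpoint policy from this page (copied, with a Version element added).
ENDPOINT_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"},
        {"Action": "elasticbeanstalk:TerminateEnvironment", "Effect": "Deny",
         "Resource": "*", "Principal": "*"}
    ]
}
""")

# A constructed identity policy for the instance profile or user making the call.
# It is not from the page; it exists to show that the endpoint policy is evaluated
# in addition to identity policies, not instead of them.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["elasticbeanstalk:Describe*", "elasticbeanstalk:TerminateEnvironment"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Decide one action against one policy: 'Deny', 'Allow' or 'ImplicitDeny'.

    An explicit Deny wins over any Allow, which is why the page's second
    statement blocks TerminateEnvironment even though the first allows "*".
    """
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_permitted(action, endpoint_policy=ENDPOINT_POLICY, identity_policy=IDENTITY_POLICY):
    """A request through the endpoint succeeds only if both policies allow it."""
    return (evaluate(endpoint_policy, action) == "Allow"
            and evaluate(identity_policy, action) == "Allow")


if __name__ == "__main__":
    for act in ("elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:TerminateEnvironment",
                "elasticbeanstalk:CreateEnvironment"):
        print(f"{act}: endpoint={evaluate(ENDPOINT_POLICY, act)}, "
              f"identity={evaluate(IDENTITY_POLICY, act)}, permitted={is_permitted(act)}")
```

Running it shows `TerminateEnvironment` denied by the endpoint policy even though the identity policy allows it, and `CreateEnvironment` refused because the identity policy never grants it, although the endpoint policy would let it through.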

## Required Amazon S3 bucket permissions for restrictive VPC endpoint policies
<a name="AWSHowTo.S3.VPCendpoints"></a>

If you add restrictions to your VPC endpoint policies, you must include specific Amazon S3 bucket permissions to ensure that your environment continues to deploy and function properly. This section explains the required S3 buckets and includes example policies.

**Topics**
+ [S3 Buckets that store assets to manage environment platforms](#AWSHowTo.S3.VPCendpoints.required-permissions.assets)
+ [S3 Buckets owned by CloudFormation](#AWSHowTo.S3.VPCendpoints.required-permissions.cloudformation)
+ [S3 Buckets owned by customer accounts to store source code and other items](#AWSHowTo.S3.VPCendpoints.required-permissions.items)
+ [S3 Buckets owned by customer accounts to support Docker registry authentication](#AWSHowTo.S3.VPCendpoints.required-permissions.docker-auth)
+ [Updating your VPC endpoint policy](#AWSHowTo.S3.VPCendpoints.required-permissions.assets.permissions)

### S3 Buckets that store assets to manage environment platforms
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.assets"></a>

The Elastic Beanstalk service owns S3 buckets that store the assets associated with a solution stack (platform version). These assets include configuration files, the sample application, and available instance types. When Elastic Beanstalk creates and manages your environment it retrieves the required information for the specific platform version from the asset bucket for each corresponding AWS Region.

#### S3 Bucket ARN
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.assets.arn"></a>

 `arn:aws:s3:::elasticbeanstalk-samples-region` 

Amazon Linux 2 and later
+  `arn:aws:s3:::elasticbeanstalk-platform-assets-region` 
**Note**  
The bucket name follows a different convention for the *BJS* region. The string *public-beta-cn-north-1* is used in place of *region*. For example, `arn:aws:s3:::elasticbeanstalk-platform-assets-public-beta-cn-north-1`.

Windows Server, Amazon Linux (AMI), Amazon Linux 2 and later
+  `arn:aws:s3:::elasticbeanstalk-env-resources-region` 
+  `arn:aws:s3:::elasticbeanstalk-region` 

**Note**  
The bucket names for platform-assets and env-resources buckets follow different conventions in some regions. See the region-specific bucket naming patterns section below for details.

##### Region-specific bucket ARN patterns
<a name="AWSHowTo.S3.VPCendpoints.region-specific-buckets.collapsed"></a>

[See the AWS documentation website for more details](http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.policy.html)

#### Operations
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.assets.operations"></a>

GetObject

#### VPC endpoint policy example
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.assets.example"></a>

The following example illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2). The example lists all of the buckets for both Amazon Linux and Windows Server platforms. Update your policy to only include the buckets that apply to the operating system of your environment. 

##### Example policy
<a name="aAWSHowTo.S3.VPCendpoints.required-permissions.assets.example.collapsed"></a>

**Important**  
We recommend that you avoid using wildcard characters (`*`) in place of specific Regions in this policy. For example, use `arn:aws:s3:::cloudformation-waitcondition-us-east-2/*` and don't use `arn:aws:s3:::cloudformation-waitcondition-*/*`. Using wildcards could provide access to S3 buckets that you don't intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first `Statement` block for each Region.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsToAWSResources",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-platform-assets-us-east-2/*",
                "arn:aws:s3:::elasticbeanstalk-env-resources-us-east-2/*",
                "arn:aws:s3:::elasticbeanstalk-samples-us-east-2/*"
            ]
        }
    ]
}
```

------

### S3 Buckets owned by CloudFormation
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.cloudformation"></a>

Elastic Beanstalk uses CloudFormation to create resources for your environment. CloudFormation owns S3 buckets in each AWS Region to monitor responses to wait conditions.

Services like Elastic Beanstalk communicate with CloudFormation by sending requests to a presigned Amazon S3 URL for the S3 bucket that CloudFormation owns. CloudFormation creates the presigned Amazon S3 URL using the `cloudformation.amazonaws.com` service principal.

For more detailed information, see [Considerations for CloudFormation VPC endpoints](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-vpce-bucketnames.html#cfn-setting-up-vpc-considerations) in the *AWS CloudFormation User Guide*. To learn more about presigned URLs, see [Working with presigned URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html) in the *Amazon S3 User Guide*.

#### S3 Bucket ARN
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.cloudformation.arn"></a>
+  `arn:aws:s3:::cloudformation-waitcondition-region` 

  When using wait conditions, region names do contain dashes. For example, *us-west-2*.
+  `arn:aws:s3:::cloudformation-custom-resource-response-region` 

  When using custom resources, region names don't contain dashes. For example, *uswest2*.

#### Operations
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.cloudformation.operations"></a>

GetObject

#### VPC endpoint policy example
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.cloudformation.example"></a>

The following example illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2).

##### Example policy
<a name="aAWSHowTo.S3.VPCendpoints.required-permissions.cloudformation.example.collapsed"></a>

**Important**  
We recommend that you avoid using wildcard characters (`*`) in place of specific Regions in this policy. For example, use `arn:aws:s3:::cloudformation-waitcondition-us-east-2/*` and don't use `arn:aws:s3:::cloudformation-waitcondition-*/*`. Using wildcards could provide access to S3 buckets that you don't intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first `Statement` block for each Region.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsToCloudFormation",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::cloudformation-waitcondition-us-east-2/*",
                "arn:aws:s3:::cloudformation-custom-resource-response-useast2/*"
            ]
        }
    ]
}
```

------

### S3 Buckets owned by customer accounts to store source code and other items
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.items"></a>

This bucket is owned by the AWS customer account that owns the environment. It stores resources that are specific to your environment, such as source code and requested logs.

#### S3 Bucket ARN
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.items.arn"></a>

 `arn:aws:s3:::elasticbeanstalk-region-account-id` 

#### Operations
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.items.operations"></a>
+ GetObject
+ GetObjectAcl
+ PutObject
+ PutObjectAcl
+ ListBucket

#### VPC endpoint policy example
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.items.example"></a>

The following example illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2) and for the example AWS account id 123456789012.

##### Example policy
<a name="aAWSHowTo.S3.VPCendpoints.required-permissions.items.example.collapsed"></a>

**Important**  
We recommend that you avoid using wildcard characters (`*`) in place of specific Regions in this policy. For example, use `arn:aws:s3:::cloudformation-waitcondition-us-east-2/*` and don't use `arn:aws:s3:::cloudformation-waitcondition-*/*`. Using wildcards could provide access to S3 buckets that you don't intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first `Statement` block for each Region.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsToCustomerItems",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012",
                "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012/*"
            ]
        }
    ]
}
```

------

### S3 Buckets owned by customer accounts to support Docker registry authentication
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.docker-auth"></a>

This bucket only applies to environments based on the Docker platform. The bucket, which the customer provisions, stores the file used to authenticate to a private Docker registry. For more information, see [Using the `Dockerrun.aws.json` v3 file](docker-configuration.remote-repo.md#docker-configuration.remote-repo.dockerrun-aws) in the Docker platform chapter of this guide.

#### S3 Bucket ARN
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.docker-auth.arn"></a>

The ARN varies by customer account.

The S3 bucket ARN has the following format: `arn:aws:s3:::bucket-name`

#### Operations
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.docker-auth.operations"></a>

GetObject

#### VPC endpoint policy example
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.docker-auth.example"></a>

The following example illustrates how to provide access to an S3 bucket with the name amzn-s3-demo-bucket1.

##### Example policy
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.docker-auth.example.collapsed"></a>

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsToDockerRegistryAuth",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1/*"
            ]
        }
    ]
}
```

------

### Updating your VPC endpoint policy
<a name="AWSHowTo.S3.VPCendpoints.required-permissions.assets.permissions"></a>

Because a VPC endpoint has only one policy attached, you must combine all of the permissions into the one policy. The following example provides all of the previous examples combined into one. 

For details about authoring and using VPC endpoint policies, see [Control access to VPC endpoints using endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the *AWS PrivateLink Guide*.

Like the previous examples, the following one illustrates how to provide access to the S3 buckets required for Elastic Beanstalk operations in the US East (Ohio) Region (us-east-2). It also includes buckets with example AWS account id 123456789012 and example bucket name amzn-s3-demo-bucket1.

**Important**  
We recommend that you avoid using wildcard characters (`*`) in place of specific Regions in this policy. For example, use `arn:aws:s3:::cloudformation-waitcondition-us-east-2/*` and don't use `arn:aws:s3:::cloudformation-waitcondition-*/*`. Using wildcards could provide access to S3 buckets that you don't intend to grant access to. If you want to use the policy for more than one Region, we recommend repeating the first `Statement` block for each Region.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRequestsToAWSResources",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-platform-assets-us-east-2/*",
                "arn:aws:s3:::elasticbeanstalk-env-resources-us-east-2/*",
                "arn:aws:s3:::elasticbeanstalk-samples-us-east-2/*"
            ]
        },
        {
            "Sid": "AllowRequestsToCloudFormation",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::cloudformation-waitcondition-us-east-2/*",
                "arn:aws:s3:::cloudformation-custom-resource-response-useast2/*"
            ]
        },
        {
            "Sid": "AllowRequestsToCustomerItems",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012",
                "arn:aws:s3:::elasticbeanstalk-us-east-2-123456789012/*"
            ]
        },
        {
            "Sid": "AllowRequestsToDockerRegistryAuth",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket1/*"
            ]
        }
    ]
}
```

------
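Because the combined policy has to be regenerated for every Region and account, and because the Important note above warns against substituting `*` for the Region, the following added example (not code from this guide or from AWS) builds the four statement blocks from the bucket naming patterns given in the preceding sections and then lints the result. The account ID `123456789012` and bucket name `amzn-s3-demo-bucket1` are the page's example values; the lint rules, the `build_endpoint_policy` and `lint_endpoint_policy` names, and the handling of the custom-resource bucket (Region written without dashes, as the CloudFormation section states) are this example's own.

```python
import json

OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:PutObjectAcl"}
BUCKET_ACTIONS = {"s3:ListBucket"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def _allow(sid, actions, resources):
    # Endpoint policies carry an explicit Principal; "*" is acceptable here because
    # only traffic from inside the VPC can reach the interface endpoint at all.
    return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": sorted(actions), "Resource": resources}


def build_endpoint_policy(region, account_id, docker_auth_bucket=None):
    """Assemble the page's statement blocks for one Region and one account."""
    env_bucket = f"{S3_ARN_PREFIX}elasticbeanstalk-{region}-{account_id}"
    statements = [
        _allow("AllowRequestsToAWSResources", ["s3:GetObject"], [
            f"{S3_ARN_PREFIX}elasticbeanstalk-platform-assets-{region}/*",
            f"{S3_ARN_PREFIX}elasticbeanstalk-env-resources-{region}/*",
            f"{S3_ARN_PREFIX}elasticbeanstalk-samples-{region}/*",
        ]),
        _allow("AllowRequestsToCloudFormation", ["s3:GetObject"], [
            f"{S3_ARN_PREFIX}cloudformation-waitcondition-{region}/*",
            # The custom-resource bucket name drops the dashes from the Region.
            f"{S3_ARN_PREFIX}cloudformation-custom-resource-response-{region.replace('-', '')}/*",
        ]),
        # s3:ListBucket is evaluated against the bucket ARN, the object actions
        # against bucket/*, so the customer bucket needs both resource forms.
        _allow("AllowRequestsToCustomerItems", OBJECT_ACTIONS | BUCKET_ACTIONS,
               [env_bucket, env_bucket + "/*"]),
    ]
    if docker_auth_bucket:
        statements.append(_allow("AllowRequestsToDockerRegistryAuth", ["s3:GetObject"],
                                 [f"{S3_ARN_PREFIX}{docker_auth_bucket}/*"]))
    return {"Version": "2012-10-17", "Statement": statements}


def _split_arn(arn):
    """Return (bucket, key_pattern) for an S3 ARN; key_pattern is '' for a bucket ARN."""
    if not arn.startswith(S3_ARN_PREFIX):
        raise ValueError(f"not an S3 ARN: {arn}")
    bucket, _, key = arn[len(S3_ARN_PREFIX):].partition("/")
    return bucket, key


def lint_endpoint_policy(policy):
    """Return findings for the two pitfalls discussed on this page; [] means clean."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(stmt["Action"]) if isinstance(stmt["Action"], list) else {stmt["Action"]}
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        parsed = [_split_arn(r) for r in resources]
        for bucket, _ in parsed:
            if "*" in bucket or "?" in bucket:
                findings.append(f"{sid}: wildcard in bucket name '{bucket}' can match "
                                "buckets in other Regions or accounts")
        if actions & OBJECT_ACTIONS and not any(key for _, key in parsed):
            findings.append(f"{sid}: object-level actions need a 'bucket/*' resource")
        if actions & BUCKET_ACTIONS and not any(key == "" for _, key in parsed):
            findings.append(f"{sid}: s3:ListBucket needs the bucket ARN without '/*'")
    return findings


if __name__ == "__main__":
    policy = build_endpoint_policy("us-east-2", "123456789012", "amzn-s3-demo-bucket1")
    print(json.dumps(policy, indent=4))
    print("findings:", lint_endpoint_policy(policy) or "none")
```

To cover several Regions, call `build_endpoint_policy` once per Region and concatenate the `Statement` lists, which is the repetition the Important note recommends; the linter then flags any attempt to shortcut that with a `*` in the Region position of a bucket name.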