# Configure Managed Service for Apache Flink to access resources in an Amazon VPC
<a name="vpc"></a>

You can configure a Managed Service for Apache Flink application to connect to private subnets in a virtual private cloud (VPC) in your account. Use Amazon Virtual Private Cloud (Amazon VPC) to create a private network for resources such as databases, cache instances, or internal services. Connect your application to the VPC to access private resources during execution. 

**Topics**
+ [Amazon VPC concepts](#vpc-concepts)
+ [VPC application permissions](vpc-permissions.md)
+ [Internet and service access for a VPC-connected Managed Service for Apache Flink application](vpc-internet.md)
+ [Use the Managed Service for Apache Flink VPC API](vpc-api.md)
+ [Example: Use a VPC to access data in an Amazon MSK cluster](vpc-example.md)

## Amazon VPC concepts
<a name="vpc-concepts"></a>

Amazon VPC is the networking layer for Amazon EC2. If you're new to Amazon EC2, see [What is Amazon EC2?](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html) in the *Amazon EC2 User Guide for Linux Instances* to get a brief overview. 

The following are the key concepts for VPCs:
+ A *virtual private cloud* (VPC) is a virtual network dedicated to your AWS account. 
+ A *subnet* is a range of IP addresses in your VPC. 
+ A *route table* contains a set of rules, called routes, that are used to determine where network traffic is directed. 
+ An *internet gateway* is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. 
+ A *VPC endpoint* enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. 

For more information about the Amazon VPC service, see the [Amazon Virtual Private Cloud User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).

Managed Service for Apache Flink creates [elastic network interfaces](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ElasticNetworkInterfaces.html) in one of the subnets provided in your VPC configuration for the application. The number of elastic network interfaces created in your VPC subnets may vary, depending on the parallelism and parallelism per KPU of the application. For more information about application scaling, see [Implement application scaling](how-scaling.md).

**Note**  
VPC configurations are not supported for SQL applications.

**Note**  
The Managed Service for Apache Flink service manages the checkpoint and snapshot state for applications that have a VPC configuration.

# VPC application permissions
<a name="vpc-permissions"></a>

This section describes the permission policies your application will need to work with your VPC. For more information about using permissions policies, see [Identity and Access Management for Amazon Managed Service for Apache Flink](security-iam.md).

The following permissions policy grants your application the necessary permissions to interact with a VPC. To use this permission policy, add it to your application's execution role.

## Add a permissions policy for accessing an Amazon VPC
<a name="vpc-permissions-policy"></a>

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCReadOnlyPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeDhcpOptions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ENIReadWritePermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
```


**Note**  
When you specify application resources using the console (such as CloudWatch Logs or an Amazon VPC), the console modifies your application execution role to grant permission to access those resources. You only need to manually modify your application's execution role if you create your application without using the console.

# Internet and service access for a VPC-connected Managed Service for Apache Flink application
<a name="vpc-internet"></a>

By default, when you connect a Managed Service for Apache Flink application to a VPC in your account, it does not have access to the internet unless the VPC provides that access. If the application needs internet access, all of the following must be true:
+ The Managed Service for Apache Flink application should only be configured with private subnets.
+ The VPC must contain a NAT gateway or instance in a public subnet.
+ A route must exist for outbound traffic from the private subnets to the NAT gateway in a public subnet.

**Note**  
Several services offer [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html). You can use VPC endpoints to connect to Amazon services from within a VPC without internet access. 

Whether a subnet is public or private depends on its route table. Every route table has a default route, which determines the next hop for packets that have a public destination.
+ **For a Private subnet:** The default route points to a NAT gateway (nat-...) or NAT instance (eni-...).
+ **For a Public subnet:** The default route points to an internet gateway (igw-...).

Once you configure your VPC with a public subnet (with a NAT) and one or more private subnets, do the following to identify your private and public subnets:
+ In the VPC console, from the navigation pane, choose **Subnets**.
+ Select a subnet, and then choose the **Route Table** tab. Verify the default route:
  + **Public subnet:** Destination: 0.0.0.0/0, Target: igw-…
  + **Private subnet:** Destination: 0.0.0.0/0, Target: nat-… or eni-…

To associate the Managed Service for Apache Flink application with private subnets:
+ Sign in to the AWS Management Console, and open the Amazon MSF console at https://console.aws.amazon.com/flink.
+ On the **Managed Service for Apache Flink applications** page, choose your application, and choose **Application details**.
+ On the page for your application, choose **Configure**.
+ In the **VPC Connectivity** section, choose the VPC to associate with your application. Choose the subnets and security group associated with your VPC that you want the application to use to access VPC resources.
+ Choose **Update**.
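The subnet check above can be scripted. The following added example (not part of this guide or the service's own tooling) classifies subnets by the target of their `0.0.0.0/0` route exactly as the procedure describes, then builds the `VpcConfiguration` body used by the VPC API while refusing any subnet that is not private. The route-table data is constructed to mirror the shape of the EC2 `DescribeRouteTables` response; swapping it for a real `describe_route_tables()` result is the only change needed to run it against an account.

```python
# Constructed sample in the shape of EC2 DescribeRouteTables output; no AWS calls are made.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv1"}, {"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"}]},
    {"RouteTableId": "rtb-iso", "Associations": [{"SubnetId": "subnet-iso1"}],   # no 0.0.0.0/0 route
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

def default_route_target(route_table):
    """Return the target id of the 0.0.0.0/0 route, or None if the table has no default route."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        # igw-/local live under GatewayId; NAT gateways under NatGatewayId; NAT instances under eni-/i- keys.
        for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId"):
            if key in route:
                return route[key]
    return None

def classify_subnets(route_tables):
    """Map each explicitly associated subnet to public, private, isolated, or unknown."""
    kinds = {}
    for table in route_tables:
        target = default_route_target(table)
        if target is None:
            kind = "isolated"        # no default route at all: no path to the internet
        elif target.startswith("igw-"):
            kind = "public"          # internet gateway: the application must not be placed here
        elif target.startswith(("nat-", "eni-", "i-")):
            kind = "private"         # NAT gateway or NAT instance, as the procedure above defines
        else:
            kind = "unknown"
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:  # subnets that fall back to the main table are not listed here
                kinds[assoc["SubnetId"]] = kind
    return kinds

def build_vpc_configuration(subnet_ids, security_group_ids, route_tables):
    """Build the VpcConfiguration request body, admitting only subnets classified as private."""
    kinds = classify_subnets(route_tables)
    rejected = {s: kinds.get(s, "unassociated") for s in subnet_ids if kinds.get(s) != "private"}
    if rejected:  # fail closed: public, isolated and unresolved subnets are all refused
        raise ValueError(f"refusing non-private subnets: {rejected}")
    return {"SubnetIds": list(subnet_ids), "SecurityGroupIds": list(security_group_ids)}
```

Subnets that use the VPC's main route table implicitly have no `SubnetId` association and come back as `unassociated`, so resolve those by hand before trusting the result.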

## Related information
<a name="vpc-internet-related"></a>

[Creating a VPC with Public and Private Subnets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html)

[NAT gateway basics](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-basics)

# Use the Managed Service for Apache Flink VPC API
<a name="vpc-api"></a>

Use the following Managed Service for Apache Flink API operations to manage VPCs for your application. For information on using the Managed Service for Apache Flink API, see [Managed Service for Apache Flink API example code](api-examples.md).

## Create application
<a name="vpc-api-create"></a>

Use the [CreateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_CreateApplication.html) action to add a VPC configuration to your application during creation.

The following example request code for the `CreateApplication` action includes a VPC configuration when the application is created:

```
{
  "ApplicationName": "MyApplication",
  "ApplicationDescription": "My-Application-Description",
  "RuntimeEnvironment": "FLINK-1_15",
  "ServiceExecutionRole": "arn:aws:iam::123456789123:role/myrole",
  "ApplicationConfiguration": {
    "ApplicationCodeConfiguration": {
      "CodeContent": {
        "S3ContentLocation": {
          "BucketARN": "arn:aws:s3:::amzn-s3-demo-bucket",
          "FileKey": "myflink.jar",
          "ObjectVersion": "AbCdEfGhIjKlMnOpQrStUvWxYz12345"
        }
      },
      "CodeContentType": "ZIPFILE"
    },
    "FlinkApplicationConfiguration": {
      "ParallelismConfiguration": {
        "ConfigurationType": "CUSTOM",
        "Parallelism": 2,
        "ParallelismPerKPU": 1,
        "AutoScalingEnabled": true
      }
    },
    "VpcConfigurations": [
      {
        "SecurityGroupIds": [ "sg-0123456789abcdef0" ],
        "SubnetIds": [ "subnet-0123456789abcdef0" ]
      }
    ]
  }
}
```

## AddApplicationVpcConfiguration
<a name="vpc-api-add"></a>

Use the [AddApplicationVpcConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_AddApplicationVpcConfiguration.html) action to add a VPC configuration to your application after it has been created.

The following example request code for the `AddApplicationVpcConfiguration` action adds a VPC configuration to an existing application:

```
{
   "ApplicationName": "MyApplication",
   "CurrentApplicationVersionId": 9,
   "VpcConfiguration": { 
      "SecurityGroupIds": [ "sg-0123456789abcdef0" ],
      "SubnetIds": [ "subnet-0123456789abcdef0" ]
   }
}
```

## DeleteApplicationVpcConfiguration
<a name="vpc-api-del"></a>

Use the [DeleteApplicationVpcConfiguration](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_DeleteApplicationVpcConfiguration.html) action to remove a VPC configuration from your application.

The following example request code for the `DeleteApplicationVpcConfiguration` action removes an existing VPC configuration from an application:

```
{
   "ApplicationName": "MyApplication",
   "CurrentApplicationVersionId": 9,
   "VpcConfigurationId": "1.1"
}
```

## Update application
<a name="vpc-api-upd"></a>

Use the [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html) action to update all of an application's VPC configurations at once.

The following example request code for the `UpdateApplication` action updates all of the VPC configurations for an application:

```
{
   "ApplicationConfigurationUpdate": { 
      "VpcConfigurationUpdates": [ 
         { 
            "SecurityGroupIdUpdates": [ "sg-0123456789abcdef0" ],
            "SubnetIdUpdates": [ "subnet-0123456789abcdef0" ],
            "VpcConfigurationId": "2.1"
         }
      ]
   },
   "ApplicationName": "MyApplication",
   "CurrentApplicationVersionId": 9
}
```

# Example: Use a VPC to access data in an Amazon MSK cluster
<a name="vpc-example"></a>

For a complete tutorial about how to access data from an Amazon MSK Cluster in a VPC, see [MSK Replication](earlier.md#example-msk).