

# VPC resources in Amazon VPC Lattice
<a name="vpc-resources"></a>

You can share VPC resources with other teams in your organization or with external independent software vendor (ISV) partners. A VPC resource can be an AWS-native resource such as an Amazon RDS database, a domain name, or an IP address. The resource can be in your VPC or on-premises network and does not need to be load-balanced. You use AWS RAM to specify the principals who can access the resource. You create a resource gateway through which your resource can be accessed. You also create a resource configuration that represents the resource or a group of resources that you want to share.

The principals that you share the resource with can access these resources privately using VPC endpoints. They can use a resource VPC endpoint to access one resource, or pool multiple resources in a VPC Lattice service network and access the service network using a service-network VPC endpoint.

The following sections explain how to create and manage VPC resources in VPC Lattice:

**Topics**
+ [Resource gateways](resource-gateway.md)
+ [Resource configurations](resource-configuration.md)

# Resource gateways in VPC Lattice
<a name="resource-gateway"></a>

A *resource gateway* is the point that receives traffic into the VPC where a resource resides. It spans multiple Availability Zones.

A VPC must have a resource gateway if you plan on making resources inside the VPC accessible from other VPCs or accounts. Every resource you share is associated with a resource gateway. When clients in other VPCs or accounts access a resource in your VPC, the resource sees traffic coming locally from the resource gateway in that VPC. The source IP address of the traffic is the IP address of the resource gateway in an Availability Zone. Multiple resource configurations, each having multiple resources, can be attached to a resource gateway.

The following diagram shows how a client accesses a resource through the resource gateway:

![Client accessing resource through the resource gateway.](http://docs.aws.amazon.com/vpc-lattice/latest/ug/images/resource-gateway-to-resource.png)


**Topics**
+ [Considerations](#resource-gateway-considerations)
+ [Security groups](#resource-gateway-security-groups)
+ [IP address types](#resource-gateway-ip-address-type)
+ [IPv4 addresses per ENI](#ipv4-address-type-per-eni)
+ [Create a resource gateway](create-resource-gateway.md)
+ [Delete a resource gateway](delete-resource-gateway.md)

## Considerations
<a name="resource-gateway-considerations"></a>

The following considerations apply to resource gateways:
+ For your resource to be accessible from all [Availability Zones](https://aws.amazon.com/about-aws/global-infrastructure/regions_az/), you should create your resource gateways to span as many Availability Zones as possible.
+ At least one Availability Zone of the VPC endpoint and the resource gateway have to overlap.
+ A VPC can have a maximum of 100 resource gateways. For more information, see [Quotas for VPC Lattice](https://docs.aws.amazon.com/vpc-lattice/latest/ug/quotas.html).
+ VPC Lattice might add new ENIs to your resource gateway.
+ Resource gateways with shared VPC subnets:
  + A resource gateway can only be deployed into a shared VPC subnet by the account that owns the VPC.
  + A resource configuration for a resource gateway can only be created by the account that owns the resource gateway.

## Security groups
<a name="resource-gateway-security-groups"></a>

You can attach security groups to a resource gateway. Security group rules for resource gateways control outbound traffic from the resource gateway to resources.

**Recommended outbound rules for traffic flowing from a resource gateway to a database resource**

For traffic to flow from a resource gateway to a resource, you must create outbound rules for the resource's accepted listener protocols and port ranges.


| Destination | Protocol | Port range | Comment | 
| --- | --- | --- | --- | 
| CIDR range for resource | TCP | 3306 | Allows traffic from resource gateway to databases. | 

## IP address types
<a name="resource-gateway-ip-address-type"></a>

A resource gateway can have IPv4, IPv6 or dual-stack addresses. The IP address type of a resource gateway must be compatible with the subnets of the resource gateway and the IP address type of the resource, as described here:
+ **IPv4** – Assign IPv4 addresses to your resource gateway network interfaces. This option is supported only if all selected subnets have IPv4 address ranges, and the resource also has an IPv4 address. When you use this option, you can configure the number of IPv4 addresses per resource gateway ENI.
+ **IPv6** – Assign IPv6 addresses to your resource gateway network interfaces. This option is supported only if all selected subnets are IPv6 only subnets, and the resource also has an IPv6 address. When you use this option, IPv6 addresses are assigned automatically and don’t need to be managed. 
+ **Dualstack** – Assign both IPv4 and IPv6 addresses to your resource gateway network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges, and the resource either has an IPv4 or IPv6 address. When you use this option, you can configure the number of IPv4 addresses per resource gateway ENI.

The IP address type of the resource gateway is independent of the IP address type of the client or the VPC endpoint through which the resource is accessed. 

## IPv4 addresses per ENI
<a name="ipv4-address-type-per-eni"></a>

If your resource gateway has an IPv4 or a dual-stack IP address type, you can configure the number of IPv4 addresses assigned to each ENI of your resource gateway. When you create a resource gateway, you choose from 1 to 62 IPv4 addresses. Once you set the number of IPv4 addresses, the value can't be changed.

The IPv4 addresses are used for network address translation and determine the maximum number of concurrent IPv4 connections to a resource. Each IPv4 address can support up to 55,000 simultaneous connections per destination IP. By default, all resource gateways are assigned 16 IPv4 addresses per ENI.

If your resource gateway uses the IPv6 address type, the resource gateway automatically receives a /80 CIDR per ENI. This value can't be changed. The maximum transmission unit (MTU) per connection is 8500 bytes.

# Create a resource gateway in VPC Lattice
<a name="create-resource-gateway"></a>

Use the console to create a resource gateway.

**To create a resource gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **PrivateLink and Lattice**, choose **Resource gateways**.

1. Choose **Create resource gateway**.

1. For **Resource gateway name**, enter a name that is unique within your AWS account.

1. For **IP address type**, choose the IP address type for the resource gateway.

   1. If you selected **IPv4** or **Dualstack** for the **IP address type**, you can enter the number of IPv4 addresses per ENI for your resource gateway.

     The default is 16 IPv4 addresses per ENI. This is a suitable number of IPs to form connections with your backend resources. 

1. For **VPC**, choose the VPC and subnets to create your resource gateway in. 

1. For **Security groups**, choose up to five security groups to control inbound traffic from the VPC to the service network.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create resource gateway**.

**To create a resource gateway using the AWS CLI**  
Use the [create-resource-gateway](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-resource-gateway.html) command.

# Delete a resource gateway in VPC Lattice
<a name="delete-resource-gateway"></a>

Use the console to delete a resource gateway.

**To delete a resource gateway using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **PrivateLink and Lattice**, choose **Resource gateways**.

1. Select the check box for the resource gateway that you want to delete and choose **Actions**, **Delete**. When prompted for confirmation, enter **confirm** and then choose **Delete**.

**To delete a resource gateway using the AWS CLI**  
Use the [delete-resource-gateway](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-resource-gateway.html) command.

# Resource configurations for VPC resources
<a name="resource-configuration"></a>

A resource configuration represents a resource or a group of resources that you want to make accessible to clients in other VPCs and accounts. By defining a resource configuration, you can allow private, secure, unidirectional network connectivity to resources in your VPC from clients in other VPCs and accounts. A resource configuration is associated with a resource gateway through which it receives traffic. For a resource to be accessed from another VPC, it needs to have a resource configuration.

**Topics**
+ [Types of resource configurations](#resource-configuration-types)
+ [Protocol](#resource-configuration-protocol)
+ [Resource gateway](#resource-gateway)
+ [Custom domain names for resource providers](#custom-domain-name-resource-providers)
+ [Custom domain names for resource consumers](#custom-domain-name-resource-consumers)
+ [Custom domain names for service network owners](#resource-configuration-custom-domain-name-service-network-owners)
+ [Resource definition](#resource-definition)
+ [Port ranges](#resource-configuration-port)
+ [Accessing resources](#resource-configuration-accessing)
+ [Association with service network type](#resource-configuration-service-network-association)
+ [Types of service networks](#service-network-types)
+ [Sharing resource configurations through AWS RAM](#sharing-resource-configuration-ram)
+ [Monitoring](#resource-configuration-monitoring)
+ [Create and verify a domain](create-and-verify.md)
+ [Create a resource configuration](create-resource-configuration.md)
+ [Manage associations](resource-configuration-associations.md)

## Types of resource configurations
<a name="resource-configuration-types"></a>

A resource configuration can be of several types. The different types help represent different kinds of resources. The types are:
+ **Single resource configuration**: Represents an IP address or a domain name. It can be shared independently.
+ **Group resource configuration**: A collection of child resource configurations. It can be used to represent a group of DNS and IP address endpoints.
+ **Child resource configuration**: A member of a group resource configuration. It represents an IP address or a domain name. It can't be shared independently; it can only be shared as part of a group. It can be added to and removed from a group. When added, it's automatically accessible to those who can access the group.
+ **ARN resource configuration**: Represents a supported resource-type that is provisioned by an AWS service. Any group-child relationship is automatically taken care of.

The following image shows a single, child, and group resource configuration:

![Single, child, and group resource configurations.](http://docs.aws.amazon.com/vpc-lattice/latest/ug/images/resource-config-types.png)


## Protocol
<a name="resource-configuration-protocol"></a>

When you create a resource configuration you can define the protocols that the resource will support. Currently, only the TCP protocol is supported.

## Resource gateway
<a name="resource-gateway"></a>

A resource configuration is associated with a resource gateway. A resource gateway is a set of ENIs that serve as a point of ingress into the VPC in which the resource is in. Multiple resource configurations can be associated with the same resource gateway. When clients in other VPCs or accounts access a resource in your VPC, the resource sees traffic coming locally from the resource gateway's IP addresses in that VPC.

## Custom domain names for resource providers
<a name="custom-domain-name-resource-providers"></a>

Resource providers can attach a custom domain name to a resource configuration, such as `example.com`, which resource consumers can use to access the resource configuration. The custom domain name can be owned and verified by the resource provider, or it can be a third-party or AWS domain. Resource providers can use resource configurations to share cache clusters and Kafka clusters, TLS-based applications, or other AWS resources.

The following considerations apply to providers of resource configurations:
+ A resource configuration can only have one custom domain.
+ The custom domain name of a resource configuration cannot be changed. 
+ The custom domain name is visible to all resource configuration consumers.
+ You can verify your custom domain name using the domain name verification process in VPC Lattice. For more information, see [Create and verify a domain](create-and-verify.md).
+ For resource configurations of type group and child, you must first specify a group domain on the group resource configuration. After, the child resource configurations can have custom domains that are subdomains of the group domain. If the group doesn’t have a group domain, you can use any custom domain name for the child, but VPC Lattice will not provision any hosted zones for the child domain names in the resource consumer’s VPC. 

## Custom domain names for resource consumers
<a name="custom-domain-name-resource-consumers"></a>

When resource consumers enable connectivity to a resource configuration that has a custom domain name, they can allow VPC Lattice to manage a Route 53 private hosted zone in their VPC. Resource consumers have granular options for which domains they want to allow VPC Lattice to manage private hosted zones for.

Resource consumers can set the `private-dns-enabled` parameter when enabling connectivity to resource configurations through a resource endpoint, a service network endpoint, or a service network VPC association. Along with the `private-dns-enabled` parameter, consumers can use DNS options to specify which domains that they want VPC Lattice to manage private hosted zones for. Consumers can choose between the following private DNS preferences:

**`ALL_DOMAINS`**  
VPC Lattice provisions private hosted zones for all custom domain names. 

**`VERIFIED_DOMAINS_ONLY`**  
VPC Lattice provisions a private hosted zone only if the custom domain name has been verified by the provider.

**`VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS`**  
VPC Lattice provisions private hosted zones for all verified custom domain names and other domain names that the resource consumer specifies. The resource consumer specifies the domain names in the `private DNS specified domains` parameter.

**`SPECIFIED_DOMAINS_ONLY`**  
VPC Lattice provisions a private hosted zone for domain names specified by the resource consumer. The resource consumer specifies the domain names in the `private DNS specified domains` parameter.

When you enable private DNS, VPC Lattice creates a private hosted zone in your VPC for the custom domain name associated with the resource configuration. By default, the private DNS preference is set to `VERIFIED_DOMAINS_ONLY`. This means that private hosted zones are created only if the custom domain name has been verified by the resource provider. If you set your private DNS preference to `ALL_DOMAINS` or `SPECIFIED_DOMAINS_ONLY` then VPC Lattice creates private hosted zones regardless of the verification status of the custom domain name. When a private hosted zone is created for a given domain, all traffic to that domain from your VPC is routed through VPC Lattice. We recommend that you use the `ALL_DOMAINS`, `VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS`, or `SPECIFIED_DOMAINS_ONLY` preferences only when you want traffic to these custom domain names to go through VPC Lattice.

We recommend that resource consumers set their private DNS preference to `VERIFIED_DOMAINS_ONLY`. This lets consumers tighten their security perimeter by only allowing VPC Lattice to provision private hosted zones for verified domains in the resource consumer's account.

To select domains in the private DNS specified domains, resource consumers can enter a fully qualified domain name, such as `my.example.com` or use a wildcard such as `*.example.com`.

The following considerations apply to consumers of resource configurations:
+ The private DNS enabled parameter cannot be changed. 
+ Private DNS must be enabled on the service network resource association for private hosted zones to be created in a VPC. For a resource configuration, the private DNS enabled status of the service network resource association overrides the private DNS enabled status of either the service network endpoint or the service network VPC association.
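The four private DNS preferences above decide which custom domain names get a VPC Lattice-managed private hosted zone in the consumer's VPC, and therefore which names have their traffic routed through VPC Lattice. The following added example (not code from the VPC Lattice documentation) models that decision so a consumer can review the outcome before enabling private DNS. The sample resource configurations are constructed, and the wildcard rule (a `*.` pattern matching any subdomain but never the apex) is an assumption of the example.

```python
"""Which custom domain names get a VPC Lattice-managed private hosted zone in a consumer VPC,
given the private DNS preference and the verification status of each shared resource configuration.

Added example, not code from the VPC Lattice documentation. The sample resource
configurations are constructed; the wildcard matching rule is an assumption.
"""

PREFERENCES = (
    "ALL_DOMAINS",
    "VERIFIED_DOMAINS_ONLY",
    "VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS",
    "SPECIFIED_DOMAINS_ONLY",
)


def matches_specified(domain, specified_domains):
    """True if domain is listed in the private DNS specified domains, by exact name or wildcard."""
    dom = domain.lower().rstrip(".")
    for pattern in specified_domains:
        pat = pattern.lower().rstrip(".")
        if pat.startswith("*."):
            suffix = pat[1:]  # ".example.com": any subdomain matches, the apex does not (assumption)
            if dom.endswith(suffix) and dom != pat[2:]:
                return True
        elif dom == pat:
            return True
    return False


def hosted_zone_domains(preference, shared_configs, specified_domains=(), private_dns_enabled=True):
    """Return the set of custom domain names that would get a private hosted zone.

    shared_configs: dicts {"customDomainName": str, "verified": bool}, one per resource
    configuration reachable through the endpoint or association being configured.
    """
    if not private_dns_enabled:
        return set()
    if preference not in PREFERENCES:
        raise ValueError(f"unknown private DNS preference: {preference}")
    zones = set()
    for cfg in shared_configs:
        dom = cfg["customDomainName"]
        verified = bool(cfg.get("verified"))
        specified = matches_specified(dom, specified_domains)
        if (
            preference == "ALL_DOMAINS"
            or (preference == "VERIFIED_DOMAINS_ONLY" and verified)
            or (preference == "VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS" and (verified or specified))
            or (preference == "SPECIFIED_DOMAINS_ONLY" and specified)
        ):
            zones.add(dom)
    return zones


def unverified_routed_domains(preference, shared_configs, specified_domains=()):
    """Domains that would be routed through VPC Lattice without provider verification: review these."""
    zones = hosted_zone_domains(preference, shared_configs, specified_domains)
    return {
        c["customDomainName"]
        for c in shared_configs
        if c["customDomainName"] in zones and not c.get("verified")
    }


# Constructed sample: three shared resource configurations as a consumer might see them.
SAMPLE_CONFIGS = [
    {"customDomainName": "db.example.com", "verified": True},
    {"customDomainName": "cache.partner.example", "verified": False},
    {"customDomainName": "kafka.internal.example", "verified": False},
]

if __name__ == "__main__":
    for pref in PREFERENCES:
        print(pref, sorted(hosted_zone_domains(pref, SAMPLE_CONFIGS, ["*.partner.example"])))
    print("unverified but routed under ALL_DOMAINS:",
          sorted(unverified_routed_domains("ALL_DOMAINS", SAMPLE_CONFIGS)))
```

Running the sample shows why the page recommends `VERIFIED_DOMAINS_ONLY`: it is the only preference under which `unverified_routed_domains` is empty without the consumer having to curate a specified-domains list.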

## Custom domain names for service network owners
<a name="resource-configuration-custom-domain-name-service-network-owners"></a>

The private DNS enabled property of the service network resource association overrides the private DNS enabled property of the service network endpoint and the service network VPC association. 

If a service network owner creates a service network resource association and doesn't enable private DNS, VPC Lattice won’t provision private hosted zones for that resource configuration in any VPCs that the service network is connected to, even though private DNS is enabled on the service network endpoint or service network VPC associations. 

For resource configurations of type ARN the private DNS flag is true and immutable.

## Resource definition
<a name="resource-definition"></a>

In the resource configuration, identify the resource in one of the following ways:
+ By an **Amazon Resource Name (ARN)**: Supported resource types that are provisioned by AWS services can be identified by their ARN. Only Amazon RDS databases are supported. You can't create a resource configuration for a publicly accessible cluster.
+ By a **domain-name target**: You can use any domain name that is publicly resolvable. If your domain name points to an IP that's outside of your VPC, you must have a NAT gateway in your VPC.
+ By an **IP-address**: For IPv4, specify a private IP from the following ranges: 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16. For IPv6, specify an IP from the VPC. Public IPs aren't supported.
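Two checks from this page are worth automating before you call `create-resource-configuration`: that an IP-address target actually falls in one of the ranges listed above, and that the resource gateway's security group egress rule (see the Security groups section) is no wider than the resource needs. The following added example, not code from the VPC Lattice documentation, does both. The function names, the sample addresses and the security group ID placeholder are constructed for illustration; `boto3` is imported only when the rule is actually applied.

```python
"""Pre-flight checks for an IP-address resource definition and the matching
resource gateway egress rule.

Added example, not code from the VPC Lattice documentation. The function names,
the sample addresses and the security group ID are constructed for illustration;
boto3 is only imported when you actually apply the rule.
"""
import ipaddress

# IPv4 ranges the page lists as acceptable for an IP-address resource target.
ALLOWED_IPV4_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16")
]


def validate_resource_ip(ip_text, vpc_ipv6_cidrs=()):
    """Return the parsed address if it is an acceptable resource target, else raise ValueError.

    IPv4 targets must fall inside ALLOWED_IPV4_RANGES (public IPs are rejected).
    IPv6 targets must fall inside one of the VPC's IPv6 CIDRs, which the caller supplies.
    """
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 4:
        if not any(addr in net for net in ALLOWED_IPV4_RANGES):
            raise ValueError(f"{addr} is not in an allowed private IPv4 range")
    else:
        vpc_nets = [ipaddress.ip_network(cidr) for cidr in vpc_ipv6_cidrs]
        if not any(addr in net for net in vpc_nets):
            raise ValueError(f"{addr} is not inside the VPC's IPv6 CIDRs")
    return addr


def egress_rule_for_resource(ip_text, from_port, to_port=None, vpc_ipv6_cidrs=()):
    """Build the IpPermissions entry for the resource gateway's security group.

    The rule is scoped to the single resource host (/32 or /128) and to the listener
    port range only, a tighter form of the CIDR-wide rule in the page's table.
    """
    addr = validate_resource_ip(ip_text, vpc_ipv6_cidrs)
    to_port = from_port if to_port is None else to_port
    if not 0 < from_port <= to_port <= 65535:
        raise ValueError(f"invalid port range {from_port}-{to_port}")
    host_cidr = f"{addr}/{addr.max_prefixlen}"
    description = "VPC Lattice resource gateway to resource"
    rule = {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port}
    if addr.version == 4:
        rule["IpRanges"] = [{"CidrIp": host_cidr, "Description": description}]
    else:
        rule["Ipv6Ranges"] = [{"CidrIpv6": host_cidr, "Description": description}]
    return rule


def apply_egress_rule(security_group_id, rule):
    """Authorize the rule on the resource gateway's security group (needs AWS credentials)."""
    import boto3  # lazy import so the pure helpers above run offline
    ec2 = boto3.client("ec2")
    return ec2.authorize_security_group_egress(GroupId=security_group_id, IpPermissions=[rule])


if __name__ == "__main__":
    # Constructed sample: a private RDS host on the MySQL port from the page's table.
    print(egress_rule_for_resource("10.0.14.85", 3306))
    for candidate in ("203.0.113.10", "172.32.0.1"):
        try:
            validate_resource_ip(candidate)
        except ValueError as err:
            print("rejected:", err)
    # apply_egress_rule("sg-PLACEHOLDER", egress_rule_for_resource("10.0.14.85", 3306))
```

A host-scoped egress rule keeps the resource gateway from reaching anything in the subnet other than the shared resource, which matters because, as the page notes, the resource sees all consumer traffic as coming from the gateway's own addresses.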

## Port ranges
<a name="resource-configuration-port"></a>

When you create a resource configuration you can define the ports it will accept requests on. Client access on other ports will not be allowed.

## Accessing resources
<a name="resource-configuration-accessing"></a>

Consumers can access resource configurations directly from their VPC using a VPC endpoint or through a service network. As a consumer, you can enable access from your VPC to a resource configuration that is in your account or that has been shared with you from another account through AWS RAM.
+ *Accessing a resource configuration directly*

  You can create an AWS PrivateLink VPC endpoint of type resource (resource endpoint) in your VPC to access a resource configuration privately from your VPC. For more information on how to create a resource endpoint, see [Accessing VPC resources](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-resources.html) in the *AWS PrivateLink User Guide*.
+ *Accessing a resource configuration through a service network*

  You can associate a resource configuration with a service network, and connect your VPC to the service network. You can connect your VPC to the service network either through an association or using an AWS PrivateLink service-network VPC endpoint.

  For more information on service network associations, see [Manage the associations for a VPC Lattice service network](https://docs.aws.amazon.com/vpc-lattice/latest/ug/service-network-associations.html).

  For more information on service network VPC endpoints, see [Access service networks](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-service-networks.html) in the *AWS PrivateLink user guide*.

When private DNS is enabled for your VPC, you can’t create a resource endpoint and service network endpoint for the same resource configuration.

## Association with service network type
<a name="resource-configuration-service-network-association"></a>

When you share a resource configuration with a consumer account, for example, Account-B, through AWS RAM, Account-B can access the resource configuration either directly through a resource VPC endpoint, or through a service network.

To access a resource configuration through a service network, Account-B would have to associate the resource configuration with a service network. Service networks are shareable between accounts. So, Account-B can share their service network (that the resource configuration is associated to) with Account-C, making your resource accessible from Account-C.

In order to prevent such transitive sharing, you can specify that your resource configuration cannot be added to service networks that are shareable between accounts. If you specify this, then Account-B won’t be able to add your resource configuration to service networks that are shared or can be shared with another account in the future.

## Types of service networks
<a name="service-network-types"></a>

When you share a resource configuration with another account, for example Account-B, through AWS RAM, Account-B can access the resources specified in the resource configuration in one of three ways:
+ Using a VPC endpoint of type *resource* (resource VPC endpoint).
+ Using a VPC endpoint of type *service network* (service network VPC endpoint).
+ Using a service network VPC association.

  When you use a service-network association, each resource is assigned an IP per subnet from the 129.224.0.0/17 block, which is AWS owned and non-routable. This is in addition to the [managed prefix list](security-groups.md#managed-prefix-list) that VPC Lattice uses to route traffic to services over the VPC Lattice network. Both of these are added to your VPC route table.

For service network VPC endpoint and service network VPC association, the resource configuration would have to be associated with a service network in Account-B. Service networks are shareable between accounts. So, Account-B can share their service network (that contains the resource configuration) with Account-C, making your resource accessible from Account-C. In order to prevent such transitive sharing, you can disallow your resource configuration from being added to service networks that are shareable between accounts. If you disallow this, then Account-B won’t be able to add your resource configuration to a service network that is shared or can be shared with another account.

## Sharing resource configurations through AWS RAM
<a name="sharing-resource-configuration-ram"></a>

Resource configurations are integrated with AWS Resource Access Manager. You can share your resource configuration with another account through AWS RAM. When you share a resource configuration with an AWS account, clients in that account can privately access the resource. You can share a resource configuration using a [resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html) in AWS RAM. 

Use the AWS RAM console to view the resource shares to which you have been added, the shared resources that you can access, and the AWS accounts that have shared resources with you. For more information, see [Resources shared with you](https://docs.aws.amazon.com/ram/latest/userguide/working-with-shared.html) in the *AWS RAM User Guide*.

To access a resource from another VPC in the same account as the resource configuration, you don’t need to share the resource configuration through AWS RAM.

## Monitoring
<a name="resource-configuration-monitoring"></a>

You can enable monitoring logs on your resource configuration. You can choose a destination to send the logs to.

# Create and verify a domain
<a name="create-and-verify"></a>

A domain name verification is an entity that allows you to prove your ownership of a given domain. As a resource provider you can use the domain and its subdomains as custom domain names for your resource configurations. Resource consumers can see the verification status of your custom domain name when they describe the resource configuration.

## Start the domain verification
<a name="start-domain-verification"></a>

You start the domain name verification using VPC Lattice, and then you use your DNS zone to complete the process.

------
#### [ AWS Management Console ]

**To start the domain name verification**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **PrivateLink and Lattice**, choose **Domain verifications**.

1. Choose **Start domain verification**.

1. For **Domain name**, enter a domain name that you own.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Start domain name verification**.

After the successful start of your domain name verification, VPC Lattice returns the `Id` and the `txtMethodConfig`. You use the `txtMethodConfig` to complete the verification of your domain name.

------
#### [ AWS CLI ]

The following `start-domain-verification` command starts a domain name verification:

```
aws vpc-lattice start-domain-verification \
  --domain-name example.com
```

The output looks like the following:

```
{
    "id": "dv-aaaa0000000111111",
    "arn": "arn:aws:vpc-lattice:us-west-2:111122223333:domainverification/dv-aaaa0000000111111",
    "domainName": "example.com",
    "status": "PENDING",
    "txtMethodConfig": {
        "value": "vpc-lattice:1111aaaaaaa",
        "name": "_11111aaaaaaaaa"
    }
}
```

VPC Lattice returns the `Id` and the `txtMethodConfig`. You use the `txtMethodConfig` to complete the verification of your domain name. In this example, the `txtMethodConfig` is the following: 

```
"txtMethodConfig": {
    "value": "vpc-lattice:1111aaaaaaa",
    "name": "_11111aaaaaaaaa"
}
```

------

## Complete the domain name verification
<a name="create-txt-record"></a>

To complete the domain name verification, you add a TXT record in your DNS zone. If you use Route 53, use your domain name's hosted zone. When you verify a domain name, any subdomains are also verified. For instance, if you verify `example.com`, you can associate a resource configuration with `alpha.example.com` and `beta.example.com` without performing any additional verification.

To create a TXT record using the AWS Management Console, see [Creating records by using the Amazon Route 53 console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html).

**To create a TXT record using the AWS CLI for Route 53**

1. Use the [change-resource-record-sets](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/r53/change-resource-record-sets.html) command with the following example `TXT-record.json` file. The record name must be fully qualified within the hosted zone, a `TTL` is required for a non-alias record, and Route 53 expects TXT values to be enclosed in double quotes:

   ```
   {
     "Changes": [
       {
         "Action": "CREATE",
         "ResourceRecordSet": {
           "Name": "_11111aaaaaaaaa.example.com",
           "Type": "TXT",
           "TTL": 300,
           "ResourceRecords": [
             {
               "Value": "\"vpc-lattice:1111aaaaaaa\""
             }
           ]
         }
       }
     ]
   }
   ```

1. Use the following AWS CLI command to add the TXT record from the previous step to a Route 53 hosted zone:

   ```
   aws route53 change-resource-record-sets \
     --hosted-zone-id ABCD123456 \
     --change-batch file://path/to/your/TXT-record.json
   ```

   Replace the `hosted-zone-id` with the Route 53 Hosted Zone ID of the hosted zone in your account. The change-batch parameter value points to a JSON file (TXT-record.json) in a folder (path/to/your).
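Doing the two steps above by hand for every domain is error-prone (an unquoted TXT value or a record name outside the zone is rejected by Route 53). The following added example, not code from the VPC Lattice or Route 53 documentation, takes the `start-domain-verification` output shown on this page, builds the change batch, and reads the zone back to confirm the record landed before you poll `get-domain-verification`. `START_OUTPUT` reproduces the sample output from this page, the hosted zone ID is a placeholder you supply, and `boto3` is imported only when a Route 53 call is actually made.

```python
"""Build, submit and check the Route 53 TXT record for a VPC Lattice domain verification.

Added example, not code from the VPC Lattice or Route 53 documentation. START_OUTPUT
reproduces the start-domain-verification output shown on this page; the hosted zone
ID is a placeholder you supply; boto3 is imported only for the live Route 53 calls.
"""
import json

# Constructed sample: the fields of the start-domain-verification output on this page.
START_OUTPUT = {
    "id": "dv-aaaa0000000111111",
    "domainName": "example.com",
    "status": "PENDING",
    "txtMethodConfig": {"value": "vpc-lattice:1111aaaaaaa", "name": "_11111aaaaaaaaa"},
}


def txt_record_name(verification):
    """Fully qualified record name: the txtMethodConfig name placed under the verified domain."""
    name = verification["txtMethodConfig"]["name"].rstrip(".")
    domain = verification["domainName"].rstrip(".")
    if name == domain or name.endswith("." + domain):  # already fully qualified
        return name
    return f"{name}.{domain}"


def txt_change_batch(verification, ttl=300, action="CREATE"):
    """Change batch for change-resource-record-sets.

    Route 53 requires a TTL on non-alias records and stores TXT values enclosed in
    double quotes; json.dumps adds the quotes (and any escaping) correctly.
    """
    token = verification["txtMethodConfig"]["value"]
    return {
        "Comment": f"VPC Lattice domain verification {verification['id']}",
        "Changes": [
            {
                "Action": action,
                "ResourceRecordSet": {
                    "Name": txt_record_name(verification),
                    "Type": "TXT",
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": json.dumps(token)}],
                },
            }
        ],
    }


def record_present(verification, record_sets):
    """True if one TXT record set (as list-resource-record-sets returns them) carries the token."""
    want_name = txt_record_name(verification) + "."
    want_value = json.dumps(verification["txtMethodConfig"]["value"])
    for rrset in record_sets:
        if rrset.get("Type") != "TXT":
            continue
        if rrset.get("Name", "").rstrip(".") + "." != want_name:
            continue
        if any(rr.get("Value") == want_value for rr in rrset.get("ResourceRecords", [])):
            return True
    return False


def apply_change_batch(hosted_zone_id, change_batch):
    """Submit the change to Route 53 (needs AWS credentials)."""
    import boto3  # lazy import so the pure helpers above run offline
    route53 = boto3.client("route53")
    return route53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=change_batch)


def record_present_in_zone(hosted_zone_id, verification):
    """Read the zone back and confirm the TXT record is there."""
    import boto3
    route53 = boto3.client("route53")
    resp = route53.list_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        StartRecordName=txt_record_name(verification) + ".",
        StartRecordType="TXT",
        MaxItems="1",
    )
    return record_present(verification, resp["ResourceRecordSets"])


if __name__ == "__main__":
    batch = txt_change_batch(START_OUTPUT)
    print(json.dumps(batch, indent=2))
    # apply_change_batch("ZONEID-PLACEHOLDER", batch)
    # print(record_present_in_zone("ZONEID-PLACEHOLDER", START_OUTPUT))
```

Because the page notes that deleting the TXT record drops the domain back to `UNVERIFIED`, `record_present_in_zone` is also a useful periodic check for providers who want to notice that state before consumers see it.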

To check the verification status of your domain name, you can use the VPC Lattice console or the `get-domain-verification` command.

Once you verify your domain name, it stays verified until you delete it. If you delete the TXT record from your DNS zone, VPC Lattice sets your domain name verification status to `UNVERIFIED`, deletes the `verification-id`, and you need to reverify the domain name. This doesn't impact any existing resource endpoints, service network endpoints, or service network VPC associations to your resource configurations. To reverify your domain name, start the domain name verification process over.

# Create a resource configuration in VPC Lattice
<a name="create-resource-configuration"></a>

Create a resource configuration.

------
#### [ AWS Management Console ]

**To create a resource configuration using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **PrivateLink and Lattice**, choose **Resource configurations**.

1. Choose **Create resource configuration**.

1. Enter a name that is unique within your AWS account. You can't change this name after the resource configuration is created.

1. For **Configuration type**, choose **Resource** for a single or child resource or **Resource group** for a group of child resources.

1. Choose a resource gateway that you previously created or create one now.

1. (Optional) To enter a custom domain name, do one of the following:
   + If you have a resource configuration of type single, you can enter a custom domain name. Resource consumers can use this domain name to access your resource configurations.
   + If you have a resource configuration of type group and child, you must first specify a group domain on the group resource configuration. Next, the child resource configurations can have custom domains that are subdomains of the group domain.

1. (Optional) Enter the verification ID.

   Provide a verification ID if you want your domain name to be verified. This lets resource consumers know that you own the domain name.

1. Choose the identifier for the resource that you want this resource configuration to represent.

1. Choose the port ranges through which you want to share the resource.

1. For **Association settings**, specify whether this resource configuration can be associated with shareable service networks. 

1. For **Share resource configuration**, choose the resource shares that identify the principals who can access this resource.

1. (Optional) For **Monitoring**, enable **Resource access logs** and the delivery destination if you want to monitor requests and responses to and from the resource configuration.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create resource configuration**.

------
#### [ AWS CLI ]

The following [create-resource-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/vpc-lattice/create-resource-configuration.html) command creates a single resource configuration and associates it with the custom domain name `example.com`.

```
aws vpc-lattice create-resource-configuration \
    --name my-resource-config \
    --type SINGLE \
    --resource-gateway-identifier rgw-0bba03f3d56060135 \
    --resource-configuration-definition 'ipResource={ipAddress=10.0.14.85}' \
    --custom-domain-name example.com \
    --verification-id dv-aaaa0000000111111
```

The following [create-resource-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/vpc-lattice/create-resource-configuration.html) command creates a group resource configuration and associates it with the custom domain name `example.com`.

```
aws vpc-lattice create-resource-configuration \
  --name my-custom-dns-resource-config-group \
  --type GROUP \
  --resource-gateway-identifier rgw-0bba03f3d56060135 \
  --custom-domain-name example.com \
  --domain-verification-identifier dv-aaaa0000000111111
```

The following [create-resource-configuration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/vpc-lattice/create-resource-configuration.html) command creates a child resource configuration and associates it with the custom domain name `child.example.com`.

```
aws vpc-lattice create-resource-configuration \
  --name my-custom-dns-resource-config-child \
  --type CHILD \
  --resource-configuration-definition 'dnsResource={domainName=my-alb-123456789.us-west-2.elb.amazonaws.com,ipAddressType=IPV4}' \
  --resource-configuration-group-identifier rcfg-07129f3acded87626 \
  --custom-domain-name child.example.com
```
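Before creating child resource configurations, it is worth checking the rule stated above (child custom domains must be subdomains of the group domain) locally, because a lookalike such as `evilexample.com` passes a naive suffix check. The following Python is an added example, not AWS or VPC Lattice code; the `children` mapping shape and the treatment of the group domain itself as not a valid child domain are assumptions.

```python
"""Check the group/child custom-domain rule before calling
create-resource-configuration (added example, not AWS code)."""


def normalize_domain(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so comparisons
    are not fooled by case or by 'example.com.' versus 'example.com'."""
    return name.strip().lower().rstrip(".")


def is_subdomain(candidate: str, parent: str) -> bool:
    """Return True when candidate is a proper subdomain of parent.

    Labels are compared whole, so 'evilexample.com' is NOT a subdomain
    of 'example.com' even though a naive endswith() check would accept
    it. Equality is rejected: a child must sit below the group domain
    (an assumption drawn from 'subdomains of the group domain' above).
    """
    cand, par = normalize_domain(candidate), normalize_domain(parent)
    if not cand or not par or cand == par:
        return False
    return cand.endswith("." + par)


def find_invalid_children(group_domain: str, children: dict) -> list:
    """Return the names of child resource configurations whose custom
    domain is not under group_domain. children maps a child config name
    to its custom domain (a constructed shape, not an API response)."""
    return sorted(
        name for name, domain in children.items()
        if not is_subdomain(domain, group_domain)
    )


if __name__ == "__main__":
    # Constructed sample using the group domain from the commands above.
    group = "example.com"
    kids = {
        "my-custom-dns-resource-config-child": "child.example.com",
        "lookalike-child": "evilexample.com",  # fails the label-boundary check
        "sibling-child": "EXAMPLE.COM.",       # same name; only case/dot differ
    }
    print(find_invalid_children(group, kids))
    # -> ['lookalike-child', 'sibling-child']
```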

------

# Manage associations for a VPC Lattice resource configuration
<a name="resource-configuration-associations"></a>

Consumer accounts that you share a resource configuration with, and clients in your account, can access the resource configuration either directly, using a VPC endpoint of type resource, or through a VPC endpoint of type service-network. As a result, your resource configuration has endpoint associations and service network associations.

## Manage service network resource associations
<a name="resource-config-manage-sn-association"></a>

Create or delete a service network association.

**Note**  
If you receive an access-denied message while creating the association between the service network and resource configuration, check your AWS RAM policy version and ensure that it is version 2. For more information, see the [AWS RAM user guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).

**To manage a service-network association using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **PrivateLink and Lattice**, choose **Resource configurations**.

1. Select the name of the resource configuration to open its details page.

1. Select the **Service network associations** tab.

1. Choose **Create associations**.

1. Select a service network from **VPC Lattice service networks**. To create a service network, choose **Create a VPC Lattice network**.

1. (Optional) To add a tag, expand **Service association tags**, choose **Add new tag**, and enter a tag key and tag value.

1. (Optional) To enable private DNS names for this service network resource association, choose **Enable private DNS name**. For more information, see [Custom domain names for service network owners](resource-configuration.md#resource-configuration-custom-domain-name-service-network-owners).

1. Choose **Save changes**.

1. To delete an association, select the check box for the association and then choose **Actions**, **Delete**. When prompted for confirmation, enter **confirm** and then choose **Delete**.

**To create a service network association using the AWS CLI**  
Use the [create-service-network-resource-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-service-network-resource-association.html) command.

**To delete a service network association using the AWS CLI**  
Use the [delete-service-network-resource-association](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/delete-service-network-resource-association.html) command.

## Manage resource VPC endpoint associations
<a name="resource-config-manage-ep-association"></a>

Consumer accounts with access to your resource configuration, or clients in your account, can access the resource configuration using a resource VPC endpoint. If your resource configuration has a custom domain name, you can enable private DNS so that VPC Lattice provisions private hosted zones for your resource endpoint or service-network endpoint. Clients can then connect to the domain name directly (for example, with curl) to reach the resource configuration. For more information, see [Custom domain names for resource consumers](resource-configuration.md#custom-domain-name-resource-consumers).

------
#### [ AWS Management Console ]

1. To create a new endpoint association, go to **PrivateLink and Lattice** in the left navigation pane and choose **Endpoints**.

1. Choose **Create endpoints**.

1. Select the resource configuration you want to connect to your VPC.

1. Select the VPC, subnets and security groups.

1. (Optional) To turn on private DNS and configure DNS options, select **Enable private DNS name**.

1. (Optional) To tag your VPC endpoint, choose **Add new tag**, and enter a tag key and tag value.

1. Choose **Create endpoint**.

------
#### [ AWS CLI ]

The following [create-vpc-endpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-vpc-endpoint.html) command creates a resource VPC endpoint with private DNS enabled. The private DNS preference is set to `VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS` and the specified domains are `example.com` and `example.org`, so VPC Lattice provisions private hosted zones only for verified domains and for `example.com` and `example.org`.

```
aws ec2 create-vpc-endpoint \
  --vpc-endpoint-type Resource \
  --vpc-id vpc-111122223333aabbc \
  --subnet-ids subnet-0011aabbcc2233445 \
  --resource-configuration-arn arn:aws:vpc-lattice:us-west-2:111122223333:resourceconfiguration/rcfg-07129f3acded87625 \
  --private-dns-enabled \
  --private-dns-preferences VERIFIED_DOMAINS_AND_SPECIFIED_DOMAINS \
  --private-domains-set example.com example.org
```

------

**To create a VPC endpoint association using the AWS CLI**  
Use the [create-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) command.

**To delete a VPC endpoint association using the AWS CLI**  
Use the [delete-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc-endpoint.html) command.