

Amazon CodeCatalyst will no longer be open to new customers starting on November 7, 2025. If you would like to use the service, please sign up prior to November 7, 2025. For more information, see [Migrating from Amazon CodeCatalyst](https://docs.aws.amazon.com/codecatalyst/latest/userguide/migration.html).

# Connecting an Amazon VPC to an Amazon CodeCatalyst space

*Amazon Virtual Private Clouds* (Amazon VPCs) are virtual networks that provide extra security to your application by isolating it from the public internet. By connecting to an Amazon VPC, users can securely run workflow actions and create Dev Environments linked to your VPC in CodeCatalyst. You can set a default VPC connection for a space, so that all workflow runs and Dev Environments will run connected to that VPC.

A *VPC connection* is a CodeCatalyst resource which contains all of the configurations needed for your workflow to access a VPC. Space administrators can add their own VPC connections in the Amazon CodeCatalyst console on behalf of space members. By adding a VPC connection, space members can run workflow actions and create Dev Environments that adhere to network rules and can access resources in the associated VPC.

For more information about setting up a VPC, see the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Introduction.html).

**Considerations for administering VPC connections**
+ You must have the **Space administrator** role or **Power user** role to manage VPC connections at the space level.
+ **Project administrators** can associate a VPC connection with their environment, and **Contributors** can associate that VPC-connected environment with a workflow. When administering VPC connections as a **Space administrator**, you are maintaining these resources on behalf of space members.

**Topics**
+ [Use cases](#managing-vpcs.use-cases)
+ [How do I get started with VPC connections?](#managing-vpcs.how-to)
+ [Limitations of VPC connections in CodeCatalyst](#managing-vpcs.limitations)
+ [Setting up an Amazon VPC](managing-vpcs.set-up.md)
+ [Adding VPC connections for a space](managing-vpcs.add.md)
+ [Configuring VPC endpoints for a space](managing-vpcs.endpoint.md)
+ [Managing a default VPC connection for a space](managing-vpcs.default.md)
+ [Editing VPC connections for a space](managing-vpcs.edit.md)
+ [Removing VPC connections for a space](managing-vpcs.remove.md)

## Use cases


VPC connectivity from CodeCatalyst actions makes it possible to:
+ Run a workflow action that follows the network rules of a VPC connection.
+ Run a workflow action that accesses resources running in a VPC.
+ Deploy an update to an Amazon EKS cluster running in a VPC.

## How do I get started with VPC connections?


The high-level steps to add and use a VPC connection are as follows:

1. In the AWS Management Console, **create an Amazon Virtual Private Cloud (VPC)** or use an existing VPC. A VPC is a virtual network that provides extra security to your application by isolating it from the public internet and allows you to securely run your workflow actions in CodeCatalyst. In order for your VPC to work with CodeCatalyst, it must have a certain configuration. For more information, see [Amazon VPC setup requirements](managing-vpcs.set-up.md#managing-vpcs.requirements).

1. In your CodeCatalyst space settings, **create a VPC connection**. A *VPC connection* is a CodeCatalyst resource which contains all of the configurations needed for a workflow to access a VPC. For more information, see [Adding VPC connections for a space](managing-vpcs.add.md).

1. Associate this VPC connection with an **environment** to use with your workflow actions. For more information, see [Associating a VPC connection with an environment](https://docs.aws.amazon.com/codecatalyst/latest/userguide/deploy-environments-associate-vpc.html) in the *CodeCatalyst User Guide*.

1. Within a workflow, associate the VPC-connected environment to your **workflow action**. When an action is configured with an environment that has a VPC connection, the action will run connected to the VPC, adhere to the network rules, and access resources specified by the associated VPC. For more information, see [Associating an environment, account connection, and IAM role with a workflow action](https://docs.aws.amazon.com/codecatalyst/latest/userguide/deploy-environments-add-app-to-environment.html) in the *CodeCatalyst User Guide*.

1. Create a **Dev Environment** associated to your VPC connection. For more information, see [Creating a Dev Environment](https://docs.aws.amazon.com/codecatalyst/latest/userguide/devenvironment-create.html) in the *CodeCatalyst User Guide*.

## Limitations of VPC connections in CodeCatalyst

+ CodeCatalyst only supports creating VPC connections in the same region. For more information on the available regions, see [CodeCatalyst VPC endpoint service names](managing-vpcs.endpoint.md#managing-vpcs.endpoint-service-names).
+ CodeCatalyst does not support VPC connectivity with the Lambda compute type. Instead, use the Amazon EC2 compute type.
+ CodeCatalyst does not support VPC connectivity with Windows. Instead, use Linux.
+ VPC connectivity may lead to longer action run times.

# Setting up an Amazon VPC

Use the following procedure to create a VPC.

**To create a VPC**
+ Follow the instructions in the *Amazon VPC User Guide* for [Creating a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html#create-vpc-and-other-resources). While following these instructions, keep in mind the VPC requirements needed to work with CodeCatalyst.

For a tutorial that uses CloudFormation to create a VPC, see [AWS Solution: Amazon Virtual Private Cloud on AWS](https://aws.amazon.com/solutions/implementations/vpc/).

## Amazon VPC setup requirements

In order for a VPC to work with CodeCatalyst, it must meet the following requirements:
+ For **Number of public subnets**, make sure that you have at least one [public subnet](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html#subnet-types) in any Availability Zone.
+ For **Number of private subnets**, make sure that you have one [private subnet](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html#subnet-types) in each available Availability Zone in a region.
+ Make sure your VPC has access to the internet. This can be done by adding a route with a destination of `0.0.0.0/0` to an [internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-internet-gateway) and a [NAT device](https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-nat).
+ Make sure that the routing table for private subnets points to the NAT gateway. For more information, see [Routing to a NAT device](https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-nat) in the *Amazon VPC User Guide*.
+ Make sure that your internet gateway is attached to the VPC. Public subnets should have a routing table to the internet gateway. For more information, see [Routing to an internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-internet-gateway) in the *Amazon VPC User Guide*.
+ Make sure that your security groups allow outbound traffic.
+ Make sure that your IPv4 CIDR block is **not** configured to the `172.16.0.0/12` IP address range. For more information, see [IPv4 VPC CIDR blocks](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html#vpc-sizing-ipv4) in the *Amazon VPC User Guide*.
+ As a best practice, make sure that your security groups have no inbound traffic allowed, unless you specifically require this for other reasons.
+ CodeCatalyst does not support assigning a public IP address to the network interfaces that it creates. To give those interfaces internet access, add a NAT device to the VPC you use with CodeCatalyst. For more information, see [Connect to the internet or other networks using NAT devices](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat.html) in the *Amazon VPC User Guide*.
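As an added example (not code from the CodeCatalyst documentation), the following Python checks a VPC description against the requirements listed above: CIDR outside `172.16.0.0/12`, an attached internet gateway, a public subnet routed to it, a private subnet routed to a NAT device in every Availability Zone, and security groups that allow egress and ideally no ingress. It runs offline over constructed dicts shaped like EC2 `describe-*` responses; the ids, Availability Zones and the subset of fields used are assumptions.

```python
import ipaddress

RESERVED = ipaddress.ip_network("172.16.0.0/12")  # range the requirements say to avoid

def default_target(route_table):
    """Return "igw", "nat" or None for a route table's 0.0.0.0/0 route."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return None

def subnet_kinds(subnets, route_tables):
    """Map each SubnetId to the kind of default route its route table has."""
    by_subnet = {}
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:
                by_subnet[assoc["SubnetId"]] = default_target(table)
    return {s["SubnetId"]: by_subnet.get(s["SubnetId"]) for s in subnets}

def check_vpc(vpc, igws, subnets, route_tables, security_groups, region_azs):
    """Return findings; an empty list means the VPC meets the listed requirements."""
    findings = []
    if ipaddress.ip_network(vpc["CidrBlock"]).overlaps(RESERVED):
        findings.append(f"CIDR {vpc['CidrBlock']} overlaps {RESERVED}")
    if not any(a["VpcId"] == vpc["VpcId"] and a["State"] == "available"
               for igw in igws for a in igw["Attachments"]):
        findings.append("no internet gateway attached to the VPC")
    kinds = subnet_kinds(subnets, route_tables)
    if "igw" not in kinds.values():
        findings.append("no public subnet routes 0.0.0.0/0 to an internet gateway")
    private_azs = {s["AvailabilityZone"] for s in subnets if kinds[s["SubnetId"]] == "nat"}
    for az in region_azs:
        if az not in private_azs:
            findings.append(f"no private subnet routes 0.0.0.0/0 to a NAT device in {az}")
    for sg in security_groups:
        if not sg.get("IpPermissionsEgress"):
            findings.append(f"{sg['GroupId']} allows no outbound traffic")
        if sg.get("IpPermissions"):  # best practice only: inbound should be empty
            findings.append(f"{sg['GroupId']} allows inbound traffic; confirm it is required")
    return findings

# Constructed sample in the shape of EC2 describe-* responses (not captured from AWS).
SAMPLE = dict(
    vpc={"VpcId": "vpc-0example", "CidrBlock": "10.20.0.0/16"},
    igws=[{"InternetGatewayId": "igw-0example",
           "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}],
    subnets=[{"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-west-2a"},
             {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-west-2a"},
             {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-west-2b"}],
    route_tables=[
        {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
         "Associations": [{"SubnetId": "subnet-pub-a"}]},
        {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
         "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}]}],
    security_groups=[{"GroupId": "sg-0example", "IpPermissions": [],
                      "IpPermissionsEgress": [{"IpProtocol": "-1"}]}],
    region_azs=["us-west-2a", "us-west-2b"],
)

if __name__ == "__main__":
    print("\n".join(check_vpc(**SAMPLE) or ["VPC meets the CodeCatalyst requirements"]))
```

To run it against a real account, feed `check_vpc` the corresponding boto3 `describe_vpcs`, `describe_internet_gateways`, `describe_subnets`, `describe_route_tables` and `describe_security_groups` results and the Region's Availability Zones.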

## Troubleshooting your VPC setup


Use the information that appears in the error message to help you identify, diagnose, and address issues.

The following are some guidelines to assist you when troubleshooting common VPC errors:

1. [Make sure that your internet gateway is attached to VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway).

1. [Make sure that the route table for your public subnet points to the internet gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html#route-tables-internet-gateway).

1. [Make sure that your network ACLs allow traffic to flow](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules).

1. [Make sure that your security groups allow traffic to flow](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules).

1. [Troubleshoot your NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC-nat-gateway.html#nat-gateway-troubleshooting).

1. [Make sure that the route table for private subnets points to the NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html#route-tables-nat).

1. [Make sure that your IPv4 CIDR block is not configured to the `172.16.0.0/12` IP address range](https://docs.aws.amazon.com/codecatalyst/latest/userguide/devenvironments-troubleshooting.html#troubleshooting-devenvironments-vpc).

# Adding VPC connections for a space

You can add VPC connections in the Amazon CodeCatalyst console.

You must have the **Space administrator** role or **Power user** role to manage VPC connections at the space level.

**To add VPC connections**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **VPC connections**.

   The page lists all VPC connections in your space. You can view the **VPC connection name**, the **VPC ID**, and the associated **AWS account connection**.

1. Choose **Add VPC connection**.

1. In **AWS account connection**, do the following:
   + For **AWS account connection**, choose a connection from the drop-down menu.

     For more information about connections, see [Adding an AWS account to a space](https://docs.aws.amazon.com/codecatalyst/latest/userguide/ipa-connect-account-create.html) in the *CodeCatalyst User Guide*.
**Note**  
If you associate your VPC connection with a project-restricted AWS account connection, your VPC connection will only have access to specific projects and cannot be set as default. For more information, see [Enabling or disabling project-restricted account connections](managing-accounts-restriction.md).
   + For **VPC role**, choose a role from the drop-down menu and then choose **Next**.
     + We recommend that the `ArnLike` field for your trust policy contain the following:

       ```
       {
         "aws:SourceArn": [
           "arn:aws:codecatalyst:::space/<space-id>",
           "arn:aws:codecatalyst:::space/<space-id>/project/*"
         ]
       }
       ```

       Adding this `SourceArn` condition in your trust policy ensures that the VPC role is only used for the specified space.
**Note**  
Understand that VPC connections are a space-level resource, meaning that your VPC can be accessed by different projects. You can restrict access by configuring your VPC role trust policy with a specific `projectId` instead of `*`.
     + The `Action` field for your permission policy must contain the following:

       ```
       [
         "ec2:CreateNetworkInterface",
         "ec2:DescribeDhcpOptions",
         "ec2:DescribeNetworkInterfaces",
         "ec2:DeleteNetworkInterface",
         "ec2:DescribeSubnets",
         "ec2:DescribeSecurityGroups",
         "ec2:DescribeVpcs"
       ]
       ```

     This **VPC role** will be used to populate the **VPC**, **Subnets**, and **Security groups** drop-down menus and establish VPC connectivity with CodeCatalyst actions.

     For more information about roles, see [Managing IAM roles for connected accounts](https://docs.aws.amazon.com/codecatalyst/latest/userguide/spaces-manage-roles.html) in the *CodeCatalyst User Guide*.
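The following added Python example, not code from the CodeCatalyst documentation, builds the VPC role trust policy with the `aws:SourceArn` condition recommended above and shows why the note about `projectId` matters: it reimplements IAM's component-wise `ArnLike` matching offline and compares the `project/*` condition with one pinned to a single project. The space and project ids are placeholders, and the service principals in the policy are an assumption to confirm against the role documentation linked above.

```python
import json
import re

SPACE_ID = "00000000-0000-0000-0000-000000000000"    # placeholder space id
PROJECT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder project id

def build_trust_policy(space_id, project_id="*"):
    """Trust policy for the VPC role. With project_id="*" every project in the
    space may use the role; a specific project id restricts it to that project."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        # Assumed CodeCatalyst service principals; confirm against the role
        # management documentation before relying on them.
        "Principal": {"Service": ["codecatalyst-runner.amazonaws.com",
                                  "codecatalyst.amazonaws.com"]},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:SourceArn": [
            f"arn:aws:codecatalyst:::space/{space_id}",
            f"arn:aws:codecatalyst:::space/{space_id}/project/{project_id}",
        ]}},
    }]}

def arn_like(pattern, arn):
    """Match the way IAM's ArnLike does: each of the six colon-separated
    components is compared separately, with '*' and '?' wildcards."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if not re.fullmatch(regex, a, re.DOTALL):
            return False
    return True

def role_assumable_from(policy, source_arn):
    """True if any aws:SourceArn pattern in the trust policy's ArnLike
    condition matches the calling CodeCatalyst space or project ARN."""
    patterns = policy["Statement"][0]["Condition"]["ArnLike"]["aws:SourceArn"]
    return any(arn_like(p, source_arn) for p in patterns)

def compare(space_id=SPACE_ID, project_id=PROJECT_ID):
    """Evaluate the space-wide and project-restricted policies against three
    callers: the intended project, a sibling project, and a different space."""
    callers = [f"arn:aws:codecatalyst:::space/{space_id}/project/{project_id}",
               f"arn:aws:codecatalyst:::space/{space_id}/project/other-project-id",
               f"arn:aws:codecatalyst:::space/other-space-id/project/{project_id}"]
    return {
        "space_wide": [role_assumable_from(build_trust_policy(space_id), c) for c in callers],
        "one_project": [role_assumable_from(build_trust_policy(space_id, project_id), c)
                        for c in callers],
    }

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(SPACE_ID, PROJECT_ID), indent=2))
    print(compare())  # space_wide admits the sibling project, one_project does not
```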

1. In **VPC connection details**, do the following:
   + For **VPC**, choose a VPC from the drop-down menu.

     For more information, see [Create a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html) in the *Amazon VPC User Guide*.
   + In **Subnets**, choose *private* subnets to connect to in each availability zone from the drop-down menus. Do not choose public subnets.

     For more information, see [Create a subnet](https://docs.aws.amazon.com/vpc/latest/userguide/create-subnets.html) in the *Amazon VPC User Guide*.
   + In **Security groups**, select the groups from the drop-down menu. You can select up to five security groups.

     For more information, see [Security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in the *Amazon VPC User Guide*.
   + In **VPC connection name**, enter the reference name for your VPC connection then choose **Next**.
**Note**  
Each VPC connection name must be unique per space.

1. After you've reviewed your selections, choose **Add VPC connection**.

1. You can now associate this VPC connection with an environment to use with your workflow actions or create a Dev Environment associated to your VPC connection. For instructions, see [Associating a VPC connection with an environment](https://docs.aws.amazon.com/codecatalyst/latest/userguide/deploy-environments-managing-environment.html#deploy-environments-associate-vpc) or [Using Dev Environments with a VPC connection](https://docs.aws.amazon.com/codecatalyst/latest/userguide/devenvironment-using-vpc.html) in the *CodeCatalyst User Guide*.

# Configuring VPC endpoints for a space

VPCs allow you to define a virtual network that isolates AWS resources, securely connects to remote networks, and safely accesses service endpoints through AWS PrivateLink. AWS PrivateLink is used to generate private endpoints which keep all the network traffic within the AWS network. When connected to a VPC, you can create VPC endpoints that will allow CodeCatalyst to communicate directly with certain services rather than through the internet.

For more information about PrivateLink and VPC endpoints, see [What is AWS PrivateLink?](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html).

Use the following procedure to configure VPC endpoints for a space.

------
#### [ AWS console ]

**To configure VPC endpoints using the AWS console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints** and then choose **Create endpoint**.

1. In **Endpoint settings**, do the following:
   + (Optional) For **Name tag**, enter a reference name for your endpoint.

1. In **Services**, enter your specified service name and then select it. For more information, see [CodeCatalyst VPC endpoint service names](#managing-vpcs.endpoint-service-names).

1. In **VPC**, choose the VPC in which to create your endpoint.
   + For **Additional settings**, leave the default.

1. In **Subnets**, select the same private subnets that you associated with your VPC connection to connect to in each availability zone:
   + In **IP address type**, select **IPv4**. This enables the endpoint service to accept IPv4 requests.

1. In **Security groups**, select the same security groups that you associated with your VPC connection then choose **Create endpoint**.

1. After your VPC endpoint is created, choose that endpoint, and then choose **Modify private DNS name**.

1. In **Enable private DNS names**, select **Enable for this endpoint**.

------
#### [ AWS CLI ]

**To configure VPC endpoints using the AWS CLI**

1. If you haven't done so already, [set up the AWS CLI for CodeCatalyst](https://docs.aws.amazon.com/codecatalyst/latest/userguide/set-up-cli.html).

1. Run this command to sign in to Amazon CodeCatalyst using AWS IAM Identity Center:

   ```
   aws sso login --profile codecatalyst
   ```

1. Create your VPC endpoint:

   ```
   aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name <service-name> --subnet-ids <subnet-ids> --security-group-ids <security-group-ids> --private-dns-enabled
   ```

   For more information on service names, see [CodeCatalyst VPC endpoint service names](#managing-vpcs.endpoint-service-names).

------

## CodeCatalyst VPC endpoint service names


You can create VPC endpoints for the following services if you prefer that CodeCatalyst use these endpoints instead of the public internet.
+ Source:
  + Regions: `us-west-2`, `eu-west-1`
  + Service name: `com.amazonaws.<region>.codecatalyst.git`
+ API:
  + Regions: `us-west-2`, `eu-west-1`
  + Service name: `aws.api.global.codecatalyst`
+ Packages:
  + Regions: `us-west-2`, `eu-west-1`
  + Service name: `com.amazonaws.<region>.codecatalyst.packages`

# Managing a default VPC connection for a space

You can set a default VPC connection for a space. If you choose to set a default VPC connection, all workflow runs and Dev Environments in your space will run connected to the default VPC connection. You can override this by associating a different VPC connection in your workflow action or Dev Environment.

You must have the **Space administrator** role or **Power user** role to manage VPC connections at the space level.

**Topics**
+ [Setting a default VPC connection](#managing-vpcs.default.set)
+ [Removing a default VPC connection](#managing-vpcs.default.remove)

## Setting a default VPC connection


Use the following procedure to set a default VPC connection.

**To set a default VPC connection**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **VPC connections**.

   The page lists all VPC connections in your space. You can view the **VPC connection name**, the **VPC ID**, and the associated **AWS account connection**.

1. Choose the VPC connection name that you want to set as default.
**Note**  
If your VPC connection is associated with a project-restricted AWS account, your VPC connection will only have access to specific projects and cannot be set as default. For more information, see [Enabling or disabling project-restricted account connections](managing-accounts-restriction.md).

1. Choose **Manage default**, choose **Set as default** from the drop-down menu, then choose **Confirm**.

## Removing a default VPC connection


Use the following procedure to remove a default VPC connection.

**To remove a default VPC connection**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **VPC connections**.

   The page lists all VPC connections in your space. You can view the **VPC connection name**, the **VPC ID**, and the associated **AWS account connection**.

1. Choose the default VPC connection name.

1. Choose **Manage default**, choose **Remove as default** from the drop-down menu, then choose **Confirm**.

# Editing VPC connections for a space

You can edit the configuration for a VPC connection, such as the associated subnets or security groups.

You must have the **Space administrator** role or **Power user** role to manage VPC connections at the space level.

**Warning**  
While VPC-connected workflows are in progress, we recommend that you do not edit your VPC connection or your VPC role. If the associated VPC is edited while your workflow is in progress, your workflow will continue to run with the initial VPC connection. If a VPC role is edited to remove necessary permissions while your workflow is in progress, you will not be able to clean up your resources.

**To edit VPC connections**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **VPC connections**.

   The page lists all VPC connections in your space. You can view the **VPC connection name**, the **VPC ID**, and the associated **AWS account connection**.

1. Choose the VPC connection name that you want to manage, and then choose **Edit**.

1. Edit your VPC connection as needed, and then choose **Update VPC connection**.

# Removing VPC connections for a space

You can remove a VPC connection that is no longer needed or that no longer has an owner.

You must have the **Space administrator** role or **Power user** role to manage VPC connections at the space level.

**Warning**  
While VPC-connected workflows are in progress, we recommend that you do not delete your VPC connection or your VPC role. If the associated VPC is deleted while your workflow is in progress, your workflow will continue to run with the initial VPC connection.

**To remove VPC connections**

1. Open the CodeCatalyst console at [https://codecatalyst.aws/](https://codecatalyst.aws/).

1. Navigate to your CodeCatalyst space.
**Tip**  
If you belong to more than one space, choose a space in the top navigation bar.

1. Choose **Settings**, and then choose **VPC connections**.

   The page lists all VPC connections in your space. You can view the **VPC connection name**, the **VPC ID**, and the associated **AWS account connection**.

1. Choose the selector next to the VPC connection you want to manage. Choose **Remove VPC connection**. To confirm, type the VPC connection name, and then choose **Remove**.