About VPC Endpoints

Virtual Private Cloud (VPC) endpoints enable instances placed in a VPC to access another OUTSCALE service using a private connection, which avoids using a VPN connection or a DirectLink connection.

For more information about OUTSCALE services, see OUTSCALE APIs Reference and OUTSCALE Object Storage (OOS).

VPC endpoints enable you to create a private connection between your VPC and another OUTSCALE service within the same Region as the VPC. Using the VPC endpoint, instances in your VPC communicate with resources of the other service using their private IPs. When using this solution, network traffic remains within 3DS OUTSCALE network.

When creating a VPC endpoint, you specify the name of the service prefix list, which is a list of network prefixes used by this service in CIDR notation. Each prefix list is composed of an ID in the pl-xxxxxxxx format, and a name to identify the service it is associated with in the com.outscale.<REGION>.<SERVICE> format.

You also need to specify one or more route tables to associate with the VPC endpoint, when creating it or once created. The appropriate routes are then automatically added to these route tables to route the traffic of their associated subnets destined to the service to the VPC endpoint. These routes have the corresponding prefix list ID as destination, representing the range of IPs used by the service, and the VPC endpoint ID as target. All instances placed in these subnets therefore use the VPC endpoint to access the service within the VPC Region.

VPC Endpoint Architecture

sch General VPCEndpoints

  • If you do not specify any route table when creating the VPC endpoint, you need to add them after creation to automatically create the appropriate routes in the specified route tables. For more information, see Adding or Removing a Route Table Associated with a VPC Endpoint.

  • As the most specific destination match is used to determine the route that applies, if the route tables contain a route directing all Internet traffic (0.0.0.0/0 CIDR block) to an Internet gateway or a NAT gateway, the route using the VPC endpoint takes precedence over the Internet one when directing traffic to the service within the Region. The Internet route is used for all other Internet traffic, including traffic to other 3DS OUTSCALE services or to traffic to this service in another Region.

The default security group for your VPC allows all outbound traffic. If you created a custom security group or modified the outbound rule of the default security group, you need to add an outbound rule allowing traffic to the appropriate service. To do so, you can use its prefix list ID. For more information, see Adding Rules to a Security Group.

You cannot transfer a VPC endpoint to another VPC. You need to create a new one and, if needed delete the previous VPC endpoint.

A VPC endpoint can be in one of the following states:

  • Pending: The creation process is in progress.

  • Available: The VPC endpoint is created and can be used to forward traffic to an OUTSCALE service.

  • Deleting: The deletion process is in progress.

  • Deleted: The VPC endpoint is deleted.

Related Pages