AWS service endpoints

AWS service endpoints are public access points for programmatically interacting with AWS services or for referencing them.

AWS service endpoints are typically public URLs using the HTTPS protocol. While these endpoints are a fundamental part of the AWS ecosystem, they usually operate behind the scenes.

Users generally need to specify these endpoints when they are working with a service in a region different from their default, or when setting up configurations for other services. For instance, you might specify a non-default endpoint when interacting with an AWS service in a specific region, or use an S3 endpoint as the custom origin when configuring a CloudFront distribution for web hosting.

Every AWS service endpoint consists of a protocol name, a service code that identifies the specific AWS service being invoked, and the AWS domain.

Global or Regional

Endpoints in AWS are classified into two distinct categories: global and regional. The classification depends on the nature of the service being used. For the differences between the two kinds of service, see the article "What is a global and regional service".

Global endpoints are used only by AWS global services, which are (this is the full list):

  • Amazon CloudFront
  • AWS Global Accelerator
  • AWS Identity and Access Management (IAM)
  • AWS Network Manager
  • AWS Organizations
  • Amazon Route 53
  • AWS Shield Advanced
  • AWS WAF Classic

All of these services can be invoked with the following schema:

protocol://service-code.amazonaws.com

Regional endpoints, on the other hand, are used by regional services (all services not listed as global above), for example:

  • RDS
  • EC2
  • DynamoDB
  • S3 (actually a quasi global-regional service)
  • Redshift
  • ECS (Elastic Container Service)
  • EKS (Elastic Kubernetes Service)
  • Lambda

Regional endpoint schema:

protocol://service-code.region-code.amazonaws.com

Dual-stack endpoints

Additionally, there are dual-stack endpoints, which let you communicate with AWS services over either IPv4 or IPv6. This comes in handy for applications in environments where both protocols are in use.

Dual-stack endpoints can be used with either regional or global services. To use them, a region has to be specified, or (for global services) the AWS_USE_DUALSTACK_ENDPOINT flag has to be set in the AWS CLI.

Dual-stack endpoints can be used with the following regional services:

  • Application Load Balancer
  • AWS S3
  • Amazon EC2
  • Amazon API Gateway
  • Amazon SQS
  • Amazon SNS

Dual-stack endpoints can be used with the following global services:

  • Amazon CloudFront
  • AWS Route 53
  • AWS Global Accelerator
  • AWS WAF (quasi global-regional service)

Dual-stack default endpoint schema:

protocol://service-code.region-code.api.aws

There are also two dual-stack schemas reserved for the S3 service (virtual hosted-style and path-style respectively):

bucketname.s3.dualstack.region-code.amazonaws.com
s3.dualstack.region-code.amazonaws.com/bucketname

Dual-stack endpoints are available only in the following regions:

  • us-east-1 - US East (Northern Virginia)
  • us-east-2 - US East (Ohio)
  • us-west-2 - US West (Oregon)
  • eu-west-1 - Europe (Ireland)
  • ap-south-1 - Asia Pacific (Mumbai)
  • sa-east-1 - South America (São Paulo)
  • us-gov-east-1 - AWS GovCloud (US-East)
  • us-gov-west-1 - AWS GovCloud (US-West)

FIPS endpoints

Numerous AWS services can be invoked through FIPS endpoints, which adhere to the Federal Information Processing Standards (FIPS) used by the US and Canadian governments, particularly for data encryption. They are usually used when interacting with government

FIPS endpoints are only available in US and Canada regions:

  • us-east-1 - US East (Northern Virginia)
  • us-east-2 - US East (Ohio)
  • us-west-1 - US West (N. California)
  • us-west-2 - US West (Oregon)
  • ca-central-1 - Canada (Central)
  • us-gov-east-1 - AWS GovCloud (US-East)
  • us-gov-west-1 - AWS GovCloud (US-West)

To use FIPS endpoints, either enable the AWS_USE_FIPS_ENDPOINT flag or set the use_fips_endpoint option to 'true' in the AWS CLI configuration file at ~/.aws/config. This configuration ensures that all AWS service interactions adhere to FIPS encryption standards. Alternatively, for some services, you can use the FIPS endpoint schema directly with the --endpoint-url parameter in the AWS CLI.

FIPS default endpoint schema:

protocol://service-code-fips.region-code.amazonaws.com

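As an added example (not the article's own code and not an AWS library), the schemas above turned into a small Python classifier: it identifies which schema a configured endpoint hostname follows and rejects anything that does not match, which is the check worth running on a --endpoint-url before handing it credentials. The region and bucket grammars are simplified assumptions.

```python
"""Classify an AWS endpoint URL against the hostname schemas in this article.

Added example, not from the article or any AWS library: it parses the global,
regional, dual-stack, S3 dual-stack and FIPS schemas so a --endpoint-url taken
from configuration can be rejected before a signed request (and the credentials
behind it) goes to a lookalike host. Region/bucket grammars are simplified assumptions."""
import re
from urllib.parse import urlparse

REGION = r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"  # e.g. us-east-1, us-gov-west-1 (assumed grammar)
SERVICE = r"(?P<service>[a-z0-9-]+)"
# One anchored pattern per schema in the article; the anchored literal suffix is
# what makes a host such as "iam.amazonaws.com.example.net" fail to match.
SCHEMAS = [
    ("global", re.compile(rf"^{SERVICE}\.amazonaws\.com$")),
    ("regional", re.compile(rf"^{SERVICE}\.{REGION}\.amazonaws\.com$")),
    ("dualstack", re.compile(rf"^{SERVICE}\.{REGION}\.api\.aws$")),
    # S3: virtual hosted-style (bucket in host) or path-style (bucket in path)
    ("s3-dualstack", re.compile(
        rf"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3\.dualstack\.{REGION}\.amazonaws\.com$")),
]

def classify_endpoint(url: str) -> dict:
    """Return kind, scheme, service, region, bucket and fips for an endpoint URL.
    Raises ValueError when the host fits no schema, so callers fail closed."""
    parts = urlparse(url if "://" in url else f"https://{url}")
    host = (parts.hostname or "").lower()
    for kind, pattern in SCHEMAS:
        m = pattern.match(host)
        if not m:
            continue
        info = {"kind": kind, "scheme": parts.scheme, "service": None,
                "region": None, "bucket": None, "fips": False}
        info.update(m.groupdict())
        if kind == "s3-dualstack":
            info["service"] = "s3"
            if info["bucket"] is None:  # path-style: bucket is the first path segment
                info["bucket"] = parts.path.strip("/").split("/")[0] or None
        if info["service"].endswith("-fips"):  # service-code-fips.region-code.amazonaws.com
            info.update(kind="fips", fips=True, service=info["service"][:-5])
        return info
    raise ValueError(f"not a recognised AWS endpoint host: {host!r}")

def is_trusted_endpoint(url: str) -> bool:
    """True only for an HTTPS URL whose host matches one of the AWS schemas."""
    try:
        return classify_endpoint(url)["scheme"] == "https"
    except ValueError:
        return False
```

A plain HTTP URL or a host that merely contains "amazonaws.com" somewhere in its name is rejected, which is the failure mode a misread --endpoint-url most often produces.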