Use VPC Endpoints for Java Workloads on Elastic Beanstalk
This tutorial shows how to keep traffic to selected AWS services inside your VPC by using VPC endpoints with Elastic Beanstalk. It is most useful for private environments that access S3, DynamoDB, or Secrets Manager.
Prerequisites
- Elastic Beanstalk environment deployed into a VPC.
- Familiarity with route tables and security groups.
- Target AWS services identified for private connectivity.
What You'll Build
You will build:
- Gateway or interface endpoints for required AWS services.
- Security controls that allow private service access.
- Spring Boot integrations that continue using normal AWS SDK endpoints.
Steps
- Create the required VPC endpoint. The command below creates a gateway endpoint for S3 and associates it with one route table; replace the rtb-xxxxxxxx placeholder with the route table(s) used by the application subnets.
aws ec2 create-vpc-endpoint --vpc-id "$VPC_ID" --service-name "com.amazonaws.$REGION.s3" --vpc-endpoint-type Gateway --route-table-ids "rtb-xxxxxxxx" --region "$REGION"
- For interface endpoints, attach security groups that allow inbound HTTPS (TCP 443) from the application subnets or from the instances' security group.
- Keep your Java SDK code unchanged unless you require explicit endpoint overrides.
- Verify that route tables (gateway endpoints) or DNS resolution (interface endpoints) direct traffic to the endpoint.
- Redeploy or restart the environment if you also update security groups or network settings.
flowchart LR
    A[Elastic Beanstalk Instances in Private Subnets] --> B[VPC Endpoint]
    B --> C[Amazon S3 or Secrets Manager or DynamoDB]
    D[Route Tables and Security Groups] --> B

Verification
Run these checks after the network update:
aws ec2 describe-vpc-endpoints --filters "Name=vpc-id,Values=$VPC_ID" --region "$REGION"
eb logs --all
Expected outcomes:
- Required VPC endpoints exist and are in the available state.
- Application traffic to supported AWS services stays inside the VPC path.
- Logs do not show public egress dependency for those services.
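The following is an added example, not code from the original tutorial. It turns the verification step from the Steps list and the expected outcomes above into an automated check: it parses the JSON that `aws ec2 describe-vpc-endpoints` prints and reports endpoints that are not available, gateway endpoints not attached to every application route table, interface endpoints with no subnets, no security group, or private DNS disabled (in which case the SDK's default service hostname still resolves to public addresses unless the code overrides the endpoint), and required services with no endpoint at all. A second function checks whether the addresses a service name resolves to fall inside the VPC's CIDR blocks. The endpoint, subnet, route table and security group IDs and the CIDR ranges are constructed sample values, not real resources.

```python
"""Audit describe-vpc-endpoints output for a private Elastic Beanstalk VPC (added example)."""
import ipaddress
import json

# Constructed sample of `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,...` output.
# Two deliberate weaknesses: the S3 gateway endpoint misses one app route table, and the
# Secrets Manager interface endpoint has private DNS turned off.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0example1",
            "VpcEndpointType": "Gateway",
            "VpcId": "vpc-0example",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available",
            "RouteTableIds": ["rtb-0app-a"],
            "SubnetIds": [],
            "Groups": [],
            "PrivateDnsEnabled": False,
        },
        {
            "VpcEndpointId": "vpce-0example2",
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0example",
            "ServiceName": "com.amazonaws.us-east-1.secretsmanager",
            "State": "available",
            "RouteTableIds": [],
            "SubnetIds": ["subnet-0app-a", "subnet-0app-b"],
            "Groups": [{"GroupId": "sg-0endpoint", "GroupName": "vpce-secretsmanager"}],
            "PrivateDnsEnabled": False,
        },
    ]
})


def audit_vpc_endpoints(describe_json, vpc_id, required_services, app_route_table_ids):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    endpoints = [e for e in json.loads(describe_json)["VpcEndpoints"] if e["VpcId"] == vpc_id]
    findings = []
    available_services = set()
    for ep in endpoints:
        eid, svc = ep["VpcEndpointId"], ep["ServiceName"]
        if ep["State"] != "available":
            findings.append(f"{eid} ({svc}) is in state {ep['State']}, not available")
            continue
        available_services.add(svc)
        if ep["VpcEndpointType"] == "Gateway":
            # Traffic from a subnet only uses a gateway endpoint if that subnet's route table
            # carries the endpoint's prefix-list route; every app route table must be attached.
            missing = sorted(set(app_route_table_ids) - set(ep.get("RouteTableIds", [])))
            if missing:
                findings.append(f"{eid} ({svc}) is not associated with route tables {missing}")
        elif ep["VpcEndpointType"] == "Interface":
            if not ep.get("SubnetIds"):
                findings.append(f"{eid} ({svc}) has no subnets, so it has no ENIs to receive traffic")
            if not ep.get("Groups"):
                findings.append(f"{eid} ({svc}) has no security group to allow HTTPS from the app subnets")
            if not ep.get("PrivateDnsEnabled"):
                findings.append(f"{eid} ({svc}) has private DNS disabled; the SDK default hostname "
                                "resolves to public addresses unless the code overrides the endpoint")
    for svc in required_services:
        if svc not in available_services:
            findings.append(f"no available endpoint for required service {svc}")
    return findings


def addresses_inside_vpc(addresses, vpc_cidrs):
    """True when every resolved address lies within one of the VPC CIDR blocks.

    Feed it the answers from socket.getaddrinfo() run on an instance in the
    application subnet; public service addresses mean traffic leaves the VPC path.
    """
    networks = [ipaddress.ip_network(c) for c in vpc_cidrs]
    return all(any(ipaddress.ip_address(a) in net for net in networks) for a in addresses)


if __name__ == "__main__":
    required = ["com.amazonaws.us-east-1.s3",
                "com.amazonaws.us-east-1.secretsmanager",
                "com.amazonaws.us-east-1.dynamodb"]
    for line in audit_vpc_endpoints(SAMPLE_DESCRIBE_OUTPUT, "vpc-0example",
                                    required, ["rtb-0app-a", "rtb-0app-b"]):
        print("FINDING:", line)
    # Constructed resolver answers: endpoint ENI addresses vs. a public service address.
    print(addresses_inside_vpc(["10.0.1.25", "10.0.2.40"], ["10.0.0.0/16"]))
    print(addresses_inside_vpc(["52.46.0.1"], ["10.0.0.0/16"]))
```

To run it against a real environment, pipe the output of the `describe-vpc-endpoints` command from the Verification section into `audit_vpc_endpoints` together with the route table IDs of the Elastic Beanstalk instance subnets. The security group check only confirms that a group is attached; the rule that allows TCP 443 from the application subnets still has to be reviewed separately.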