Claude Code for AWS PrivateLink Workflow
AWS PrivateLink provides secure, private connectivity between AWS services, your VPCs, and on-premises networks without exposing traffic to the public internet. Managing PrivateLink configurations manually can be complex and error-prone. This guide shows you how to use Claude Code to automate PrivateLink workflows, from initial setup to ongoing management and troubleshooting.
Understanding PrivateLink Architecture
Before diving into automation, it’s essential to understand the key components of PrivateLink architecture. A typical PrivateLink setup involves several interconnected AWS resources that work together to enable private connectivity.
Key Components
The foundation of any PrivateLink implementation starts with the VPC Endpoint. This is the entry point within your VPC that allows private access to AWS services or your own services. The endpoint creates an elastic network interface in your chosen subnets with a private IP address from your VPC’s CIDR range.
Interface VPC endpoints (Powered by AWS PrivateLink) connect you to services powered by AWS PrivateLink, including over 200 AWS services. These endpoints appear as elastic network interfaces with private IPs in your subnets. Gateway endpoints, by contrast, are used for S3 and DynamoDB and work differently—they’re route table targets rather than network interfaces.
When you want to offer your own service through PrivateLink, you create a VPC Endpoint Service. This service references a Network Load Balancer in your VPC that sits in front of your application. Other AWS accounts or your own VPCs can then create VPC Endpoints to connect to your service.
The final piece involves the connection acceptance mechanism. When a consumer creates an endpoint to your service, you must accept the connection. For AWS services, this happens automatically, but for your own endpoint services, manual or automated acceptance is required.
Setting Up Claude Code for AWS Automation
Claude Code can interact with AWS through various mechanisms. The recommended approach uses AWS CLI commands executed through Claude Code’s bash tool. This provides flexibility and works with your existing AWS authentication setup.
First, ensure you have AWS CLI installed and configured with appropriate credentials:
# Verify AWS CLI installation
aws --version
# Configure AWS credentials if needed
aws configure
Make sure your IAM user or role has the necessary permissions for PrivateLink operations. The following IAM policy provides minimum required permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateVpcEndpoint",
"ec2:DeleteVpcEndpoints",
"ec2:DescribeVpcEndpoints",
"ec2:ModifyVpcEndpoint",
"ec2:AcceptVpcEndpointConnections",
"ec2:DescribeVpcEndpointConnections",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:ModifyVpcEndpointServicePermissions"
],
"Resource": "*"
}
]
}
Automating VPC Endpoint Creation
One of the most common PrivateLink tasks is creating VPC endpoints to access AWS services privately. Here’s how to automate this with Claude Code.
Creating Interface Endpoints for AWS Services
When you need to create interface VPC endpoints for AWS services, you can ask Claude Code to generate the appropriate command. Provide details about your VPC, subnets, and the service you want to access.
For example, to create an endpoint for Secrets Manager:
aws ec2 create-vpc-endpoint \
--vpc-id vpc-0123456789abcdef0 \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.us-east-1.secretsmanager \
--subnet-ids subnet-abc123 subnet-def456 subnet-ghi789 \
--security-group-ids sg-0123456789abcdef0
Claude Code can help you customize this command based on your specific requirements. For instance, you might need to specify a custom security group or enable private DNS:
aws ec2 create-vpc-endpoint \
--vpc-id vpc-0123456789abcdef0 \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.us-east-1.secretsmanager \
--subnet-ids subnet-abc123 subnet-def456 subnet-ghi789 \
--security-group-ids sg-0123456789abcdef0 \
--private-dns-enabled true \
--tag "Name=secrets-manager-endpoint"
Creating Gateway Endpoints for S3 and DynamoDB
Gateway endpoints are simpler to configure since they only require route table associations. Claude Code can help you set these up quickly:
# Create a gateway endpoint for S3
aws ec2 create-vpc-endpoint \
--vpc-id vpc-0123456789abcdef0 \
--vpc-endpoint-type Gateway \
--service-name com.amazonaws.us-east-1.s3 \
--route-table-ids rtb-0123456789abcdef0
# Create a gateway endpoint for DynamoDB
aws ec2 create-vpc-endpoint \
--vpc-id vpc-0123456789abcdef0 \
--vpc-endpoint-type Gateway \
--service-name com.amazonaws.us-east-1.dynamodb \
--route-table-ids rtb-0123456789abcdef0
Managing Endpoint Services
If you’re building a service to offer over PrivateLink, Claude Code can help you create and manage endpoint service configurations.
Creating an Endpoint Service
Start by creating a Network Load Balancer in your VPC that forwards traffic to your application. Then create the endpoint service:
aws ec2 create-vpc-endpoint-service-configuration \
--network-load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/my-nlb/abcdef1234567890 \
--accept-allowed-principal "arn:aws:iam::111122223333:root" \
--tag "Name=my-service-endpoint"
The accept-allowed-principal parameter specifies which IAM principals can create endpoints to your service without requiring acceptance. For more restricted access, omit this parameter and manually accept connections.
Accepting Connection Requests
When consumers create endpoints to your service, you need to accept the connections:
# List pending connection requests
aws ec2 describe-vpc-endpoint-connections \
--vpc-endpoint-service-configurations \
--filters "Name=connection-state,Values=pendingAcceptance"
# Accept a connection
aws ec2 accept-vpc-endpoint-connections \
--vpc-endpoint-service-configuration-id vpce-svc-0123456789abcdef0 \
--vpc-endpoint-ids vpce-0123456789abcdef0
Implementing a Complete PrivateLink Workflow
You can create comprehensive automation by combining multiple AWS CLI calls with Claude Code. Here’s a practical workflow pattern.
A Reusable Endpoint Creation Script
Ask Claude Code to create a reusable script for endpoint creation:
#!/bin/bash
# Create VPC endpoint with automatic retry and validation
create_endpoint() {
local vpc_id="$1"
local service_name="$2"
local subnet_ids="$3"
local security_group="$4"
local endpoint_name="$5"
# Validate VPC exists
aws ec2 describe-vpcs --vpc-ids "$vpc_id" > /dev/null 2>&1
if [ $? -ne 0 ]; then
echo "Error: VPC $vpc_id does not exist"
return 1
fi
# Create endpoint
local result=$(aws ec2 create-vpc-endpoint \
--vpc-id "$vpc_id" \
--vpc-endpoint-type Interface \
--service-name "$service_name" \
--subnet-ids $subnet_ids \
--security-group-ids "$security_group" \
--private-dns-enabled true \
--tag "Name=$endpoint_name" \
--output json)
if [ $? -eq 0 ]; then
echo "Created endpoint: $(echo $result | jq -r '.VpcEndpoint.VpcEndpointId')"
else
echo "Failed to create endpoint"
return 1
fi
}
# Usage examples
create_endpoint "vpc-0123456789abcdef0" \
"com.amazonaws.us-east-1.secretsmanager" \
"subnet-abc123 subnet-def456 subnet-ghi789" \
"sg-0123456789abcdef0" \
"secrets-manager-endpoint"
Troubleshooting Common Issues
Claude Code can help diagnose and resolve common PrivateLink problems.
Connectivity Issues
If endpoints are created but connectivity fails, common causes include security group rules blocking traffic, incorrect route tables for gateway endpoints, or missing private DNS configuration. Here’s a diagnostic approach:
# Describe endpoint status and configuration
aws ec2 describe-vpc-endpoints \
--vpc-endpoint-ids vpce-0123456789abcdef0
# Check security group rules
aws ec2 describe-security-groups \
--group-ids sg-0123456789abcdef0
# Verify route tables for gateway endpoints
aws ec2 describe-route-tables \
--filters "Name=route.vpc-endpoint-id,Values=vpce-0123456789abcdef0"
DNS Resolution Problems
For interface endpoints, ensure private DNS is configured correctly:
# Check endpoint private DNS settings
aws ec2 describe-vpc-endpoints \
--vpc-endpoint-ids vpce-0123456789abcdef0 \
--query 'VpcEndpoints[0].PrivateDnsName'
# Verify VPC DNS settings
aws ec2 describe-vpcs \
--vpc-ids vpc-0123456789abcdef0 \
--query 'Vpcs[0].DhcpOptions.DhcpConfiguration'
Best Practices for PrivateLink Automation
When automating PrivateLink with Claude Code, follow these recommendations for production environments.
Always use tags to identify and manage endpoints across your infrastructure. Tags enable cost tracking, access control, and automated lifecycle management. Implement proper error handling in your scripts, including retry logic for throttling and idempotency checks to prevent duplicate resources.
For security, follow the principle of least privilege when granting permissions. Create dedicated IAM roles for endpoint management rather than using broad permissions. Regularly audit your endpoint configurations to ensure they align with your security requirements.
Finally, consider using AWS CloudFormation or Terraform for infrastructure-as-code approaches, with Claude Code helping to generate and validate the configurations. This provides better versioning, review processes, and drift detection compared to pure CLI-based automation.
By integrating Claude Code into your PrivateLink workflows, you can reduce manual effort, improve consistency, and catch configuration errors before they impact your production environment.
Related Reading
- Claude Code for Beginners: Complete Getting Started Guide
- Best Claude Skills for Developers in 2026
- Claude Skills Guides Hub
Built by theluckystrike — More at zovo.one