
Access Amazon OpenSearch Serverless VPC endpoint with AWS Verified Access

Customers configure VPC endpoints to keep Amazon OpenSearch Serverless (AOSS) traffic within the VPC. To access AOSS externally, VPN is often used. AWS Verified Access provides secure AOSS access without VPN overhead, offering fine-grained access control. This article covers accessing AOSS using AVA.

John
Amazon Employee
Published Apr 10, 2025

Introduction

Customers who want to limit access to Amazon OpenSearch Serverless (AOSS) collection endpoints may configure VPC endpoints to keep the traffic within the VPC. For cases where customers want to access the AOSS endpoints from outside the VPC, such as when they work remotely, they often establish a VPN connection to the VPC. AWS Verified Access (AVA) provides access to customer VPC resources without the overhead of managing a VPN while providing fine-grained access control. This article shows how to access an AOSS collection VPC endpoint using AVA, with Postman as the client.
 

Prerequisites

  • Deploy an AOSS collection with VPC endpoint
    • Ensure the Network and Data access policies allow access to the endpoint, collections, and indexes you would like to reach through AVA
  • Download Postman or another API client to invoke the AOSS API

Step 1 - Gather VPC endpoint information for AOSS

Using the AWS console, navigate to the AOSS Collections page and gather the following information (see Diagram 1).
  • AOSS VPC endpoint ID
  • OpenSearch endpoint
Diagram 1
Within the AWS console, navigate to the VPC page and select Endpoints in the navigation pane. Select the endpoint whose ID matches the AOSS VPC endpoint ID you gathered previously. In the VPC endpoint details page, gather the following information (see Diagram 2):
  • VPC ID
  • Network Interface ID
Diagram 2
Finally, in the VPC endpoint page, click the link for the Network Interface ID. In the network interface page, note the security group attached to the network interface (see Diagram 3).
Diagram 3

Step 2 - Deploy AVA and configure to access AOSS

Ensure you have the proper permissions to create and configure a Verified Access instance. Follow the Get started tutorial to create the AVA instance, trust provider, and group. Attach an access policy to the group. You can use one of the access policy examples for the policy.

Step 3 - Create an AVA Network Interface Endpoint

The next step is to create an AVA endpoint that fronts the AOSS VPC endpoint using the TCP protocol. Use the following settings (see Diagram 4):
  • Verified Access group: Set to the group you created in Step 2
  • Protocol: TCP
  • Attachment type: VPC
  • VPC: The VPC ID of the VPC Endpoint you gathered in Step 1
  • Endpoint type: Network Interface
  • Port Ranges: 443-443
  • Network Interface: The Network Interface ID you gathered in Step 1
  • Security groups: The security group you gathered in Step 1. You may optionally create a separate security group for the AVA endpoint; if you do, ensure that the security group of the network interface from Step 1 allows inbound traffic from the AVA endpoint security group.
Diagram 4
After you create the AVA endpoint, view the AVA endpoint details. Make note of the Endpoint domain (see Diagram 5).
Diagram 5

Step 4 - Download and install the AVA Connectivity Client

Download the AVA Connectivity Client and install it on your computer, as described here.
Make sure you export the client configuration file and save it to the correct location on your computer.

Step 5 - Connect to the AVA instance

Launch the Connectivity Client, authenticate with the AVA trust provider you configured in Step 2, and wait for the connection to the AVA endpoint to establish.

Step 6 - Access AOSS endpoint through Postman

To invoke the AOSS API, each request must carry an AWS SigV4 signature. In this article, I will use Postman's built-in support for creating the SigV4 signature.

AWS Credentials

First, get AWS credentials for Postman. A best practice is to obtain temporary credentials using STS. An example of this using the AWS CLI is documented here. Make note of the access key ID, secret access key, and session token.

Configure Postman Authorization

Launch Postman and create a new Request. Within the Request page, select the Authorization tab of Postman, expand the Advanced configuration section, and configure the following settings (see Diagram 6):
  • Type: AWS Signature
  • Add authorization data to: Request Headers
  • Access Key, Secret Key, Session Token: The AWS credentials
  • Region: The Region where you deployed AVA and AOSS
  • Service Name: aoss
Diagram 6

Configure Request URL and Host header

In the Postman request URL, use the AVA endpoint domain name from Step 3 as the host.
In the Headers tab of Postman, uncheck the default Host box. Add a custom Host header with the hostname of the AOSS OpenSearch endpoint from Step 1. This is necessary because AOSS needs its own OpenSearch endpoint host name to resolve the request to the HTTP resource.
In Diagram 7, I am invoking a GET on the _search resource of AOSS.
Diagram 7
If you do not add the custom Host header, you will receive an HTTP 404 because AOSS will not be able to resolve the request to the HTTP resource (see Diagram 8).
Diagram 8
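As an added example that is not part of the original article, the same Step 6 request built without Postman: SigV4 signing in pure Python (hashlib/hmac only), with the AOSS collection endpoint as the signed and sent Host header while the TCP connection is opened to the AVA endpoint domain. SigV4 covers the Host header, so signing the AVA domain instead would be rejected even though the bytes reach AOSS. All hostnames, credentials and query values below are constructed placeholders.

```python
import datetime
import hashlib
import hmac
import http.client
import urllib.parse

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_query(query: dict) -> str:
    enc = lambda s: urllib.parse.quote(s, safe="-_.~")  # SigV4 URI encoding
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))

def sign_aoss_request(method, path, query, body, aoss_host, region,
                      access_key, secret_key, session_token, now):
    """SigV4 headers for AOSS. The signed (and sent) Host is the AOSS collection
    endpoint, even though the socket will be opened to the AVA endpoint domain."""
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    payload_hash = sha256_hex(body)
    headers = {
        "host": aoss_host,
        "x-amz-content-sha256": payload_hash,   # AOSS requires this signed header
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,  # from the STS temporary credentials
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, path, canonical_query(query),
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/aoss/aws4_request"  # service name "aoss"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode())])
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, "aoss", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

def search_via_ava(ava_domain, aoss_host, region, creds, query, now=None):
    """GET /_search through the AVA tunnel: connect to ava_domain, send Host=aoss_host."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    headers = sign_aoss_request("GET", "/_search", query, b"", aoss_host, region,
                                *creds, now)
    conn = http.client.HTTPSConnection(ava_domain, 443)  # resolved via the AVA client
    # An explicit Host header stops http.client from sending Host=ava_domain.
    conn.request("GET", "/_search?" + canonical_query(query), headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()
```

Call search_via_ava with the AVA endpoint domain from Step 3 and the AOSS endpoint from Step 1 while the Connectivity Client is connected; a missing or wrong Host produces the same 404 shown in Diagram 8.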

Conclusion

In this article, I showed how to access the AOSS VPC endpoint using AVA. I used Postman to invoke the AOSS search API, but by following these steps you can use any API client to invoke the AOSS API through AVA.
 

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
