Create an interface endpoint (APEX File Storage for AWS: Deployment Guide)
When you add an IP address to a node in the OneFS operating system, the node must make an EC2 API call to the AWS EC2 service to associate that IP address with its network interface as a secondary IP address. The following cluster configuration and features require such an EC2 API call, initiated from the cluster nodes.
If your VPC has an Internet gateway, NAT device, VPN connection, or AWS Direct Connect connection that allows your cluster nodes to reach the AWS EC2 service directly, the EC2 API call initiated from the cluster nodes works as expected.
However, if you are using a private VPC that cannot communicate with the AWS EC2 service, you need to create an interface endpoint so that nodes can connect directly to the AWS EC2 service using private IP addresses, as if the EC2 service were hosted in the cluster VPC. See AWS PrivateLink concepts and Create interface endpoint for more details about AWS VPC interface endpoints. The following instructions use the AWS CLI to create an endpoint for the VPC.
To create an endpoint for the VPC in which a cluster is deployed, run the following command, replacing <aws_vpc_id>, <aws_region>, <external_subnet_id>, and <external_security_group_id> with your own values. Ensure that the security group you attach to the interface endpoint allows inbound HTTPS traffic on TCP port 443; without that rule the nodes cannot reach the endpoint.
aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --vpc-id <aws_vpc_id> --region <aws_region> --service-name com.amazonaws.<aws_region>.ec2 --subnet-ids <external_subnet_id> --security-group-ids <external_security_group_id>
The following is an example.
> aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface --vpc-id vpc-06639db65d7446720 --region us-east-1 --service-name com.amazonaws.us-east-1.ec2 --subnet-ids subnet-058548a2c6df9591c --security-group-ids sg-07f220483ab7e3bf7
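The command above only succeeds in a useful way if the security group really admits TCP/443, so a preflight check is worth scripting before the call. The following Python is an added example, not part of the guide: it inspects the JSON that `aws ec2 describe-security-groups` returns for the chosen group(s), refuses to proceed unless each one has an inbound rule covering TCP port 443, and then assembles the exact create-vpc-endpoint invocation from the guide. The security-group IDs, VPC ID and subnet ID are constructed placeholders.

```python
import json
import shlex

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --group-ids ...` (trimmed to the fields
# the check needs). sg-...0 has a TCP/443 rule, sg-...1 allows all traffic
# (IpProtocol "-1" carries no port fields), sg-...2 has a 443 rule with no source.
SAMPLE_DESCRIBE_SG = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0123456789abcdef1", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
 {"GroupId": "sg-0123456789abcdef2", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [], "UserIdGroupPairs": []}]}]}
""")


def allows_https_ingress(describe_output, group_id):
    """True if group_id has an inbound rule that is TCP (or all protocols),
    whose port range contains 443, and that names at least one source."""
    for sg in describe_output.get("SecurityGroups", []):
        if sg.get("GroupId") != group_id:
            continue
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            has_source = any(perm.get(k) for k in
                             ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds"))
            if lo <= 443 <= hi and has_source:
                return True
    return False


def missing_https_ingress(describe_output, sg_ids):
    """Security groups from sg_ids that lack an inbound TCP/443 rule."""
    return [g for g in sg_ids if not allows_https_ingress(describe_output, g)]


def build_create_endpoint_command(vpc_id, region, subnet_ids, sg_ids):
    """The guide's create-vpc-endpoint call as an argv list (run with subprocess)."""
    return ["aws", "ec2", "create-vpc-endpoint", "--vpc-endpoint-type", "Interface",
            "--vpc-id", vpc_id, "--region", region,
            "--service-name", f"com.amazonaws.{region}.ec2",
            "--subnet-ids", *subnet_ids, "--security-group-ids", *sg_ids]


if __name__ == "__main__":
    groups = ["sg-0123456789abcdef0"]
    bad = missing_https_ingress(SAMPLE_DESCRIBE_SG, groups)
    if bad:
        raise SystemExit(f"no inbound TCP/443 rule on: {', '.join(bad)}")
    print(shlex.join(build_create_endpoint_command(
        "vpc-0123456789abcdef0", "us-east-1", ["subnet-0123456789abcdef0"], groups)))
```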