ReplaceGCP_LOCATIONwith the Google Cloud region in
which your GKE on AWS cluster resides. Specifyus-west1or anothersupported region.
VPC Endpoints
VPC endpoints let resources in private subnets access AWS services without
public internet access.
The following table lists the AWS services that GKE on AWS
requires VPC endpoints for, along with the type of endpoint and theSecurity Groupsthat require access
to the endpoint.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["This page lists firewall requirements and VPC endpoint requirements for\nGKE on AWS.\n\nFirewall requirements\n\nTo use GKE on AWS, you must allow your cluster access to the\nfollowing domains. \n\n .gcr.io\n cloudresourcemanager.googleapis.com\n container.googleapis.com\n gkeconnect.googleapis.com\n gkehub.googleapis.com\n oauth2.googleapis.com\n securetoken.googleapis.com\n storage.googleapis.com\n sts.googleapis.com\n www.googleapis.com\n servicecontrol.googleapis.com\n logging.googleapis.com\n monitoring.googleapis.com\n opsconfigmonitoring.googleapis.com\n \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-nf\"\u003eGCP_LOCATION\u003c/span\u003e\u003c/var\u003e-gkemulticloud.googleapis.com\n\nReplace \u003cvar translate=\"no\"\u003eGCP_LOCATION\u003c/var\u003e with the Google Cloud region in\nwhich your GKE on AWS cluster resides. Specify `us-west1` or another\n[supported region](/kubernetes-engine/multi-cloud/docs/aws/reference/supported-regions).\n\nVPC Endpoints\n\nVPC endpoints let resources in private subnets access AWS services without\npublic internet access.\n\nThe following table lists the AWS services that GKE on AWS\nrequires VPC endpoints for, along with the type of endpoint and the\n[Security Groups](/kubernetes-engine/multi-cloud/docs/aws/reference/security-groups) that require access\nto the endpoint.\n\n| Service | Endpoint type | Security groups |\n|----------------------------------------------------------------------------------------------------------------------|---------------|---------------------------|\n| [Auto Scaling](https://docs.aws.amazon.com/autoscaling/plans/userguide/aws-auto-scaling-vpc-endpoints.html) | Interface | Control plane, node pools |\n| [EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html) | Interface | Control plane, node pools |\n| [EFS](https://docs.aws.amazon.com/efs/latest/ug/efs-vpc-endpoints.html) | Interface | Control plane |\n| [Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-vpc-endpoints.html) | Interface | Control plane, node pools |\n| [Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html) | Interface | Control plane, node pools |\n| [S3](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html) | Gateway | Control plane, node pools |\n| [Secrets Manager](https://docs.aws.amazon.com/secretsmanager/index.html) | Interface | Control plane, node pools |\n| [Security Token Service (STS)](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) | Interface | Control plane, node pools |\n\n| **Important:** You must enable [Private DNS](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns) (also called **Enable DNS name** on the AWS console) on interface endpoints.\n\nYou can create endpoints from the AWS\n[VPC Console](https://console.aws.amazon.com/vpc/home). The\noptions you set when creating VPC endpoints depend on your VPC configuration.\n\nWhat's next\n\n- [Use a proxy](/kubernetes-engine/multi-cloud/docs/aws/how-to/use-a-proxy) for your GKE clusters."]]
