aws-cdk-lib 2.189.1__py3-none-any.whl → 2.190.0__py3-none-any.whl

aws_cdk/aws_ec2/__init__.py

@@ -1200,6 +1200,33 @@ my_endpoint.connections.allow_default_port_from_any_ipv4()
 
 Alternatively, existing security groups can be used by specifying the `securityGroups` prop.
 
+#### IPv6 and Dualstack support
+
+As IPv4 addresses are running out, many AWS services are adding support for IPv6 or Dualstack (IPv4 and IPv6 support) for their VPC Endpoints.
+
+IPv6 and Dualstack address types can be configured by using:
+
+```python
+vpc.add_interface_endpoint("ExampleEndpoint",
+    service=ec2.InterfaceVpcEndpointAwsService.ECR,
+    ip_address_type=ec2.VpcEndpointIpAddressType.IPV6,
+    dns_record_ip_type=ec2.VpcEndpointDnsRecordIpType.IPV6
+)
+```
+
+The possible values for `ipAddressType` are:
+
+* `IPV4` This option is supported only if all selected subnets have IPv4 address ranges and the endpoint service accepts IPv4 requests.
+* `IPV6` This option is supported only if all selected subnets are IPv6 only subnets and the endpoint service accepts IPv6 requests.
+* `DUALSTACK` Assign both IPv4 and IPv6 addresses to the endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges and the endpoint service accepts both IPv4 and IPv6 requests.
+  The possible values for `dnsRecordIpType` are:
+* `IPV4` Create A records for the private, Regional, and zonal DNS names. `ipAddressType` MUST be `IPV4` or `DUALSTACK`
+* `IPV6` Create AAAA records for the private, Regional, and zonal DNS names. `ipAddressType` MUST be `IPV6` or `DUALSTACK`
+* `DUALSTACK` Create A and AAAA records for the private, Regional, and zonal DNS names. `ipAddressType` MUST be `DUALSTACK`
+* `SERVICE_DEFINED` Create A records for the private, Regional, and zonal DNS names and AAAA records for the Regional and zonal DNS names. `ipAddressType` MUST be `DUALSTACK`
+  We can only configure dnsRecordIpType when ipAddressType is specified and private DNS must be enabled to use any DNS related features. To avoid complications, it is recommended to always set `privateDnsEnabled` to true (defaults to true) and set the `ipAddressType` and `dnsRecordIpType` explicitly when needing specific IP type behavior. Furthermore, check that the VPC being used supports the IP address type that is being configued.
+  More documentation on compatibility and specifications can be found [here](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#connect-to-endpoint-service)
+
 ### VPC endpoint services
 
 A VPC endpoint service enables you to expose a Network Load Balancer(s) as a provider service to consumers, who connect to your service over a VPC endpoint. You can restrict access to your service via allowed principals (anything that extends ArnPrincipal), and require that new connections be manually accepted. You can also enable Contributor Insight rules.
@@ -16792,7 +16819,7 @@ class CfnGatewayRouteTableAssociationProps:
         )
 
 
-@jsii.implements(_IInspectable_c2943556)
+@jsii.implements(_IInspectable_c2943556, _ITaggableV2_4e6798f8)
 class CfnHost(
     _CfnResource_9df397a6,
     metaclass=jsii.JSIIMeta,
@@ -16822,7 +16849,11 @@ class CfnHost(
             host_recovery="hostRecovery",
             instance_family="instanceFamily",
             instance_type="instanceType",
-            outpost_arn="outpostArn"
+            outpost_arn="outpostArn",
+            tags=[CfnTag(
+                key="key",
+                value="value"
+            )]
         )
     '''
 
@@ -16839,6 +16870,7 @@ class CfnHost(
         instance_family: typing.Optional[builtins.str] = None,
         instance_type: typing.Optional[builtins.str] = None,
         outpost_arn: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
@@ -16851,6 +16883,7 @@ class CfnHost(
         :param instance_family: The instance family supported by the Dedicated Host. For example, ``m5`` .
         :param instance_type: Specifies the instance type to be supported by the Dedicated Hosts. If you specify an instance type, the Dedicated Hosts support instances of the specified instance type only.
         :param outpost_arn: The Amazon Resource Name (ARN) of the AWS Outpost on which the Dedicated Host is allocated.
+        :param tags: Any tags assigned to the Host.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e3a07acffdb551edbc817b7c424628c812f21356d7f697757a332323f6dcfde8)
@@ -16865,6 +16898,7 @@ class CfnHost(
             instance_family=instance_family,
             instance_type=instance_type,
             outpost_arn=outpost_arn,
+            tags=tags,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -16908,6 +16942,12 @@ class CfnHost(
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrHostId"))
 
+    @builtins.property
+    @jsii.member(jsii_name="cdkTagManager")
+    def cdk_tag_manager(self) -> _TagManager_0a598cb3:
+        '''Tag Manager which manages the tags for this resource.'''
+        return typing.cast(_TagManager_0a598cb3, jsii.get(self, "cdkTagManager"))
+
     @builtins.property
     @jsii.member(jsii_name="cfnProperties")
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
@@ -17017,6 +17057,19 @@ class CfnHost(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "outpostArn", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="tags")
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''Any tags assigned to the Host.'''
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], jsii.get(self, "tags"))
+
+    @tags.setter
+    def tags(self, value: typing.Optional[typing.List[_CfnTag_f6864754]]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__df2f657cc7e13ab207016558c8542895ee96b2df7db851bd2b108210783fccbb)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_ec2.CfnHostProps",
@@ -17030,6 +17083,7 @@ class CfnHost(
         "instance_family": "instanceFamily",
         "instance_type": "instanceType",
         "outpost_arn": "outpostArn",
+        "tags": "tags",
     },
 )
 class CfnHostProps:
@@ -17044,6 +17098,7 @@ class CfnHostProps:
         instance_family: typing.Optional[builtins.str] = None,
         instance_type: typing.Optional[builtins.str] = None,
         outpost_arn: typing.Optional[builtins.str] = None,
+        tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     ) -> None:
         '''Properties for defining a ``CfnHost``.
 
@@ -17055,6 +17110,7 @@ class CfnHostProps:
         :param instance_family: The instance family supported by the Dedicated Host. For example, ``m5`` .
         :param instance_type: Specifies the instance type to be supported by the Dedicated Hosts. If you specify an instance type, the Dedicated Hosts support instances of the specified instance type only.
         :param outpost_arn: The Amazon Resource Name (ARN) of the AWS Outpost on which the Dedicated Host is allocated.
+        :param tags: Any tags assigned to the Host.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-host.html
         :exampleMetadata: fixture=_generated
@@ -17075,7 +17131,11 @@ class CfnHostProps:
                 host_recovery="hostRecovery",
                 instance_family="instanceFamily",
                 instance_type="instanceType",
-                outpost_arn="outpostArn"
+                outpost_arn="outpostArn",
+                tags=[CfnTag(
+                    key="key",
+                    value="value"
+                )]
             )
         '''
         if __debug__:
@@ -17088,6 +17148,7 @@ class CfnHostProps:
             check_type(argname="argument instance_family", value=instance_family, expected_type=type_hints["instance_family"])
             check_type(argname="argument instance_type", value=instance_type, expected_type=type_hints["instance_type"])
             check_type(argname="argument outpost_arn", value=outpost_arn, expected_type=type_hints["outpost_arn"])
+            check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "availability_zone": availability_zone,
         }
@@ -17105,6 +17166,8 @@ class CfnHostProps:
             self._values["instance_type"] = instance_type
         if outpost_arn is not None:
             self._values["outpost_arn"] = outpost_arn
+        if tags is not None:
+            self._values["tags"] = tags
 
     @builtins.property
     def availability_zone(self) -> builtins.str:
@@ -17191,6 +17254,15 @@ class CfnHostProps:
         result = self._values.get("outpost_arn")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def tags(self) -> typing.Optional[typing.List[_CfnTag_f6864754]]:
+        '''Any tags assigned to the Host.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-host.html#cfn-ec2-host-tags
+        '''
+        result = self._values.get("tags")
+        return typing.cast(typing.Optional[typing.List[_CfnTag_f6864754]], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -43791,7 +43863,7 @@ class CfnSecurityGroup(
 
     You must specify ingress rules to allow inbound traffic. By default, no inbound traffic is allowed.
 
-    If you do not specify an egress rule, we add egress rules that allow outbound IPv4 and IPv6 traffic on all ports and protocols to any destination. We do not add these rules if you specify your own egress rules.
+    When you create a security group, if you do not add egress rules, we add egress rules that allow all outbound IPv4 and IPv6 traffic. Otherwise, we do not add them. After the security group is created, if you remove all egress rules that you added, we do not add egress rules, so no outbound traffic is allowed.
 
     If you modify a rule, CloudFormation removes the existing rule and then adds a new rule. There is a brief period when neither the original rule or the new rule exists, so the corresponding traffic is dropped.
 
@@ -60599,6 +60671,7 @@ class CfnVPCEndpoint(
             security_group_ids=["securityGroupIds"],
             service_name="serviceName",
             service_network_arn="serviceNetworkArn",
+            service_region="serviceRegion",
             subnet_ids=["subnetIds"],
             tags=[CfnTag(
                 key="key",
@@ -60623,6 +60696,7 @@ class CfnVPCEndpoint(
         security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
         service_name: typing.Optional[builtins.str] = None,
         service_network_arn: typing.Optional[builtins.str] = None,
+        service_region: typing.Optional[builtins.str] = None,
         subnet_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         vpc_endpoint_type: typing.Optional[builtins.str] = None,
@@ -60640,6 +60714,7 @@ class CfnVPCEndpoint(
         :param security_group_ids: The IDs of the security groups to associate with the endpoint network interfaces. If this parameter is not specified, we use the default security group for the VPC. Security groups are supported only for interface endpoints.
         :param service_name: The name of the endpoint service.
         :param service_network_arn: The Amazon Resource Name (ARN) of the service network.
+        :param service_region: Describes a Region.
         :param subnet_ids: The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can't specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet.
         :param tags: The tags to associate with the endpoint.
         :param vpc_endpoint_type: The type of endpoint. Default: Gateway
@@ -60659,6 +60734,7 @@ class CfnVPCEndpoint(
             security_group_ids=security_group_ids,
             service_name=service_name,
             service_network_arn=service_network_arn,
+            service_region=service_region,
             subnet_ids=subnet_ids,
             tags=tags,
             vpc_endpoint_type=vpc_endpoint_type,
@@ -60901,6 +60977,19 @@ class CfnVPCEndpoint(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "serviceNetworkArn", value) # pyright: ignore[reportArgumentType]
 
+    @builtins.property
+    @jsii.member(jsii_name="serviceRegion")
+    def service_region(self) -> typing.Optional[builtins.str]:
+        '''Describes a Region.'''
+        return typing.cast(typing.Optional[builtins.str], jsii.get(self, "serviceRegion"))
+
+    @service_region.setter
+    def service_region(self, value: typing.Optional[builtins.str]) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d6d3cd08ec1fd31ad1338faa2ac68fd15809dab9a7d259f896ee13feffaad8cb)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "serviceRegion", value) # pyright: ignore[reportArgumentType]
+
     @builtins.property
     @jsii.member(jsii_name="subnetIds")
     def subnet_ids(self) -> typing.Optional[typing.List[builtins.str]]:
@@ -61303,6 +61392,7 @@ class CfnVPCEndpointConnectionNotificationProps:
         "security_group_ids": "securityGroupIds",
         "service_name": "serviceName",
         "service_network_arn": "serviceNetworkArn",
+        "service_region": "serviceRegion",
         "subnet_ids": "subnetIds",
         "tags": "tags",
         "vpc_endpoint_type": "vpcEndpointType",
@@ -61322,6 +61412,7 @@ class CfnVPCEndpointProps:
         security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
         service_name: typing.Optional[builtins.str] = None,
         service_network_arn: typing.Optional[builtins.str] = None,
+        service_region: typing.Optional[builtins.str] = None,
         subnet_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
         tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
         vpc_endpoint_type: typing.Optional[builtins.str] = None,
@@ -61338,6 +61429,7 @@ class CfnVPCEndpointProps:
         :param security_group_ids: The IDs of the security groups to associate with the endpoint network interfaces. If this parameter is not specified, we use the default security group for the VPC. Security groups are supported only for interface endpoints.
         :param service_name: The name of the endpoint service.
         :param service_network_arn: The Amazon Resource Name (ARN) of the service network.
+        :param service_region: Describes a Region.
         :param subnet_ids: The IDs of the subnets in which to create endpoint network interfaces. You must specify this property for an interface endpoint or a Gateway Load Balancer endpoint. You can't specify this property for a gateway endpoint. For a Gateway Load Balancer endpoint, you can specify only one subnet.
         :param tags: The tags to associate with the endpoint.
         :param vpc_endpoint_type: The type of endpoint. Default: Gateway
@@ -61369,6 +61461,7 @@ class CfnVPCEndpointProps:
                 security_group_ids=["securityGroupIds"],
                 service_name="serviceName",
                 service_network_arn="serviceNetworkArn",
+                service_region="serviceRegion",
                 subnet_ids=["subnetIds"],
                 tags=[CfnTag(
                     key="key",
@@ -61389,6 +61482,7 @@ class CfnVPCEndpointProps:
             check_type(argname="argument security_group_ids", value=security_group_ids, expected_type=type_hints["security_group_ids"])
             check_type(argname="argument service_name", value=service_name, expected_type=type_hints["service_name"])
             check_type(argname="argument service_network_arn", value=service_network_arn, expected_type=type_hints["service_network_arn"])
+            check_type(argname="argument service_region", value=service_region, expected_type=type_hints["service_region"])
             check_type(argname="argument subnet_ids", value=subnet_ids, expected_type=type_hints["subnet_ids"])
             check_type(argname="argument tags", value=tags, expected_type=type_hints["tags"])
             check_type(argname="argument vpc_endpoint_type", value=vpc_endpoint_type, expected_type=type_hints["vpc_endpoint_type"])
@@ -61413,6 +61507,8 @@ class CfnVPCEndpointProps:
             self._values["service_name"] = service_name
         if service_network_arn is not None:
             self._values["service_network_arn"] = service_network_arn
+        if service_region is not None:
+            self._values["service_region"] = service_region
         if subnet_ids is not None:
             self._values["subnet_ids"] = subnet_ids
         if tags is not None:
@@ -61533,6 +61629,15 @@ class CfnVPCEndpointProps:
         result = self._values.get("service_network_arn")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def service_region(self) -> typing.Optional[builtins.str]:
+        '''Describes a Region.
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html#cfn-ec2-vpcendpoint-serviceregion
+        '''
+        result = self._values.get("service_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def subnet_ids(self) -> typing.Optional[typing.List[builtins.str]]:
         '''The IDs of the subnets in which to create endpoint network interfaces.
@@ -75930,9 +76035,12 @@ class IVpc(_IResource_c80c4260, typing_extensions.Protocol):
         id: builtins.str,
         *,
         service: IInterfaceVpcEndpointService,
+        dns_record_ip_type: typing.Optional["VpcEndpointDnsRecordIpType"] = None,
+        ip_address_type: typing.Optional["VpcEndpointIpAddressType"] = None,
         lookup_supported_azs: typing.Optional[builtins.bool] = None,
         open: typing.Optional[builtins.bool] = None,
         private_dns_enabled: typing.Optional[builtins.bool] = None,
+        private_dns_only_for_inbound_resolver_endpoint: typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"] = None,
         security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
         subnets: typing.Optional[typing.Union["SubnetSelection", typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> "InterfaceVpcEndpoint":
@@ -75940,9 +76048,12 @@ class IVpc(_IResource_c80c4260, typing_extensions.Protocol):
 
         :param id: -
         :param service: The service to use for this interface VPC endpoint.
+        :param dns_record_ip_type: Type of DNS records created for the VPC endpoint. Default: not specified
+        :param ip_address_type: The IP address type for the endpoint. Default: not specified
         :param lookup_supported_azs: Limit to only those availability zones where the endpoint service can be created. Setting this to 'true' requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
         :param open: Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range. Default: true
         :param private_dns_enabled: Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
+        :param private_dns_only_for_inbound_resolver_endpoint: Whether to enable private DNS only for inbound endpoints. Default: not specified
         :param security_groups: The security groups to associate with this interface VPC endpoint. Default: - a new security group is created
         :param subnets: The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets
         '''
@@ -76210,9 +76321,12 @@ class _IVpcProxy(
         id: builtins.str,
         *,
         service: IInterfaceVpcEndpointService,
+        dns_record_ip_type: typing.Optional["VpcEndpointDnsRecordIpType"] = None,
+        ip_address_type: typing.Optional["VpcEndpointIpAddressType"] = None,
         lookup_supported_azs: typing.Optional[builtins.bool] = None,
         open: typing.Optional[builtins.bool] = None,
         private_dns_enabled: typing.Optional[builtins.bool] = None,
+        private_dns_only_for_inbound_resolver_endpoint: typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"] = None,
         security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
         subnets: typing.Optional[typing.Union["SubnetSelection", typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> "InterfaceVpcEndpoint":
@@ -76220,9 +76334,12 @@ class _IVpcProxy(
 
         :param id: -
         :param service: The service to use for this interface VPC endpoint.
+        :param dns_record_ip_type: Type of DNS records created for the VPC endpoint. Default: not specified
+        :param ip_address_type: The IP address type for the endpoint. Default: not specified
         :param lookup_supported_azs: Limit to only those availability zones where the endpoint service can be created. Setting this to 'true' requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
         :param open: Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range. Default: true
         :param private_dns_enabled: Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
+        :param private_dns_only_for_inbound_resolver_endpoint: Whether to enable private DNS only for inbound endpoints. Default: not specified
         :param security_groups: The security groups to associate with this interface VPC endpoint. Default: - a new security group is created
         :param subnets: The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets
         '''
@@ -76231,9 +76348,12 @@ class _IVpcProxy(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = InterfaceVpcEndpointOptions(
             service=service,
+            dns_record_ip_type=dns_record_ip_type,
+            ip_address_type=ip_address_type,
             lookup_supported_azs=lookup_supported_azs,
             open=open,
             private_dns_enabled=private_dns_enabled,
+            private_dns_only_for_inbound_resolver_endpoint=private_dns_only_for_inbound_resolver_endpoint,
             security_groups=security_groups,
             subnets=subnets,
         )
@@ -80957,35 +81077,14 @@ class InterfaceVpcEndpointAwsService(
 ):
     '''An AWS service for an interface VPC endpoint.
 
-    :exampleMetadata: infused
+    :exampleMetadata: fixture=with-vpc infused
 
     Example::
 
-        import aws_cdk.aws_ec2 as ec2
-        
-        # vpc: ec2.Vpc
-        
-        
-        interface_vpc_endpoint = ec2.InterfaceVpcEndpoint(self, "MyVpcEndpoint",
-            vpc=vpc,
-            service=ec2.InterfaceVpcEndpointAwsService.APP_RUNNER_REQUESTS,
-            private_dns_enabled=False
-        )
-        
-        service = apprunner.Service(self, "Service",
-            source=apprunner.Source.from_ecr_public(
-                image_configuration=apprunner.ImageConfiguration(
-                    port=8000
-                ),
-                image_identifier="public.ecr.aws/aws-containers/hello-app-runner:latest"
-            ),
-            is_publicly_accessible=False
-        )
-        
-        apprunner.VpcIngressConnection(self, "VpcIngressConnection",
-            vpc=vpc,
-            interface_vpc_endpoint=interface_vpc_endpoint,
-            service=service
+        vpc.add_interface_endpoint("ExampleEndpoint",
+            service=ec2.InterfaceVpcEndpointAwsService.ECR,
+            ip_address_type=ec2.VpcEndpointIpAddressType.IPV6,
+            dns_record_ip_type=ec2.VpcEndpointDnsRecordIpType.IPV6
         )
     '''
 
@@ -83015,9 +83114,12 @@ class InterfaceVpcEndpointAwsServiceProps:
     jsii_struct_bases=[],
     name_mapping={
         "service": "service",
+        "dns_record_ip_type": "dnsRecordIpType",
+        "ip_address_type": "ipAddressType",
         "lookup_supported_azs": "lookupSupportedAzs",
         "open": "open",
         "private_dns_enabled": "privateDnsEnabled",
+        "private_dns_only_for_inbound_resolver_endpoint": "privateDnsOnlyForInboundResolverEndpoint",
         "security_groups": "securityGroups",
         "subnets": "subnets",
     },
@@ -83027,18 +83129,24 @@ class InterfaceVpcEndpointOptions:
         self,
         *,
         service: IInterfaceVpcEndpointService,
+        dns_record_ip_type: typing.Optional["VpcEndpointDnsRecordIpType"] = None,
+        ip_address_type: typing.Optional["VpcEndpointIpAddressType"] = None,
         lookup_supported_azs: typing.Optional[builtins.bool] = None,
         open: typing.Optional[builtins.bool] = None,
         private_dns_enabled: typing.Optional[builtins.bool] = None,
+        private_dns_only_for_inbound_resolver_endpoint: typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"] = None,
         security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
         subnets: typing.Optional[typing.Union["SubnetSelection", typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''Options to add an interface endpoint to a VPC.
 
         :param service: The service to use for this interface VPC endpoint.
+        :param dns_record_ip_type: Type of DNS records created for the VPC endpoint. Default: not specified
+        :param ip_address_type: The IP address type for the endpoint. Default: not specified
         :param lookup_supported_azs: Limit to only those availability zones where the endpoint service can be created. Setting this to 'true' requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
         :param open: Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range. Default: true
         :param private_dns_enabled: Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
+        :param private_dns_only_for_inbound_resolver_endpoint: Whether to enable private DNS only for inbound endpoints. Default: not specified
         :param security_groups: The security groups to associate with this interface VPC endpoint. Default: - a new security group is created
         :param subnets: The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets
 
@@ -83077,20 +83185,29 @@ class InterfaceVpcEndpointOptions:
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__1a6dd0208e338cbe286ecaa3bcf5f95a5f0a0c1e1b3565ca6de058b5fbe2bbdf)
             check_type(argname="argument service", value=service, expected_type=type_hints["service"])
+            check_type(argname="argument dns_record_ip_type", value=dns_record_ip_type, expected_type=type_hints["dns_record_ip_type"])
+            check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
             check_type(argname="argument lookup_supported_azs", value=lookup_supported_azs, expected_type=type_hints["lookup_supported_azs"])
             check_type(argname="argument open", value=open, expected_type=type_hints["open"])
             check_type(argname="argument private_dns_enabled", value=private_dns_enabled, expected_type=type_hints["private_dns_enabled"])
+            check_type(argname="argument private_dns_only_for_inbound_resolver_endpoint", value=private_dns_only_for_inbound_resolver_endpoint, expected_type=type_hints["private_dns_only_for_inbound_resolver_endpoint"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
             check_type(argname="argument subnets", value=subnets, expected_type=type_hints["subnets"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
             "service": service,
         }
+        if dns_record_ip_type is not None:
+            self._values["dns_record_ip_type"] = dns_record_ip_type
+        if ip_address_type is not None:
+            self._values["ip_address_type"] = ip_address_type
         if lookup_supported_azs is not None:
             self._values["lookup_supported_azs"] = lookup_supported_azs
         if open is not None:
             self._values["open"] = open
         if private_dns_enabled is not None:
             self._values["private_dns_enabled"] = private_dns_enabled
+        if private_dns_only_for_inbound_resolver_endpoint is not None:
+            self._values["private_dns_only_for_inbound_resolver_endpoint"] = private_dns_only_for_inbound_resolver_endpoint
         if security_groups is not None:
             self._values["security_groups"] = security_groups
         if subnets is not None:
@@ -83103,6 +83220,24 @@ class InterfaceVpcEndpointOptions:
         assert result is not None, "Required property 'service' is missing"
         return typing.cast(IInterfaceVpcEndpointService, result)
 
+    @builtins.property
+    def dns_record_ip_type(self) -> typing.Optional["VpcEndpointDnsRecordIpType"]:
+        '''Type of DNS records created for the VPC endpoint.
+
+        :default: not specified
+        '''
+        result = self._values.get("dns_record_ip_type")
+        return typing.cast(typing.Optional["VpcEndpointDnsRecordIpType"], result)
+
+    @builtins.property
+    def ip_address_type(self) -> typing.Optional["VpcEndpointIpAddressType"]:
+        '''The IP address type for the endpoint.
+
+        :default: not specified
+        '''
+        result = self._values.get("ip_address_type")
+        return typing.cast(typing.Optional["VpcEndpointIpAddressType"], result)
+
     @builtins.property
     def lookup_supported_azs(self) -> typing.Optional[builtins.bool]:
         '''Limit to only those availability zones where the endpoint service can be created.
@@ -83142,6 +83277,17 @@ class InterfaceVpcEndpointOptions:
         result = self._values.get("private_dns_enabled")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def private_dns_only_for_inbound_resolver_endpoint(
+        self,
+    ) -> typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"]:
+        '''Whether to enable private DNS only for inbound endpoints.
+
+        :default: not specified
+        '''
+        result = self._values.get("private_dns_only_for_inbound_resolver_endpoint")
+        return typing.cast(typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"], result)
+
     @builtins.property
     def security_groups(self) -> typing.Optional[typing.List[ISecurityGroup]]:
         '''The security groups to associate with this interface VPC endpoint.
@@ -83180,9 +83326,12 @@ class InterfaceVpcEndpointOptions:
     jsii_struct_bases=[InterfaceVpcEndpointOptions],
     name_mapping={
         "service": "service",
+        "dns_record_ip_type": "dnsRecordIpType",
+        "ip_address_type": "ipAddressType",
         "lookup_supported_azs": "lookupSupportedAzs",
         "open": "open",
         "private_dns_enabled": "privateDnsEnabled",
+        "private_dns_only_for_inbound_resolver_endpoint": "privateDnsOnlyForInboundResolverEndpoint",
         "security_groups": "securityGroups",
         "subnets": "subnets",
         "vpc": "vpc",
@@ -83193,9 +83342,12 @@ class InterfaceVpcEndpointProps(InterfaceVpcEndpointOptions):
         self,
         *,
         service: IInterfaceVpcEndpointService,
+        dns_record_ip_type: typing.Optional["VpcEndpointDnsRecordIpType"] = None,
+        ip_address_type: typing.Optional["VpcEndpointIpAddressType"] = None,
         lookup_supported_azs: typing.Optional[builtins.bool] = None,
         open: typing.Optional[builtins.bool] = None,
         private_dns_enabled: typing.Optional[builtins.bool] = None,
+        private_dns_only_for_inbound_resolver_endpoint: typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"] = None,
         security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
         subnets: typing.Optional[typing.Union["SubnetSelection", typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: IVpc,
@@ -83203,9 +83355,12 @@ class InterfaceVpcEndpointProps(InterfaceVpcEndpointOptions):
         '''Construction properties for an InterfaceVpcEndpoint.
 
         :param service: The service to use for this interface VPC endpoint.
+        :param dns_record_ip_type: Type of DNS records created for the VPC endpoint. Default: not specified
+        :param ip_address_type: The IP address type for the endpoint. Default: not specified
         :param lookup_supported_azs: Limit to only those availability zones where the endpoint service can be created. Setting this to 'true' requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
         :param open: Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range. Default: true
         :param private_dns_enabled: Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
+        :param private_dns_only_for_inbound_resolver_endpoint: Whether to enable private DNS only for inbound endpoints. Default: not specified
         :param security_groups: The security groups to associate with this interface VPC endpoint. Default: - a new security group is created
         :param subnets: The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets
         :param vpc: The VPC network in which the interface endpoint will be used.
@@ -83231,9 +83386,12 @@ class InterfaceVpcEndpointProps(InterfaceVpcEndpointOptions):
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__6606ba3de030c44ce43dee44afe64adc59231bfc542799d1354e0732a309b2f0)
             check_type(argname="argument service", value=service, expected_type=type_hints["service"])
+            check_type(argname="argument dns_record_ip_type", value=dns_record_ip_type, expected_type=type_hints["dns_record_ip_type"])
+            check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
             check_type(argname="argument lookup_supported_azs", value=lookup_supported_azs, expected_type=type_hints["lookup_supported_azs"])
             check_type(argname="argument open", value=open, expected_type=type_hints["open"])
             check_type(argname="argument private_dns_enabled", value=private_dns_enabled, expected_type=type_hints["private_dns_enabled"])
+            check_type(argname="argument private_dns_only_for_inbound_resolver_endpoint", value=private_dns_only_for_inbound_resolver_endpoint, expected_type=type_hints["private_dns_only_for_inbound_resolver_endpoint"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
             check_type(argname="argument subnets", value=subnets, expected_type=type_hints["subnets"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
@@ -83241,12 +83399,18 @@ class InterfaceVpcEndpointProps(InterfaceVpcEndpointOptions):
             "service": service,
             "vpc": vpc,
         }
+        if dns_record_ip_type is not None:
+            self._values["dns_record_ip_type"] = dns_record_ip_type
+        if ip_address_type is not None:
+            self._values["ip_address_type"] = ip_address_type
         if lookup_supported_azs is not None:
             self._values["lookup_supported_azs"] = lookup_supported_azs
         if open is not None:
             self._values["open"] = open
         if private_dns_enabled is not None:
             self._values["private_dns_enabled"] = private_dns_enabled
+        if private_dns_only_for_inbound_resolver_endpoint is not None:
+            self._values["private_dns_only_for_inbound_resolver_endpoint"] = private_dns_only_for_inbound_resolver_endpoint
         if security_groups is not None:
             self._values["security_groups"] = security_groups
         if subnets is not None:
@@ -83259,6 +83423,24 @@ class InterfaceVpcEndpointProps(InterfaceVpcEndpointOptions):
         assert result is not None, "Required property 'service' is missing"
         return typing.cast(IInterfaceVpcEndpointService, result)
 
+    @builtins.property
+    def dns_record_ip_type(self) -> typing.Optional["VpcEndpointDnsRecordIpType"]:
+        '''Type of DNS records created for the VPC endpoint.
+
+        :default: not specified
+        '''
+        result = self._values.get("dns_record_ip_type")
+        return typing.cast(typing.Optional["VpcEndpointDnsRecordIpType"], result)
+
+    @builtins.property
+    def ip_address_type(self) -> typing.Optional["VpcEndpointIpAddressType"]:
+        '''The IP address type for the endpoint.
+
+        :default: not specified
+        '''
+        result = self._values.get("ip_address_type")
+        return typing.cast(typing.Optional["VpcEndpointIpAddressType"], result)
+
     @builtins.property
     def lookup_supported_azs(self) -> typing.Optional[builtins.bool]:
         '''Limit to only those availability zones where the endpoint service can be created.
@@ -83298,6 +83480,17 @@ class InterfaceVpcEndpointProps(InterfaceVpcEndpointOptions):
         result = self._values.get("private_dns_enabled")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def private_dns_only_for_inbound_resolver_endpoint(
+        self,
+    ) -> typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"]:
+        '''Whether to enable private DNS only for inbound endpoints.
+
+        :default: not specified
+        '''
+        result = self._values.get("private_dns_only_for_inbound_resolver_endpoint")
+        return typing.cast(typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"], result)
+
     @builtins.property
     def security_groups(self) -> typing.Optional[typing.List[ISecurityGroup]]:
         '''The security groups to associate with this interface VPC endpoint.
@@ -93628,9 +93821,12 @@ class Vpc(
         id: builtins.str,
         *,
         service: IInterfaceVpcEndpointService,
+        dns_record_ip_type: typing.Optional["VpcEndpointDnsRecordIpType"] = None,
+        ip_address_type: typing.Optional["VpcEndpointIpAddressType"] = None,
         lookup_supported_azs: typing.Optional[builtins.bool] = None,
         open: typing.Optional[builtins.bool] = None,
         private_dns_enabled: typing.Optional[builtins.bool] = None,
+        private_dns_only_for_inbound_resolver_endpoint: typing.Optional["VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"] = None,
         security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
         subnets: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> "InterfaceVpcEndpoint":
@@ -93638,9 +93834,12 @@ class Vpc(
 
         :param id: -
         :param service: The service to use for this interface VPC endpoint.
+        :param dns_record_ip_type: Type of DNS records created for the VPC endpoint. Default: not specified
+        :param ip_address_type: The IP address type for the endpoint. Default: not specified
         :param lookup_supported_azs: Limit to only those availability zones where the endpoint service can be created. Setting this to 'true' requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
         :param open: Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range. Default: true
         :param private_dns_enabled: Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
+        :param private_dns_only_for_inbound_resolver_endpoint: Whether to enable private DNS only for inbound endpoints. Default: not specified
         :param security_groups: The security groups to associate with this interface VPC endpoint. Default: - a new security group is created
         :param subnets: The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets
         '''
@@ -93649,9 +93848,12 @@ class Vpc(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         options = InterfaceVpcEndpointOptions(
             service=service,
+            dns_record_ip_type=dns_record_ip_type,
+            ip_address_type=ip_address_type,
             lookup_supported_azs=lookup_supported_azs,
             open=open,
             private_dns_enabled=private_dns_enabled,
+            private_dns_only_for_inbound_resolver_endpoint=private_dns_only_for_inbound_resolver_endpoint,
             security_groups=security_groups,
             subnets=subnets,
         )
@@ -94346,6 +94548,95 @@ class _VpcEndpointProxy(
 typing.cast(typing.Any, VpcEndpoint).__jsii_proxy_class__ = lambda : _VpcEndpointProxy
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_ec2.VpcEndpointDnsRecordIpType")
+class VpcEndpointDnsRecordIpType(enum.Enum):
+    '''Enums for all Dns Record IP Address types.
+
+    :exampleMetadata: fixture=with-vpc infused
+
+    Example::
+
+        vpc.add_interface_endpoint("ExampleEndpoint",
+            service=ec2.InterfaceVpcEndpointAwsService.ECR,
+            ip_address_type=ec2.VpcEndpointIpAddressType.IPV6,
+            dns_record_ip_type=ec2.VpcEndpointDnsRecordIpType.IPV6
+        )
+    '''
+
+    IPV4 = "IPV4"
+    '''Create A records for the private, Regional, and zonal DNS names.
+
+    The IP address type must be IPv4 or Dualstack.
+    '''
+    IPV6 = "IPV6"
+    '''Create AAAA records for the private, Regional, and zonal DNS names.
+
+    The IP address type must be IPv6 or Dualstack.
+    '''
+    DUALSTACK = "DUALSTACK"
+    '''Create A and AAAA records for the private, Regional, and zonal DNS names.
+
+    The IP address type must be Dualstack.
+    '''
+    SERVICE_DEFINED = "SERVICE_DEFINED"
+    '''Create A records for the private, Regional, and zonal DNS names and AAAA records for the Regional and zonal DNS names.
+
+    The IP address type must be Dualstack.
+    '''
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_ec2.VpcEndpointIpAddressType")
+class VpcEndpointIpAddressType(enum.Enum):
+    '''IP address type for the endpoint.
+
+    :exampleMetadata: fixture=with-vpc infused
+
+    Example::
+
+        vpc.add_interface_endpoint("ExampleEndpoint",
+            service=ec2.InterfaceVpcEndpointAwsService.ECR,
+            ip_address_type=ec2.VpcEndpointIpAddressType.IPV6,
+            dns_record_ip_type=ec2.VpcEndpointDnsRecordIpType.IPV6
+        )
+    '''
+
+    IPV4 = "IPV4"
+    '''Assign IPv4 addresses to the endpoint network interfaces.
+
+    This option is supported only if all selected subnets have IPv4 address ranges
+    and the endpoint service accepts IPv4 requests.
+    '''
+    IPV6 = "IPV6"
+    '''Assign IPv6 addresses to the endpoint network interfaces.
+
+    This option is supported only if all selected subnets are IPv6 only subnets
+    and the endpoint service accepts IPv6 requests.
+    '''
+    DUALSTACK = "DUALSTACK"
+    '''Assign both IPv4 and IPv6 addresses to the endpoint network interfaces.
+
+    This option is supported only if all selected subnets have both IPv4 and IPv6
+    address ranges and the endpoint service accepts both IPv4 and IPv6 requests.
+    '''
+
+
+@jsii.enum(
+    jsii_type="aws-cdk-lib.aws_ec2.VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint"
+)
+class VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint(enum.Enum):
+    '''Indicates whether to enable private DNS only for inbound endpoints.
+
+    This option is available only for services that support both gateway and interface endpoints.
+    It routes traffic that originates from the VPC to the gateway endpoint and traffic that
+    originates from on-premises to the interface endpoint.
+    '''
+
+    ALL_RESOLVERS = "ALL_RESOLVERS"
+    '''Enable private DNS for all resolvers.'''
+    ONLY_INBOUND_RESOLVER = "ONLY_INBOUND_RESOLVER"
+    '''Enable private DNS only for inbound endpoints.'''
+
+
 @jsii.implements(IVpcEndpointService)
 class VpcEndpointService(
     _Resource_45bc6135,
@@ -99664,9 +99955,12 @@ class InterfaceVpcEndpoint(
         *,
         vpc: IVpc,
         service: IInterfaceVpcEndpointService,
+        dns_record_ip_type: typing.Optional[VpcEndpointDnsRecordIpType] = None,
+        ip_address_type: typing.Optional[VpcEndpointIpAddressType] = None,
         lookup_supported_azs: typing.Optional[builtins.bool] = None,
         open: typing.Optional[builtins.bool] = None,
         private_dns_enabled: typing.Optional[builtins.bool] = None,
+        private_dns_only_for_inbound_resolver_endpoint: typing.Optional[VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint] = None,
         security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
         subnets: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -99675,9 +99969,12 @@ class InterfaceVpcEndpoint(
         :param id: -
         :param vpc: The VPC network in which the interface endpoint will be used.
         :param service: The service to use for this interface VPC endpoint.
+        :param dns_record_ip_type: Type of DNS records created for the VPC endpoint. Default: not specified
+        :param ip_address_type: The IP address type for the endpoint. Default: not specified
         :param lookup_supported_azs: Limit to only those availability zones where the endpoint service can be created. Setting this to 'true' requires a lookup to be performed at synthesis time. Account and region must be set on the containing stack for this to work. Default: false
         :param open: Whether to automatically allow VPC traffic to the endpoint. If enabled, all traffic to the endpoint from within the VPC will be automatically allowed. This is done based on the VPC's CIDR range. Default: true
         :param private_dns_enabled: Whether to associate a private hosted zone with the specified VPC. This allows you to make requests to the service using its default DNS hostname. Default: set by the instance of IInterfaceVpcEndpointService, or true if not defined by the instance of IInterfaceVpcEndpointService
+        :param private_dns_only_for_inbound_resolver_endpoint: Whether to enable private DNS only for inbound endpoints. Default: not specified
         :param security_groups: The security groups to associate with this interface VPC endpoint. Default: - a new security group is created
         :param subnets: The subnets in which to create an endpoint network interface. At most one per availability zone. Default: - private subnets
         '''
@@ -99688,9 +99985,12 @@ class InterfaceVpcEndpoint(
         props = InterfaceVpcEndpointProps(
             vpc=vpc,
             service=service,
+            dns_record_ip_type=dns_record_ip_type,
+            ip_address_type=ip_address_type,
             lookup_supported_azs=lookup_supported_azs,
             open=open,
             private_dns_enabled=private_dns_enabled,
+            private_dns_only_for_inbound_resolver_endpoint=private_dns_only_for_inbound_resolver_endpoint,
             security_groups=security_groups,
             subnets=subnets,
         )
@@ -102537,6 +102837,9 @@ __all__ = [
     "Vpc",
     "VpcAttributes",
     "VpcEndpoint",
+    "VpcEndpointDnsRecordIpType",
+    "VpcEndpointIpAddressType",
+    "VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint",
     "VpcEndpointService",
     "VpcEndpointServiceProps",
     "VpcEndpointType",
@@ -104500,6 +104803,7 @@ def _typecheckingstub__e3a07acffdb551edbc817b7c424628c812f21356d7f697757a332323f
     instance_family: typing.Optional[builtins.str] = None,
     instance_type: typing.Optional[builtins.str] = None,
     outpost_arn: typing.Optional[builtins.str] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -104564,6 +104868,12 @@ def _typecheckingstub__1e93e24d3ea88403b39f7d948c7495b074446c1b676d25cd60fc9a3a5
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__df2f657cc7e13ab207016558c8542895ee96b2df7db851bd2b108210783fccbb(
+    value: typing.Optional[typing.List[_CfnTag_f6864754]],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__6b2753a5bf48a7bda574bdc6bf8ca7f9c31c7e48329df5f793f75cfb822ea308(
     *,
     availability_zone: builtins.str,
@@ -104574,6 +104884,7 @@ def _typecheckingstub__6b2753a5bf48a7bda574bdc6bf8ca7f9c31c7e48329df5f793f75cfb8
     instance_family: typing.Optional[builtins.str] = None,
     instance_type: typing.Optional[builtins.str] = None,
     outpost_arn: typing.Optional[builtins.str] = None,
+    tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -110810,6 +111121,7 @@ def _typecheckingstub__a16478d34754d994e7b5d75d1e427abd720d7df3e6b3c870e3e83c927
     security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
     service_name: typing.Optional[builtins.str] = None,
     service_network_arn: typing.Optional[builtins.str] = None,
+    service_region: typing.Optional[builtins.str] = None,
     subnet_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     vpc_endpoint_type: typing.Optional[builtins.str] = None,
@@ -110889,6 +111201,12 @@ def _typecheckingstub__93ce6066a05ef231155e5be0db9255aa620b43b7f15caa8dbed327524
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__d6d3cd08ec1fd31ad1338faa2ac68fd15809dab9a7d259f896ee13feffaad8cb(
+    value: typing.Optional[builtins.str],
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b83f77b13bf225d451aa245360aebfaece0685d635a9b435d657b957d2d8bdc0(
     value: typing.Optional[typing.List[builtins.str]],
 ) -> None:
@@ -110985,6 +111303,7 @@ def _typecheckingstub__34ba69df521981275d9321266877bb15ffeaff485197a94710ae57c73
     security_group_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
     service_name: typing.Optional[builtins.str] = None,
     service_network_arn: typing.Optional[builtins.str] = None,
+    service_region: typing.Optional[builtins.str] = None,
     subnet_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
     tags: typing.Optional[typing.Sequence[typing.Union[_CfnTag_f6864754, typing.Dict[builtins.str, typing.Any]]]] = None,
     vpc_endpoint_type: typing.Optional[builtins.str] = None,
@@ -112925,9 +113244,12 @@ def _typecheckingstub__a8399f0a6a7650e1c02d00770e21cad422b9760a1fdc24465cf546371
     id: builtins.str,
     *,
     service: IInterfaceVpcEndpointService,
+    dns_record_ip_type: typing.Optional[VpcEndpointDnsRecordIpType] = None,
+    ip_address_type: typing.Optional[VpcEndpointIpAddressType] = None,
     lookup_supported_azs: typing.Optional[builtins.bool] = None,
     open: typing.Optional[builtins.bool] = None,
     private_dns_enabled: typing.Optional[builtins.bool] = None,
+    private_dns_only_for_inbound_resolver_endpoint: typing.Optional[VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint] = None,
     security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
     subnets: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -113535,9 +113857,12 @@ def _typecheckingstub__839b4527cdef7433e0b16b2f194a2476ac2b4de98682b8a6392a8493d
 def _typecheckingstub__1a6dd0208e338cbe286ecaa3bcf5f95a5f0a0c1e1b3565ca6de058b5fbe2bbdf(
     *,
     service: IInterfaceVpcEndpointService,
+    dns_record_ip_type: typing.Optional[VpcEndpointDnsRecordIpType] = None,
+    ip_address_type: typing.Optional[VpcEndpointIpAddressType] = None,
     lookup_supported_azs: typing.Optional[builtins.bool] = None,
     open: typing.Optional[builtins.bool] = None,
     private_dns_enabled: typing.Optional[builtins.bool] = None,
+    private_dns_only_for_inbound_resolver_endpoint: typing.Optional[VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint] = None,
     security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
     subnets: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -113547,9 +113872,12 @@ def _typecheckingstub__1a6dd0208e338cbe286ecaa3bcf5f95a5f0a0c1e1b3565ca6de058b5f
 def _typecheckingstub__6606ba3de030c44ce43dee44afe64adc59231bfc542799d1354e0732a309b2f0(
     *,
     service: IInterfaceVpcEndpointService,
+    dns_record_ip_type: typing.Optional[VpcEndpointDnsRecordIpType] = None,
+    ip_address_type: typing.Optional[VpcEndpointIpAddressType] = None,
     lookup_supported_azs: typing.Optional[builtins.bool] = None,
     open: typing.Optional[builtins.bool] = None,
     private_dns_enabled: typing.Optional[builtins.bool] = None,
+    private_dns_only_for_inbound_resolver_endpoint: typing.Optional[VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint] = None,
     security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
     subnets: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: IVpc,
@@ -114792,9 +115120,12 @@ def _typecheckingstub__00d64fd969958beb796ccf5d1bc5d808fd3e751c9e3c2237abfaf2dbe
     id: builtins.str,
     *,
     service: IInterfaceVpcEndpointService,
+    dns_record_ip_type: typing.Optional[VpcEndpointDnsRecordIpType] = None,
+    ip_address_type: typing.Optional[VpcEndpointIpAddressType] = None,
     lookup_supported_azs: typing.Optional[builtins.bool] = None,
     open: typing.Optional[builtins.bool] = None,
     private_dns_enabled: typing.Optional[builtins.bool] = None,
+    private_dns_only_for_inbound_resolver_endpoint: typing.Optional[VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint] = None,
     security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
     subnets: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -115374,9 +115705,12 @@ def _typecheckingstub__a11756d82f1033710d89b4b10b111462f7a99734ff79d3648bd84d0e5
     *,
     vpc: IVpc,
     service: IInterfaceVpcEndpointService,
+    dns_record_ip_type: typing.Optional[VpcEndpointDnsRecordIpType] = None,
+    ip_address_type: typing.Optional[VpcEndpointIpAddressType] = None,
     lookup_supported_azs: typing.Optional[builtins.bool] = None,
     open: typing.Optional[builtins.bool] = None,
     private_dns_enabled: typing.Optional[builtins.bool] = None,
+    private_dns_only_for_inbound_resolver_endpoint: typing.Optional[VpcEndpointPrivateDnsOnlyForInboundResolverEndpoint] = None,
     security_groups: typing.Optional[typing.Sequence[ISecurityGroup]] = None,
     subnets: typing.Optional[typing.Union[SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None: