update

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-ip-address-type.ts

@@ -13,14 +13,14 @@ vpc.addInterfaceEndpoint('IPv4', {
   privateDnsEnabled: false,
   service: ec2.InterfaceVpcEndpointAwsService.BEDROCK,
   subnets: { subnetType: ec2.SubnetType.PUBLIC },
-  ipAddressType:ec2.IpAddressType.IPV4,
+  ipAddressType: ec2.IpAddressType.IPV4,
 });
 
 vpc.addInterfaceEndpoint('IPv6', {
   privateDnsEnabled: false,
   service: ec2.InterfaceVpcEndpointAwsService.S3_TABLES,
   subnets: { subnetType: ec2.SubnetType.PUBLIC },
-  ipAddressType:ec2.IpAddressType.IPV6,
+  ipAddressType: ec2.IpAddressType.IPV6,
 });
 
 new IntegTest(app, 'VpcEndpointIpAddressTypeTest', {

packages/aws-cdk-lib/aws-ec2/README.md

@@ -1078,6 +1078,18 @@ new ec2.InterfaceVpcEndpoint(this, 'VPC Endpoint', {
 });
 ```
 
+You can choose ip address type by setting `ipAddressType` property:
+
+```ts
+declare const vpc: ec2.Vpc;
+
+new ec2.InterfaceVpcEndpoint(this, 'VPC Endpoint', {
+  vpc,
+  service: ec2.InterfaceVpcEndpointAwsService.EC2,
+  ipAddressType: ec2.IpAddressType.IPV6,  // ip address type
+});
+```
+
 #### Security groups for interface VPC endpoints
 
 By default, interface VPC endpoints create a new security group and all traffic to the endpoint from within the VPC will be automatically allowed.

packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts

@@ -780,32 +780,37 @@ export interface InterfaceVpcEndpointOptions {
    *
    * @default IpAddressType.IPV4
    */
-  readonly ipAddressType?: IpAddressType
+  readonly ipAddressType?: IpAddressType;
 }
 
 /**
  * The supported IP address types.
+ *
+ * @see https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws
  */
 export enum IpAddressType {
   /**
-   * Use only IPv4 addresses
+   * Assign IPv4 addresses to the endpoint network interfaces.
+   * This option is supported only if all selected subnets have IPv4 address ranges and the service accepts IPv4 requests.
    */
   IPV4 = 'ipv4',
 
   /**
-   * Use only IPv6 addresses
+   * Assign IPv6 addresses to the endpoint network interfaces.
+   * This option is supported only if all selected subnets are IPv6 only subnets and the service accepts IPv6 requests.
    */
   IPV6 = 'ipv6',
 
   /**
-   * Use IPv4 and IPv6 addresses
+   * Assign both IPv4 and IPv6 addresses to the endpoint network interfaces.
+   * This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges and the service accepts both IPv4 and IPv6 requests.
    */
   DUAL_STACK = 'dualstack',
 
   /**
    * not specified
    */
-  NOT_SPECIFIED = 'not-specified'
+  NOT_SPECIFIED = 'not-specified',
 }
 
 /**
@@ -910,7 +915,9 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn
     });
 
     if (props.open !== false) {
-      this.connections.allowDefaultPortFrom(Peer.ipv4(props.vpc.vpcCidrBlock));
+      if (props.ipAddressType === undefined || [IpAddressType.IPV4, IpAddressType.DUAL_STACK].includes(props.ipAddressType)) {
+        this.connections.allowDefaultPortFrom(Peer.ipv4(props.vpc.vpcCidrBlock));
+      }
     }
 
     // Determine which subnets to place the endpoint in

packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts

@@ -4,6 +4,7 @@ import * as cxschema from '../../cloud-assembly-schema';
 import { ContextProvider, Fn, Stack } from '../../core';
 // eslint-disable-next-line max-len
 import { GatewayVpcEndpoint, GatewayVpcEndpointAwsService, InterfaceVpcEndpoint, InterfaceVpcEndpointAwsService, InterfaceVpcEndpointService, SecurityGroup, SubnetFilter, SubnetType, Vpc } from '../lib';
+import { IpAddressType } from '../lib/vpc-endpoint';
 
 describe('vpc endpoint', () => {
   describe('gateway endpoint', () => {
@@ -954,5 +955,61 @@ describe('vpc endpoint', () => {
         VpcEndpointType: 'Interface',
       });
     });
+
+    test.each([
+      IpAddressType.IPV4,
+      IpAddressType.IPV6,
+      IpAddressType.DUAL_STACK,
+      IpAddressType.NOT_SPECIFIED,
+    ])('test vpc interface endpoint when ip address type is %s.', (ipAddressType) => {
+      //GIVEN
+      const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-west-2' } });
+      const vpc = new Vpc(stack, 'VPC');
+
+      //WHEN
+      vpc.addInterfaceEndpoint('EC2 Endpoint', {
+        service: InterfaceVpcEndpointAwsService.EC2,
+        privateDnsEnabled: false,
+        ipAddressType,
+      });
+
+      //THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+        ServiceName: 'com.amazonaws.us-west-2.ec2',
+        VpcId: stack.resolve(vpc.vpcId),
+        PrivateDnsEnabled: false,
+        VpcEndpointType: 'Interface',
+        IpAddressType: ipAddressType,
+      });
+    });
+
+    test.each([
+      IpAddressType.IPV4,
+      IpAddressType.DUAL_STACK,
+    ])('test security group with vpc interface endpoint when ip address type is %s.', (ipAddressType) => {
+      //GIVEN
+      const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-west-2' } });
+      const vpc = new Vpc(stack, 'VPC');
+
+      //WHEN
+      vpc.addInterfaceEndpoint('EC2 Endpoint', {
+        service: InterfaceVpcEndpointAwsService.EC2,
+        privateDnsEnabled: false,
+        ipAddressType,
+        open: true,
+      });
+
+      //THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::SecurityGroup', {
+        SecurityGroupIngress: [
+          {
+            CidrIp: stack.resolve(vpc.vpcCidrBlock),
+            FromPort: 443,
+            IpProtocol: 'tcp',
+            ToPort: 443,
+          },
+        ],
+      });
+    });
   });
 });