diff --git a/ci-operator/step-registry/ipi/conf/aws/blackholenetwork/blackhole_vpc_yaml.md b/ci-operator/step-registry/ipi/conf/aws/blackholenetwork/blackhole_vpc_yaml.md
index 1820cccb5fb3..fa7d4bc6d73e 100644
--- a/ci-operator/step-registry/ipi/conf/aws/blackholenetwork/blackhole_vpc_yaml.md
+++ b/ci-operator/step-registry/ipi/conf/aws/blackholenetwork/blackhole_vpc_yaml.md
@@ -173,6 +173,42 @@ Resources:
 Properties:
 SubnetId: !Ref PrivateSubnet3
 RouteTableId: !Ref PrivateRouteTable3
+ EC2EndpointSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: EC2 Endpoint Security Group
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 443
+ ToPort: 443
+ CidrIp: !Ref VpcCidr
+ VpcId: !Ref VPC
+ EC2Endpoint:
+ Type: AWS::EC2::VPCEndpoint
+ Properties:
+ PolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal: '*'
+ Action:
+ - '*'
+ Resource:
+ - '*'
+ PrivateDnsEnabled: "true"
+ SecurityGroupIds:
+ - !Ref EC2EndpointSecurityGroup
+ ServiceName: !Join
+ - ''
+ - - com.amazonaws.
+ - !Ref 'AWS::Region'
+ - .ec2
+ SubnetIds:
+ - !Ref PublicSubnet
+ - !If [DoAz2, !Ref PublicSubnet2, !Ref "AWS::NoValue"]
+ - !If [DoAz3, !Ref PublicSubnet3, !Ref "AWS::NoValue"]
+ VpcEndpointType: Interface
+ VpcId: !Ref VPC
 S3Endpoint:
 Type: AWS::EC2::VPCEndpoint
 Properties:
@@ -214,4 +250,4 @@ Outputs:
 !Join [ ",", [!Ref PrivateSubnet, !If [DoAz2, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]]
- ]
\ No newline at end of file
+ ]
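Review bot: The EC2Endpoint PolicyDocument with `Principal: '*'`, `Action: '*'` and `Resource: '*'` is equivalent to AWS's default full-access endpoint policy, so the block adds no restriction: any principal that can route to this VPC may call the EC2 API through the endpoint, limited only by its own IAM permissions. Given this appears to be the isolated "blackhole" VPC, the endpoint is presumably the cluster's only EC2 API path, so either drop PolicyDocument (making the default explicit) or scope the statement, e.g. add `Condition: { StringEquals: { aws:PrincipalAccount: !Ref 'AWS::AccountId' } }` so credentials from other accounts cannot exfiltrate via this path. The EC2EndpointSecurityGroup ingress (tcp/443 from VpcCidr only) is appropriately scoped for an interface endpoint. Minor robustness point: `Version: 2012-10-17` is unquoted and YAML 1.1 parsers read it as a date; `Version: "2012-10-17"` is safer if the template is ever pre-processed before reaching CloudFormation.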