Why can’t I select an Availability Zone for my Amazon VPC interface endpoint?


I'm using Amazon Virtual Private Cloud (Amazon VPC) to create an interface VPC endpoint. However, I can't select the subnet in my preferred Availability Zone. Why can't I select that Availability Zone for my interface VPC endpoint?

Short description

When you create an interface VPC endpoint to connect to an AWS PrivateLink service:

  • The endpoint places an elastic network interface in each subnet that you select, so every subnet you choose must be in an Availability Zone that the endpoint service supports.
  • Availability Zone names are mapped independently for each AWS account. For example, the physical zone that appears as us-east-1a in one account might appear as us-east-1c in another account. The Availability Zone ID (for example, use1-az1) is the same in every account; run describe-availability-zones to see the ZoneName-to-ZoneId mapping for your account.

When you create an interface endpoint in your account:

  • You can select only Availability Zones that correspond to the Availability Zones enabled on the Network Load Balancer of the provider VPC.
  • The Amazon VPC console performs the Availability Zone mapping between the provider account and your account automatically.
  • If an Availability Zone isn't enabled on the provider VPC's Network Load Balancer, you receive the error "Service not supported in this Availability Zone".

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Check which Availability Zones are enabled on the Network Load Balancer of the provider VPC. Use the command describe-vpc-endpoint-services:

aws ec2 describe-vpc-endpoint-services --service-names SERVICE-NAME

For example, use this command to see enabled Availability Zones:

aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxx

In this example, the output shows that the service supports only us-east-1b (as named in your account), so you can select only a subnet in us-east-1b:

{
    "ServiceDetails": [
        .............................
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxx",
            "VpcEndpointPolicySupported": false,
            "Owner": "##########",
            "AvailabilityZones": [
                "us-east-1b"
            ],
        ..............................
}

The AvailabilityZones in this output are expressed in the Availability Zone names of the AWS account that runs the command. Therefore, both the service provider account and the service consumer account can run the preceding command and each sees names that are valid in its own account, even if the two accounts map Availability Zone names to different physical zones. For consumer accounts, make sure that the account is allowed as an AWS principal on the endpoint service; otherwise the command doesn't return the service.
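The following is an added example, not code from the AWS article, that turns the preceding check into a repeatable script. It cross-references the AvailabilityZones returned by describe-vpc-endpoint-services with the Availability Zone IDs of your subnets, so the comparison is made on account-independent ZoneIds rather than on account-specific names. All JSON in the block is constructed sample data shaped like the output of describe-vpc-endpoint-services, describe-availability-zones and describe-subnets; the service name, zone IDs and subnet IDs are placeholders, and the provider-side mapping is invented to show how the same physical zone carries a different name in another account.

```python
"""Decide which subnets are eligible for an interface endpoint.

Added example (not part of the AWS article). With real data you would run:
    aws ec2 describe-vpc-endpoint-services --service-names SERVICE-NAME > service.json
    aws ec2 describe-availability-zones > azs.json
    aws ec2 describe-subnets --filters Name=vpc-id,Values=VPC-ID > subnets.json
    python3 check_endpoint_azs.py service.json azs.json subnets.json
Without arguments it runs against the constructed sample data below.
"""
import json
import sys

# Placeholder service name, as in the article.
SERVICE_NAME = "com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxx"

# Constructed: describe-vpc-endpoint-services as seen from the consumer account.
SERVICE_OUTPUT = {
    "ServiceDetails": [
        {"ServiceName": SERVICE_NAME, "AvailabilityZones": ["us-east-1b"]}
    ]
}

# Constructed: describe-availability-zones in the consumer account.
CONSUMER_AZS = {
    "AvailabilityZones": [
        {"ZoneName": "us-east-1a", "ZoneId": "use1-az2"},
        {"ZoneName": "us-east-1b", "ZoneId": "use1-az4"},
        {"ZoneName": "us-east-1c", "ZoneId": "use1-az6"},
    ]
}

# Constructed: the same physical zones as the provider account names them.
# use1-az4 is "us-east-1b" for the consumer but "us-east-1c" for the provider.
PROVIDER_AZS = {
    "AvailabilityZones": [
        {"ZoneName": "us-east-1a", "ZoneId": "use1-az6"},
        {"ZoneName": "us-east-1b", "ZoneId": "use1-az2"},
        {"ZoneName": "us-east-1c", "ZoneId": "use1-az4"},
    ]
}

# Constructed: describe-subnets for the consumer VPC (placeholder subnet IDs).
CONSUMER_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az2"},
        {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az4"},
        {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-east-1c", "AvailabilityZoneId": "use1-az6"},
    ]
}


def service_zone_names(service_output, service_name):
    """AZ names the service supports, expressed in the calling account's naming.

    Raises LookupError if the service is absent from the output: a consumer
    that is not an allowed principal on the endpoint service cannot see it.
    """
    for detail in service_output.get("ServiceDetails", []):
        if detail.get("ServiceName") == service_name:
            return list(detail.get("AvailabilityZones", []))
    raise LookupError(f"{service_name} not returned; check the allowed principals")


def zone_ids(az_output, names):
    """Translate account-specific ZoneNames into account-independent ZoneIds."""
    name_to_id = {z["ZoneName"]: z["ZoneId"] for z in az_output["AvailabilityZones"]}
    return {name_to_id[n] for n in names}


def zone_names(az_output, ids):
    """Inverse mapping: ZoneIds back to the names a given account uses for them."""
    id_to_name = {z["ZoneId"]: z["ZoneName"] for z in az_output["AvailabilityZones"]}
    return sorted(id_to_name[i] for i in ids)


def eligible_subnets(subnet_output, supported_ids):
    """Subnet IDs the endpoint can use: compare on AvailabilityZoneId, never on name."""
    return [s["SubnetId"] for s in subnet_output["Subnets"]
            if s["AvailabilityZoneId"] in supported_ids]


def main(argv):
    if len(argv) == 4:
        with open(argv[1]) as f1, open(argv[2]) as f2, open(argv[3]) as f3:
            service, azs, subnets = json.load(f1), json.load(f2), json.load(f3)
    else:
        service, azs, subnets = SERVICE_OUTPUT, CONSUMER_AZS, CONSUMER_SUBNETS
    names = service_zone_names(service, SERVICE_NAME)
    ids = zone_ids(azs, names)
    print("service supports (your account's names):", names, "-> zone IDs:", sorted(ids))
    print("same zones as the provider names them (sample):", zone_names(PROVIDER_AZS, ids))
    print("subnets you can select for the endpoint:", eligible_subnets(subnets, ids))


if __name__ == "__main__":
    main(sys.argv)
```

Comparing on ZoneId is the point: a provider telling you "the NLB is enabled in us-east-1c" is only meaningful in the provider's account, and in the sample above that same zone is us-east-1b in the consumer account. For a quick manual version of the same check, the CLI --query option prints just the relevant fields, for example --query 'ServiceDetails[].AvailabilityZones' on describe-vpc-endpoint-services and --query 'AvailabilityZones[].[ZoneName,ZoneId]' on describe-availability-zones.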


Related information

Share your services through AWS PrivateLink

AWS OFFICIAL (updated 8 months ago)