Why can’t I select an Availability Zone for my Amazon VPC interface endpoint?


I'm using Amazon Virtual Private Cloud (Amazon VPC) to create an interface VPC endpoint. However, I can't select my preferred subnet for the Availability Zone.

Short description

When you create an interface VPC endpoint to connect with AWS PrivateLink services, note the following:

  • You must select subnets in the same Availability Zones in which the endpoint's elastic network interfaces are launched.
  • The Availability Zone mapping can be different between AWS accounts. For example, the subnet that's mapped as us-east-1a in one account might be mapped as us-east-1c in another account.
    Note: AWS allows you to identify the actual location of your resources relative to your accounts with the Availability Zone ID (AZ ID). An AZ ID is a unique and consistent identifier for an Availability Zone across all AWS accounts.

When you create an interface endpoint in your account, keep the following points in mind:

  • You can select an Availability Zone only if it corresponds to an Availability Zone that is active on the Network Load Balancer of the provider VPC.
  • The Amazon VPC console automatically performs the Availability Zone mapping.
  • If an Availability Zone isn't activated for the provider VPC's Network Load Balancer, then you receive the error "Service not supported in this Availability Zone".

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Check which Availability Zones are enabled on the Network Load Balancer of the provider VPC. Use the command describe-vpc-endpoint-services:

aws ec2 describe-vpc-endpoint-services --service-names SERVICE-NAME

For example, use the following command to see activated Availability Zones:

aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxx

In this example, the output shows that you can select the us-east-1b subnet:

{
    "ServiceDetails": [
        .............................
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxx",
            "VpcEndpointPolicySupported": false,
            "Owner": "##########",
            "AvailabilityZones": [
                "us-east-1b"
            ],
        ..............................
}

The Availability Zone names in this output are mapped to the naming of the AWS account that runs the command. Therefore, both the service provider account and the service consumer account can run the preceding command, even though the same physical Availability Zone can carry a different name in each account. For consumer accounts, make sure that the accounts are allowed as AWS principals on the endpoint service.
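The following script is an added example, not AWS's own code. It ties together the two checks this article describes: it reads the JSON that describe-vpc-endpoint-services returns to find the Availability Zones the provider's Network Load Balancer is active in, compares them with the subnets in your VPC (from describe-subnets) to show which subnets you can select and which would fail with "Service not supported in this Availability Zone", and uses describe-availability-zones to translate between zone names and AZ IDs so that provider and consumer accounts can compare zones by their stable identifier. The service name, VPC ID, subnet IDs, account ID and the zone-name-to-AZ-ID mapping in the embedded sample responses are constructed placeholders; run it with a real service name and VPC ID as arguments to query your own account through the AWS CLI.

```python
"""Check which subnets in a VPC can host an interface endpoint for a PrivateLink
service, and map zone names to AZ IDs for cross-account comparison.

Added example, not AWS's own code. It parses the JSON output of the AWS CLI
commands describe-vpc-endpoint-services, describe-subnets and
describe-availability-zones. The sample responses below are constructed;
every identifier in them is a placeholder.
"""
import json
import subprocess
import sys

ERROR_TEXT = "Service not supported in this Availability Zone"


def supported_zone_names(services_output, service_name):
    """Zone names (as seen by the calling account) in which the provider's
    Network Load Balancer is active, from describe-vpc-endpoint-services."""
    for detail in services_output.get("ServiceDetails", []):
        if detail["ServiceName"].strip() == service_name:
            return set(detail.get("AvailabilityZones", []))
    raise KeyError(f"service {service_name!r} not in output")


def classify_subnets(subnets_output, supported_zones):
    """Split describe-subnets output into subnets you can select for the
    endpoint and subnets the console would reject with ERROR_TEXT."""
    selectable, rejected = [], []
    for subnet in subnets_output.get("Subnets", []):
        entry = {
            "SubnetId": subnet["SubnetId"],
            "AvailabilityZone": subnet["AvailabilityZone"],
            "AvailabilityZoneId": subnet["AvailabilityZoneId"],
        }
        target = selectable if subnet["AvailabilityZone"] in supported_zones else rejected
        target.append(entry)
    return selectable, rejected


def zone_ids_for_names(azs_output, zone_names):
    """Map this account's zone names to AZ IDs (describe-availability-zones).
    AZ IDs identify the same physical zone in every account."""
    by_name = {z["ZoneName"]: z["ZoneId"] for z in azs_output.get("AvailabilityZones", [])}
    return {name: by_name[name] for name in sorted(zone_names) if name in by_name}


def zone_names_for_ids(azs_output, zone_ids):
    """Inverse mapping: given AZ IDs quoted by a provider account, find what
    those zones are called in the calling account. Unknown IDs are skipped."""
    by_id = {z["ZoneId"]: z["ZoneName"] for z in azs_output.get("AvailabilityZones", [])}
    return {zid: by_id[zid] for zid in sorted(zone_ids) if zid in by_id}


# Constructed sample responses (placeholders, not real resources).
SAMPLE_SERVICE_NAME = "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE"
SAMPLE_SERVICES = {"ServiceDetails": [{
    "ServiceName": SAMPLE_SERVICE_NAME,
    "VpcEndpointPolicySupported": False,
    "Owner": "111122223333",
    "AvailabilityZones": ["us-east-1b"],
}]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0aaaaaaaaaaaaaaaa", "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az2"},
    {"SubnetId": "subnet-0bbbbbbbbbbbbbbbb", "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az1"},
    {"SubnetId": "subnet-0cccccccccccccccc", "AvailabilityZone": "us-east-1c", "AvailabilityZoneId": "use1-az4"},
]}
SAMPLE_AZS = {"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az2"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az1"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az4"},
]}


def run_aws(*args):
    """Run an 'aws ec2 ...' subcommand and parse its JSON output."""
    return json.loads(subprocess.check_output(["aws", "ec2", *args, "--output", "json"]))


def report(service_name, vpc_id, use_cli):
    """Print selectable and rejected subnets; returns both lists."""
    if use_cli:  # live data from the calling account's credentials
        services = run_aws("describe-vpc-endpoint-services", "--service-names", service_name)
        subnets = run_aws("describe-subnets", "--filters", f"Name=vpc-id,Values={vpc_id}")
        azs = run_aws("describe-availability-zones")
    else:  # offline: constructed sample data
        services, subnets, azs = SAMPLE_SERVICES, SAMPLE_SUBNETS, SAMPLE_AZS
    zones = supported_zone_names(services, service_name)
    selectable, rejected = classify_subnets(subnets, zones)
    print("Supported zones (name -> AZ ID):", zone_ids_for_names(azs, zones))
    for s in selectable:
        print(f"OK       {s['SubnetId']} {s['AvailabilityZone']} ({s['AvailabilityZoneId']})")
    for s in rejected:
        print(f"REJECTED {s['SubnetId']} {s['AvailabilityZone']} ({s['AvailabilityZoneId']}): {ERROR_TEXT}")
    return selectable, rejected


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py SERVICE-NAME VPC-ID
        report(sys.argv[1], sys.argv[2], use_cli=True)
    else:
        report(SAMPLE_SERVICE_NAME, "vpc-EXAMPLE", use_cli=False)
```

Because describe-vpc-endpoint-services already returns zone names in the caller's own mapping, the subnet comparison is a plain name match; the AZ ID helpers matter when a provider tells you which zones their load balancer is in, since the name they quote may refer to a different physical zone in your account.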

Related information

Share your services through AWS PrivateLink

AWS OFFICIAL. Updated 6 months ago.