Why can’t I select an Availability Zone for my Amazon VPC interface endpoint?

2 minute read

I'm using Amazon Virtual Private Cloud (Amazon VPC) to create an interface VPC endpoint. However, I can't select my preferred subnet for the Availability Zone.

Short description

When you create an interface VPC endpoint to connect with AWS PrivateLink services, note the following:

  • You must select subnets for the same Availability Zone where the elastic network interface was launched.
  • The Availability Zone mapping can be different between AWS accounts. For example, the subnet that's mapped as us-east-1a in one account might be mapped as us-east-1c in another account.
    Note: AWS allows you to identify the actual location of your resources relative to your accounts with the Availability Zone ID (AZ ID). An AZ ID is a unique and consistent identifier for an Availability Zone across all AWS accounts.

When you create an interface endpoint in your account, keep the following points in mind:

  • You can select an Availability Zone only if it corresponds to active Availability Zones on the Network Load Balancer of the provider VPC.
  • The Amazon VPC console automatically performs the Availability Zone mapping.
  • If an Availability Zone isn't activated for the provider VPC's Network Load Balancer, then you receive the error Service not supported in this Availability Zone.


Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Check which Availability Zones are enabled on the Network Load Balancer of the provider VPC. Use the command describe-vpc-endpoint-services:

aws ec2 describe-vpc-endpoint-services --service-names SERVICE-NAME

For example, use the following command to see activated Availability Zones:

aws ec2 describe-vpc-endpoint-services --service-names com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxx

In this example, the output shows that you can select the us-east-1b subnet:

    "ServiceDetails": [
            "ServiceName": " com.amazonaws.vpce.us-east-1.vpce-svc-xxxxxxxxxx ",
            "VpcEndpointPolicySupported": false,
            "Owner": "##########",
            "AvailabilityZones": [

This output is mapped to the values of the AWS account that is running the command. Therefore, both service provider accounts and service consumer accounts can run the preceding command, even if they are in different Availability Zones. For consumer accounts, make sure that the accounts are allowed as AWS principals on the endpoint service.

Related information

Share your services through AWS PrivateLink

AWS OFFICIALUpdated 6 months ago