
How do I configure cross-Region Amazon VPC interface endpoints to access AWS PrivateLink resources?


I want to configure cross-Region Amazon Virtual Private Cloud (Amazon VPC) endpoints to access AWS PrivateLink resources.

Resolution

Configure native cross-Region connectivity

Use AWS PrivateLink to configure native cross-Region access for services that use a Network Load Balancer or a Gateway Load Balancer. For instructions on configuring cross-Region endpoints for services with AWS PrivateLink, see Introducing Cross-Region Connectivity for AWS PrivateLink.

Use Amazon VPC interface endpoints to access a service that runs in another Region

Complete the following steps:

  1. From the consumer Amazon VPC, create an interface endpoint for the required service in a private subnet.
  2. Create an inbound security group rule that allows traffic from the remote consumer Amazon VPC CIDR block.
  3. Create an inter-region Amazon VPC peering connection between the consumer Amazon VPC and the source Amazon VPC. Configure the interface endpoint in the same AWS Region as the endpoint service.
    Note: An endpoint service is available in the Region where you created it.
  4. Use the Amazon VPC peering connection to configure the subnet route tables to route traffic to the remote consumer Amazon VPC in the other Region.
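The following pre-flight check covers steps 2 to 4 of the peering-based procedure above. It is an added example, not AWS's own code: the dicts mirror the output shape of `aws ec2 describe-security-groups`, `describe-route-tables` and `describe-vpc-peering-connections`, and every ID, CIDR and Region value in it is a constructed placeholder. It verifies that the endpoint security group admits the whole remote consumer CIDR (and only what is needed, flagging a 0.0.0.0/0 rule), that the peering connection is active between the two expected Regions, and that both subnet route tables carry an active route through the peering connection.

```python
"""Offline pre-flight check for the cross-Region interface endpoint setup.
Added example (not AWS code); all IDs, CIDRs and Regions are constructed."""
import ipaddress

# --- constructed sample topology -------------------------------------------
ENDPOINT_VPC_CIDR = "10.10.0.0/16"      # VPC that hosts the interface endpoint
REMOTE_CONSUMER_CIDR = "10.20.0.0/16"   # consumer VPC in the other Region
ENDPOINT_REGION, REMOTE_REGION = "us-east-1", "eu-west-1"
PEERING_ID = "pcx-0123456789abcdef0"    # placeholder peering connection ID
SERVICE_PORT = 443

# Security group on the endpoint network interfaces. As constructed it only
# admits the local VPC, so step 2 is still missing.
ENDPOINT_SG = {
    "GroupId": "sg-0aaaaaaaaaaaaaaaa",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ENDPOINT_VPC_CIDR}]},
    ],
}

# Route tables of the endpoint subnet and of the remote consumer subnet (step 4).
ENDPOINT_SUBNET_RT = {"RouteTableId": "rtb-0bbbbbbbbbbbbbbbb", "Routes": [
    {"DestinationCidrBlock": ENDPOINT_VPC_CIDR, "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": REMOTE_CONSUMER_CIDR, "VpcPeeringConnectionId": PEERING_ID, "State": "active"},
]}
REMOTE_SUBNET_RT = {"RouteTableId": "rtb-0ccccccccccccccccc", "Routes": [
    {"DestinationCidrBlock": REMOTE_CONSUMER_CIDR, "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": ENDPOINT_VPC_CIDR, "VpcPeeringConnectionId": PEERING_ID, "State": "active"},
]}

PEERING = {
    "VpcPeeringConnectionId": PEERING_ID, "Status": {"Code": "active"},
    "RequesterVpcInfo": {"CidrBlock": ENDPOINT_VPC_CIDR, "Region": ENDPOINT_REGION},
    "AccepterVpcInfo": {"CidrBlock": REMOTE_CONSUMER_CIDR, "Region": REMOTE_REGION},
}


def _covers(rule_cidr, wanted_cidr):
    """True when every address of wanted_cidr lies inside rule_cidr (same IP version)."""
    rule, wanted = ipaddress.ip_network(rule_cidr), ipaddress.ip_network(wanted_cidr)
    return rule.version == wanted.version and wanted.subnet_of(rule)


def _port_matches(perm, port):
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def sg_allows(sg, remote_cidr, port):
    """Step 2: an inbound rule must admit the whole remote consumer CIDR on the service port."""
    return any(_port_matches(perm, port)
               and any(_covers(r["CidrIp"], remote_cidr) for r in perm.get("IpRanges", []))
               for perm in sg["IpPermissions"])


def overly_broad_rules(sg):
    """Rules that admit every address; the procedure only needs the remote consumer CIDR."""
    return [r["CidrIp"] for perm in sg["IpPermissions"] for r in perm.get("IpRanges", [])
            if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0]


def has_peering_route(route_table, dest_cidr, peering_id):
    """Step 4: an active route for dest_cidr whose target is the peering connection."""
    return any(route.get("DestinationCidrBlock") and _covers(route["DestinationCidrBlock"], dest_cidr)
               and route.get("VpcPeeringConnectionId") == peering_id and route.get("State") == "active"
               for route in route_table["Routes"])


def peering_spans_regions(peering, region_a, region_b):
    """Step 3: the peering connection is active and joins the two expected Regions."""
    regions = {peering["RequesterVpcInfo"]["Region"], peering["AccepterVpcInfo"]["Region"]}
    return peering["Status"]["Code"] == "active" and regions == {region_a, region_b}


def preflight(sg, endpoint_rt, remote_rt, peering):
    """Return a list of findings; an empty list means steps 2 to 4 are in place."""
    findings = []
    if not sg_allows(sg, REMOTE_CONSUMER_CIDR, SERVICE_PORT):
        findings.append(f"security group {sg['GroupId']} does not allow {REMOTE_CONSUMER_CIDR} on tcp/{SERVICE_PORT}")
    for cidr in overly_broad_rules(sg):
        findings.append(f"security group {sg['GroupId']} admits {cidr}; scope it to the consumer CIDR")
    if not peering_spans_regions(peering, ENDPOINT_REGION, REMOTE_REGION):
        findings.append(f"peering {peering['VpcPeeringConnectionId']} is not active between {ENDPOINT_REGION} and {REMOTE_REGION}")
    if not has_peering_route(endpoint_rt, REMOTE_CONSUMER_CIDR, PEERING_ID):
        findings.append(f"{endpoint_rt['RouteTableId']} lacks an active route to {REMOTE_CONSUMER_CIDR} via {PEERING_ID}")
    if not has_peering_route(remote_rt, ENDPOINT_VPC_CIDR, PEERING_ID):
        findings.append(f"{remote_rt['RouteTableId']} lacks an active route to {ENDPOINT_VPC_CIDR} via {PEERING_ID}")
    return findings


def with_consumer_rule(sg, remote_cidr, port):
    """Return a copy of sg with the step-2 rule added (scoped to the consumer CIDR and port)."""
    fixed = {"GroupId": sg["GroupId"], "IpPermissions": list(sg["IpPermissions"])}
    fixed["IpPermissions"].append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                                   "IpRanges": [{"CidrIp": remote_cidr}]})
    return fixed


if __name__ == "__main__":
    print(preflight(ENDPOINT_SG, ENDPOINT_SUBNET_RT, REMOTE_SUBNET_RT, PEERING))
    print(preflight(with_consumer_rule(ENDPOINT_SG, REMOTE_CONSUMER_CIDR, SERVICE_PORT),
                    ENDPOINT_SUBNET_RT, REMOTE_SUBNET_RT, PEERING))
```

Run as-is, the first call reports the missing step-2 rule and the second, with the scoped rule added, reports nothing. To use it against a real account, replace the constructed dicts with the parsed JSON of the corresponding `describe-*` calls; the checks deliberately require the route to be in the `active` state and the rule to cover the entire consumer CIDR, because a narrower rule or a blackhole route presents as an intermittent or one-way failure.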

Resolve a service endpoint DNS name from a peered Amazon VPC

To resolve a service endpoint DNS name to private IP addresses from a peered Amazon VPC, create a private hosted zone, and then complete the following steps:

  1. Create an interface endpoint for the service.
    Note: Don't configure a private DNS name for your endpoint service.
  2. Use the service domain name to create a private hosted zone in Amazon Route 53. Use the AWS account that you used to create the interface endpoint in the previous step.
  3. Confirm that you activated DNS hostnames and DNS resolution for both Amazon VPCs in the peering connection.
  4. Use Amazon Route 53 to create an alias record that points the service domain name to the Regional endpoint of the interface endpoint DNS. For information about the values that you specify for your alias record, see Values that you specify when you create or edit Amazon Route 53 records.
  5. Associate the source Amazon VPC to the private hosted zone. If you created the Amazon VPC with a different account, then follow the instructions at How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?
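The following check walks the five DNS steps above against the state the account would report. It is an added example, not AWS's own code: the dicts mirror the output shape of `aws ec2 describe-vpc-endpoints`, `aws route53 get-hosted-zone`, `aws route53 list-resource-record-sets` and `aws ec2 describe-vpc-attribute`, and every ID, domain name and Region is a constructed placeholder. The rule that tells the Regional endpoint DNS name from a zonal one (the first label ends in an Availability Zone suffix such as `-us-east-1a`) is an assumption about the naming pattern, not something the article states.

```python
"""Offline check for the private hosted zone setup that resolves a service
endpoint name from a peered VPC. Added example (not AWS code); all names,
IDs and Regions are constructed placeholders."""
import re

SERVICE_DOMAIN = "api.service.example.com"                              # constructed
ENDPOINT_VPC = {"VpcId": "vpc-0aaaaaaaaaaaaaaaa", "Region": "us-east-1"}  # owns the endpoint
SOURCE_VPC = {"VpcId": "vpc-0bbbbbbbbbbbbbbbb", "Region": "eu-west-1"}    # peered VPC that must resolve the name

# describe-vpc-endpoints: one Regional DNS entry plus one per Availability Zone.
ENDPOINT = {
    "VpcEndpointId": "vpce-0ccccccccccccccccc", "PrivateDnsEnabled": False,
    "DnsEntries": [
        {"DnsName": "vpce-0ccccccccccccccccc-ab12cd34.vpce-svc-0ddddddddddddddddd.us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "Z0PLACEHOLDER"},
        {"DnsName": "vpce-0ccccccccccccccccc-ab12cd34-us-east-1a.vpce-svc-0ddddddddddddddddd.us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "Z0PLACEHOLDER"},
    ],
}
# get-hosted-zone: private zone named after the service domain, associated with both VPCs.
HOSTED_ZONE = {
    "HostedZone": {"Id": "/hostedzone/Z0EXAMPLEZONE", "Name": "api.service.example.com.",
                   "Config": {"PrivateZone": True}},
    "VPCs": [{"VPCRegion": "us-east-1", "VPCId": ENDPOINT_VPC["VpcId"]},
             {"VPCRegion": "eu-west-1", "VPCId": SOURCE_VPC["VpcId"]}],
}
# list-resource-record-sets: alias A record pointing at the Regional endpoint name.
RECORD_SETS = [
    {"Name": "api.service.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z0PLACEHOLDER",
                     "DNSName": ENDPOINT["DnsEntries"][0]["DnsName"] + ".",
                     "EvaluateTargetHealth": False}},
]
# describe-vpc-attribute results, keyed by VPC ID.
VPC_ATTRS = {
    ENDPOINT_VPC["VpcId"]: {"EnableDnsHostnames": {"Value": True}, "EnableDnsSupport": {"Value": True}},
    SOURCE_VPC["VpcId"]: {"EnableDnsHostnames": {"Value": True}, "EnableDnsSupport": {"Value": True}},
}

# Assumed naming pattern: a zonal name's first label ends in "-<region>-<az letter>".
_AZ_SUFFIX = re.compile(r"-[a-z]{2}(-[a-z]+)+-\d[a-z]$")


def _fqdn(name):
    """Normalise a DNS name for comparison (case-insensitive, no trailing dot)."""
    return name.lower().rstrip(".")


def regional_dns_name(endpoint):
    """The endpoint's Regional DNS name: the entry whose first label carries no AZ suffix."""
    for entry in endpoint["DnsEntries"]:
        if not _AZ_SUFFIX.search(entry["DnsName"].split(".")[0]):
            return _fqdn(entry["DnsName"])
    return None


def alias_record_for(record_sets, name):
    return next((r for r in record_sets
                 if _fqdn(r["Name"]) == _fqdn(name) and r["Type"] == "A" and "AliasTarget" in r), None)


def dns_attrs_enabled(vpc_attrs, vpc_id):
    """Step 3: both DNS hostnames and DNS resolution must be on for the VPC."""
    attrs = vpc_attrs.get(vpc_id, {})
    return bool(attrs.get("EnableDnsHostnames", {}).get("Value")) and \
        bool(attrs.get("EnableDnsSupport", {}).get("Value"))


def check_private_dns(service_domain, endpoint, zone, record_sets, vpc_attrs, vpcs):
    """Return a list of findings keyed to the article's steps; empty means all five hold."""
    findings = []
    if endpoint.get("PrivateDnsEnabled"):
        findings.append("step 1: endpoint has a private DNS name enabled; the hosted zone should own the name instead")
    hz = zone["HostedZone"]
    if _fqdn(hz["Name"]) != _fqdn(service_domain) or not hz["Config"].get("PrivateZone"):
        findings.append(f"step 2: hosted zone {hz['Id']} is not a private zone for {service_domain}")
    for vpc in vpcs:
        if not dns_attrs_enabled(vpc_attrs, vpc["VpcId"]):
            findings.append(f"step 3: {vpc['VpcId']} needs DNS hostnames and DNS resolution enabled")
    record, regional = alias_record_for(record_sets, service_domain), regional_dns_name(endpoint)
    if record is None:
        findings.append(f"step 4: no alias A record for {service_domain}")
    elif _fqdn(record["AliasTarget"]["DNSName"]) != regional:
        findings.append(f"step 4: alias points at {record['AliasTarget']['DNSName']}, expected Regional name {regional}")
    associated = {v["VPCId"] for v in zone["VPCs"]}
    for vpc in vpcs:
        if vpc["VpcId"] not in associated:
            findings.append(f"step 5: {vpc['VpcId']} is not associated with hosted zone {hz['Id']}")
    return findings


if __name__ == "__main__":
    print(check_private_dns(SERVICE_DOMAIN, ENDPOINT, HOSTED_ZONE, RECORD_SETS, VPC_ATTRS,
                            [ENDPOINT_VPC, SOURCE_VPC]))
```

The alias is checked against the Regional name rather than a zonal one so that a single Availability Zone outage does not take the name down with it, and the step-3 check is run for both VPCs because the private hosted zone only answers inside a VPC that has both attributes on.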

Related information

How do I use an interface Amazon VPC endpoint to resolve default service domain names?

Why can't I resolve domain names over my VPC peering connection?

AWS OFFICIAL, updated 2 months ago
6 Comments

Great article!

AWS
SUPPORT ENGINEER
replied a year ago

Educative article!

AWS
replied a year ago

Useful info. Thanks

replied a year ago

Informative article

AWS
SUPPORT ENGINEER
replied a year ago

Is this no longer needed now that AWS PrivateLink supports cross-region connectivity? https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink/

replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 months ago