Need assistance to understand how to setup AWS PrivateLink Cross-region connection

0

Hi! I am trying to set up AWS PrivateLink to test the cross-region connectivity of the services. I am following this blog, but I am not sure about this part (screenshot not included here). The article gave the policies, but I am unsure where to use or attach them. I already created the VPC endpoint service from the region 1 (provider VPC) and created the VPC endpoint in region 2 (consumer VPC). I practically set up all of it, but when I tried to curl the DNS name of the endpoint from my EC2 instance in region 2 (consumer VPC), I got a "connection timed out" error. I configured my security groups to be non-restrictive for testing, so I am not sure what else I missed. I hope someone could help me, thank you!

asked a year ago, 1K views
1 Answer
0
Accepted Answer

To set up AWS PrivateLink for cross-region connectivity, you need to ensure that the proper permissions are in place. The policies mentioned in the blog are related to IAM permissions that control cross-region access for AWS PrivateLink.

Here's what you need to do:

  1. IAM Permissions: An IAM administrator needs to create and attach IAM policies that allow the vpce:AllowMultiRegion permission-only action. This grants the necessary permissions for cross-region access.

  2. Service Provider Side:

    • Make sure your endpoint service in Region 1 (provider VPC) is configured to allow cross-region access.
    • In the endpoint service settings, you need to explicitly enable the regions from which you want to allow access.
  3. Service Consumer Side:

    • When creating the VPC endpoint in Region 2 (consumer VPC), ensure you've selected the option to enable cross-region endpoint and specified the correct provider region.
  4. DNS Resolution:

    • Verify that private DNS is enabled for your VPC endpoint in Region 2.
    • Ensure that the DNS name you're using for the curl command is correct and matches the one provided by AWS for your endpoint.
  5. Network Path:

    • Double-check that the route tables in your consumer VPC are correctly configured to route traffic to the VPC endpoint.
  6. Endpoint Service Acceptance:

    • Verify that the endpoint connection has been accepted on the provider side. Sometimes, endpoint services require manual acceptance of new connections.

If you've confirmed all these steps and are still experiencing issues, you may want to:

  • Check CloudWatch Logs for any error messages related to your VPC endpoint or endpoint service.
  • Verify that the Network Load Balancer associated with your endpoint service in Region 1 is healthy and has targets in service.
  • Ensure that your service in Region 1 is actually listening and responding on the port you're trying to access.

Remember, cross-region connectivity is only supported for Network Load Balancer (NLB) based services and does not currently support AWS or Marketplace services with user-friendly DNS names.

If the issue persists after verifying these points, you may need to contact AWS support for further assistance, as there could be account-specific or service-level issues that are not immediately apparent.
Sources
Introducing Cross-Region Connectivity for AWS PrivateLink | Networking & Content Delivery
Share your services through AWS PrivateLink - Amazon Virtual Private Cloud

answered a year ago
EXPERT
reviewed a year ago
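As an added example (not code from this thread, from AWS, or from the blog), here is a small Python script that checks a cross-region PrivateLink setup against the answer's checklist. It works on records shaped like the output of `aws ec2 describe-vpc-endpoint-service-configurations`, `describe-vpc-endpoints` and `describe-vpc-endpoint-connections`; those field names, the `ec2:CreateVpcEndpoint` action in the policy, and the two region names are my assumptions, and the sample records are constructed, not real account data.

```python
# Added example, not from the thread: check a cross-region PrivateLink setup
# against the answer's checklist. Record field names (SupportedRegions,
# ServiceRegion, VpcEndpointState, PrivateDnsEnabled) are assumed from the API.

# Policy for the consumer-side principal that calls CreateVpcEndpoint. It grants
# the permission-only action named in the answer; the ec2 action is my assumption.
CONSUMER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:CreateVpcEndpoint", "vpce:AllowMultiRegion"]}],
}

def policy_allows(policy, action):
    """Minimal IAM-style evaluation: an explicit Deny wins over any Allow."""
    def matches(pattern):
        return (pattern == "*" or pattern == action or
                (pattern.endswith("*") and action.startswith(pattern[:-1])))
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(matches(p) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def cross_region_findings(service_cfg, endpoint, connection, provider_region, consumer_region):
    """Return the checklist items from the answer that this setup fails."""
    findings = []
    supported = {r["Region"] for r in service_cfg.get("SupportedRegions", [])}
    if consumer_region not in supported:
        findings.append(f"provider service does not list {consumer_region} in SupportedRegions")
    if endpoint.get("ServiceRegion") != provider_region:
        findings.append("consumer endpoint ServiceRegion does not match the provider region")
    if service_cfg.get("AcceptanceRequired") and connection.get("VpcEndpointState") != "available":
        findings.append(f"connection is {connection.get('VpcEndpointState')}; accept it on the provider side")
    if not endpoint.get("PrivateDnsEnabled"):
        findings.append("private DNS is disabled on the consumer endpoint")
    return findings

# Constructed records mirroring the asker's situation: provider in Region 1
# (us-east-1 assumed), consumer in Region 2 (eu-west-1 assumed).
SAMPLE_SERVICE = {"ServiceId": "vpce-svc-EXAMPLE", "AcceptanceRequired": True,
                  "SupportedRegions": [{"Region": "us-east-1", "ServiceState": "Available"}]}
SAMPLE_ENDPOINT = {"VpcEndpointId": "vpce-EXAMPLE", "ServiceRegion": "us-east-1",
                   "State": "pendingAcceptance", "PrivateDnsEnabled": False}
SAMPLE_CONNECTION = {"VpcEndpointId": "vpce-EXAMPLE", "VpcEndpointState": "pendingAcceptance"}

if __name__ == "__main__":
    print(cross_region_findings(SAMPLE_SERVICE, SAMPLE_ENDPOINT, SAMPLE_CONNECTION, "us-east-1", "eu-west-1"))
```

On the constructed sample it reports three findings (consumer region not enabled on the service, connection still pending acceptance, private DNS off), which is the same list the answer tells the asker to walk through.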
  • "IAM Permissions: An IAM administrator needs to create and attach IAM policies that allow the vpce:AllowMultiRegion permission-only action. This grants the necessary permissions for cross-region access."

    So what you mean is I create an IAM policy and attach it to the IAM user that I am currently logged in to? That's it?
