How DNS name of VPC endpoint resolves to Private IP outside VPC

asked a year ago, 620 views
2 Answers
2

They are resolvable because private endpoints are in Public Zones. They do return private IPs, but you will be unable to connect to them unless you have some form of VPN. To prevent this, you have to disable private DNS on the endpoint and create your own Private Route 53 zone and alias in each apex.

EXPERT
answered a year ago
AWS
EXPERT
reviewed a year ago
1

The default DNS names of VPC endpoints always resolve to their real IP addresses, which are generally private. Only specific services with both public and private IPs, such as publicly accessible RDS databases, or standard AWS service endpoints (like ec2.[region].amazonaws.com) resolve to the private IPs of an endpoint inside a VPC that hosts such an endpoint and to the public IP of the public endpoint for the service when queried from outside an endpoint-equipped VPC.

EXPERT
answered a year ago
EXPERT
reviewed a year ago
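The two answers above describe the same observable behaviour: a VPC endpoint's default DNS name is published in a public zone and hands back RFC 1918 addresses to anyone who queries it, while a standard service name such as ec2.[region].amazonaws.com answers with a private address only from inside a VPC that has an endpoint for that service. The script below is an added example, not code from either answerer or from AWS: it resolves a hostname with the local resolver and classifies every returned address as private or public, so you can run it from inside and outside a VPC to see which side of that split-horizon behaviour you are on, and spot endpoint names that expose private addressing to the public internet. The hostnames and addresses in `SAMPLE_ANSWERS` are constructed placeholders (the endpoint id is made up), and the function names are this example's own.

```python
import ipaddress
import socket

# Constructed sample: a hypothetical interface endpoint name and a standard
# service name, with the answers a resolver might return for each. The
# endpoint id and the addresses are placeholders, not real AWS resources.
SAMPLE_ANSWERS = {
    "vpce-0123456789abcdef0-abcd1234.sqs.us-east-1.vpce.amazonaws.com":
        ["10.0.1.25", "10.0.2.41"],          # endpoint ENIs in private subnets
    "ec2.us-east-1.amazonaws.com":
        ["52.46.128.10"],                    # public service endpoint
}


def classify_addresses(hostname, addresses):
    """Split resolved addresses into private (RFC 1918 / ULA) and public.

    Returns a dict with the lists and a flag that is True when the name
    resolves to at least one private address from wherever this runs.
    """
    private, public = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (private if ip.is_private else public).append(str(ip))
    return {
        "hostname": hostname,
        "private": private,
        "public": public,
        "leaks_private_ip": bool(private),
    }


def resolve(hostname):
    """Query the system resolver and return de-duplicated, sorted IPs."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def check(hostname, addresses=None):
    """Resolve `hostname` (unless answers are supplied) and classify them.

    Passing `addresses` lets the classification run offline on captured
    resolver output, which is what the sample data below does.
    """
    if addresses is None:
        addresses = resolve(hostname)
    return classify_addresses(hostname, addresses)


if __name__ == "__main__":
    # Offline run over the constructed sample; replace with live lookups
    # (check(name) with no second argument) from inside and outside the VPC.
    for name, answers in SAMPLE_ANSWERS.items():
        result = check(name, answers)
        status = "PRIVATE ADDRESS VISIBLE" if result["leaks_private_ip"] else "public only"
        print(f"{name}: {status} {result['private'] or result['public']}")
```

Run it once from a host inside the VPC and once from outside: if an endpoint name reports a private address from the outside, the first answer's mitigation applies (turn off private DNS on the endpoint and serve the name from a private hosted zone instead), and the same check makes a cheap regression test after that change.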
