
Create an opensearch VPC endpoint in another region

0

I have an opensearch AWS account, and in it I created a domain in the eu-west-1 region. I have a test AWS account. I added it as an authorized principal to the opensearch domain. In the test AWS account I created a VPC in the same region (eu-west-1) and I was then able to create an opensearch endpoint in the test VPC. I then created a production AWS account. Again I added this account as an authorized principal to the opensearch domain. In the production AWS account I created a VPC in a different region (eu-west-3). I was unable to create an opensearch endpoint in the production VPC. It did not explicitly tell me that there was an issue due to the regions being different. The error message that I received was:

"Either the domain doesn't exist, it doesn't support creation of VPC endpoints, or you don't have permission to create a VPC endpoint for the domain"

As far as I can tell, none of these three statements are true. The domain does exist, it does support the creation of VPC endpoints, and I should have permission to create a VPC endpoint for the domain since I have added the account to the authorized principals list.

Has anybody been able to create a cross-region, cross-account opensearch VPC endpoint? What am I missing?

2 Answers
2
Accepted Answer

Hello,

VPC endpoints can only connect to domains within the same AWS Region.

Reference:

https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc-interface-endpoints.html

EXPERT
answered a year ago
EXPERT
reviewed a year ago
AWS
EXPERT
reviewed a year ago
1

The other reply is correct, but adding to that, all VPC endpoints are regional, because a VPC itself is a regional construct. Being able to create VPC endpoints only in the home region of the resource isn't specific to OpenSearch. Similarly, a VPC endpoint for S3, for example, can only reach S3 buckets in the region of the VPC endpoint.

EXPERT
answered a year ago
AWS
EXPERT
reviewed a year ago
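
Because the error quoted in the question does not mention regions, a pre-flight check can name the actual cause before the endpoint request is made. The following is an added example, not part of either answer: the `preflight` function, the account IDs and the domain name are constructed for illustration, and the list of authorized accounts is assumed to be supplied by the caller from what the domain owner has configured.

```python
import re

# Domain ARN layout: arn:<partition>:es:<region>:<account-id>:domain/<name>
_DOMAIN_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):es:([a-z0-9-]+):(\d{12}):domain/([a-z][a-z0-9-]+)$"
)


def preflight(domain_arn, vpc_region, caller_account, authorized_accounts):
    """Return (code, message) pairs for every reason the request would be refused.

    An empty list means neither the region rule nor the principal check
    explains a failure.
    """
    match = _DOMAIN_ARN.match(domain_arn)
    if match is None:
        return [("BAD_ARN", "not an OpenSearch Service domain ARN")]
    _partition, domain_region, owner_account, _name = match.groups()

    problems = []
    # VPC endpoints are regional: the VPC and the domain must share a region.
    if vpc_region != domain_region:
        problems.append((
            "REGION_MISMATCH",
            f"domain is in {domain_region}, VPC is in {vpc_region}",
        ))
    # Cross-account callers must be on the domain's authorized principals list.
    if caller_account != owner_account and caller_account not in authorized_accounts:
        problems.append((
            "NOT_AUTHORIZED",
            f"account {caller_account} is not an authorized principal",
        ))
    return problems


# Constructed sample values mirroring the scenario in the question.
DOMAIN = "arn:aws:es:eu-west-1:111111111111:domain/example-domain"
TEST_ACCOUNT = "222222222222"
PROD_ACCOUNT = "333333333333"
AUTHORIZED = {TEST_ACCOUNT, PROD_ACCOUNT}

if __name__ == "__main__":
    for account, region in ((TEST_ACCOUNT, "eu-west-1"), (PROD_ACCOUNT, "eu-west-3")):
        print(account, region, preflight(DOMAIN, region, account, AUTHORIZED) or "ok")
```
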
