How do I enable end-to-end HTTPS connectivity with AWS PrivateLink?

Last updated: 2019-08-20

I need end-to-end HTTPS connectivity between clients in a consumer VPC to applications running behind the Network Load Balancer in a service provider VPC. How can I do this using AWS PrivateLink?


  1. Create a self-signed X509 certificate for your application with OpenSSL. Then, and install it on the target Amazon Elastic Compute Cloud (Amazon EC2) instances.
    Important: Verify that the Common Name that you specify in your certificate signing request (CSR) is the fully qualified domain name for your website. If this entry doesn't match the domain name that users see when they visit your site (for example,, you might receive certificate errors.
  2. Request a certificate for your domain name using AWS Certificate Manager (ACM).
    Note: To prevent certificate mismatch issues, it's a best practice to provision a wildcard certificate for your domain. See Wildcard Names under ACM Certificate Characteristics for more information.
  3. Create a TLS listener for your Network Load Balancer. During configuration, choose From ACM for Default SSL certificate. Then, select the SSL certificate that you created in step 2.
  4. Create an interface endpoint for the service that you're connecting to using AWS PrivateLink.
  5. Create a private hosted zone for your domain in Amazon Route 53.
  6. Associate the private hosted zone that you created in step 5 with the VPC that has the interface endpoint that you created in step 4.
  7. Route traffic to the interface endpoint using the domain name. During configuration, create an Alias record set in the private hosted zone that you created in Step 5. For Alias Target, choose the DNS name of the interface endpoint that you're routing traffic to.
  8. Use the new record set to access the service endpoint. Be sure that the DNS correctly resolves to the private IP addresses of the interface endpoint.

Did this article help you?

Anything we could improve?

Need more help?