How do I set up end-to-end HTTPS connectivity with AWS PrivateLink?

Last updated: 2022-08-24

I need end-to-end HTTPS connectivity between clients in a consumer VPC to applications running behind the Network Load Balancer in a service provider VPC. How can I do this using AWS PrivateLink?


  1. Create a self-signed X509 certificate for your application with OpenSSL. Then, install it on the required Amazon Elastic Compute Cloud (Amazon EC2) instances.
    Note: This certificate is used only between the Elastic Load Balancer and target EC2 instances. It's a best practice to use a trusted Certificate Authority to sign a certificate. It's a best practice to use self-signed certificates only in a test environment or for encryption between an Elastic Load Balancer and Amazon EC2 targets. The load balancer does not validate these certificates. Traffic between the ELB and the targets is authenticated at the packet level.
  2. Create a TLS target group for your Network Load Balancer. Then, register the EC2 instances as targets. The load balancer automatically uses the self-signed certificate installed on the targets to encrypt the backend traffic.
  3. Request a public certificate for your domain name using AWS Certificate Manager (ACM). This certificate is used between the load balancer and clients.
    Important: Verify that the domain name that you specify matches the domain name of your website. If this entry doesn't match the domain name that users see when they visit your site (for example,, they might receive a certificate error.
  4. Create a TLS listener for your Network Load Balancer. During the configuration, select the SSL certificate that you created in step 3.
  5. Create an Amazon VPC interface endpoint for the endpoint service connected to the Network Load Balancer.
  6. Configure Amazon Route 53 to route traffic to the Amazon VPC interface endpoint. Use the domain name specified in step 3 for the record name.

Did this article help?

 Do you need billing or technical support?