How can I set up my VPC endpoint service to use a custom private DNS name?
Last updated: 2020-08-27
I'm a service provider. I created a VPC endpoint service (AWS PrivateLink) in my Amazon Virtual Private Cloud (Amazon VPC). How can I confirm that consumers of my service can access my VPC endpoint using a custom private DNS name?
Service providers can specify a private DNS name for a new or existing endpoint service. To use a private DNS name, enable the feature, and then specify a private DNS name. Before your service consumers can use the private DNS name, you must verify that you control the domain or subdomain. You can initiate domain ownership verification using the Amazon VPC console or API. After the domain ownership verification is complete, consumers can access the endpoint using the private DNS name.
Complete the service provider configuration
1. Create a VPC endpoint service, if you don't already have one. Be sure to enable "Private DNS Name" and provide the private DNS name when creating your VPC endpoint service. If you already created the service but didn't specify a private DNS name, you can modify an existing endpoint service to add the private DNS name.
2. As a service provider, you must create DNS records in the public domain used for the private DNS validation. You can register a domain using Amazon Route 53.
3. View the endpoint service private DNS name configuration details. Note the "Domain verification value" and "Domain verification name" that you need in order to create the DNS record.
4. Add the provided TXT record to the DNS service for your domain. If you're using Route 53 as a DNS provider, see Creating records by using the Amazon Route 53 console.
5. Verify the private DNS name to confirm that you (the service provider) own the domain name. For verification steps, see VPC endpoint service private DNS name verification and Manually initiating the endpoint service private DNS name domain verification.
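As an added example (not from this article or from AWS), the following Python pre-check reads the private DNS name configuration from `aws ec2 describe-vpc-endpoint-service-configurations` output and confirms that the TXT record named after the domain verification name is actually published with the domain verification value before you initiate verification, so a failed verification can be traced to the DNS record rather than to the service configuration. The service ID, verification name and value are constructed placeholders, and the public domain being verified is assumed to be supplied by the caller.

```python
"""Pre-check for PrivateLink private DNS name verification (added example).

Parses PrivateDnsNameConfiguration from `aws ec2
describe-vpc-endpoint-service-configurations` output and confirms the expected
TXT record is visible in public DNS before you start domain verification.
Field names follow the EC2 API; all sample values here are constructed.
"""
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample of one service configuration (not real identifiers).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "ServiceConfigurations": [{
        "ServiceId": "vpce-svc-0123456789abcdef0",
        "PrivateDnsName": "api.example.com",
        "PrivateDnsNameConfiguration": {
            "State": "pendingVerification",
            "Type": "TXT",
            "Value": "vpce:EXAMPLEverificationVALUE",
            "Name": "_exampleverificationname",
        },
    }]
})


def expected_txt_record(describe_json: str, public_domain: str) -> Tuple[str, str]:
    """Return (record_fqdn, record_value) the provider must publish.

    public_domain is the domain or subdomain you control and are verifying
    (assumption: supplied by the caller, e.g. "example.com").
    """
    dns_cfg = json.loads(describe_json)["ServiceConfigurations"][0][
        "PrivateDnsNameConfiguration"]
    if dns_cfg["Type"] != "TXT":
        raise ValueError(f"unexpected record type {dns_cfg['Type']}")
    return f"{dns_cfg['Name']}.{public_domain.rstrip('.')}", dns_cfg["Value"]


def txt_record_matches(observed: List[str], expected_value: str) -> bool:
    """True if any published TXT string equals the verification value.
    Resolvers often wrap TXT data in double quotes; strip them first."""
    return any(v.strip('"') == expected_value for v in observed)


def precheck(describe_json: str, public_domain: str,
             lookup_txt: Callable[[str], List[str]]) -> Dict[str, object]:
    """Run the check with an injected TXT lookup (dnspython, dig, etc.)."""
    fqdn, value = expected_txt_record(describe_json, public_domain)
    published = txt_record_matches(lookup_txt(fqdn), value)
    return {"record": fqdn, "value": value, "published": published}
```

Pass a real resolver function (for example one built on dnspython's `dns.resolver.resolve(fqdn, "TXT")`) as `lookup_txt`, and only start verification once `published` is true.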
Complete the service consumer configuration
1. Set "enableDnsHostnames" and "enableDnsSupport" to "true" for the VPC where you plan to configure the VPC interface endpoints. For more information, see Viewing and updating DNS support for your VPC.
2. Create the VPC interface endpoints in the VPC of your service consumer account using the service name provided by the service provider. You can't enable private DNS names until the endpoint connection request is accepted by the service provider.
   Note: If your service provider doesn't require acceptance of connection requests, you can enable private DNS names now and skip the following steps.
3. Contact the service provider to request their acceptance of the connection request. See Accepting and rejecting interface endpoint connection requests.
   Note: After an interface endpoint is accepted, it is in the "Available" state. You can verify the endpoint's acceptance by checking the "Status" of the VPC interface endpoint in your service consumer account.
4. Modify the private DNS names for the VPC interface endpoint you created in step 2, and then select "Enable for this endpoint".