How do I configure cross-Region Amazon VPC interface endpoints to access AWS PrivateLink resources?


I want to configure cross-Region Amazon Virtual Private Cloud (Amazon VPC) endpoints to access AWS PrivateLink resources.

Resolution

To configure cross-Region Amazon VPC interface endpoints to access resources, complete one of the following methods:

  • Use Amazon VPC interface endpoints to access a service that runs in another Region.
  • Use Amazon Route 53 to resolve the service endpoint DNS name from a peered VPC.

Use Amazon VPC interface endpoints to access a service that runs in another Region

  1. From the consumer Amazon VPC, create an interface endpoint for the required service in a private subnet.
  2. Create a security group ingress rule that allows traffic from the remote consumer Amazon VPC CIDR.
  3. Create an inter-Region Amazon VPC peering connection between the consumer Amazon VPC and the source VPC. Make sure that the interface endpoint is configured in the same Region as the endpoint service.
    Note: An endpoint service is available in the Region where you created it.
  4. Use the Amazon VPC peering connection to configure the subnet route tables to route traffic to the remote consumer Amazon VPC in the other Region.

For more information, see How can I create a VPC peering connection between two VPCs?

Use Amazon Route 53 to resolve a service endpoint DNS name from a peered Amazon VPC

To resolve a service endpoint DNS name to private IP addresses from a peered Amazon VPC, create a Private Hosted Zone in Amazon Route 53:

  1. Create an interface endpoint for the service. Make sure that PrivateDNS is turned off.
  2. Use the service domain name to create a Private Hosted Zone. Make sure that you use the account in which the preceding interface endpoint was created.
  3. Confirm that the DNS hostnames and DNS resolution are turned on for both Amazon VPCs in the peering connection.
  4. Create an Alias record that points the service domain name to the Regional DNS name of the interface endpoint.
  5. Associate the source Amazon VPC with the Private Hosted Zone. If the Amazon VPC is cross-account, then see How do I associate a Route 53 private hosted zone with a VPC on a different AWS account?
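As an added example (not AWS's own code), the Python below picks the Regional DNS entry of an interface endpoint out of describe-vpc-endpoints output and builds the Route 53 ChangeBatch for the Alias record in step 4; the endpoint ID, name hash and hosted zone ID are constructed placeholders, and the helper refuses an endpoint that still has PrivateDNS turned on (step 1).

```python
import re

# Constructed sample shaped like one item of `aws ec2 describe-vpc-endpoints`
# output; the endpoint id, name hash and hosted zone id are placeholders.
SAMPLE_ENDPOINT = {
    "VpcEndpointId": "vpce-0123456789abcdef0",
    "ServiceName": "com.amazonaws.us-east-1.sqs",
    "PrivateDnsEnabled": False,
    "DnsEntries": [
        {"DnsName": "vpce-0123456789abcdef0-abcd1234.sqs.us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "ZPLACEHOLDER0001"},
        {"DnsName": "vpce-0123456789abcdef0-abcd1234-us-east-1a.sqs.us-east-1.vpce.amazonaws.com",
         "HostedZoneId": "ZPLACEHOLDER0001"},
    ],
}

# Zonal DNS names carry an Availability Zone label such as "-us-east-1a"
# before the service labels; the Regional name does not.
_ZONAL_LABEL = re.compile(r"-[a-z]{2}(-gov)?-[a-z]+-\d+[a-z]\.")


def regional_dns_entry(endpoint):
    """Return the Regional (non-zonal) DnsEntry of an interface endpoint."""
    if endpoint.get("PrivateDnsEnabled"):
        # Step 1: a private hosted zone for the service name requires
        # private DNS to be turned off on the endpoint itself.
        raise ValueError("turn off PrivateDNS on the endpoint first")
    for entry in endpoint["DnsEntries"]:
        if not _ZONAL_LABEL.search(entry["DnsName"]):
            return entry
    raise ValueError("no Regional DNS entry found")


def alias_change_batch(service_domain, endpoint):
    """Step 4: ChangeBatch for change-resource-record-sets that aliases the
    service domain name to the endpoint's Regional DNS name."""
    target = regional_dns_entry(endpoint)
    return {
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": service_domain,
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": target["HostedZoneId"],
                    "DNSName": target["DnsName"],
                    "EvaluateTargetHealth": False,
                },
            },
        }],
    }
```

Pass the returned dict as the ChangeBatch to change-resource-record-sets against the Private Hosted Zone from step 2.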

Related information

Why can't I resolve service domain names for an interface VPC endpoint?

Why can't I resolve domain names over my VPC peering connection?

AWS OFFICIAL
Updated 6 months ago