How can I set up my VPC endpoint service to use a custom private DNS name?


I'm a service provider. I created a virtual private cloud (VPC) endpoint service (AWS PrivateLink) in my Amazon Virtual Private Cloud (Amazon VPC). How can I confirm that consumers of my service can access my VPC endpoint using a custom private Domain Name System (DNS) name?

Short description

Service providers can specify a private DNS name for a new or existing endpoint service. To use one, turn on the private DNS name feature and then specify the name. Before your service consumers can use the private DNS name, you must prove that you control the domain or subdomain; this is what stops a provider from claiming a name it doesn't own. You can initiate domain ownership verification using the Amazon VPC console or API. After the domain ownership verification is complete, consumers can access the endpoint using the private DNS name.


Service provider configuration

  1. Create a VPC endpoint service, if you don't already have one. Be sure to turn on "Private DNS Name" and provide the private DNS name when creating your VPC endpoint service. If you created an endpoint service but didn't specify a private DNS name, you can associate a private DNS name with your endpoint service.
  2. As a service provider, you must create DNS records in the public domain used for the private DNS validation. You can register or add a new domain using Amazon Route 53.
  3. View the endpoint service private DNS name configuration details. Note the "Domain verification value" and "Domain verification name"; you need both to create the DNS record.
  4. Add the provided TXT record to the DNS service for your domain. If you're using Route 53 as a DNS provider, see Creating records by using the Amazon Route 53 console.
  5. Verify the private DNS name to confirm that you (the service provider) own the domain name. For verification steps, see Domain ownership verification.
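The five provider steps above as AWS CLI calls, added here as an example and not taken from the AWS article. The NLB ARN, domain and Route 53 hosted zone ID are placeholders you replace with your own; the script only contacts AWS when PRIVATELINK_APPLY=1 is set, so the two helpers (the Route 53 change batch for the TXT record, and the mapping of the verification state to an exit code) can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the AWS article: service-provider side of a
# custom private DNS name on a PrivateLink endpoint service, using the AWS CLI.
# NLB_ARN, PRIVATE_DNS_NAME and HOSTED_ZONE_ID below are placeholders.
# AWS is only contacted when PRIVATELINK_APPLY=1; the helpers run offline.
set -eu

NLB_ARN="${NLB_ARN:-arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/example-nlb/0123456789abcdef}"
PRIVATE_DNS_NAME="${PRIVATE_DNS_NAME:-api.example.com}"   # placeholder: a domain you control
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-Z0123456789EXAMPLE}"   # placeholder: its public hosted zone

# Route 53 change batch for the ownership-proving TXT record (step 4).
# Route 53 requires the TXT value itself to be double-quoted inside the JSON.
# $1 = "Domain verification name", $2 = "Domain verification value"
txt_change_batch() {
    printf '{"Comment":"PrivateLink private DNS verification","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":300,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' "$1" "$2"
}

# Map PrivateDnsNameConfiguration.State to an exit code a polling loop can use:
# 0 = verified, 2 = pendingVerification, 1 = failed or anything unexpected.
verification_status() {
    case "$1" in
        verified)            return 0 ;;
        pendingVerification) return 2 ;;
        *)                   return 1 ;;
    esac
}

provider_flow() {
    # Steps 1-2: create the service with the private DNS name already set.
    # For an existing service use instead:
    #   aws ec2 modify-vpc-endpoint-service-configuration \
    #       --service-id "$service_id" --private-dns-name "$PRIVATE_DNS_NAME"
    service_id=$(aws ec2 create-vpc-endpoint-service-configuration \
        --network-load-balancer-arns "$NLB_ARN" \
        --acceptance-required \
        --private-dns-name "$PRIVATE_DNS_NAME" \
        --query 'ServiceConfiguration.ServiceId' --output text)
    echo "endpoint service: $service_id"

    # Step 3: read the verification name and value AWS expects in public DNS.
    set -- $(aws ec2 describe-vpc-endpoint-service-configurations \
        --service-ids "$service_id" \
        --query 'ServiceConfigurations[0].PrivateDnsNameConfiguration.[Name,Value]' \
        --output text)
    v_name=$1; v_value=$2
    echo "TXT record to publish: $v_name -> $v_value"

    # Step 4: publish the TXT record and wait until Route 53 has propagated it.
    change_id=$(aws route53 change-resource-record-sets \
        --hosted-zone-id "$HOSTED_ZONE_ID" \
        --change-batch "$(txt_change_batch "$v_name" "$v_value")" \
        --query 'ChangeInfo.Id' --output text)
    aws route53 wait resource-record-sets-changed --id "$change_id"

    # Step 5: start ownership verification and poll until it leaves "pending".
    aws ec2 start-vpc-endpoint-service-private-dns-verification --service-id "$service_id"
    rc=1
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        state=$(aws ec2 describe-vpc-endpoint-service-configurations \
            --service-ids "$service_id" \
            --query 'ServiceConfigurations[0].PrivateDnsNameConfiguration.State' \
            --output text)
        rc=0; verification_status "$state" || rc=$?
        [ "$rc" -eq 2 ] || break
        sleep 30
    done
    echo "private DNS verification state: $state"
    [ "$rc" -eq 0 ]   # non-zero exit if verification failed or is still pending
}

if [ "${PRIVATELINK_APPLY:-0}" = 1 ]; then provider_flow; fi
```

Until the state reported by describe-vpc-endpoint-service-configurations is "verified", consumers cannot turn private DNS on for their endpoints, so the final exit code of provider_flow is the signal to hand the service name to consumers.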

Service consumer configuration

  1. Set "enableDnsHostnames" and "enableDnsSupport" to "true" for the VPC where you plan to configure the VPC interface endpoints. For more information, see View and update DNS attributes for your VPC.
  2. Create the VPC interface endpoints in the VPC of your service consumer account using the service name provided by the service provider. You can't turn on private DNS names until the endpoint connection request is accepted by the service provider.
    Note: If your service provider doesn't require acceptance of connection requests, you can turn on private DNS names immediately and skip the following steps.
  3. Contact the service provider to request their acceptance of the connection request. See Accept or reject connection requests.
    Note: After an interface endpoint is accepted, it is in the "Available" state. You can verify the endpoint's acceptance by referring to the "Status" of the VPC interface endpoint in your service consumer account.
  4. Modify the private DNS names for the VPC interface endpoint that you created in step 2, and then select "Enable for this endpoint".
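The four consumer steps above as AWS CLI calls, added here as an example and not taken from the AWS article. The VPC, subnet, security group, region and service ID values are placeholders; the service name is built from the region and the vpce-svc ID the provider hands out. The script only contacts AWS when PRIVATELINK_APPLY=1 is set, so the helpers (service-name construction and the "may I enable private DNS yet?" decision from the notes under steps 2 and 3) can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the AWS article: service-consumer side of a
# PrivateLink endpoint with a provider's private DNS name, using the AWS CLI.
# All IDs below are placeholders. AWS is only contacted when PRIVATELINK_APPLY=1.
set -eu

CONSUMER_VPC_ID="${CONSUMER_VPC_ID:-vpc-0123456789abcdef0}"                   # placeholder
SUBNET_IDS="${SUBNET_IDS:-subnet-0123456789abcdef0 subnet-0fedcba9876543210}"  # placeholder, one per AZ
SG_ID="${SG_ID:-sg-0123456789abcdef0}"                                         # placeholder
REGION="${REGION:-us-east-1}"
SERVICE_ID="${SERVICE_ID:-vpce-svc-0123456789abcdef0}"                         # placeholder, from the provider

# The service name a provider hands out is derived from the region and service ID.
endpoint_service_name() {   # $1 = region, $2 = vpce-svc ID
    printf 'com.amazonaws.vpce.%s.%s' "$1" "$2"
}

# Private DNS can be switched on straight away when the provider does not
# require acceptance (note under step 2); otherwise only once the endpoint has
# left "pendingAcceptance" and is "available" (note under step 3).
# $1 = AcceptanceRequired ("true"/"false"), $2 = endpoint State
private_dns_ready() {
    if [ "$1" = "false" ]; then return 0; fi
    [ "$2" = "available" ]
}

consumer_flow() {
    service_name=$(endpoint_service_name "$REGION" "$SERVICE_ID")

    # Step 1: both VPC DNS attributes must be true; each needs its own call.
    aws ec2 modify-vpc-attribute --vpc-id "$CONSUMER_VPC_ID" --enable-dns-support '{"Value":true}'
    aws ec2 modify-vpc-attribute --vpc-id "$CONSUMER_VPC_ID" --enable-dns-hostnames '{"Value":true}'

    # Does the provider gate connections, and has it verified its private DNS name?
    set -- $(aws ec2 describe-vpc-endpoint-services --service-names "$service_name" \
        --query 'ServiceDetails[0].[AcceptanceRequired,PrivateDnsNameVerificationState]' \
        --output text)
    acceptance_required=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # text output prints True/False
    echo "acceptance required: $acceptance_required; provider DNS verification: $2"

    # Step 2: create the interface endpoint (private DNS still off at this point).
    endpoint_id=$(aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface \
        --vpc-id "$CONSUMER_VPC_ID" --service-name "$service_name" \
        --subnet-ids $SUBNET_IDS --security-group-ids "$SG_ID" \
        --query 'VpcEndpoint.VpcEndpointId' --output text)

    # Step 3: wait for the provider to accept; the endpoint State becomes "available".
    state=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$endpoint_id" \
        --query 'VpcEndpoints[0].State' --output text)
    while ! private_dns_ready "$acceptance_required" "$state"; do
        echo "endpoint $endpoint_id is $state; waiting for provider acceptance"
        sleep 30
        state=$(aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$endpoint_id" \
            --query 'VpcEndpoints[0].State' --output text)
    done

    # Step 4: enable the private DNS name on this endpoint.
    aws ec2 modify-vpc-endpoint --vpc-endpoint-id "$endpoint_id" --private-dns-enabled
    # From an instance inside the consumer VPC the provider's name should now
    # resolve to the endpoint's private IPs, e.g.: dig +short api.example.com
}

if [ "${PRIVATELINK_APPLY:-0}" = 1 ]; then consumer_flow; fi
```

The resolution check at the end is the consumer-side answer to the question at the top of the page: if the private DNS name resolves to the interface endpoint's private addresses from inside the consumer VPC, traffic to that name stays on PrivateLink rather than leaving for the public endpoint.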

Related information

Share your services through AWS PrivateLink

Manage DNS names for VPC endpoint services

AWS OFFICIAL. Updated 2 years ago.