# Share your services through AWS PrivateLink
<a name="privatelink-share-your-services"></a>

You can host your own AWS PrivateLink powered service, known as an *endpoint service*, and share it with other AWS customers.

**Topics**
+ [Overview](#endpoint-service-overview)
+ [DNS hostnames](#endpoint-service-dns-hostnames)
+ [Private DNS](#endpoint-service-private-dns)
+ [Subnets and Availability Zones](#endpoint-service-subnets-zones)
+ [Cross-Region access](#endpoint-service-cross-region)
+ [IP address types](#endpoint-service-ip-address-type)
+ [Create an endpoint service](create-endpoint-service.md)
+ [Configure an endpoint service](configure-endpoint-service.md)
+ [Manage DNS names](manage-dns-names.md)
+ [Receive alerts for endpoint service events](create-notification-endpoint-service.md)
+ [Delete an endpoint service](delete-endpoint-service.md)

## Overview
<a name="endpoint-service-overview"></a>

The following diagram shows how you share your service that's hosted in AWS with other AWS customers, and how those customers connect to your service. As the service provider, you create a Network Load Balancer in your VPC as the service front end. You then select this load balancer when you create the VPC endpoint service configuration. You grant permission to specific AWS principals so that they can connect to your service. As a service consumer, the customer creates an interface VPC endpoint, which establishes connections between the subnets that they select from their VPC and your endpoint service. The load balancer receives requests from the service consumer and routes them to the targets hosting your service.

![\[Service consumers connect to endpoint services hosted by service providers.\]](http://docs.aws.amazon.com/vpc/latest/privatelink/images/endpoint-services.png)


For low latency and high availability, we recommend that you make your service available in at least two Availability Zones.

## DNS hostnames
<a name="endpoint-service-dns-hostnames"></a>

When a service provider creates a VPC endpoint service, AWS generates an endpoint-specific DNS hostname for the service. These names have the following syntax:

```
endpoint_service_id.region.vpce.amazonaws.com
```

The following is an example of a DNS hostname for a VPC endpoint service in the us-east-2 Region:

```
vpce-svc-071afff70666e61e0.us-east-2.vpce.amazonaws.com
```

When a service consumer creates an interface VPC endpoint, we create Regional and zonal DNS names that the service consumer can use to communicate with the endpoint service. Regional names have the following syntax:

```
endpoint_id.endpoint_service_id.service_region.vpce.amazonaws.com
```

Zonal names have the following syntax:

```
endpoint_id-endpoint_zone.endpoint_service_id.service_region.vpce.amazonaws.com
```
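The naming syntax above is easy to get wrong in application configuration, and a consumer that points at the wrong hostname ends up talking to a different service. The following is an added example, not code from the AWS documentation: it parses endpoint-service and interface-endpoint hostnames according to the syntax shown here, tells Regional names from zonal ones, and checks that a hostname really belongs to the service name a consumer was given (the `com.amazonaws.vpce.region.service_id` form used when creating an endpoint). It tolerates extra dash-separated labels after the endpoint ID, which is an assumption about names seen in practice rather than something this page states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Region and zone patterns, e.g. "us-east-2" and "us-east-2a".
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d+"
_ZONE = _REGION + r"[a-z]"

# Endpoint-service hostname: endpoint_service_id.region.vpce.amazonaws.com
_SERVICE_HOST_RE = re.compile(
    rf"^(?P<service_id>vpce-svc-[0-9a-f]+)\.(?P<region>{_REGION})\.vpce\.amazonaws\.com$"
)
# Interface-endpoint hostname, Regional or zonal. The first label starts with the
# endpoint ID (extra dash-separated labels after it are tolerated, an assumption);
# a zonal name ends that label with the zone. The lazy quantifier lets the zone
# group claim a trailing "-us-east-2a" when one is present.
_ENDPOINT_HOST_RE = re.compile(
    rf"^(?P<endpoint>vpce-[0-9a-f]+(?:-[0-9a-z]+)*?)(?:-(?P<zone>{_ZONE}))?"
    rf"\.(?P<service_id>vpce-svc-[0-9a-f]+)\.(?P<region>{_REGION})\.vpce\.amazonaws\.com$"
)


@dataclass(frozen=True)
class EndpointName:
    endpoint_id: str
    service_id: str
    region: str
    zone: Optional[str]  # None for a Regional name


def service_name(service_id: str, region: str) -> str:
    """The service name a consumer enters when creating an interface endpoint."""
    return f"com.amazonaws.vpce.{region}.{service_id}"


def parse_service_hostname(host: str) -> tuple[str, str]:
    """Split an endpoint-service hostname into (service_id, region)."""
    m = _SERVICE_HOST_RE.match(host.lower().rstrip("."))
    if not m:
        raise ValueError(f"not an endpoint-service hostname: {host}")
    return m["service_id"], m["region"]


def parse_endpoint_hostname(host: str) -> EndpointName:
    """Split a Regional or zonal interface-endpoint hostname into its parts."""
    m = _ENDPOINT_HOST_RE.match(host.lower().rstrip("."))
    if not m:
        raise ValueError(f"not an interface-endpoint hostname: {host}")
    return EndpointName(m["endpoint"], m["service_id"], m["region"], m["zone"])


def hostname_belongs_to(host: str, expected_service_name: str) -> bool:
    """Consumer-side check: does this hostname point at the service we were told
    to connect to (same service ID and service Region)? Guards against a swapped
    or stale hostname in application configuration."""
    try:
        name = parse_endpoint_hostname(host)
    except ValueError:
        return False
    return service_name(name.service_id, name.region) == expected_service_name
```

Run the check at startup, before the first connection, and fail closed: a hostname that parses but names another service ID or Region is a configuration error, not something to retry.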

## Private DNS
<a name="endpoint-service-private-dns"></a>

A service provider can also associate a private DNS name with their endpoint service, so that service consumers can continue to access the service using its existing DNS name. If a service provider associates a private DNS name with their endpoint service, then service consumers can enable private DNS names for their interface endpoints. If a service provider doesn't enable private DNS, then service consumers might need to update their applications to use the endpoint-specific DNS name that AWS generates for their interface endpoint. For more information, see [Manage DNS names](manage-dns-names.md).

## Subnets and Availability Zones
<a name="endpoint-service-subnets-zones"></a>

Your endpoint service is available in the Availability Zones that you enable for your Network Load Balancer. For high availability and resiliency, we recommend that you enable your load balancer in at least two Availability Zones, deploy EC2 instances in each enabled zone, and register these instances with your load balancer target group.

You can enable cross-zone load balancing as an alternative to hosting targets in every Availability Zone in which your endpoint service is available. However, if your targets are in a single zone and that zone fails, consumers lose access to the endpoint service from every zone, not only the failed one. Also consider that when you enable cross-zone load balancing for a Network Load Balancer, EC2 data transfer charges apply.

The consumer can create interface VPC endpoints in the Availability Zones in which your endpoint service is available. We create an endpoint network interface in each subnet that the consumer configures for the VPC endpoint. We assign IP addresses to each endpoint network interface from its subnet, based on the IP address type of the VPC endpoint. When a request uses the regional endpoint for the VPC endpoint service, we select a healthy endpoint network interface, using the round robin algorithm to alternate between the network interfaces in different Availability Zones. We then resolve the traffic to the IP address of the selected endpoint network interface.

The consumer can use the zonal endpoints for the VPC endpoint if it's better for their use case to keep traffic in the same Availability Zone.

## Cross-Region access
<a name="endpoint-service-cross-region"></a>

A service provider can host a service in one Region and make it available in a set of supported Regions. A service consumer selects a service Region when creating an endpoint.

**Permissions**
+ By default, IAM entities don't have permission to make an endpoint service available in multiple Regions or access an endpoint service across Regions. To grant the permissions required for cross-Region access, an IAM administrator can create IAM policies that allow the `vpce:AllowMultiRegion` permission-only action.
+ To control the Regions that an IAM entity can specify as a supported Region when creating an endpoint service, use the `ec2:VpceSupportedRegion` condition key.
+ To control the Regions that an IAM entity can specify as a service Region when creating a VPC endpoint, use the `ec2:VpceServiceRegion` condition key.

**Considerations**
+ A service provider must opt in to an opt-in Region before adding it as a supported Region for an endpoint service.
+ Your endpoint service must be accessible from its host Region. You can't remove the host Region from the set of supported Regions. For redundancy, you can deploy your endpoint service in multiple Regions and enable cross-Region access for each endpoint service.
+ A service consumer must opt in to an opt-in Region before selecting it as the service Region for an endpoint. Whenever possible, we recommend that service consumers access a service using intra-Region connectivity instead of cross-Region connectivity. Intra-Region connectivity provides lower latency and lower costs.
+ If a service provider removes a Region from the set of supported Regions, service consumers can't select that Region as the service Region when they create new endpoints. Note that this does not affect access to the endpoint service from existing endpoints that use this Region as the service Region.
+ For high availability, providers must use at least two Availability Zones. Cross-Region access does not require that providers and consumers use the same Availability Zones.
+ Cross-Region access is not supported for the following Availability Zones: `use1-az3`, `usw1-az2`, `apne1-az3`, `apne2-az2`, and `apne2-az4`.
+ With cross-Region access, AWS PrivateLink manages failover between Availability Zones. It does not manage failover across Regions.
+ Cross-Region access is not supported for Network Load Balancers with a custom value configured for the TCP idle timeout.
+ Cross-Region access is not supported with UDP fragmentation.
+ Cross-Region access is only supported for services that you share through AWS PrivateLink.

## IP address types
<a name="endpoint-service-ip-address-type"></a>

Service providers can make their service endpoints available to service consumers over IPv4, IPv6, or both IPv4 and IPv6, even if their backend servers support only IPv4. If you enable dualstack support, existing consumers can continue to use IPv4 to access your service and new consumers can choose to use IPv6 to access your service.

If an interface VPC endpoint supports IPv4, the endpoint network interfaces have IPv4 addresses. If an interface VPC endpoint supports IPv6, the endpoint network interfaces have IPv6 addresses. The IPv6 address for an endpoint network interface is unreachable from the internet. If you describe an endpoint network interface with an IPv6 address, notice that `denyAllIgwTraffic` is enabled.

**Requirements to enable IPv6 for an endpoint service**
+ The VPC and subnets for the endpoint service must have associated IPv6 CIDR blocks.
+ All Network Load Balancers for the endpoint service must use the dualstack IP address type. The targets do not need to support IPv6 traffic. If the service processes source IP addresses from the proxy protocol version 2 header, it must process IPv6 addresses.

**Requirements to enable IPv6 for an interface endpoint**
+ The endpoint service must support IPv6 requests.
+ The IP address type of an interface endpoint must be compatible with the subnets for the interface endpoint, as described here:
  + **IPv4** – Assign IPv4 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have IPv4 address ranges.
  + **IPv6** – Assign IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets are IPv6 only subnets.
  + **Dualstack** – Assign both IPv4 and IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges.

**DNS record IP address type for an interface endpoint**

The DNS record IP address type that an interface endpoint supports determines the DNS records that we create. The DNS record IP address type of an interface endpoint must be compatible with the IP address type of the interface endpoint, as described here:
+ **IPv4** – Create A records for the private, Regional, and zonal DNS names. The IP address type must be **IPv4** or **Dualstack**.
+ **IPv6** – Create AAAA records for the private, Regional, and zonal DNS names. The IP address type must be **IPv6** or **Dualstack**.
+ **Dualstack** – Create A and AAAA records for the private, Regional, and zonal DNS names. The IP address type must be **Dualstack**.

# Create a service powered by AWS PrivateLink
<a name="create-endpoint-service"></a>

You can create your own service powered by AWS PrivateLink, known as an *endpoint service*. You are the service provider, and the AWS principals that create connections to your service are the service consumers.

Endpoint services require either a Network Load Balancer or a Gateway Load Balancer. The load balancer receives requests from service consumers and routes them to your service. In this case, you'll create an endpoint service using a Network Load Balancer. For more information about creating an endpoint service using a Gateway Load Balancer, see [Access virtual appliances](vpce-gateway-load-balancer.md).

**Topics**
+ [Considerations](#considerations-endpoint-services)
+ [Prerequisites](#prerequisites-endpoint-services)
+ [Create an endpoint service](#create-endpoint-service-nlb)
+ [Make your endpoint service available to service consumers](#share-endpoint-service)
+ [Connect to an endpoint service as the service consumer](#connect-to-endpoint-service)

## Considerations
<a name="considerations-endpoint-services"></a>
+ An endpoint service is available in the Region where you created it. Consumers can access your service from other Regions if you enable [cross-Region access](privatelink-share-your-services.md#endpoint-service-cross-region), or if they use VPC peering or a transit gateway.
+ When service consumers retrieve information about an endpoint service, they can see only the Availability Zones that they have in common with the service provider. When the service provider and service consumer are in different accounts, an Availability Zone name, such as `us-east-1a`, might be mapped to a different physical Availability Zone in each AWS account. You can use AZ IDs to consistently identify the Availability Zones for your service. For more information, see [AZ IDs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids) in the *Amazon EC2 User Guide*.
+ When service consumers send traffic to a service through an interface endpoint, the source IP addresses provided to the application are the private IP addresses of the load balancer nodes, not the IP addresses of the service consumers. If you enable proxy protocol on the load balancer, you can obtain the addresses of the service consumers and the IDs of the interface endpoints from the proxy protocol header. For more information, see [Proxy protocol](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol) in the *User Guide for Network Load Balancers*.
+ A Network Load Balancer can be associated with a single endpoint service, but an endpoint service can be associated with multiple Network Load Balancers.
+ If an endpoint service is associated with multiple Network Load Balancers, each endpoint network interface is associated with one load balancer. When the first connection from an endpoint network interface is initiated, we select one of the Network Load Balancers in the same Availability Zone as the endpoint network interface at random. All subsequent connection requests from this endpoint network interface use the selected load balancer. We recommend that you use the same listener and target group configuration for all load balancers for an endpoint service, so that consumers can use the endpoint service successfully no matter which load balancer is chosen.
+ There are quotas on your AWS PrivateLink resources. For more information, see [AWS PrivateLink quotas](vpc-limits-endpoints.md).
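Because zone names such as `us-east-1a` are mapped per account, a consumer who picks subnets by name can end up with no subnet in a zone where the service actually runs. The following is an added example, not code from the AWS documentation: given the AZ IDs a provider published for its service, it maps them to the consumer account's own zone names and picks one consumer subnet per supported zone, leaving out the zones this page lists as unsupported when the endpoint is cross-Region. The `describe-availability-zones` and `describe-subnets` samples are constructed, and the field names `ZoneName`, `ZoneId`, `SubnetId` and `AvailabilityZoneId` are assumed to match the CLI output.

```python
from typing import Iterable

# Availability Zone IDs this page lists as unsupported for cross-Region access.
CROSS_REGION_UNSUPPORTED_AZ_IDS = {"use1-az3", "usw1-az2", "apne1-az3", "apne2-az2", "apne2-az4"}

# Constructed sample: what `aws ec2 describe-availability-zones` returns in the
# consumer account (field names assumed). The letter suffixes are per-account;
# only the ZoneId identifies the physical zone.
CONSUMER_AZS = [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az4"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az6"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az1"},
    {"ZoneName": "us-east-1d", "ZoneId": "use1-az3"},
]
# Constructed sample: consumer subnets as `aws ec2 describe-subnets` lists them.
CONSUMER_SUBNETS = [
    {"SubnetId": "subnet-0a1a1a1a1a1a1a1a1", "AvailabilityZoneId": "use1-az4"},
    {"SubnetId": "subnet-0b2b2b2b2b2b2b2b2", "AvailabilityZoneId": "use1-az4"},
    {"SubnetId": "subnet-0c3c3c3c3c3c3c3c3", "AvailabilityZoneId": "use1-az1"},
    {"SubnetId": "subnet-0d4d4d4d4d4d4d4d4", "AvailabilityZoneId": "use1-az3"},
    {"SubnetId": "subnet-0e5e5e5e5e5e5e5e5", "AvailabilityZoneId": "use1-az6"},
]
# Constructed: AZ IDs the provider published for the service, out of band.
SERVICE_AZ_IDS = {"use1-az1", "use1-az4", "use1-az3"}


def zone_name_map(azs: Iterable[dict]) -> dict[str, str]:
    """ZoneId -> ZoneName as this account sees it."""
    return {az["ZoneId"]: az["ZoneName"] for az in azs}


def choose_endpoint_subnets(service_az_ids: Iterable[str], subnets: Iterable[dict],
                            cross_region: bool = False) -> dict[str, str]:
    """Pick one consumer subnet per zone the service is available in, keyed by
    AZ ID. For a cross-Region endpoint, zones that are not supported for
    cross-Region access are left out."""
    usable = set(service_az_ids)
    if cross_region:
        usable -= CROSS_REGION_UNSUPPORTED_AZ_IDS
    chosen: dict[str, str] = {}
    for subnet in subnets:
        az = subnet["AvailabilityZoneId"]
        if az in usable and az not in chosen:  # first subnet in a zone wins
            chosen[az] = subnet["SubnetId"]
    return chosen


def coverage_warnings(service_az_ids: Iterable[str], chosen: dict[str, str],
                      azs: Iterable[dict]) -> list[str]:
    """Report service zones with no subnet selected, and a single-zone endpoint."""
    names = zone_name_map(azs)
    warnings = []
    for az in sorted(set(service_az_ids) - set(chosen)):
        seen_as = names.get(az)
        where = f" (this account calls it {seen_as})" if seen_as else " (zone not visible in this account)"
        warnings.append(f"{az}: service is available here but no subnet was selected{where}")
    if len(chosen) < 2:
        warnings.append("fewer than two zones selected: no zonal redundancy")
    return warnings
```

Feed the chosen subnet IDs to `create-vpc-endpoint`; a non-empty warning list means the endpoint will be narrower than the service, which is worth a conscious decision rather than a surprise during a zone failure.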

## Prerequisites
<a name="prerequisites-endpoint-services"></a>
+ Create a VPC for your endpoint service with at least one subnet in each Availability Zone in which the service should be available.
+ To enable service consumers to create IPv6 interface VPC endpoints for your endpoint service, the VPC and subnets must have associated IPv6 CIDR blocks.
+ Create a Network Load Balancer in your VPC. Select one subnet per Availability Zone in which the service should be available to service consumers. For low latency and fault tolerance, we recommend that you make your service available in at least two Availability Zones in the Region.
+ If your Network Load Balancer has a security group, it must allow inbound traffic from the IP addresses of the clients. Alternatively, you can turn off evaluation of inbound security group rules for traffic through AWS PrivateLink. For more information, see [Security groups](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html) in the *User Guide for Network Load Balancers*.
+ To enable your endpoint service to accept IPv6 requests, its Network Load Balancers must use the dualstack IP address type. The targets do not need to support IPv6 traffic. For more information, see [IP address type](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#ip-address-type) in the *User Guide for Network Load Balancers*.

  If you process source IP addresses from the proxy protocol version 2 header, verify that you can process IPv6 addresses.
+ Launch instances in each Availability Zone in which the service should be available and register them with a load balancer target group. If you do not launch instances in all enabled Availability Zones, you can enable cross-zone load balancing to support service consumers that use zonal DNS hostnames to access the service. Regional data transfer charges apply when you enable cross-zone load balancing. For more information, see [Cross-zone load balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#cross-zone-load-balancing) in the *User Guide for Network Load Balancers*.
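Proxy protocol version 2 is the only way a PrivateLink backend learns who is really connecting: without it, every connection appears to come from the load balancer nodes. The following is an added example, not code from the AWS documentation or from HAProxy: it parses a proxy protocol v2 header, handles both IPv4 and IPv6 address blocks (the IPv6 case this list warns about), and extracts the interface endpoint ID from the AWS-specific TLV (type `0xEA`, subtype `0x01`, as documented for Network Load Balancers). The builder exists only to construct test input; a real server reads the header from the socket before the first application byte.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# PROXY protocol v2 constants (HAProxy specification). The AWS TLV type and the
# VPC-endpoint-ID subtype are the values documented for Network Load Balancers.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_CMD_PROXY = 0x01
PP2_TYPE_AWS = 0xEA
PP2_SUBTYPE_AWS_VPCE_ID = 0x01


@dataclass(frozen=True)
class ProxyInfo:
    src: Optional[str]        # consumer's private IP, as seen inside its own VPC
    dst: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    vpce_id: Optional[str]    # interface endpoint the connection arrived through
    header_len: int           # application payload starts at buf[header_len:]


def parse_proxy_v2(buf: bytes) -> ProxyInfo:
    """Parse a v2 header at the start of buf; raises ValueError on anything malformed."""
    if len(buf) < 16 or buf[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", buf[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    end = 16 + length
    if len(buf) < end:
        raise ValueError("truncated PROXY header; read more bytes first")
    if ver_cmd & 0x0F != PP2_CMD_PROXY:
        # LOCAL command: no client address is carried; just skip the header.
        return ProxyInfo(None, None, None, None, None, end)
    family = fam_proto >> 4
    if family == 0x1:            # AF_INET: 4-byte addresses
        src, dst, sport, dport = struct.unpack("!4s4sHH", buf[16:28])
        pos = 28
    elif family == 0x2:          # AF_INET6: 16-byte addresses (IPv6 consumers)
        src, dst, sport, dport = struct.unpack("!16s16sHH", buf[16:52])
        pos = 52
    else:
        raise ValueError(f"unsupported address family {family:#x}")
    if pos > end:
        raise ValueError("address block exceeds declared header length")
    vpce_id = None
    while pos + 3 <= end:        # walk the TLVs; unknown types are skipped
        tlv_type, tlv_len = struct.unpack("!BH", buf[pos:pos + 3])
        if pos + 3 + tlv_len > end:
            raise ValueError("malformed TLV")
        value = buf[pos + 3:pos + 3 + tlv_len]
        if tlv_type == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            vpce_id = value[1:].decode("ascii")
        pos += 3 + tlv_len
    return ProxyInfo(str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
                     sport, dport, vpce_id, end)


def build_proxy_v2(src: str, dst: str, src_port: int, dst_port: int,
                   vpce_id: Optional[str] = None) -> bytes:
    """Build a header of the kind an NLB prepends; used here to construct test input."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address families differ")
    fam_proto = 0x11 if s.version == 4 else 0x21   # TCP over IPv4 / TCP over IPv6
    body = s.packed + d.packed + struct.pack("!HH", src_port, dst_port)
    if vpce_id:
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x20 | PP2_CMD_PROXY, fam_proto, len(body)) + body
```

Key the authorization decision on `vpce_id`, not on `src`: consumers are separate VPCs whose address ranges can overlap, so the same private IP can legitimately arrive from two different customers, while the endpoint ID identifies exactly which accepted connection the traffic came through.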

## Create an endpoint service
<a name="create-endpoint-service-nlb"></a>

Use the following procedure to create an endpoint service using a Network Load Balancer.

**To create an endpoint service using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Choose **Create endpoint service**.

1. For **Load balancer type**, choose **Network**.

1. For **Available load balancers**, select the Network Load Balancers to associate with the endpoint service. To see the Availability Zones that are enabled for the load balancer you selected, see **Details of selected load balancers**, **Included Availability Zones**. Your endpoint service will be available in these Availability Zones.

1. (Optional) To make your endpoint service available from Regions other than the Region where it is hosted, select the Regions from **Service Regions**. For more information, see [Cross-Region access](privatelink-share-your-services.md#endpoint-service-cross-region).

1. For **Require acceptance for endpoint**, select **Acceptance required** to require that connection requests to your endpoint service are accepted manually. Otherwise, these requests are accepted automatically.

1. For **Enable private DNS name**, select **Associate a private DNS name with the service** to associate a private DNS name that service consumers can use to access your service, and then enter the private DNS name. Otherwise, service consumers can use the endpoint-specific DNS name provided by AWS. Before service consumers can use the private DNS name, the service provider must verify that they own the domain. For more information, see [Manage DNS names](manage-dns-names.md).

1. For **Supported IP address types**, do one of the following:
   + Select **IPv4** – Enable the endpoint service to accept IPv4 requests.
   + Select **IPv6** – Enable the endpoint service to accept IPv6 requests.
   + Select **IPv4** and **IPv6** – Enable the endpoint service to accept both IPv4 and IPv6 requests.

1. (Optional) To add a tag, choose **Add new tag** and enter the tag key and the tag value.

1. Choose **Create**.

**To create an endpoint service using the command line**
+ [create-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint-service-configuration.html) (AWS CLI)
+ [New-EC2VpcEndpointServiceConfiguration](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpcEndpointServiceConfiguration.html) (Tools for Windows PowerShell)

## Make your endpoint service available to service consumers
<a name="share-endpoint-service"></a>

AWS principals can connect to your endpoint service privately by creating an interface VPC endpoint. Service providers must do the following to make their services available to service consumers.
+ Add permissions that allow each service consumer to connect to your endpoint service. For more information, see [Manage permissions](configure-endpoint-service.md#add-remove-permissions).
+ Provide the service consumer with the name of your service and the supported Availability Zones so that they can create an interface endpoint to connect to your service. For more information, see [Connect to an endpoint service as the service consumer](#connect-to-endpoint-service).
+ Accept the endpoint connection request from the service consumer. For more information, see [Accept or reject connection requests](configure-endpoint-service.md#accept-reject-connection-requests).

## Connect to an endpoint service as the service consumer
<a name="connect-to-endpoint-service"></a>

A service consumer uses the following procedure to create an interface endpoint to connect to your endpoint service.

**To create an interface endpoint using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoints**.

1. Choose **Create endpoint**.

1. For **Type**, choose **Endpoint services that use NLBs and GWLBs**.

1. For **Service name**, enter the name of the service (for example, `com.amazonaws.vpce.us-east-1.vpce-svc-0e123abc123198abc`), and then choose **Verify service**.

1. (Optional) To connect to an endpoint service that is available in a Region other than the endpoint Region, select **Service Region**, **Enable Cross Region endpoint**, and then select the Region. For more information, see [Cross-Region access](privatelink-share-your-services.md#endpoint-service-cross-region).

1. For **VPC**, select the VPC from which you'll access the endpoint service.

1. For **Subnets**, select the subnets in which to create endpoint network interfaces.

1. For **IP address type**, choose from the following options:
   + **IPv4** – Assign IPv4 addresses to the endpoint network interfaces. This option is supported only if all selected subnets have IPv4 address ranges and the endpoint service accepts IPv4 requests.
   + **IPv6** – Assign IPv6 addresses to the endpoint network interfaces. This option is supported only if all selected subnets are IPv6 only subnets and the endpoint service accepts IPv6 requests.
   + **Dualstack** – Assign both IPv4 and IPv6 addresses to the endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges and the endpoint service accepts both IPv4 and IPv6 requests.

1. For **DNS record IP type**, choose from the following options:
   + **IPv4** – Create A records for the private, Regional, and zonal DNS names. The IP address type must be **IPv4** or **Dualstack**.
   + **IPv6** – Create AAAA records for the private, Regional, and zonal DNS names. The IP address type must be **IPv6** or **Dualstack**.
   + **Dualstack** – Create A and AAAA records for the private, Regional, and zonal DNS names. The IP address type must be **Dualstack**.
   + **Service defined** – Create A records for the private, Regional, and zonal DNS names and AAAA records for the Regional and zonal DNS names. The IP address type must be **Dualstack**.

1. For **Security group**, select the security groups to associate with the endpoint network interfaces.

1. Choose **Create endpoint**.

**To create an interface endpoint using the command line**
+ [create-vpc-endpoint](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint.html) (AWS CLI)
+ [New-EC2VpcEndpoint](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpcEndpoint.html) (Tools for Windows PowerShell)

# Configure an endpoint service
<a name="configure-endpoint-service"></a>

After you create an endpoint service, you can update its configuration.

**Topics**
+ [Manage permissions](#add-remove-permissions)
+ [Accept or reject connection requests](#accept-reject-connection-requests)
+ [Manage load balancers](#associate-load-balancer)
+ [Associate a private DNS name](#associate-private-dns-name)
+ [Modify the supported Regions](#manage-supported-regions)
+ [Modify the supported IP address types](#supported-ip-address-types)
+ [Manage tags](#add-remove-endpoint-service-tags)

## Manage permissions
<a name="add-remove-permissions"></a>

The combination of permissions and acceptance settings help you control which service consumers (AWS principals) can access your endpoint service. For example, you can grant permissions to specific principals that you trust and automatically accept all connection requests, or you can grant permissions to a wider group of principals and manually accept specific connection requests that you trust.

By default, your endpoint service is not available to service consumers. You must add permissions that allow specific AWS principals to create an interface VPC endpoint to connect to your endpoint service. To add permissions for an AWS principal, you need its Amazon Resource Name (ARN). The following list includes example ARNs for supported AWS principals.

**ARNs for AWS principals**

AWS account (includes all principals in the account)  
arn:aws:iam::*account_id*:root

Role  
arn:aws:iam::*account_id*:role/*role_name*

User  
arn:aws:iam::*account_id*:user/*user_name*

All principals in all AWS accounts  
\*

**Considerations**
+ If you grant everyone permission to access the endpoint service and configure the endpoint service to accept all requests, your load balancer will be public even if it has no public IP address.
+ If you remove permissions, it does not affect existing connections between the endpoint and the service that were previously accepted.
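The combination of a `*` principal and automatic acceptance is the configuration that silently turns a private load balancer into a public one, and it is easy to miss in a large account. The following is an added example, not code from the AWS documentation: it audits an endpoint service's exposure from its acceptance setting and allowed principals, validates each principal against the ARN forms listed above, and flags account-root ARNs, which admit every identity in that account. The sample inputs are constructed; their shape (a `ServiceConfigurations` entry with `AcceptanceRequired`, and `AllowedPrincipals` entries with `Principal` and `PrincipalType`) is assumed to match the `describe-vpc-endpoint-service-configurations` and `describe-vpc-endpoint-service-permissions` output.

```python
import re
from typing import Iterable

# Principal ARN forms listed on this page: account root, IAM role, IAM user, or "*".
_IAM_ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):(?P<kind>root|role/[\w+=,.@/-]+|user/[\w+=,.@/-]+)$"
)

# Constructed samples (field names assumed, see the lead-in).
PUBLIC_SERVICE = {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "AcceptanceRequired": False}
PUBLIC_PERMS = {"AllowedPrincipals": [{"PrincipalType": "All", "Principal": "*"}]}

LOCKED_SERVICE = {"ServiceId": "vpce-svc-0bbbbbbbbbbbbbbbb", "AcceptanceRequired": True}
LOCKED_PERMS = {"AllowedPrincipals": [
    {"PrincipalType": "Role", "Principal": "arn:aws:iam::111122223333:role/ConsumerApp"},
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::444455556666:root"},
]}


def classify_principal(principal: str) -> str:
    """Return 'all', 'account', 'role', 'user', or 'unrecognized'."""
    if principal == "*":
        return "all"
    m = _IAM_ARN_RE.match(principal)
    if not m:
        return "unrecognized"
    return "account" if m["kind"] == "root" else m["kind"].split("/", 1)[0]


def exposure_findings(service: dict, perms: dict) -> list[str]:
    """Findings as 'SEVERITY: message' strings, worst cases first."""
    auto_accept = not service.get("AcceptanceRequired", True)
    principals = [p["Principal"] for p in perms.get("AllowedPrincipals", [])]
    findings = []
    if "*" in principals:
        if auto_accept:
            findings.append("CRITICAL: any AWS account can connect and requests are auto-accepted; "
                            "the load balancer is effectively public even without a public IP")
        else:
            findings.append("HIGH: any AWS account can request a connection; every request must be "
                            "reviewed before acceptance")
    elif auto_accept:
        findings.append("INFO: requests from the allowed principals are accepted automatically")
    for principal in principals:
        kind = classify_principal(principal)
        if kind == "account":
            findings.append(f"NOTE: {principal} admits every principal in that account, not one identity")
        elif kind == "unrecognized":
            findings.append(f"REVIEW: {principal} is not one of the principal forms listed on this page")
    return findings


def worst_severity(findings: Iterable[str]) -> str:
    """Collapse a findings list to its most severe label, or 'OK' when empty."""
    order = ["CRITICAL", "HIGH", "REVIEW", "INFO", "NOTE"]
    seen = {f.split(":", 1)[0] for f in findings}
    return next((label for label in order if label in seen), "OK")
```

Run this over every service configuration in the account on a schedule; a CRITICAL result means the service should either lose the `*` principal or switch to manual acceptance before anything else is investigated. Removing the `*` permission afterwards does not disconnect consumers that were already accepted, so audit the existing endpoint connections as well.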

**To manage permissions for your endpoint service using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service and choose the **Allow principals** tab.

1. To add permissions, choose **Allow principals**. For **Principals to add**, enter the ARN of the principal. To add another principal, choose **Add principal**. When you are finished adding principals, choose **Allow principals**.

1. To remove permissions, select the principal and choose **Actions**, **Delete**. When prompted for confirmation, enter **delete** and then choose **Delete**.

**To add permissions for your endpoint service using the command line**
+ [modify-vpc-endpoint-service-permissions](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint-service-permissions.html) (AWS CLI)
+ [Edit-EC2EndpointServicePermission](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2EndpointServicePermission.html) (Tools for Windows PowerShell)

## Accept or reject connection requests
<a name="accept-reject-connection-requests"></a>

The combination of permissions and acceptance settings help you control which service consumers (AWS principals) can access your endpoint service. For example, you can grant permissions to specific principals that you trust and automatically accept all connection requests, or you can grant permissions to a wider group of principals and manually accept specific connection requests that you trust.

You can configure your endpoint service to accept connection requests automatically. Otherwise, you must accept or reject them manually. If you do not accept a connection request, the service consumer can't access your endpoint service.

If you grant everyone permission to access the endpoint service and configure the endpoint service to accept all requests, your load balancer will be public even if it has no public IP address.

You can receive a notification when a connection request is accepted or rejected. For more information, see [Receive alerts for endpoint service events](create-notification-endpoint-service.md).

**To modify the acceptance setting using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. Choose **Actions**, **Modify endpoint acceptance setting**.

1. Select or clear **Acceptance required**.

1. Choose **Save changes**.

**To modify the acceptance setting using the command line**
+ [modify-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint-service-configuration.html) (AWS CLI)
+ [Edit-EC2VpcEndpointServiceConfiguration](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2VpcEndpointServiceConfiguration.html) (Tools for Windows PowerShell)

**To accept or reject a connection request using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. From the **Endpoint connections** tab, select the endpoint connection.

1. To accept the connection request, choose **Actions**, **Accept endpoint connection request**. When prompted for confirmation, enter **accept** and then choose **Accept**.

1. To reject the connection request, choose **Actions**, **Reject endpoint connection request**. When prompted for confirmation, enter **reject** and then choose **Reject**.

**To accept or reject a connection request using the command line**
+ [accept-vpc-endpoint-connections](https://docs.aws.amazon.com/cli/latest/reference/ec2/accept-vpc-endpoint-connections.html) or [reject-vpc-endpoint-connections](https://docs.aws.amazon.com/cli/latest/reference/ec2/reject-vpc-endpoint-connections.html) (AWS CLI)
+ [Approve-EC2EndpointConnection](https://docs.aws.amazon.com/powershell/latest/reference/items/Approve-EC2EndpointConnection.html) or [Deny-EC2EndpointConnection](https://docs.aws.amazon.com/powershell/latest/reference/items/Deny-EC2EndpointConnection.html) (Tools for Windows PowerShell)

## Manage load balancers
<a name="associate-load-balancer"></a>

You can manage the load balancers that are associated with your endpoint service. You can't disassociate a load balancer if there are endpoints connected to your endpoint service.

If you enable another Availability Zone for your load balancers, the Availability Zone will appear under the **Load Balancers** tab on the **Endpoint services** page. However, it won't be enabled for the endpoint service or listed in the **Details** tab of your endpoint service on the AWS Management Console. You need to enable the endpoint service for the new Availability Zone.

It might take a few minutes for the load balancer’s Availability Zone to be ready for your endpoint service. If you are using an automation, we recommend that you add a wait in your automation process before you enable the endpoint service for the new Availability Zone.

**To manage the load balancers for your endpoint service using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. Choose **Actions**, **Associate or disassociate load balancers**.

1. Change the endpoint service configuration as needed. For example:
   + Select the check box for a load balancer to associate it with the endpoint service.
   + Clear the check box for a load balancer to disassociate it from the endpoint service. You must keep at least one load balancer selected.

1. Choose **Save changes**.

   The endpoint service will be enabled for any new Availability Zones you added to your load balancer. The new Availability Zone is listed under the **Load Balancers** tab and the **Details** tab of the endpoint service.

After you enable an Availability Zone for the endpoint service, service consumers can add a subnet from that Availability Zone to their interface VPC endpoints.

**To manage the load balancers for your endpoint service using the command line**
+ [modify-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint-service-configuration.html) (AWS CLI)
+ [Edit-EC2VpcEndpointServiceConfiguration](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2VpcEndpointServiceConfiguration.html) (Tools for Windows PowerShell)

To enable the endpoint service in an Availability Zone that was recently enabled for the load balancer, simply call the command with the ID of the endpoint service.

## Associate a private DNS name
<a name="associate-private-dns-name"></a>

You can associate a private DNS name with your endpoint service. After you associate a private DNS name, you must update the entry for the domain on your DNS server. Before service consumers can use the private DNS name, the service provider must verify that they own the domain. For more information, see [Manage DNS names](manage-dns-names.md).

**To modify an endpoint service private DNS name using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. Choose **Actions**, **Modify private DNS name**.

1. Select **Associate a private DNS name with the service** and enter the private DNS name.
   + Domain names must use lowercase.
   + You can use wildcards in domain names (for example, **\*.myexampleservice.com**).

1. Choose **Save changes**.

1. The private DNS name is ready for use by service consumers when the verification status is **verified**. If the verification status changes, new connection requests are denied but existing connections are not affected.

**To modify an endpoint service private DNS name using the command line**
+ [modify-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint-service-configuration.html) (AWS CLI)
+ [Edit-EC2VpcEndpointServiceConfiguration](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2VpcEndpointServiceConfiguration.html) (Tools for Windows PowerShell)

**To initiate the domain verification process using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. Choose **Actions**, **Verify domain ownership for private DNS name**. 

1. When prompted for confirmation, enter **verify** and then choose **Verify**.

**To initiate the domain verification process using the command line**
+ [start-vpc-endpoint-service-private-dns-verification](https://docs.aws.amazon.com/cli/latest/reference/ec2/start-vpc-endpoint-service-private-dns-verification.html) (AWS CLI)
+ [Start-EC2VpcEndpointServicePrivateDnsVerification](https://docs.aws.amazon.com/powershell/latest/reference/items/Start-EC2VpcEndpointServicePrivateDnsVerification.html) (Tools for Windows PowerShell)

## Modify the supported Regions
<a name="manage-supported-regions"></a>

You can modify the set of supported Regions for your endpoint service. Before you can add an opt-in Region, your account must be opted in to that Region. You can't remove the Region that hosts your endpoint service.

After you remove a Region, service consumers can't create new endpoints that specify it as the service Region. Removing a Region doesn't affect existing endpoints that specify it as the service Region. When you remove a Region, we recommend that you reject any existing endpoint connections from that Region.

**To modify the supported Regions for your endpoint service**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. Choose **Actions**, **Modify supported Regions**.

1. Select and deselect Regions as needed.

1. Choose **Save changes**.
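As an added example (not code from the AWS documentation), the following Python script applies the recommendation above: after you remove a Region, it lists the service's endpoint connections, selects those whose consumer endpoint is in the removed Region and is still `available` or `pending-acceptance`, and rejects them. It assumes boto3 and credentials for the live path, the `describe-vpc-endpoint-connections` output fields named in its docstring, including a per-connection `VpcEndpointRegion` field that you should confirm against the EC2 API reference, and the constructed sample records shown in the block. The service ID is the one used elsewhere on this page; the endpoint IDs and account numbers are placeholders.

```python
"""Reject endpoint connections that originate in a Region you have removed
from an endpoint service's supported Regions.

Added example; not code from the AWS documentation. The records have the
shape of `describe-vpc-endpoint-connections` output (ServiceId, VpcEndpointId,
VpcEndpointOwner, VpcEndpointState) plus a per-connection VpcEndpointRegion
field, which is an assumption to confirm against the EC2 API reference. The
sample records are constructed; boto3 is only used when --live is passed.
"""
from typing import Dict, Iterable, List

# States in which an endpoint is connected or waiting on the provider
# (the page writes them as `available` and `pending-acceptance`).
REJECTABLE_STATES = {"available", "pendingacceptance"}


def _norm_state(state: str) -> str:
    """Accept 'pendingAcceptance', 'pending-acceptance' and friends alike."""
    return state.lower().replace("-", "").replace("_", "")


def connections_to_reject(connections: Iterable[Dict], service_id: str,
                          removed_region: str) -> List[str]:
    """Endpoint IDs for this service whose consumer endpoint lives in the
    removed Region and is still connected or pending acceptance."""
    return sorted(
        c["VpcEndpointId"] for c in connections
        if c.get("ServiceId") == service_id
        and c.get("VpcEndpointRegion") == removed_region
        and _norm_state(c.get("VpcEndpointState", "")) in REJECTABLE_STATES
    )


def list_connections(ec2_client, service_id: str) -> List[Dict]:
    """Page through describe_vpc_endpoint_connections for one service."""
    paginator = ec2_client.get_paginator("describe_vpc_endpoint_connections")
    pages = paginator.paginate(
        Filters=[{"Name": "service-id", "Values": [service_id]}])
    return [c for page in pages for c in page.get("VpcEndpointConnections", [])]


def reject_connections(ec2_client, service_id: str, endpoint_ids: List[str],
                       batch_size: int = 25) -> List[Dict]:
    """Reject in small batches (the batch size is this script's choice, not an
    API limit) and return the Unsuccessful items the API reports."""
    unsuccessful: List[Dict] = []
    for i in range(0, len(endpoint_ids), batch_size):
        resp = ec2_client.reject_vpc_endpoint_connections(
            ServiceId=service_id,
            VpcEndpointIds=endpoint_ids[i:i + batch_size])
        unsuccessful.extend(resp.get("Unsuccessful", []))
    return unsuccessful


# Constructed sample, in the shape of describe-vpc-endpoint-connections output.
SAMPLE_CONNECTIONS = [
    {"ServiceId": "vpce-svc-071afff70666e61e0", "VpcEndpointId": "vpce-0a1b2c3d4e5f60001",
     "VpcEndpointOwner": "222222222222", "VpcEndpointState": "available",
     "VpcEndpointRegion": "eu-west-1"},
    {"ServiceId": "vpce-svc-071afff70666e61e0", "VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
     "VpcEndpointOwner": "333333333333", "VpcEndpointState": "pendingAcceptance",
     "VpcEndpointRegion": "eu-west-1"},
    {"ServiceId": "vpce-svc-071afff70666e61e0", "VpcEndpointId": "vpce-0a1b2c3d4e5f60003",
     "VpcEndpointOwner": "222222222222", "VpcEndpointState": "rejected",
     "VpcEndpointRegion": "eu-west-1"},
    {"ServiceId": "vpce-svc-071afff70666e61e0", "VpcEndpointId": "vpce-0a1b2c3d4e5f60004",
     "VpcEndpointOwner": "444444444444", "VpcEndpointState": "available",
     "VpcEndpointRegion": "us-east-1"},
]

if __name__ == "__main__":
    import sys
    service, removed = "vpce-svc-071afff70666e61e0", "eu-west-1"
    if "--live" in sys.argv:  # assumption: boto3 installed, credentials configured
        import boto3
        ec2 = boto3.client("ec2", region_name="us-east-1")  # the service's home Region
        ids = connections_to_reject(list_connections(ec2, service), service, removed)
        print("rejecting:", ids)
        print("unsuccessful:", reject_connections(ec2, service, ids))
    else:
        print(connections_to_reject(SAMPLE_CONNECTIONS, service, removed))
```

Run it without `--live` to see the selection on the sample data; run it with `--live` only after you have confirmed the field names against your own `describe-vpc-endpoint-connections` output, because a mismatch in `VpcEndpointRegion` would silently select nothing.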

## Modify the supported IP address types
<a name="supported-ip-address-types"></a>

You can change the IP address types that are supported by your endpoint service.

**Consideration**  
To enable your endpoint service to accept IPv6 requests, its Network Load Balancers must use the dualstack IP address type. The targets do not need to support IPv6 traffic. For more information, see [IP address type](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html#ip-address-type) in the *User Guide for Network Load Balancers*.

**To modify the supported IP address types using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the VPC endpoint service.

1. Choose **Actions**, **Modify supported IP address types**.

1. For **Supported IP address types**, do one of the following:
   + Select **IPv4** – Enable the endpoint service to accept IPv4 requests.
   + Select **IPv6** – Enable the endpoint service to accept IPv6 requests.
   + Select **IPv4** and **IPv6** – Enable the endpoint service to accept both IPv4 and IPv6 requests.

1. Choose **Save changes**.

**To modify the supported IP address types using the command line**
+ [modify-vpc-endpoint-service-configuration](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpc-endpoint-service-configuration.html) (AWS CLI)
+ [Edit-EC2VpcEndpointServiceConfiguration](https://docs.aws.amazon.com/powershell/latest/reference/items/Edit-EC2VpcEndpointServiceConfiguration.html) (Tools for Windows PowerShell)

## Manage tags
<a name="add-remove-endpoint-service-tags"></a>

You can tag your resources to help you identify them or categorize them according to your organization's needs.

**To manage tags for your endpoint service using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the VPC endpoint service.

1. Choose **Actions**, **Manage tags**.

1. For each tag to add, choose **Add new tag** and enter the tag key and tag value.

1. To remove a tag, choose **Remove** to the right of the tag key and value.

1. Choose **Save**.

**To manage tags for your endpoint connections using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the VPC endpoint service and then choose the **Endpoint connections** tab.

1. Select the endpoint connection and then choose **Actions**, **Manage tags**.

1. For each tag to add, choose **Add new tag** and enter the tag key and tag value.

1. To remove a tag, choose **Remove** to the right of the tag key and value.

1. Choose **Save**.

**To manage tags for your endpoint service permissions using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the VPC endpoint service and then choose the **Allow principals** tab.

1. Select the principal and then choose **Actions**, **Manage tags**.

1. For each tag to add, choose **Add new tag** and enter the tag key and tag value.

1. To remove a tag, choose **Remove** to the right of the tag key and value.

1. Choose **Save**.

**To add and remove tags using the command line**
+ [create-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-tags.html) and [delete-tags](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-tags.html) (AWS CLI)
+ [New-EC2Tag](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2Tag.html) and [Remove-EC2Tag](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2Tag.html) (Tools for Windows PowerShell)

# Manage DNS names for VPC endpoint services
<a name="manage-dns-names"></a>

Service providers can configure private DNS names for their endpoint services. Suppose that a service provider makes their service available through a public endpoint and as an endpoint service. If the service provider uses the DNS name of the public endpoint as the private DNS name of the endpoint service, then service consumers can access the public endpoint or the endpoint service using the same client application, without modification. If a request comes from the service consumer VPC, the private DNS servers resolve the DNS name to the IP addresses of the endpoint network interfaces. Otherwise, the public DNS servers resolve the DNS name to the public endpoint.

Before you can configure a private DNS name for your endpoint service, you must prove that you own the domain by performing a domain ownership verification check.

**Considerations**
+ An endpoint service can have only one private DNS name.
+ When the consumer creates an interface endpoint to connect to your service, we create a private hosted zone and associate it with the service consumer VPC. We create a CNAME record in the private hosted zone that maps the private DNS name of the endpoint service to the regional DNS name of the VPC endpoint. When a consumer sends a request to the public DNS name of the service, the private DNS servers resolve the request to the IP addresses of the endpoint network interfaces.
+ To verify a domain, you must have a public hostname or a public DNS provider.
+ You can verify a parent domain instead of each subdomain. For example, you can verify *example.com* instead of *a.example.com*. Each DNS label can have up to 63 characters, and the whole domain name must not exceed a total length of 255 characters.

  If you add an additional subdomain, you must verify the subdomain, or the domain. For example, let's say you had *a.example.com*, and verified *example.com*. You now add *b.example.com* as a private DNS name. You must verify *example.com* or *b.example.com* before service consumers can use the name.
+ Private DNS names are not supported for Gateway Load Balancer endpoints.

## Domain ownership verification
<a name="verify-domain-ownership"></a>

Your domain is associated with a set of Domain Name System (DNS) records that you manage through your DNS provider. A TXT record is a type of DNS record that provides additional information about your domain. It consists of a name and a value. As part of the verification process, you must add a TXT record to the DNS server for your public domain.

Domain ownership verification is complete when we detect the existence of the TXT record in your domain's DNS settings.

After you add a record, you can check the status of the domain verification process using the Amazon VPC console. In the navigation pane, choose **Endpoint services**. Select the endpoint service and check the value of **Domain verification status** in the **Details** tab. If domain verification is pending, wait a few minutes and refresh the screen. If needed, you can initiate the verification process manually. Choose **Actions**, **Verify domain ownership for private DNS name**.

The private DNS name is ready for use by service consumers when the verification status is **verified**. If the verification status changes, new connection requests are denied but existing connections are not affected.

If the verification status is **failed**, see [Troubleshoot domain verification issues](#troubleshoot-domain-verification).

## Get the name and value
<a name="get-name-and-value"></a>

We provide you with the name and value that you use in the TXT record. For example, the information is available in the AWS Management Console. Select the endpoint service and see **Domain verification name** and **Domain verification value** on the **Details** tab for the endpoint service. You can also use the following [describe-vpc-endpoint-service-configurations](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-vpc-endpoint-service-configurations.html) AWS CLI command to retrieve information about the configuration of the private DNS name for the specified endpoint service.

```
aws ec2 describe-vpc-endpoint-service-configurations \
    --service-ids vpce-svc-071afff70666e61e0 \
    --query ServiceConfigurations[*].PrivateDnsNameConfiguration
```

The following is example output. You'll use `Value` and `Name` when you create the TXT record.

```
[
    {
        "State": "pendingVerification",
        "Type": "TXT",
        "Value": "vpce:l6p0ERxlTt45jevFwOCp",
        "Name": "_6e86v84tqgqubxbwii1m"
    }
]
```

For example, suppose that your domain name is *example.com* and that `Value` and `Name` are as shown in the preceding example output. The following table is an example of the TXT record settings.


| Name | Type | Value | 
| --- | --- | --- | 
|  \_6e86v84tqgqubxbwii1m.example.com  |  TXT  |  vpce:l6p0ERxlTt45jevFwOCp  | 

We suggest that you use `Name` as the record subdomain because the base domain name might already be in use. However, if your DNS provider does not allow DNS record names to contain underscores, you can omit the "\_6e86v84tqgqubxbwii1m" and simply use "example.com" in the TXT record.

After we verify "\_6e86v84tqgqubxbwii1m.example.com", service consumers can use "example.com" or a subdomain (for example, "service.example.com" or "my.service.example.com").

## Add a TXT record to your domain's DNS server
<a name="add-txt-record-to-dns-server"></a>

The procedure for adding TXT records to your domain's DNS server depends on who provides your DNS service. Your DNS provider might be Amazon Route 53 or another domain name registrar.

### Amazon Route 53
<a name="add-txt-record-route53"></a>

Create a record for your public hosted zone using a simple routing policy. Use the following values:
+ For **Record name** enter the domain or subdomain.
+ For **Record type**, choose **TXT**.
+ For **Value/Route traffic to**, enter the domain verification value.
+ For **TTL (seconds)**, enter **1800**.

For more information, see [Create records using the console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) in the *Amazon Route 53 Developer Guide*.

### General procedure
<a name="add-txt-record-general"></a>

Go to the website for your DNS provider and sign in to your account. Find the page to update the DNS records for your domain. Add a TXT record with the name and value that we provided. It can take up to 48 hours for DNS record updates to take effect, but they often take effect much sooner.

For more specific directions, consult the documentation from your DNS provider. The following table provides links to the documentation for several common DNS providers. This list is not intended to be comprehensive, nor is it intended as a recommendation of the products or services provided by these companies.


| DNS/Hosting provider | Documentation link | 
| --- | --- | 
|  GoDaddy  |  [Add a TXT record](https://www.godaddy.com/help/add-a-txt-record-19232)  | 
|  Dreamhost  |  [Adding custom DNS records](https://help.dreamhost.com/hc/en-us/articles/360035516812-Adding-custom-DNS-records)  | 
|  Cloudflare  |  [Manage DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/)  | 
|  HostGator  |  [Manage DNS Records with HostGator/eNom](https://www.hostgator.com/help/article/manage-dns-records-with-hostgatorenom)  | 
|  Namecheap  |  [How do I add TXT/SPF/DKIM/DMARC records for my domain?](https://www.namecheap.com/support/knowledgebase/article.aspx/317/2237/how-do-i-add-txtspfdkimdmarc-records-for-my-domain/)  | 
|  Names.co.uk  |  [Changing your domain's DNS settings](https://www.names.co.uk/support/articles/changing-your-domains-dns-settings/)  | 
|  Wix  |  [Adding or Updating TXT Records in Your Wix Account](https://support.wix.com/en/article/adding-or-updating-txt-records-in-your-wix-account)  | 

## Check whether the TXT record is published
<a name="verify-txt-record-publication"></a>

You can verify that the TXT record for domain ownership verification of your private DNS name is published correctly to your DNS server using the following steps. You'll run the **nslookup** command, which is available for Windows and Linux.

You'll query the DNS servers that serve your domain because those servers contain the most up-to-date information for your domain. Your domain information takes time to propagate to other DNS servers.

**To verify that your TXT record is published to your DNS server**

1. Find the name servers for your domain using the following command.

   ```
   nslookup -type=NS example.com
   ```

   The output lists the name servers that serve your domain. You'll query one of these servers in the next step.

1. Verify that the TXT record is correctly published using the following command, where *name\_server* is one of the name servers that you found in the previous step.

   ```
   nslookup -type=TXT _6e86v84tqgqubxbwii1m.example.com name_server
   ```

1. In the output of the previous step, verify that the string that follows `text =` matches the TXT value.

   In our example, if the record is correctly published, the output includes the following.

   ```
   _6e86v84tqgqubxbwii1m.example.com text = "vpce:l6p0ERxlTt45jevFwOCp"
   ```

## Troubleshoot domain verification issues
<a name="troubleshoot-domain-verification"></a>

If the domain verification process fails, the following information can help you troubleshoot issues.
+ Check whether your DNS provider allows underscores in TXT record names. If your DNS provider does not allow underscores, you can omit the domain verification name (for example, "\_6e86v84tqgqubxbwii1m") from the TXT record.
+ Check whether your DNS provider appended the domain name to the end of the TXT record. Some DNS providers automatically append the name of your domain to the attribute name of the TXT record. To avoid this duplication of the domain name, add a period to the end of the domain name when you create the TXT record. This tells your DNS provider that it isn't necessary to append the domain name to the TXT record.
+ Check whether your DNS provider modified the DNS record value to use only lowercase letters. We verify your domain only when there is a verification record with an attribute value that exactly matches the value that we provided. If the DNS provider changed your TXT record values to use only lowercase letters, contact them for assistance.
+ You might need to verify your domain more than once because you're supporting multiple Regions or multiple AWS accounts. If your DNS provider doesn't allow you to have more than one TXT record with the same attribute name, check whether your DNS provider allows you to assign multiple attribute values to the same TXT record. For example, if your DNS is managed by Amazon Route 53, you can use the following procedure.

  1. In the Route 53 console, choose the TXT record that you created when you verified your domain in the first Region.

  1. For **Value**, go to the end of the existing attribute value, and then press Enter.

  1. Add the attribute value for the additional Region, and then save the record set.

  If your DNS provider doesn't allow you to assign multiple values to the same TXT record, you can verify the domain once with the value in the attribute name of the TXT record, and one other time with the value removed from the attribute name. However, you can only verify the same domain two times.
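The checks in "Check whether the TXT record is published" and in the troubleshooting list above, as one added Python example; this is not code from the AWS documentation. It takes the domain, the `Name` and `Value` from `describe-vpc-endpoint-service-configurations`, and a resolver callback, and reports whether verification can succeed: it looks at both record names AWS accepts (`<Name>.<domain>` and the bare domain), detects a value whose case the provider changed, detects a zone name that was appended twice, and treats a record holding several whitespace-separated values as one value per Region or account. The `resolve_txt` callback and the sample zone data are constructed so the block runs offline; `dnspython_resolver` builds a live one and assumes the dnspython package is installed.

```python
"""Check that the PrivateLink domain-verification TXT record is published in
a form that AWS will accept.

Added example; not code from the AWS documentation. The resolver callback is
an assumption that lets the check run offline; dnspython_resolver builds a
real one (assumes dnspython) that queries one authoritative server by IP.
"""
from typing import Callable, Dict, List

TxtResolver = Callable[[str], List[str]]


def candidate_record_names(domain: str, verification_name: str) -> List[str]:
    """Record names AWS accepts: the suggested <Name>.<domain> first, then the
    bare domain for providers that reject underscores in record names."""
    domain = domain.strip().rstrip(".").lower()
    return [f"{verification_name}.{domain}", domain]


def txt_values(raw: List[str]) -> List[str]:
    """Strip the quotes a resolver returns and split records that carry several
    whitespace-separated values, so each verification value is one entry."""
    values: List[str] = []
    for item in raw:
        values.extend(item.strip().strip('"').split())
    return values


def check_verification_record(domain: str, verification_name: str,
                              verification_value: str,
                              resolve_txt: TxtResolver) -> Dict[str, object]:
    """Report whether domain ownership verification can succeed, and if not, why."""
    problems: List[str] = []
    for name in candidate_record_names(domain, verification_name):
        values = txt_values(resolve_txt(name))
        if not values:
            continue
        if verification_value in values:          # exact match is what AWS requires
            return {"ok": True, "record": name, "problems": []}
        if any(v.lower() == verification_value.lower() for v in values):
            problems.append(f"{name}: value present but its case was changed by the provider")
        else:
            problems.append(f"{name}: TXT record exists but no value matches")
    # The provider appended the zone name to an already fully qualified name.
    base = candidate_record_names(domain, verification_name)[1]
    doubled = f"{verification_name}.{base}.{base}"
    if verification_value in txt_values(resolve_txt(doubled)):
        problems.append(f"{doubled}: zone name appended twice; end the record name with a trailing dot")
    if not problems:
        problems.append("no TXT record found; allow time for propagation (up to 48 hours)")
    return {"ok": False, "record": None, "problems": problems}


def dnspython_resolver(nameserver_ip: str) -> TxtResolver:
    """Build a resolver that asks one authoritative server (assumes dnspython)."""
    import dns.exception
    import dns.resolver
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [nameserver_ip]

    def resolve(name: str) -> List[str]:
        try:
            return [r.to_text() for r in res.resolve(name, "TXT")]
        except dns.exception.DNSException:
            return []
    return resolve


# Constructed sample zone data, not a real domain's records. Each list entry is
# one TXT string as a resolver returns it (quoted). The second value under
# example.com stands in for a second Region's verification value.
SAMPLE_ZONE = {
    "_6e86v84tqgqubxbwii1m.example.com": ['"vpce:l6p0ERxlTt45jevFwOCp"',
                                          '"vpce:secondRegionValue0"'],
    "example.org": ['"vpce:l6p0erxltt45jevfwocp"'],            # provider lower-cased the value
    "_6e86v84tqgqubxbwii1m.example.net.example.net":
        ['"vpce:l6p0ERxlTt45jevFwOCp"'],                         # zone name appended twice
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE.get(name.rstrip(".").lower(), [])


if __name__ == "__main__":
    for zone in ("example.com", "example.org", "example.net"):
        print(zone, check_verification_record(
            zone, "_6e86v84tqgqubxbwii1m", "vpce:l6p0ERxlTt45jevFwOCp", sample_resolver))
```

To run the check against your real zone, replace `sample_resolver` with `dnspython_resolver("<IP of one of your NS servers>")`, using a server from the `nslookup -type=NS` step so you are not waiting on propagation to a recursive resolver.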

# Receive alerts for endpoint service events
<a name="create-notification-endpoint-service"></a>

You can create a notification to receive alerts for specific events related to your endpoint service. For example, you can receive an email when a connection request is accepted or rejected.

**Topics**
+ [

## Create an SNS notification
](#create-sns-notification-endpoint-service)
+ [

## Add an access policy
](#add-access-policy-endpoint-service)
+ [

## Add a key policy
](#add-key-policy-endpoint-service)

## Create an SNS notification
<a name="create-sns-notification-endpoint-service"></a>

Use the following procedure to create an Amazon SNS topic for the notifications and subscribe to the topic.

**To create a notification for an endpoint service using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. From the **Notifications** tab, choose **Create notification**.

1. For **Notification ARN**, choose the ARN for the SNS topic that you created.

1. To subscribe to an event, select it from **Events**.
   + **Connect** – The service consumer created the interface endpoint. This sends a connection request to the service provider.
   + **Accept** – The service provider accepted the connection request.
   + **Reject** – The service provider rejected the connection request.
   + **Delete** – The service consumer deleted the interface endpoint.

1. Choose **Create notification**.

**To create a notification for an endpoint service using the command line**
+ [create-vpc-endpoint-connection-notification](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-endpoint-connection-notification.html) (AWS CLI)
+ [New-EC2VpcEndpointConnectionNotification](https://docs.aws.amazon.com/powershell/latest/reference/items/New-EC2VpcEndpointConnectionNotification.html) (Tools for Windows PowerShell)

## Add an access policy
<a name="add-access-policy-endpoint-service"></a>

Add an access policy to the SNS topic that allows AWS PrivateLink to publish notifications on your behalf, such as the following. For more information, see [How do I edit my Amazon SNS topic's access policy?](https://repost.aws/knowledge-center/sns-edit-topic-access-policy) Use the `aws:SourceArn` and `aws:SourceAccount` global condition keys to protect against the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpce.amazonaws.com"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-1:111111111111:topic-name",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:ec2:us-east-1:111111111111:vpc-endpoint-service/service-id"
                },
                "StringEquals": {
                    "aws:SourceAccount": "111111111111"
                }
            }
        }
    ]
}
```

------

## Add a key policy
<a name="add-key-policy-endpoint-service"></a>

If you're using encrypted SNS topics, the resource policy for the KMS key must trust AWS PrivateLink to call AWS KMS API operations. The following is an example key policy.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vpce.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:111111111111:key/key-id",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:ec2:us-east-1:111111111111:vpc-endpoint-service/service-id"
                },
                "StringEquals": {
                    "aws:SourceAccount": "111111111111"
                }
            }
        }
    ]
}
```

------
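The two policies above differ only in the action list and the resource; what makes both safe is the pair of conditions. The following added Python example (not code from the AWS documentation) generates a statement of that shape for either resource and audits an existing topic or key policy for the guards: a statement that lets `vpce.amazonaws.com` (or any principal) in must carry an `aws:SourceArn` that matches your endpoint service without wildcarding the account, and an `aws:SourceAccount` equal to your account ID. The account, Region, topic name and service ID are placeholders, and the weak policy is constructed for the demonstration.

```python
"""Generate and audit resource policies that let AWS PrivateLink publish
endpoint-service notifications (SNS topic policy) or use an encrypted topic's
KMS key (key policy), with the aws:SourceArn and aws:SourceAccount conditions
that guard against the confused-deputy problem.

Added example; not code from the AWS documentation. The statement shape, the
vpce.amazonaws.com principal and the two condition keys come from the
policies above; account, Region, topic and service IDs are placeholders.
"""
import fnmatch
import json
from typing import Any, Dict, List, Union

PRIVATELINK_SERVICE = "vpce.amazonaws.com"


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def service_arn(region: str, account_id: str, service_id: str) -> str:
    return f"arn:aws:ec2:{region}:{account_id}:vpc-endpoint-service/{service_id}"


def hardened_policy(resource_arn: str, actions: List[str], region: str,
                    account_id: str, service_id: str) -> Dict[str, Any]:
    """A policy whose only statement lets PrivateLink act solely on behalf of
    one endpoint service in one account. Pass ["SNS:Publish"] for the topic
    policy and ["kms:GenerateDataKey*", "kms:Decrypt"] for the key policy."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": PRIVATELINK_SERVICE},
        "Action": actions[0] if len(actions) == 1 else actions,
        "Resource": resource_arn,
        "Condition": {
            "ArnLike": {"aws:SourceArn": service_arn(region, account_id, service_id)},
            "StringEquals": {"aws:SourceAccount": account_id},
        },
    }]}


def _principal_kind(stmt: Dict[str, Any]) -> str:
    """'service' if PrivateLink is named, 'any' for a wildcard principal, else ''."""
    principal = stmt.get("Principal")
    if principal == "*":
        return "any"
    if isinstance(principal, dict):
        if "*" in _as_list(principal.get("AWS", [])):
            return "any"
        if PRIVATELINK_SERVICE in _as_list(principal.get("Service", [])):
            return "service"
    return ""


def _arn_account(pattern: str) -> str:
    parts = pattern.split(":")
    return parts[4] if len(parts) > 4 else "*"


def audit_statement(stmt: Dict[str, Any], region: str, account_id: str,
                    service_id: str) -> List[str]:
    """Findings for one statement that would let PrivateLink in."""
    findings: List[str] = []
    kind = _principal_kind(stmt)
    if stmt.get("Effect") != "Allow" or not kind:
        return findings
    if kind == "any":
        findings.append("wildcard Principal; name vpce.amazonaws.com instead")
    cond = stmt.get("Condition", {})
    expected = service_arn(region, account_id, service_id)
    patterns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn")
                        or cond.get("ArnEquals", {}).get("aws:SourceArn") or [])
    if not patterns:
        findings.append("missing aws:SourceArn condition")
    elif not any(fnmatch.fnmatchcase(expected, p) for p in patterns):
        findings.append("aws:SourceArn does not match this endpoint service")
    elif any(_arn_account(p) != account_id for p in patterns):
        findings.append("aws:SourceArn wildcards the account; pin it to your account ID")
    accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount") or [])
    if not accounts:
        findings.append("missing aws:SourceAccount condition")
    elif accounts != [account_id]:
        findings.append("aws:SourceAccount does not match your account")
    return findings


def audit_policy(policy: Union[str, Dict[str, Any]], region: str,
                 account_id: str, service_id: str) -> List[str]:
    """Audit every statement; an empty list means the guards are in place."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        findings += [f"Statement[{i}]: {f}"
                     for f in audit_statement(stmt, region, account_id, service_id)]
    return findings


# Constructed weak policy: grants Publish to PrivateLink with no conditions, so
# an endpoint service in any account could drive notifications to this topic.
WEAK_TOPIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": PRIVATELINK_SERVICE},
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:topic-name",
}]})

if __name__ == "__main__":
    args = ("us-east-1", "111111111111", "vpce-svc-071afff70666e61e0")
    print("weak:", audit_policy(WEAK_TOPIC_POLICY, *args))
    fixed = hardened_policy("arn:aws:sns:us-east-1:111111111111:topic-name",
                            ["SNS:Publish"], *args)
    print("hardened:", audit_policy(fixed, *args))
    print(json.dumps(fixed, indent=4))
```

The audit deliberately treats `ArnLike` patterns with a wildcard in the account position as a finding even when they match, because the whole point of the condition is to refuse requests made on behalf of someone else's endpoint service.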

# Delete an endpoint service
<a name="delete-endpoint-service"></a>

When you are finished with an endpoint service, you can delete it. You can't delete an endpoint service if there are any endpoints connected to the endpoint service that are in the `available` or `pending-acceptance` state.

Deleting an endpoint service does not delete the associated load balancer and does not affect the application servers registered with the load balancer target groups.

**To delete an endpoint service using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Endpoint services**.

1. Select the endpoint service.

1. Choose **Actions**, **Delete endpoint services**.

1. When prompted for confirmation, enter **delete** and then choose **Delete**.

**To delete an endpoint service using the command line**
+ [delete-vpc-endpoint-service-configurations](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc-endpoint-service-configurations.html) (AWS CLI)
+ [Remove-EC2EndpointServiceConfiguration](https://docs.aws.amazon.com/powershell/latest/reference/items/Remove-EC2EndpointServiceConfiguration.html) (Tools for Windows PowerShell)