Creating VPC endpoint service with AWS PrivateLink

Hetul Sheth
3 min read · Sep 23, 2020

Prerequisites for demo:

  1. Two VPCs: Default ( and Custom( e.g. create with CIDR for demo)
  2. Jumpbox/Bastion instance in public subnet of Default VPC ( Security Group: SSH access at port 22 from public internet(
  3. Instance in private subnet of Default VPC (Security Group: allows SSH access only from the SG of the Bastion host in the public subnet)
  4. Network Load Balancer in public subnet of Custom VPC (keep this internet-facing, with listeners on TCP port 80)
  5. Instance serving a webpage (at /var/www/html > index.html, with some basic HTML page for this demo) in private subnet of Custom VPC (Security Group: allow access only from the private IP of the Network Load Balancer mentioned above, for SSH and HTTP (to pass the health check)). You can get the private IP of the NLB from the Network Interfaces tab in the VPC side pane. Just enter your NLB name in the filter and it will show you the private IPs of all NLB nodes, one per AZ the NLB is spread across.
  6. NLB attached to the target group having instances from private subnet of custom VPC.

NOTE: You should also have route tables properly set up for this.

Route table associated with public subnet default vpc should be like:

Route table associated with private subnet default vpc should be like:

Route table associated with private subnet custom vpc should be like:

If you have all these things ready, then let's set up the VPC endpoint using AWS PrivateLink.

  1. Go to Endpoint Services from the VPC console.
  2. Click Create Endpoint Service.
  3. Select the NLB you created. Under Included Availability Zones, it will show you the AZs across which your NLB is spread.
  4. Keep Require Acceptance for Endpoint checked.
  5. Click Create Service. Copy the service name; it will be required later.
  6. Now go to Endpoints from the VPC console.
  7. Click Create Endpoint > Find service by name > enter the service name which you copied in step 5 > click Verify. Once it verifies successfully, you are good to go.
  8. Keep the default VPC and choose the subnets below. You will only be able to select those that are also configured for the NLB, but change the subnets to the private ones.
  9. Now associate an SG which allows SSH traffic only from Custom VPC CIDR ( i.e. here)
  10. Click Create Endpoint.
  11. Now go to Endpoint Services > Endpoint Connections tab. There should be one pending request. Accept that request by going into Actions and accepting it.
  12. Once done, you have successfully configured your VPC endpoint with PrivateLink.
  13. To verify, let's do a test:
  14. SSH to Bastion > instance in private subnet of Default VPC > curl <DNS name of the endpoint created in step 10>. If you can see your webpage, then you have successfully configured PrivateLink.
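To check afterwards that the acceptance control from steps 4 and 11 is still in place, the added example below (not part of the original post) audits the JSON printed by `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-connections`. The sample data, the IDs, the account numbers and the `trusted_owners` allowlist are constructed assumptions.

```python
import json

# Constructed sample data in the shape returned by
#   aws ec2 describe-vpc-endpoint-service-configurations
#   aws ec2 describe-vpc-endpoint-connections
# All IDs and account numbers below are made up for illustration.
SERVICES_JSON = """
{"ServiceConfigurations": [
  {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "AcceptanceRequired": true,  "ServiceState": "Available"},
  {"ServiceId": "vpce-svc-0bbbbbbbbbbbbbbbb", "AcceptanceRequired": false, "ServiceState": "Available"}
]}
"""
CONNECTIONS_JSON = """
{"VpcEndpointConnections": [
  {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-01111111111111111",
   "VpcEndpointOwner": "111111111111", "VpcEndpointState": "available"},
  {"ServiceId": "vpce-svc-0aaaaaaaaaaaaaaaa", "VpcEndpointId": "vpce-02222222222222222",
   "VpcEndpointOwner": "222222222222", "VpcEndpointState": "pendingAcceptance"},
  {"ServiceId": "vpce-svc-0bbbbbbbbbbbbbbbb", "VpcEndpointId": "vpce-03333333333333333",
   "VpcEndpointOwner": "333333333333", "VpcEndpointState": "available"}
]}
"""

def audit(services_json, connections_json, trusted_owners):
    """Return a sorted list of (finding, service_id, endpoint_id_or_None)."""
    findings = []
    for svc in json.loads(services_json)["ServiceConfigurations"]:
        # Step 4 of the walkthrough: acceptance must stay required, otherwise
        # any principal allowed on the service connects without review.
        if not svc.get("AcceptanceRequired", False):
            findings.append(("acceptance-not-required", svc["ServiceId"], None))
    for conn in json.loads(connections_json)["VpcEndpointConnections"]:
        ids = (conn["ServiceId"], conn["VpcEndpointId"])
        trusted = conn["VpcEndpointOwner"] in trusted_owners
        state = conn["VpcEndpointState"]
        if state == "pendingAcceptance":
            # Step 11: tell the reviewer whether the requester is expected.
            findings.append(("pending-trusted" if trusted else "pending-untrusted", *ids))
        elif state == "available" and not trusted:
            findings.append(("connected-untrusted-owner", *ids))
    return sorted(findings, key=lambda f: (f[1], f[0], f[2] or ""))

if __name__ == "__main__":
    for finding in audit(SERVICES_JSON, CONNECTIONS_JSON, {"111111111111"}):
        print(finding)
```

In a single-account setup like this demo, `trusted_owners` holds only your own account ID, so any other owner appearing on a connection is a finding.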


