Required VPC endpoints and DNS configuration
AWS Management Console Private Access requires the following two VPC endpoints per Region. Replace region with the code of the Region you are configuring (for example, us-east-1).
- com.amazonaws.region.console for AWS Management Console
- com.amazonaws.region.signin for AWS Sign-In
Note
Always provision infrastructure and networking connectivity to the US East (N. Virginia) (us-east-1) Region, regardless of other Regions you use with the AWS Management Console. You can use AWS Transit Gateway to set up connectivity between the US East (N. Virginia) and every other Region. For more information, see Getting started with transit gateways in the Amazon VPC Transit Gateways guide. You can also use Amazon VPC peering. For more information, see What is VPC peering in the Amazon VPC Peering Guide. To compare these options, see Amazon VPC-to-Amazon VPC connectivity options in the Amazon Virtual Private Cloud Connectivity Options whitepaper.
DNS configuration for AWS Management Console and AWS Sign-In
To route your network traffic to the respective VPC endpoints, configure DNS records in the network from which your users will access the AWS Management Console. These DNS records direct your users' browser traffic toward the VPC endpoints you created.
You can create a single private hosted zone that covers all of aws.amazon.com. However, names such as health.aws.amazon.com and docs.aws.amazon.com would then stop resolving for your users, because those services don't have VPC endpoints and the private zone overrides their public records. You would need to route those domains to the public internet yourself. We recommend instead that you create two private hosted zones per Region, one for signin.aws.amazon.com and one for console.aws.amazon.com, with the following CNAME records:
- Regional CNAME records (in all Regions):
  - region.signin.aws.amazon.com pointing to the AWS Sign-In VPC endpoint, in the signin DNS zone
  - region.console.aws.amazon.com pointing to the AWS Management Console VPC endpoint, in the console DNS zone
- Regionless CNAME records, for the US East (N. Virginia) Region only (you always have to set up this Region):
  - signin.aws.amazon.com pointing to the AWS Sign-In VPC endpoint in US East (N. Virginia) (us-east-1)
  - console.aws.amazon.com pointing to the AWS Management Console VPC endpoint in US East (N. Virginia) (us-east-1)
For instructions on creating a CNAME record, see Working with records in the Amazon Route 53 Developer Guide.
Some AWS consoles, including Amazon S3, use different patterns for their DNS names. The following are two examples:
- support.console.aws.amazon.com
- s3.console.aws.amazon.com
To be able to direct this traffic to your AWS Management Console VPC endpoint, you need to add those names individually. We recommend that you configure routing for all endpoints for a fully private experience. However, this isn't required to use AWS Management Console Private Access.
The following JSON files contain the full list of AWS services and console endpoints to configure per Region. Use the PrivateIpv4DnsNames field under the com.amazonaws.region.console endpoint for the DNS names.
- https://configuration.private-access.console.amazonaws.com/us-east-1.config.json
- https://configuration.private-access.console.amazonaws.com/us-east-2.config.json
- https://configuration.private-access.console.amazonaws.com/us-west-2.config.json
- https://configuration.private-access.console.amazonaws.com/eu-west-1.config.json
- https://configuration.private-access.console.amazonaws.com/ap-southeast-1.config.json
- https://configuration.private-access.console.amazonaws.com/il-central-1.config.json
Note
This list is updated each month as we add additional endpoints to the scope of AWS Management Console Private Access. To keep your private hosted zones updated, periodically pull the preceding list of files.
If you use Route 53 to configure your DNS, go to https://console.aws.amazon.com/route53/v2/hostedzones# to verify the DNS setup. For each Private Hosted Zone in Route 53, verify that the following record sets are present.
- console.aws.amazon.com
- signin.aws.amazon.com
- region.console.aws.amazon.com
- region.signin.aws.amazon.com
- support.console.aws.amazon.com
- global.console.aws.amazon.com
- Additional records listed in the previously listed JSON files
VPC endpoints and DNS configuration for AWS services
The AWS Management Console calls AWS services through a combination of direct browser requests and requests that are proxied by web servers. To direct this traffic to your AWS Management Console VPC endpoint, you must add the VPC endpoint and configure DNS for each dependent AWS service.
The following JSON files list the AWS services that integrate with AWS PrivateLink and are available for you to use. A service that doesn't integrate with AWS PrivateLink isn't included in these files.
- https://configuration.private-access.console.amazonaws.com/us-east-1.config.json
- https://configuration.private-access.console.amazonaws.com/us-east-2.config.json
- https://configuration.private-access.console.amazonaws.com/us-west-2.config.json
- https://configuration.private-access.console.amazonaws.com/eu-west-1.config.json
- https://configuration.private-access.console.amazonaws.com/ap-southeast-1.config.json
- https://configuration.private-access.console.amazonaws.com/il-central-1.config.json
Use the ServiceName field of each service entry as the service name of the VPC endpoint you add to your VPC.
Note
We update this list each month as we add support for AWS Management Console Private Access to more service consoles. To stay current, periodically pull the preceding list of files and update your VPC endpoints.
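The following script is an added example, not code from the AWS documentation. It ties together the two procedures above: it reads the PrivateIpv4DnsNames field of the console and signin endpoints and the ServiceName field of every entry from a per-Region config file, builds the Route 53 change batch for the two private hosted zones, applies the rule that the regionless names are set up only in us-east-1, and reports which required record sets a zone is still missing. The file's top-level layout (an "Endpoints" list) is an assumption made for illustration, since the documentation only names the two fields; the config content and the VPC endpoint DNS names are constructed placeholders.

```python
"""Build and check private hosted zone records for AWS Management Console
Private Access from a per-Region config file.

Added example, not AWS code. ASSUMED config shape: a top-level "Endpoints"
list whose items carry the "ServiceName" and "PrivateIpv4DnsNames" fields
named in the documentation. Verify against the real file before use.
"""
import json

# Constructed sample standing in for us-east-1.config.json (assumed shape).
SAMPLE_CONFIG = json.dumps({
    "Endpoints": [
        {"ServiceName": "com.amazonaws.us-east-1.console",
         "PrivateIpv4DnsNames": ["console.aws.amazon.com",
                                 "us-east-1.console.aws.amazon.com",
                                 "support.console.aws.amazon.com",
                                 "global.console.aws.amazon.com",
                                 "s3.console.aws.amazon.com"]},
        {"ServiceName": "com.amazonaws.us-east-1.signin",
         "PrivateIpv4DnsNames": ["signin.aws.amazon.com",
                                 "us-east-1.signin.aws.amazon.com"]},
        {"ServiceName": "com.amazonaws.us-east-1.ec2"},
        {"ServiceName": "com.amazonaws.us-east-1.s3"},
    ]
})

# Constructed placeholder endpoint DNS names; take the real ones from
# `aws ec2 describe-vpc-endpoints`.
ENDPOINT_DNS = {
    "console": "vpce-0123456789abcdef0-abcd1234.console.us-east-1.vpce.amazonaws.com",
    "signin": "vpce-0fedcba9876543210-dcba4321.signin.us-east-1.vpce.amazonaws.com",
}


def load_endpoints(config_text):
    """Map ServiceName -> PrivateIpv4DnsNames (empty list when absent)."""
    doc = json.loads(config_text)
    return {e["ServiceName"]: e.get("PrivateIpv4DnsNames", []) for e in doc["Endpoints"]}


def service_names(config_text):
    """Every ServiceName in the file: the interface endpoints to create in the VPC."""
    return sorted(load_endpoints(config_text))


def required_records(config_text, region):
    """Names that must resolve to the console or signin endpoint, grouped by
    private hosted zone. Regionless apex names are required only in us-east-1;
    the regional names are required in every Region."""
    endpoints = load_endpoints(config_text)
    console = set(endpoints.get(f"com.amazonaws.{region}.console", []))
    signin = set(endpoints.get(f"com.amazonaws.{region}.signin", []))
    console.add(f"{region}.console.aws.amazon.com")
    signin.add(f"{region}.signin.aws.amazon.com")
    if region == "us-east-1":
        console.add("console.aws.amazon.com")
        signin.add("signin.aws.amazon.com")
    else:
        console.discard("console.aws.amazon.com")
        signin.discard("signin.aws.amazon.com")
    return {"console.aws.amazon.com": sorted(console),
            "signin.aws.amazon.com": sorted(signin)}


def change_batch(names, target, ttl=300):
    """Route 53 ChangeResourceRecordSets batch: UPSERT one CNAME per name."""
    return {"Comment": "AWS Management Console Private Access",
            "Changes": [{"Action": "UPSERT",
                         "ResourceRecordSet": {"Name": n, "Type": "CNAME", "TTL": ttl,
                                               "ResourceRecords": [{"Value": target}]}}
                        for n in names]}


def missing_records(required, present):
    """Required names with no record in `present`. Route 53 returns names with a
    trailing dot, so compare case-insensitively without it."""
    have = {p.lower().rstrip(".") for p in present}
    return sorted(n for n in required if n.lower().rstrip(".") not in have)


if __name__ == "__main__":
    print("endpoints to create:", service_names(SAMPLE_CONFIG))
    zones = required_records(SAMPLE_CONFIG, "us-east-1")
    for zone, names in zones.items():
        target = ENDPOINT_DNS["signin" if zone.startswith("signin") else "console"]
        print(json.dumps(change_batch(names, target), indent=2))
    # Simulated output of `aws route53 list-resource-record-sets` for a zone
    # that has only two of the needed console records.
    present = ["console.aws.amazon.com.", "us-east-1.console.aws.amazon.com."]
    print("missing:", missing_records(zones["console.aws.amazon.com"], present))
```

Apply each batch with aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://batch.json, and feed the record names from aws route53 list-resource-record-sets into missing_records to audit a zone after each monthly refresh of the config file. Two caveats: Route 53 rejects a CNAME at the apex of a hosted zone, so in a zone named console.aws.amazon.com the regionless record has to be an alias A record that targets the interface endpoint rather than a CNAME; and once the zones are associated with the VPC, confirm from a host inside it that console.aws.amazon.com resolves to the endpoint's private addresses while docs.aws.amazon.com still resolves publicly.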