Gateway Load Balancer endpoints (AWS PrivateLink)
A Gateway Load Balancer endpoint enables you to intercept traffic and route it to a service that you've configured using Gateway Load Balancers, for example, for security inspection. The owner of the service is the service provider, and you, as the principal creating the Gateway Load Balancer endpoint, are the service consumer.
The following are the general steps for setting up a Gateway Load Balancer endpoint:
- Ensure that a Gateway Load Balancer endpoint service is configured. For more information, see VPC endpoint services for Gateway Load Balancer endpoints.
- Choose the VPC in which to create the Gateway Load Balancer endpoint, and provide the name of the service.
- Choose a subnet in your VPC to use for the Gateway Load Balancer endpoint. We create an endpoint network interface in the subnet. An endpoint network interface is assigned a private IP address from the IP address range of your subnet, and keeps this IP address until the Gateway Load Balancer endpoint is deleted.
  Note: An endpoint network interface is a requester-managed network interface. You can view it in your account, but you cannot manage it yourself. For more information, see Requester-managed network interfaces.
  You can specify only one subnet for the Gateway Load Balancer endpoint. You cannot change the subnet later.
- After you create the Gateway Load Balancer endpoint, it's available to use once it's accepted by the service provider. The service provider can configure the service to accept requests automatically or manually.
- Configure your subnet route table and gateway route table to point traffic to the Gateway Load Balancer endpoint. For more information, see Routing to a Gateway Load Balancer endpoint in the Amazon VPC User Guide.
Gateway Load Balancer endpoint properties and limitations
To use a Gateway Load Balancer endpoint, be aware of the following:
- For each Gateway Load Balancer endpoint, you can choose only one Availability Zone (subnet) in your VPC. You cannot change the subnet later. To use a Gateway Load Balancer endpoint in a different subnet, create a new Gateway Load Balancer endpoint in that subnet. You can create a single Gateway Load Balancer endpoint per Availability Zone for a service.
- Each Gateway Load Balancer endpoint supports a maximum bandwidth of up to 40 Gbps.
- If the network ACL for your subnet restricts traffic, you might not be able to send traffic through the Gateway Load Balancer endpoint. Ensure that you add appropriate rules that allow traffic to and from the CIDR block of the subnet.
- Security groups are not supported.
- Endpoint policies are not supported.
- A service might not be available in all Availability Zones through a Gateway Load Balancer endpoint. To find out which Availability Zones are supported, use the describe-vpc-endpoint-services command or use the Amazon VPC console. For more information, see Create a Gateway Load Balancer endpoint.
- When you create a Gateway Load Balancer endpoint, the endpoint is created in the Availability Zone that is mapped to your account and that is independent from other accounts. When the service provider and the consumer are in different accounts, use the Availability Zone ID to uniquely and consistently identify the endpoint Availability Zone. For example, use1-az1 is an Availability Zone ID for the us-east-1 Region and maps to the same location in every AWS account. For information about Availability Zone IDs, see AZ IDs for Your Resources in the AWS RAM User Guide or use describe-availability-zones.
- To keep traffic within the same Availability Zone, we recommend that you create a Gateway Load Balancer endpoint in each Availability Zone that you will send traffic to.
- Endpoints are supported within the same Region only. You cannot create an endpoint between a VPC and a service in a different Region.
- Endpoints support IPv4 traffic only.
- You cannot transfer an endpoint from one VPC to another, or from one service to another.
- You have a quota on the number of endpoints you can create per VPC. For more information, see AWS PrivateLink quotas.
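The following is an added example (not AWS code) that turns the setup steps and the limitations above into a pre-flight check: it validates a planned set of endpoints against the rules on this page (Gateway Load Balancer service type, same Region, service availability per Availability Zone, one endpoint per AZ ID, IPv4 only) and emits the subnet and gateway route-table entries the last step calls for. The service name, subnet IDs, AZ names and AZ IDs are constructed placeholders shaped like describe-vpc-endpoint-services and describe-availability-zones output.

```python
import ipaddress

# Constructed sample of one ServiceDetails entry from describe-vpc-endpoint-services.
SERVICE = {
    "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-EXAMPLE",  # placeholder
    "ServiceType": [{"ServiceType": "GatewayLoadBalancer"}],
    "AvailabilityZones": ["us-east-1a", "us-east-1b"],  # AZ names as seen by the consumer
}
# Constructed sample from describe-availability-zones: ZoneName -> ZoneId (stable across accounts).
AZ_IDS = {"us-east-1a": "use1-az1", "us-east-1b": "use1-az2", "us-east-1c": "use1-az4"}
# Constructed consumer subnets: subnet id -> (AZ name, CIDR). One endpoint is planned per subnet.
SUBNETS = {
    "subnet-EXAMPLE1": ("us-east-1a", "10.0.1.0/24"),
    "subnet-EXAMPLE2": ("us-east-1b", "10.0.2.0/24"),
}

def plan_endpoints(service, subnets, az_ids, vpc_region):
    """Return {subnet_id: az_id} for the endpoints to create, enforcing the page's rules."""
    if service["ServiceType"][0]["ServiceType"] != "GatewayLoadBalancer":
        raise ValueError("service is not a Gateway Load Balancer endpoint service")
    if vpc_region not in service["ServiceName"]:  # endpoints are same-Region only
        raise ValueError("service and VPC must be in the same Region")
    plan, used_az = {}, set()
    for subnet_id, (az_name, _cidr) in subnets.items():
        if az_name not in service["AvailabilityZones"]:
            raise ValueError(f"{subnet_id}: service not available in {az_name}")
        az_id = az_ids[az_name]  # compare by AZ ID, not name, across accounts
        if az_id in used_az:     # a single endpoint per Availability Zone for a service
            raise ValueError(f"second endpoint planned for {az_id}")
        used_az.add(az_id)
        plan[subnet_id] = az_id
    return plan

def routes_for(app_cidr, endpoint_id, igw_id):
    """Route entries that steer app-subnet traffic through the endpoint (IPv4 only)."""
    net = ipaddress.ip_network(app_cidr)
    if net.version != 4:
        raise ValueError("Gateway Load Balancer endpoints support IPv4 traffic only")
    return {
        # app subnet route table: all egress goes to the endpoint for inspection
        "app_subnet_route_table": [("0.0.0.0/0", endpoint_id)],
        # internet gateway (edge) route table: ingress for the app subnet goes to the endpoint
        "gateway_route_table": [(str(net), endpoint_id)],
        # endpoint subnet route table: inspected traffic continues to the IGW (assumed layout)
        "endpoint_subnet_route_table": [("0.0.0.0/0", igw_id)],
    }
```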
Gateway Load Balancer endpoint lifecycle
A Gateway Load Balancer endpoint goes through various stages, starting from when you create it (the endpoint connection request). At each stage, there might be actions that the service consumer and service provider can take.

The following rules apply:
- A service provider can configure their service to accept Gateway Load Balancer endpoint requests automatically or manually.
- A service provider cannot delete a Gateway Load Balancer endpoint to their service. Only the service consumer that requested the connection can delete the Gateway Load Balancer endpoint.
- A service provider can reject the Gateway Load Balancer endpoint after it has been accepted and is in the available state.
Pricing for Gateway Load Balancer endpoints
You are charged for creating and using a Gateway Load Balancer endpoint to a service. Hourly usage rates and data processing rates apply. For more information, see AWS PrivateLink Pricing.
Create a Gateway Load Balancer endpoint
To create a Gateway Load Balancer endpoint, you must specify the VPC in which to create the endpoint, and the service to which to establish the connection.
View your Gateway Load Balancer endpoint
After you've created a Gateway Load Balancer endpoint, you can view information about it.
Add or remove tags for a Gateway Load Balancer endpoint
You can add or remove the tags for your Gateway Load Balancer endpoint.