Private DNS names for endpoint services - Amazon Virtual Private Cloud

Private DNS names for endpoint services

When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that you can use to communicate with the service. These names include the VPC endpoint ID, the Availability Zone name and Region Name, for example, By default, your consumers access the service with that DNS name and usually need to modify the application configuration.

If the endpoint service is for an AWS service, or a service available in the AWS Marketplace, there is a default DNS name. For other services, the service provider can configure a private DNS name so consumers can access the service using an existing DNS name without making changes to their applications. For more information, see VPC endpoint services (AWS PrivateLink).

Service providers can specify a private DNS name for a new endpoint service, or an existing endpoint service. To use a private DNS name, enable the feature, and then specify a private DNS name. Before consumers can use the private DNS name, you must verify that you have control of the domain/subdomain. You can initiate domain ownership verification using the Amazon VPC Console or API. After the domain ownership verification completes, consumers access the endpoint by using the private DNS name.


In order to verify the domain, you need to have a public hosted name, or a public DNS provider.

Private DNS names are not supported for endpoint services that you create for Gateway Load Balancer endpoints.

The high-level procedure is as follows:

  1. Add a private DNS name. For more information, see Creating a VPC endpoint service configuration for interface endpoints or Modifying an existing endpoint service private DNS name.

  2. Note the Domain verification value and Domain verification name that you need for the DNS server records. For more information, see Viewing endpoint service private DNS name configuration.

  3. Add a record to the DNS server. For more information, see VPC endpoint service private DNS name verification.

  4. Verify the private DNS name. For more information, see Manually initiating the endpoint service private DNS name domain verification.

You can manage the verification process by using the Amazon VPC console or the Amazon VPC API.

Domain name verification considerations

Make note of the following important points about domain ownership verification:

  • A consumer can only use the private DNS name to access the endpoint service when the verification status is verified.

  • If the verification status changes from verified to pendingVerification, or failed, existing consumer connections remain, but any new connection requests are denied.


    For service providers who are concerned about connections to endpoint services that are no longer in the verified state, we recommend that you use DescribeVpcEndpoints to periodically check the verification state. We recommend that you perform this check at least one time per day.

  • An endpoint service can only have one private DNS name.

  • You can specify a private DNS name for a new endpoint service, or an existing endpoint service.

  • You can only use public domain name servers.

  • You can use wildcards in domain names, for example, "*".

  • You must perform a separate domain ownership verification check for each endpoint service.

  • You can verify the domain of a subdomain. For example, you can verify, instead of As specified in RFC 1034, each DNS label can have up to 63 characters and the whole domain name must not exceed a total length of 255 characters.

    If you add an additional subdomain, you must verify the subdomain, or the domain. For example, let's say you had, and verified You now add as a private DNS name. You must verify or before your consumers can use the name.

  • Domain names must be lower-cased.