What Is AWS PrivateLink? How It Works and When to Use It

AWS PrivateLink lets you access a specific AWS service or your own private service over the AWS network, without routing traffic through public IP addresses or a NAT Gateway. You create an interface endpoint in your VPC, and traffic flows through the AWS backbone directly to the target service. No internet path involved. Teams use it when they need to lock down service access to a specific endpoint rather than opening broad network-to-network connectivity.

Simple explanation

Without PrivateLink, resources in your private subnets reach AWS services like SSM or Secrets Manager by routing through a NAT Gateway to the service’s public IP. PrivateLink removes that path. Instead, an interface endpoint sits directly in your own subnet: it is a network interface with a private IP address. Traffic flows from your resource to the endpoint, then through AWS’s private infrastructure to the service.

🔌

Think of it as a private direct line to one specific office. Instead of going through a public post office, you have a dedicated connection that goes straight there. The line is one-way: you can reach the service through it, but the service cannot initiate connections back into your VPC.

The most important thing to understand before going further: PrivateLink gives private access to a specific service, not full private network-to-network connectivity. If you need two VPCs to communicate broadly with each other, that is a different problem solved by VPC peering or Transit Gateway.

Why teams use AWS PrivateLink

  • Security and compliance. Regulated workloads (healthcare, financial services, government) often require that service traffic never use public IP addressing. Interface endpoints satisfy this without adding architectural complexity.
  • Private access from private subnets. Resources in private subnets normally need a NAT Gateway to reach AWS services. Interface endpoints eliminate that dependency for the specific services you configure them for, reducing NAT processing costs and removing a single point of failure for private workloads.
  • Limiting exposure to one service, not a full network path. When you share a service across accounts or VPCs, PrivateLink exposes only that one service endpoint. The consumer cannot see or reach anything else in your VPC. There is no network-level access granted.
  • Overlapping CIDR ranges. If your VPCs have overlapping IP address ranges, VPC peering is not possible. PrivateLink works regardless of CIDR overlap because it operates at the service level, not the network routing level.

How AWS PrivateLink works

PrivateLink has two sides: a consumer and a provider.

  • Consumer: the VPC that wants to access a service. You create an interface endpoint in one or more subnets in your VPC.
  • Provider: the entity exposing the service. For built-in AWS services, AWS is the provider. For your own services, you create an endpoint service backed by a Network Load Balancer in your VPC.

When you create an interface endpoint, AWS deploys an Elastic Network Interface (ENI) into the subnet you specify. That ENI gets a private IP address from your subnet’s CIDR range. Traffic flow once the endpoint is in place:

  1. Your application calls the service using its standard hostname (for example, ssm.us-east-1.amazonaws.com).
  2. If private DNS is enabled on the endpoint, Route 53 Resolver inside your VPC returns the private IP of the endpoint ENI instead of the service’s public IP.
  3. Traffic goes from your resource to the ENI, then through the AWS backbone directly to the service.
  4. No internet gateway and no NAT gateway are in this path.

Interface endpoints have security groups attached to the ENI, just like any other network interface. The security group controls which resources in your VPC can send traffic through the endpoint. For most AWS services, you need an inbound rule allowing HTTPS (port 443) from the instances or services that will use the endpoint.

How private DNS works: When private DNS is enabled, Route 53 Resolver inside your VPC intercepts queries for the service hostname and returns the endpoint’s private IP. Your application code needs no changes at all. It calls the same hostname it always did, and the endpoint handles the routing transparently. For this to work, your VPC must have both DNS resolution and DNS hostnames enabled. This is conceptually similar to how private hosted zones override public DNS resolution inside a VPC.

You can also restrict what actions consumers are allowed to perform through an endpoint using an endpoint policy: an IAM-style resource policy attached to the endpoint itself. By default, endpoints allow all traffic; endpoint policies let you scope that down.

When to use AWS PrivateLink

Choose PrivateLink when:
  • You need to access AWS services from private subnets without routing through a NAT Gateway.
  • You are exposing an internal API privately to other AWS accounts or VPCs without granting broad network access.
  • You are consuming a third-party SaaS service that supports PrivateLink connectivity.
  • Your VPCs have overlapping CIDR ranges that make peering impossible.
  • You want one-way, service-specific access with a clear security boundary between consumer and provider.

A common practical example: enabling Systems Manager Session Manager on EC2 instances in private subnets. Session Manager requires reaching three AWS endpoints: SSM, SSM Messages, and EC2 Messages. Without interface endpoints, your instances need internet access to reach those services. With PrivateLink, everything stays private without adding internet access to private subnets.

Cross-account service sharing is another strong fit. Instead of peering VPCs and exposing entire networks, you put your service behind a Network Load Balancer, create an endpoint service, and let consumers connect through PrivateLink. They reach only your service. Nothing else in your VPC is visible to them.

When not to use AWS PrivateLink

PrivateLink is not the right tool when:
  • You need full bidirectional connectivity between VPCs. PrivateLink is one-way and service-specific. If two applications need to call each other freely across VPCs, VPC peering or Transit Gateway is the right tool.
  • A gateway endpoint is the simpler choice. For S3 or DynamoDB access within the same VPC, gateway endpoints are free, require no ENI, and add no hourly cost. Interface endpoints for those same services cost money per hour and per GB of data processed.
  • You are connecting an on-premises network to AWS. Site-to-Site VPN and Direct Connect solve on-premises-to-cloud connectivity. PrivateLink is not designed for that problem.
  • You need general outbound internet access. PrivateLink covers access to specific services. If your workloads still need to reach arbitrary internet destinations, a NAT Gateway handles that. PrivateLink does not replace it for general traffic.

Interface endpoints vs gateway endpoints

Important distinction: Both are called VPC endpoints, but gateway endpoints for S3 and DynamoDB are not powered by AWS PrivateLink. They use a completely different mechanism and are often confused for PrivateLink because they share the “VPC endpoint” label.

Gateway endpoints work by adding an entry to your route table that intercepts traffic destined for S3 or DynamoDB and redirects it through the gateway rather than through the internet path. No ENI is created. DNS for the service still resolves to a public IP; the route table intercepts the traffic before it can leave your VPC.

PropertyInterface Endpoint (PrivateLink)Gateway Endpoint
Uses PrivateLink?YesNo
MechanismENI with private IP deployed in your subnetRoute table entry (no ENI created)
Services supported100+ AWS services, SaaS partnersS3 and DynamoDB only
CostHourly charge + data processing chargeFree
DNS resolutionReturns private IP of the endpoint ENIPublic DNS still resolves; route table intercepts traffic
Security group controlYes (security groups on the ENI)No (VPC endpoint policy only)
Cross-VPC / cross-accountYesNo (same VPC only)

For S3 and DynamoDB: start with gateway endpoints. They are free, and for single-VPC access they cover almost every use case. Only switch to interface endpoints for S3 or DynamoDB if you specifically need cross-VPC or cross-account private access.

AWS PrivateLink vs VPC Peering vs NAT Gateway

This is the decision most beginners need help making. Each option solves a different connectivity problem.

PrivateLink (Interface Endpoint)VPC PeeringNAT Gateway
Best forPrivate access to one specific serviceFull bidirectional VPC-to-VPC connectivityOutbound internet access from private subnets
Traffic scopeService-specificFull network between two VPCsAll outbound internet traffic
DirectionOne-way: consumer to providerBidirectionalOutbound only (stateful return allowed)
CIDR overlap OK?YesNoN/A
Routing modelDNS-based; ENI in subnet receives trafficRoute table entries pointing to peering connectionRoute table entries pointing to NAT Gateway
CostHourly per endpoint + data processingData transfer only (no hourly charge)Hourly per gateway + data processing
ComplexityLow for AWS services; moderate for custom endpoint servicesLow to moderateLow

The simplest way to choose: if you need to access one specific service privately, use PrivateLink. If two VPCs need broad two-way connectivity and their CIDRs do not overlap, use peering. If workloads need to reach the public internet, use a NAT Gateway. PrivateLink does not replace that path.

Common real-world use cases

Systems Manager access from private subnets

EC2 instances in private subnets cannot reach SSM endpoints without a route to the internet. Creating interface endpoints for ssm, ssmmessages, and ec2messages enables Session Manager and other SSM features to work entirely within the AWS private network.

# Create interface endpoint for SSM
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-0123456789abcdef0 \
  --service-name com.amazonaws.us-east-1.ssm \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-private-1a subnet-private-1b \
  --security-group-ids sg-ssm-endpoint \
  --private-dns-enabled \
  --tag-specifications 'ResourceType=vpc-endpoint,Tags=[{Key=Name,Value=ssm-endpoint}]'

# Repeat for ssmmessages and ec2messages
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-0123456789abcdef0 \
  --service-name com.amazonaws.us-east-1.ssmmessages \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-private-1a subnet-private-1b \
  --security-group-ids sg-ssm-endpoint \
  --private-dns-enabled

aws ec2 create-vpc-endpoint \
  --vpc-id vpc-0123456789abcdef0 \
  --service-name com.amazonaws.us-east-1.ec2messages \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-private-1a subnet-private-1b \
  --security-group-ids sg-ssm-endpoint \
  --private-dns-enabled

Consuming a third-party or cross-account private service

Many SaaS vendors and internal platform teams expose their services via PrivateLink. You create an interface endpoint pointing to their endpoint service name, and all traffic flows privately. The vendor never gains access to your VPC, and you never expose your workloads to their network. CIDR overlap between your VPC and theirs is not a concern.

Exposing your own service to other AWS accounts

Put your service behind a Network Load Balancer, create an endpoint service pointing to the NLB, and share the service name with consumers in other accounts. They create interface endpoints and connect privately. You control who can connect with allow-list entries on the endpoint service, and you can require manual approval for each new consumer.

# Create an endpoint service backed by your NLB
aws ec2 create-vpc-endpoint-service-configuration \
  --network-load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/internal-nlb/abc123 \
  --acceptance-required \
  --tag-specifications 'ResourceType=vpc-endpoint-service,Tags=[{Key=Name,Value=my-endpoint-service}]'

Common mistakes

The most common trap: You create an interface endpoint but forget to enable private DNS. The service hostname still resolves to a public IP, traffic bypasses the endpoint entirely, and you keep paying NAT Gateway charges. Enable private DNS on every interface endpoint, and verify your VPC has both DNS resolution and DNS hostnames turned on. If you see unexpected NAT costs after creating an endpoint, start here.

  1. Private DNS not enabled. Described above. See debugging VPC connectivity for step-by-step diagnosis if traffic is still not routing through the endpoint after creation.
  2. Security group on the endpoint ENI blocks traffic. Interface endpoints have their own security groups, separate from the security groups on your EC2 instances. A common mistake is leaving the endpoint’s security group in a state that denies inbound HTTPS from your instances. The endpoint exists, but traffic is dropped before reaching the service. The endpoint security group needs an inbound rule on port 443 from the resources that will use it.
  3. Using interface endpoints for S3 or DynamoDB when gateway endpoints are free. If you only need S3 or DynamoDB access within the same VPC, gateway endpoints cost nothing. Interface endpoints for those same services accrue an hourly charge plus data processing fees. Create the gateway endpoint first; evaluate interface endpoints only if you hit a cross-VPC or cross-account requirement.
  4. Assuming PrivateLink gives full VPC-to-VPC connectivity. PrivateLink is service-specific and one-way. The consumer gets access to one endpoint; nothing else in the provider VPC is reachable. If two VPCs need broad two-way communication, use VPC peering.
  5. Missing endpoint policies on sensitive services. By default, an interface endpoint allows all traffic to the underlying service. For sensitive services, attach an endpoint policy to restrict which IAM principals can use the endpoint and which actions they can perform. Leaving endpoints open to all actions is a common oversight in compliance-focused environments.

Frequently asked questions

Is AWS PrivateLink the same as a VPC endpoint?

Not exactly. VPC endpoints is the broader category. Interface endpoints are powered by AWS PrivateLink. Gateway endpoints for S3 and DynamoDB are also VPC endpoints, but they use a completely different mechanism: they add a route to your route table and do not use PrivateLink at all. When someone says "PrivateLink," they mean interface endpoints specifically.

When should I use a gateway endpoint instead of an interface endpoint?

For S3 or DynamoDB access from within the same VPC, use gateway endpoints. They are free, require no ENI, and need no security group changes. Only use interface endpoints for S3 or DynamoDB when you need cross-VPC or cross-account private access. That specific use case requires PrivateLink.

Can PrivateLink work with overlapping CIDR ranges?

Yes. This is one of PrivateLink's main advantages over VPC peering. PrivateLink operates at the service level rather than the network level, so overlapping CIDR ranges between consumer and provider VPCs are not a problem. The consumer never needs to know the provider's address space.

Does PrivateLink replace a NAT Gateway?

For specific AWS service calls from private subnets, yes. Interface endpoints eliminate the need for a NAT Gateway for those services. But PrivateLink only covers specific service connections, not general outbound internet traffic. If your workload needs to reach arbitrary internet destinations, a NAT Gateway is still required.

Does PrivateLink work across AWS accounts?

Yes. A service provider creates an endpoint service in their account (backed by a Network Load Balancer). Consumers in other accounts or VPCs create interface endpoints pointing to that endpoint service. The provider can require explicit approval before consumers can connect. Consumer and provider VPCs do not need to be peered.

Last verified: 21 April 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.