
Secure Cross-Account API Sharing using AWS PrivateLink

Step by step guide on how to securely share APIs across AWS accounts with PrivateLink to maintain security, boost performance, and reduce costs

Qinjie Zhang
Amazon Employee
Published Mar 26, 2025
Learn how to securely share AWS API endpoints with other accounts using AWS PrivateLink, a feature that enables secure access to AWS resources without exposing public IP addresses or DNS names. By implementing PrivateLink, you'll benefit from enhanced security as your traffic remains entirely within the AWS network, never traversing the public internet. You'll also experience better network performance with low-latency, high-throughput connections between accounts, and potentially reduce data transfer costs by eliminating the need for NAT gateways.
This guide outlines the steps to create an endpoint service in the provider account, add allowed principals, and share the service name with consumer accounts—all while maintaining a private network topology that meets strict security and compliance requirements.
Steps:
  1. Setup Endpoint Service and Endpoint
    • Create Endpoint Service in Provider AWS Account
    • Create Endpoint in Consumer AWS Account
    • Accept Request in Provider AWS Account
    • Test Connection in Consumer AWS Account
  2. Endpoint with Private DNS Name (Optional)
    • Enable Private DNS for Endpoint Service in Provider Account
    • Enable Private DNS for Endpoint in Consumer Account

Step 1 - Setup Endpoint Service and Endpoint

1.1 Create Endpoint Service in Provider AWS Account

1. Go to "VPC > Endpoint services" and create a new endpoint service.
- Select a Network Load Balancer (NLB) as the target.
2. Take note of the "Service name" of the endpoint service.
- It is in the format of "com.amazonaws.vpce.ap-southeast-1.vpce-svc-xxxxxxxxxx".
3. Add allowed principals of consumer accounts.
- Use the account root ARN to allow every role and user in a consumer account, e.g., "arn:aws:iam::<ACCOUNT_ID>:root".
4. Share the Service name of your endpoint service and its availability zones with the Consumer Account owner.

1.2 Create Endpoint in Consumer AWS Account

1. Go to "VPC > Endpoints" and create a new endpoint.
- Choose "Other endpoint services"
- Paste in the service name and verify the service. (Note: Verification will fail if this consumer account is not added to the allowed principal list in the provider account.)
2. Choose the subnets in which this endpoint will be available and select a security group. Create the endpoint.
3. The newly created endpoint will be in the "Pending acceptance" status until it is accepted by the provider account.

1.3 Accept Request in Provider AWS Account

1. Choose the endpoint connection and accept the request.
2. Wait until the state of the Endpoint connection becomes "Available".

1.4 Test Connection in Consumer AWS Account

1. Take note of one of the endpoint's DNS names.
2. From CloudShell or the terminal of any EC2 instance, call the API through that DNS name.
3. The service is currently available through both the private DNS name and the AWS-assigned DNS name.
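The allowed-principal list from 1.1 and the acceptance step in 1.3 are the two places where sharing can become broader than intended. The following is an added example, not code from the original post: a small offline audit that parses the service name format shown above, flags allowed principals that reach beyond the intended consumer accounts (a wildcard, or an account you did not plan to share with), and splits pending connection requests into ones to accept and ones to reject. The sample data is constructed; it is assumed to be shaped like the `AllowedPrincipals` and `VpcEndpointConnections` lists returned by the EC2 API.

```python
import re

# Formats the guide shows: the service name and the account-root principal ARN.
SERVICE_NAME_RE = re.compile(
    r"^com\.amazonaws\.vpce\.(?P<region>[a-z0-9-]+)\.(?P<id>vpce-svc-[0-9a-f]+)$")

# Constructed sample data (assumption: field names mirror the EC2 API output
# of describe-vpc-endpoint-service-permissions / describe-vpc-endpoint-connections).
ALLOWED_PRINCIPALS = [
    {"Principal": "arn:aws:iam::111111111111:root"},
    {"Principal": "arn:aws:iam::222222222222:role/ApiConsumer"},
    {"Principal": "*"},  # anyone who knows the service name may request a connection
]
CONNECTIONS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointOwner": "111111111111", "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointOwner": "999999999999", "VpcEndpointState": "pendingAcceptance"},
    {"VpcEndpointId": "vpce-0ccc", "VpcEndpointOwner": "111111111111", "VpcEndpointState": "available"},
]
EXPECTED_CONSUMERS = {"111111111111", "222222222222"}  # accounts you meant to share with


def parse_service_name(name):
    """Split 'com.amazonaws.vpce.<region>.vpce-svc-...' into (region, service id)."""
    m = SERVICE_NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a PrivateLink service name: {name!r}")
    return m.group("region"), m.group("id")


def account_of(principal):
    """Return the 12-digit account ID in an IAM ARN, or None for '*' or malformed values."""
    m = re.match(r"^arn:aws:iam::(\d{12}):", principal)
    return m.group(1) if m else None


def audit_permissions(allowed, expected):
    """Return (principal, reason) pairs for entries that grant more than intended."""
    findings = []
    for entry in allowed:
        p = entry["Principal"]
        acct = account_of(p)
        if p == "*":
            findings.append((p, "wildcard: any AWS account may request a connection"))
        elif acct is None:
            findings.append((p, "unrecognised principal format"))
        elif acct not in expected:
            findings.append((p, f"account {acct} is not an intended consumer"))
    return findings


def pending_to_accept(connections, expected):
    """Split pending requests into endpoint IDs to accept and IDs to reject."""
    accept, reject = [], []
    for c in connections:
        if c["VpcEndpointState"] != "pendingAcceptance":
            continue  # only pending requests need a decision
        (accept if c["VpcEndpointOwner"] in expected else reject).append(c["VpcEndpointId"])
    return accept, reject
```

Run `audit_permissions` before sharing the service name and `pending_to_accept` before step 1.3, so that only requests from accounts on your own list are accepted.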

Step 2 - Endpoint with Private DNS Name (Optional)

2.1 Enable Private DNS for Endpoint Service in Provider Account

1. Modify the endpoint service.
- Check "Associate a private DNS name with the service".
- Input a domain name, e.g., "api-svc.intra.chartsinvestor.com".
2. Take note of the domain verification name and verification value.
3. Go to Route 53.
- In the hosted zone of the parent domain, create a TXT record with the verification name and value from the previous step to prove domain ownership.
4. Go to VPC > Endpoint Services.
- Click on "Verify domain ownership for private DNS name" to trigger a domain name verification.
- It will take a few seconds for the "Domain verification status" to be updated.

2.2 Enable Private DNS for Endpoint in Consumer Account

1. Go to VPC > Endpoints.
- Modify the endpoint by enabling private DNS names.
2. Modify the private DNS name of the endpoint by selecting "Actions > Modify private DNS name".
3. Verify that the private DNS name is the same as the provider's endpoint service, i.e., `api-svc.intra.chartsinvestor.com`.
4. Test it in the consumer account.
- Both private DNS name and the AWS-assigned DNS name should resolve to the same IP address.

Implementing AWS PrivateLink for cross-account API sharing offers a robust solution for organizations seeking secure, high-performance connectivity between AWS accounts. By following the step-by-step process outlined in this guide, you've learned how to establish private connections that keep your traffic within the AWS network, protecting sensitive data from exposure to the public internet.

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
