Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Using InterfaceVPCEndpoint is awkward for custom PrivateLink connections

See original GitHub issue
  • I’m submitting a …

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?

Using InterfaceVPCEndpoint seems oriented toward creating endpoints for AWS-managed services. This makes it awkward to use for connecting to custom VPC Endpoint Services. Specifically:

  1. The privateDNSEnabled: true default doesn’t work for custom VPC Endpoint services outside of AWS Marketplace. service does not provide a private DNS name.

  2. Getting the primary DNS name (i.e. the DNS entry that points to other AZs) is challenging. Something like this does not work:

this.baseLambdaFunction = new lambda.Function(this, 'Resource', {
    runtime: props.runtime,
    handler: props.handler,
    code: lambda.Code.asset(props.zipPath),
    vpc: props.vpc,
    environment: {
        MY_SERVICE_HOST: vpcEndpoint.vpcDNSEntries[0] // => "#{Token[TOKEN.24]}"
    memorySize: props.memorySize,

Instead, getting that value requires several Cfn functions:

const firstEntry =, endpoint.attrDnsEntries);
const entryParts = cdk.Fn.split(':', firstEntry);
const primaryDNSName =, entryParts);
  1. The current service property expects one port which is presumptuous because services can listen on many ports.
  • What is the expected behavior (or behavior of feature suggested)?

It may be the case that the intended use of InterfaceVPCEndpoint may be different enough from connecting to custom VPC Endpoint Services to warrant a new class. I don’t have any good names but maybe CustomVPCEndpoint. This new construct would address the 3 issues noted above.

At the least, it would be nice if InterfaceVPCEndpoint had a primaryDNSName method so that users don’t need to know the exact format of this Cfn value to get a DNS name.

  • What is the motivation / use case for changing the behavior or adding this feature?

Make using custom PrivateLink connections with CDK more convenient.

  • Please tell us about your environment:

    • CDK CLI Version: 1.3.0
    • Module Version: 1.3.0
    • OS: OSX Mojave
    • Language: TypeScript

Issue Analytics

  • State:open
  • Created 4 years ago
  • Reactions:3
  • Comments:8 (6 by maintainers)

github_iconTop GitHub Comments

flemjame-at-amazoncommented, Jun 4, 2020

@mitchlloyd the private DNS portion is fixed as of

dlantscommented, Mar 28, 2022

I ran into this while trying to set up privatelink for ElasticSearch Cloud

It seems that ElasticSearch did not set up a default dns, so privateDnsEnabled does not work for the service. Instead you have to create your own private hostedZone with a Cname that maps * to your private endpoint dns.

Naively, I attempted:

    const hostedZone = new route53.PrivateHostedZone(
        zoneName: "",
        vpc: myVpc,

    new route53.CnameRecord(this, "ElasticSearchRecord", {
      zone: hostedZone,
      recordName: "*",
      domainName: endpoint.vpcEndpointDnsEntries[0]

This failed with:

| CREATE_FAILED        | AWS::Route53::RecordSet
[RRSet of type CNAME with DNS name * does not contain exactly one resource record.]

Replacing the CnameRecord declaration with:

    const firstEntry =, endpoint.vpcEndpointDnsEntries);
    const entryParts = cdk.Fn.split(':', firstEntry);
    const primaryDNSName =, entryParts);

    new route53.CnameRecord(this, "ElasticSearchRecord", {
      zone: hostedZone,
      recordName: "*",
      domainName: primaryDNSName


Read more comments on GitHub >

github_iconTop Results From Across the Web

class InterfaceVpcEndpoint (construct) · AWS CDK
The subnets in which to create an endpoint network interface. service. Type: IInterfaceVpcEndpointService. The service to use for this interface VPC endpoint.
Read more >
What is an Interface VPC Endpoint and how can I ... - YouTube
We appreciate your feedback: more details in the AWS Knowledge Center: ...
Read more >
Connect to Dynatrace using AWS PrivateLink
The interface VPC Endpoint (PrivateLink) must be created in the VPC that's located in the same region as the Dynatrace environment. However, you...
Read more >
Securely Access Services Over AWS PrivateLink - Awsstatic
for Amazon VPC-to-VPC connectivity using AWS PrivateLink. ... interface VPC endpoint in their Amazon VPC and not over public facing AWS endpoints.
Read more >
Create an AWS PrivateLink connection to Confluent Cloud
This networking option is popular for its unique combination of security and simplicity. The following diagram summarizes the AWS PrivateLink architecture with ......
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found