Cross-region enabled Amazon Web Services services - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cross-region enabled Amazon Web Services services

The following Amazon Web Services services integrate with cross Region Amazon PrivateLink. You can create an interface endpoint to connect to these services in another Amazon Region, privately, as if they were running in your own VPC.

Choose the link in the Amazon Web Services service column to see the service documentation. The Service name column contains the service name that you specify when you create the interface endpoint.

Amazon Web Services service                   Service name
--------------------------------------------  ---------------------------------------------
Amazon S3                                     cn.com.amazonaws.region.s3
Amazon Identity and Access Management (IAM)   com.amazonaws.iam
Amazon ECR                                    cn.com.amazonaws.region.ecr.api
                                              cn.com.amazonaws.region.ecr.dkr
Amazon Key Management Service                 com.amazonaws.region.kms
                                              com.amazonaws.region.kms-fips
Amazon ECS                                    com.amazonaws.region.ecs
Amazon Lambda                                 cn.com.amazonaws.region.lambda
Amazon Data Firehose                          com.amazonaws.region.kinesis-firehose
Amazon Managed Service for Apache Flink       com.amazonaws.region.kinesisanalytics
                                              cn.com.amazonaws.region.kinesisanalytics-fips
Amazon Route 53                               com.amazonaws.route53

View available Amazon Web Services service names

You can use the describe-vpc-endpoint-services command to view cross Region enabled services.

The following example lists the Amazon Web Services services that a user in the us-east-1 Region can reach over interface endpoints in the specified service Region (us-west-2). The --query option limits the output to the service names.

aws ec2 describe-vpc-endpoint-services \
    --filters Name=service-type,Values=Interface Name=owner,Values=amazon \
    --region us-east-1 \
    --service-region us-west-2 \
    --query ServiceNames

The following is example output. The complete output is not shown.

[
    "com.amazonaws.us-west-2.ecr.api",
    "com.amazonaws.us-west-2.ecr.dkr",
    "com.amazonaws.us-west-2.ecs",
    "com.amazonaws.us-west-2.ecs-fips",
    ...
    "com.amazonaws.us-west-2.s3"
]
Note

You must use regional DNS. Zonal DNS is not supported when accessing Amazon Web Services services in another Region. For more information, see View and update DNS attributes in the Amazon VPC User Guide.

Permissions and Considerations

  • By default, IAM entities don't have permission to access an Amazon Web Services service in another Region. To grant the permissions required for cross Region access, an IAM administrator can create IAM policies that allow the vpce:AllowMultiRegion permission-only action.

  • Ensure that your Service Control Policy (SCP) does not deny the vpce:AllowMultiRegion permission-only action. To use Amazon PrivateLink's cross-region connectivity feature, both your identity policy and your SCP must allow this action.

  • To control the Regions that an IAM entity can specify as a service Region when creating a VPC endpoint, use the ec2:VpceServiceRegion condition key.

  • A service consumer must opt in to an opt-in Region before selecting it as the service Region for an endpoint. Whenever possible, we recommend that service consumers access a service using intra-Region connectivity instead of cross-Region connectivity. Intra-Region connectivity provides lower latency and lower costs.

  • You can use the aws:SourceVpcArn global condition key in resource policies to restrict which Regions, Amazon Web Services accounts, and VPCs your resources can be accessed from. This key helps implement data residency and Region-based access control.

  • For high availability, create a cross Region enabled interface endpoint in at least two Availability Zones. In this case, providers and consumers are not required to use the same Availability Zones.

  • With cross Region access, Amazon PrivateLink manages failover between Availability Zones in both service and consumer Regions. It does not manage failover across Regions.

  • Cross Region access is not supported for the following Availability Zones: use1-az3, usw1-az2, apne1-az3, apne2-az2, and apne2-az4.

  • You can use Amazon Fault Injection Service to simulate regional events and model failure scenarios for in-region and cross-region enabled interface endpoints. To learn more, see Amazon FIS documentation.
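The following identity policy is an added example (not from this guide) that combines the first three considerations above: it grants the vpce:AllowMultiRegion permission-only action and allows ec2:CreateVpcEndpoint only when the requested service Region is us-west-2, using the ec2:VpceServiceRegion condition key. It assumes, as the considerations state, that the key is evaluated on the CreateVpcEndpoint call; the Sid values and the allowed Region are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossRegionPrivateLink",
      "Effect": "Allow",
      "Action": "vpce:AllowMultiRegion",
      "Resource": "*"
    },
    {
      "Sid": "RestrictServiceRegionForNewEndpoints",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceRegion": "us-west-2"
        }
      }
    }
  ]
}
```

The SCP that applies to the entity must not deny vpce:AllowMultiRegion, or the first statement has no effect; aws:SourceVpcArn belongs in the resource policy of the service being reached, not in this identity policy.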

Create an interface endpoint to an Amazon Web Services service in another Region

To create an interface endpoint using the Console, see the Create a VPC endpoint section.

In the CLI, you can use the create-vpc-endpoint command to create a VPC endpoint to an Amazon Web Services service in a different Region. The following example creates an interface endpoint to Amazon S3 in us-west-2 from a VPC in us-east-1.

aws ec2 create-vpc-endpoint \
    --vpc-id vpc-id \
    --service-name com.amazonaws.us-west-2.s3 \
    --vpc-endpoint-type Interface \
    --subnet-ids subnet-id-1 subnet-id-2 \
    --region us-east-1 \
    --service-region us-west-2