---
title: AWS PrivateLink
product: vercel
url: /docs/networking/privatelink
canonical_url: "https://vercel.com/docs/networking/privatelink"
last_updated: 2026-05-06
type: reference
prerequisites:
  - /docs/networking
related:
  - /docs/networking/static-ips
  - /docs/networking/secure-compute
  - /docs/projects
  - /docs/routing-middleware
  - /docs/glossary
summary: Connect Vercel deployments to AWS-hosted backends through AWS PrivateLink without using the public internet.
install_vercel_plugin: npx plugins add vercel/vercel-plugin
---

# AWS PrivateLink

With PrivateLink, you can connect your Vercel deployments to AWS-hosted backend services over a private connection, without exposing traffic to the public internet. [Get started](#getting-started) by creating a PrivateLink connection.

## When to use PrivateLink

- Connect privately to AWS-hosted databases such as Amazon RDS, Aurora, Neon, or Redshift
- Connect to SaaS services that expose a PrivateLink endpoint (e.g. Snowflake, MongoDB Atlas, Confluent)
- Access internal services exposed through an AWS Network Load Balancer
- Connect to S3 or DynamoDB without traversing the public internet
- Meet security and compliance requirements (SOC 2, HIPAA, GDPR) that prohibit public network exposure

## When not to use PrivateLink

PrivateLink only connects to services that have published an AWS PrivateLink endpoint service. If your backend is on-premises, in another cloud, or hasn't been exposed via PrivateLink, use [Static IPs](/docs/networking/static-ips) with allowlisting or Secure Compute with [VPC peering](/docs/networking/secure-compute#vpc-peering) / [VPN](/docs/networking/secure-compute#vpn-support) instead.

## How it works

When you create a PrivateLink connection, Vercel:

- **Provisions a dedicated VPC endpoint** in the shared Secure Compute network for your team, in every Availability Zone supported by the target service
- **Routes all outbound traffic** to that service through the endpoint, keeping it on the AWS private network
- **Issues a Vercel-managed DNS name** for the connection that is consistent across regions, e.g. `*.<service>.team_<id>.endpoints.vercel.com`
- **Assigns a dedicated AWS IAM role** to your team that the service provider can allowlist as a connection principal
- **Tracks data transfer per connection** so you can see usage broken down by service

Both deployed function traffic and build traffic can route through PrivateLink connections, with the same configuration model as Static IPs.

### Supported endpoint types

- **Interface Endpoints** — used for most services exposed behind an AWS Network Load Balancer
- **Gateway Endpoints** — used for Amazon S3 and DynamoDB

Gateway Load Balancer Endpoints and Resource Endpoints are not currently supported.

## Getting started

Follow these steps to create your first PrivateLink connection.

### Prerequisites

Before you start, confirm you have:

- A [Vercel project](/docs/projects) on a team with **Advanced Networking** enabled
- An AWS PrivateLink endpoint service you can connect to — either one that accepts all principals, or one where an IAM role ARN can be added to the allowlist
- The **service name** (for example `com.amazonaws.vpce.<region>.vpce-svc-…`) and **AWS Region** from the provider

### Create the connection in Vercel

1. Navigate to **Settings** → [**Networking**](https://vercel.com/d?to=%2F%5Bteam%5D%2F%7E%2Fsettings%2Fnetworking%23static-ips&title=Networking) → **Advanced Networking** → **AWS PrivateLink**
2. Click **New Connection**
3. Enter the **service name** from the provider and choose the **region**
4. Optionally, enable **Private DNS** so your deployments resolve the connection through a private DNS name generated by Vercel

### Verify traffic

Redeploy your project and confirm requests to the backend succeed over the PrivateLink connection.

## Managing PrivateLink

### Routing Middleware support

PrivateLink connections are region-specific and do not apply to [Routing Middleware](/docs/routing-middleware), which runs at the [edge](/docs/glossary#edge).

### DNS

Interface endpoints on shared networks cannot use the provider's private hosted zone DNS. Vercel gives each connection a stable hostname under your team's private hosted zone:

```
<service>.team_<team-id>.endpoints.vercel.com
```

Use that hostname instead of the AWS-generated `vpce-…vpce.amazonaws.com` name or the provider's public hostname. The hostname is consistent across regions.
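
A configuration check for the hostname rule above and the **Verify traffic** step, as an added example that is not Vercel's own code. The function names, sample hostnames and the alphanumeric team ID format are assumptions, as is the expectation that an interface endpoint's hostname resolves only to RFC 1918 addresses (gateway endpoints for S3 and DynamoDB are out of scope).

```javascript
// Added example; hostnames, IPs and function names below are constructed.
// Assumption: the team ID after "team_" is alphanumeric.
const VERCEL_MANAGED = /^([a-z0-9-]+\.)+team_[a-z0-9]+\.endpoints\.vercel\.com$/;
const AWS_GENERATED = /^vpce-[a-z0-9.-]*\.vpce\.amazonaws\.com$/;

// Classify the host of a backend URL against the naming rule in this section.
function classifyBackendHost(backendUrl) {
  const host = new URL(backendUrl).hostname.toLowerCase();
  if (VERCEL_MANAGED.test(host)) return { host, kind: "vercel-managed", ok: true };
  if (AWS_GENERATED.test(host)) return { host, kind: "aws-generated", ok: false };
  return { host, kind: "other", ok: false };
}

// True for RFC 1918 IPv4 addresses (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Pure decision step: hostname must be Vercel-managed and (assumption) every
// resolved address must be private, otherwise traffic may leave the private path.
function evaluate(backendUrl, resolvedAddrs) {
  const c = classifyBackendHost(backendUrl);
  const problems = [];
  if (!c.ok) problems.push(`host ${c.host} is ${c.kind}, expected the Vercel-managed hostname`);
  if (resolvedAddrs.length === 0) problems.push("hostname did not resolve");
  const publicAddrs = resolvedAddrs.filter((a) => !isPrivateIPv4(a));
  if (publicAddrs.length) problems.push(`non-private address(es): ${publicAddrs.join(", ")}`);
  return { ...c, problems, pass: problems.length === 0 };
}

// Runtime wrapper: call from a function running inside the deployment, where
// the connection's DNS name is resolvable, and fail the health check if !pass.
async function verifyBackend(backendUrl) {
  const { resolve4 } = await import("node:dns/promises");
  const addrs = await resolve4(new URL(backendUrl).hostname).catch(() => []);
  return evaluate(backendUrl, addrs);
}
```

Run `verifyBackend` against the connection string your functions actually use; a result of `aws-generated` or `other` means the configuration still points at a name this section says to avoid.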

### PrivateLink with deployment environments

Assigning a PrivateLink connection to a project applies to all environments in that project. Per-environment scoping is not supported.

### Regional considerations

- Each PrivateLink connection exists in a single AWS region. Create one connection per region when you need multi-region access.
- Vercel shared networks run across the Availability Zones Vercel supports in each region, so connections work with services regardless of which zones they expose.
- Pick regions close to your provider to reduce latency.

## Limitations

- **Provider private DNS** is not available on shared networks. Use the Vercel-managed DNS hostname.
- **Isolation**: Each connection is dedicated to your team, but the underlying VPC is shared with other customers. For full isolation, use Secure Compute.
- **Services** must publish an AWS PrivateLink endpoint service and allowlist your team's IAM role.
- **Project-level configuration**: You cannot limit a connection to a single deployment environment inside a project.
- **Endpoint types**: Only interface endpoints and gateway endpoints are supported.


