AWS PrivateLink
With PrivateLink, you can connect your Vercel deployments to AWS-hosted backend services over a private connection, without exposing traffic to the public internet. Get started by creating a PrivateLink connection.
- Connect privately to AWS-hosted databases such as Amazon RDS, Aurora, Neon, or Redshift
- Connect to SaaS services that expose a PrivateLink endpoint (e.g. Snowflake, MongoDB Atlas, Confluent)
- Access internal services exposed through an AWS Network Load Balancer
- Connect to S3 or DynamoDB without traversing the public internet
- Meet security and compliance requirements (SOC 2, HIPAA, GDPR) that prohibit public network exposure
PrivateLink only connects to services that have published an AWS PrivateLink endpoint service. If your backend is on-premises, in another cloud, or hasn't been exposed via PrivateLink, use Static IPs with allowlisting or Secure Compute with VPC peering / VPN instead.
When you create a PrivateLink connection, Vercel:
- Provisions a dedicated VPC endpoint in the shared Secure Compute network for your team, in every Availability Zone supported by the target service
- Routes all outbound traffic to that service through the endpoint, keeping it on the AWS private network
- Issues a Vercel-managed DNS name for the connection that is consistent across regions, e.g. *.<service>.team_<id>.endpoints.vercel.com
- Assigns a dedicated AWS IAM role to your team that the service provider can allowlist as a connection principal
- Tracks data transfer per connection so you can see usage broken down by service
Both deployed function traffic and build traffic can route through PrivateLink connections, with the same configuration model as Static IPs.
PrivateLink connections on Vercel use one of two AWS endpoint types:
- Interface Endpoints — used for most services exposed behind an AWS Network Load Balancer
- Gateway Endpoints — used for Amazon S3 and DynamoDB
Gateway Load Balancer Endpoints and Resource Endpoints are not currently supported.
Follow these steps to create your first PrivateLink connection.
Before you start, confirm you have:
- A Vercel project on a team with Advanced Networking enabled
- An AWS PrivateLink endpoint service you can connect to — either one that accepts all principals, or one where an IAM role ARN can be added to the allowlist
- The service name (for example com.amazonaws.vpce.<region>.vpce-svc-…) and AWS Region from the provider
- Navigate to Settings → Networking → Advanced Networking → AWS PrivateLink
- Click New Connection
- Enter the service name from the provider and choose the region
- Optionally, enable Private DNS so that your deployments resolve the private DNS name Vercel generates for the connection
Redeploy your project and confirm requests to the backend succeed over the PrivateLink connection.
PrivateLink connections are region-specific and do not apply to Routing Middleware, which runs at the edge.
Interface endpoints on shared networks cannot use the provider's private hosted zone DNS. Vercel gives each connection a stable hostname under your team's private hosted zone:
<service>.team_<team-id>.endpoints.vercel.com
Use that hostname instead of the AWS-generated vpce-…vpce.amazonaws.com name or the provider's public hostname. The hostname is consistent across regions.
Assigning a PrivateLink connection to a project applies to all environments in that project. Per-environment scoping is not supported.
- Each PrivateLink connection exists in a single AWS region. Create one connection per region when you need multi-region access.
- Vercel shared networks run across the Availability Zones Vercel supports in each region, so connections work with services regardless of which zones they expose.
- Pick regions close to your provider to reduce latency.
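The two configuration mistakes the notes above warn about (pointing a connection string at the provider's public hostname or at the AWS-generated vpce name instead of the Vercel-managed `<service>.team_<team-id>.endpoints.vercel.com` hostname, and pairing a service name with a connection region other than the one embedded in it) are easy to catch before deploying. The following preflight script is an added example, not code from Vercel or AWS; the team id, service id and hostnames in it are constructed samples, and the hostname patterns are derived from the formats shown on this page.

```javascript
// Added example (not Vercel's or AWS's code): preflight checks for a project that
// routes backend traffic through an AWS PrivateLink connection on Vercel.
// All service names, team ids and hostnames below are constructed samples.

// Endpoint service names published by a provider have the shape
// com.amazonaws.vpce.<region>.vpce-svc-<id>; the region is embedded in the name.
const SERVICE_NAME_RE =
  /^com\.amazonaws\.vpce\.([a-z]{2}(?:-[a-z]+)+-\d)\.(vpce-svc-[0-9a-f]+)$/;

// Vercel-managed hostname for a connection: <service>.team_<team-id>.endpoints.vercel.com
// (labels in front of it are accepted, matching the *.<service>... form on this page).
const VERCEL_ENDPOINT_RE = /^(?:[a-z0-9-]+\.)+team_[a-z0-9]+\.endpoints\.vercel\.com$/i;

// AWS-generated interface endpoint names end in .vpce.amazonaws.com; on the shared
// network they should be replaced by the Vercel-managed hostname.
const AWS_VPCE_SUFFIX = ".vpce.amazonaws.com";

// Split a service name into its region and service id, or return null if malformed.
function parseServiceName(serviceName) {
  const m = SERVICE_NAME_RE.exec(serviceName);
  return m ? { region: m[1], serviceId: m[2] } : null;
}

// Classify where a backend hostname would send traffic.
function classifyHost(hostname) {
  const h = hostname.toLowerCase();
  if (VERCEL_ENDPOINT_RE.test(h)) return "vercel-managed";
  if (h.endsWith(AWS_VPCE_SUFFIX)) return "aws-vpce";
  return "public";
}

// Parse a connection URL (postgres://, https://, mongodb://, ...) and classify its host.
function checkBackendUrl(url) {
  const hostname = new URL(url).hostname;
  const kind = classifyHost(hostname);
  return { hostname, kind, ok: kind === "vercel-managed" };
}

// Run every check for one connection definition and return the findings.
function preflight({ serviceName, region, backendUrls }) {
  const issues = [];
  const parsed = parseServiceName(serviceName);
  if (!parsed) {
    issues.push(`invalid service name: ${serviceName}`);
  } else if (parsed.region !== region) {
    // A connection lives in one region; the service name must agree with it.
    issues.push(`service is in ${parsed.region} but connection region is ${region}`);
  }
  for (const url of backendUrls) {
    const r = checkBackendUrl(url);
    if (r.kind === "aws-vpce") {
      issues.push(`${r.hostname}: use the Vercel-managed hostname, not the AWS vpce name`);
    } else if (r.kind === "public") {
      issues.push(`${r.hostname}: public hostname, traffic would not use PrivateLink`);
    }
  }
  return issues;
}

// Constructed sample configuration: one correct connection string and one that
// still points at the provider's public hostname.
const sample = {
  serviceName: "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
  region: "us-east-1",
  backendUrls: [
    "postgres://app:secret@db.team_abc123.endpoints.vercel.com:5432/app",
    "postgres://app:secret@db.cluster-xyz.us-east-1.rds.amazonaws.com:5432/app",
  ],
};

for (const issue of preflight(sample)) console.log("warn:", issue);
```

Running the script with the sample prints one warning, for the RDS hostname; the Vercel-managed hostname passes. Wiring `preflight` into a CI step that reads the project's environment variables catches a connection string that was copied from the provider's console and silently bypasses the private path.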
- Interface endpoints: For most services behind an AWS Network Load Balancer
- Gateway endpoints: For Amazon S3 and DynamoDB
Gateway Load Balancer endpoints and resource endpoints are not supported.
- Provider private DNS is not available on shared networks. Use the Vercel-managed DNS hostname.
- Isolation: Each connection is dedicated to your team, but the underlying VPC is shared with other customers. For full isolation, use Secure Compute.
- Services must publish an AWS PrivateLink endpoint service and allowlist your team's IAM role.
- Project-level configuration: You cannot limit a connection to a single deployment environment inside a project.
- Endpoint types: Only interface endpoints and gateway endpoints are supported.