com.amazonaws.vpce.<region>.vpce-svc-<id>).
This guide covers the most common patterns for making it accessible to your internal teams and workloads.
What was provisioned
The installation creates:- An internal Network Load Balancer (NLB) in your EKS VPC, routing traffic to the OpenAI API pods.
- An AWS VPC Endpoint Service backed by that NLB, enabling PrivateLink-based access from other VPCs or accounts.
Option 1 — Same VPC (simplest)
Use when:- The workloads that need OpenAI API access run in (or have networking access to) the Impala VPC.
- The identities that need OpenAI API access have access to the Impala VPC (via VPC peering or Site-to-Site VPN).
- Retrieve the NLB DNS name from your Impala installation outputs (
openai_privatelink_nlb_dnsor equivalent). - (Optional) Create a Route 53 private hosted zone record in your VPC:
- Type:
CNAME - Name: e.g.
openai.<DOMAIN> - Value: the NLB DNS name
- Type:
- Workloads call
http://openai.<DOMAIN>— done.
Option 2 — Different VPC, same account
Use when: consuming workloads or a corporate VPN terminate in a different VPC within the same AWS account. 2.1 — Add the target region to the endpoint service (only if the consumer VPC is in a different region)- AWS Console → switch to the EKS region → VPC → Endpoint Services.
- Open the
-openaiendpoint service → Allowed regions tab → Allow regions → add your target region.
- VPC → Endpoints → Create endpoint.
- Type: Endpoint services that use NLBs and GWLBs.
- Service name: paste your endpoint service name → Verify.
- VPC: select the consumer VPC.
- Subnets: select private subnets in each AZ where consumers run.
- Security group: allow inbound TCP 80 from the VPC CIDR (or tighter, scoped to specific security groups).
- Leave Enable private DNS unchecked.
- Create the endpoint.
- VPC → Endpoint Services → open the
-openaiservice. - Endpoint connections tab → select the pending request → Actions → Accept.
- Copy the endpoint’s DNS name from VPC → Endpoints → Details.
- In Route 53, open or create a private hosted zone associated with the consumer VPC.
- Add a
CNAMErecord: e.g.openai.<DOMAIN>→ endpoint DNS name.
Option 3 — Different account (cross-account PrivateLink)
Use when: the consuming team or workload is in a separate AWS account (e.g. a shared services account or a partner account). 3.1 — Allow the other account (in the endpoint service’s account)- VPC → Endpoint Services → open the
-openaiservice. - Allow principals tab → Allow principals → add the consumer account root (or scope it to a specific IAM role for tighter control):
Option 4 — Transit Gateway (hub-and-spoke)
Use when: you have multiple VPCs across accounts or regions that all need access, and you want centralized routing rather than creating a consumer endpoint in every VPC. Architecture:- Create the consumer endpoint once in a shared services VPC.
- Attach that VPC to your Transit Gateway.
- All spoke VPCs route traffic to the shared services VPC via the TGW.
- DNS resolves to the endpoint ENI in the shared VPC; traffic is routed through the TGW.
Validating connectivity
Once set up, test from a workload or machine in the consumer VPC:10.x.x.x address and the health check returns 200 OK.
Summary
| Option | Best for | Complexity |
|---|---|---|
| Same VPC | Workloads in the EKS VPC | Low |
| Different VPC, same account | Separate VPCs or VPN in same account | Medium |
| Cross-account | Partner or multi-account orgs | Medium |
| Transit Gateway | Large multi-VPC environments | High |

