Use this guide when your AWS resources and your Coralogix domain are hosted in the same AWS region. This is the primary and recommended PrivateLink configuration.

## Prerequisites

Review the following requirements before creating the PrivateLink endpoint:

- **Amazon S3** - If your integration uses Amazon S3 (for example, Lambda-based ingestion), the VPC must have an [S3 Gateway Endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3) configured.
- **AWS Secrets Manager** - If your Lambda function retrieves secrets at runtime, you must [create an Interface VPC Endpoint](https://aws.amazon.com/blogs/security/how-to-connect-to-aws-secrets-manager-service-within-a-virtual-private-cloud/) for the `com.amazonaws.<region>.secretsmanager` service.

## Set up

### Step 1: Identify the Coralogix service

Determine the Coralogix PrivateLink service name that matches your Coralogix domain, using the Coralogix PrivateLink endpoints and deployment page as a reference. This service is the entry point for traffic from your VPC to Coralogix.

### Step 2: Create the Interface VPC endpoint

1. In the AWS Console, navigate to VPC, then Endpoints and select **Create endpoint**.

1. For **Service category**, choose **PrivateLink Ready partner services**.

1. Enter the Coralogix service name and select **Verify service**.

   If verification fails, contact Coralogix Support.

1. Select the VPC in which to create the endpoint.

### Step 3: Enable private DNS

Select **Enable DNS name** to enable private DNS names for the endpoint. This allows Coralogix private FQDNs (for example, `ingress.private.<your-domain>`) to resolve to the private IP addresses of the endpoint network interfaces (ENIs) inside your VPC.

### Step 4: Configure security groups

Attach a security group that allows inbound TCP traffic on port 443 to the ENIs.

### Step 5: Create endpoint and validate connectivity

Select **Create endpoint**.

The endpoint status initially appears as **Pending**. Once the status changes to **Available**, validate connectivity using one of the following methods.

- Send a test log from a resource within the VPC using [Coralogix REST API /singles](https://coralogix.com/docs/developer-portal/apis/log-ingestion/coralogix-rest-api-singles/).

- From a workload inside the VPC (for example, an EC2 instance), run:

  ```bash
  # Example for the US1 region:
  # telnet ingress.private.us1.coralogix.com 443
  telnet ingress.private.<region-domain> 443
  ```
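The private DNS behaviour from Step 3 and the port 443 rule from Step 4 can be checked together from a workload inside the VPC. The script below is an added example, not Coralogix tooling; the function names, the VPC CIDR argument, and the assumption that the endpoint presents a certificate valid for the private FQDN are this example's own.

```python
import ipaddress
import socket
import ssl
import sys


def resolve(host, port=443):
    """IPv4 addresses the local (VPC) resolver returns for host."""
    infos = socket.getaddrinfo(host, port, family=socket.AF_INET, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def outside_vpc(addresses, vpc_cidr):
    """Addresses that do not fall inside the VPC CIDR, so cannot be endpoint ENIs."""
    net = ipaddress.ip_network(vpc_cidr)
    return [a for a in addresses if ipaddress.ip_address(a) not in net]


def tls_reachable(host, port=443, timeout=5.0):
    """True if a certificate-verified TLS handshake with host:port completes."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # covers timeouts, refusals and ssl.SSLError
        return False


def validate(host, vpc_cidr, resolver=resolve, prober=tls_reachable):
    """Return (ok, reason) for the private FQDN as seen from this workload."""
    try:
        addrs = resolver(host)
    except socket.gaierror as exc:
        return False, f"DNS lookup failed: {exc}"
    stray = outside_vpc(addrs, vpc_cidr)
    if stray:
        return False, f"{host} resolves outside {vpc_cidr}: {stray}; private DNS is not in effect"
    if not prober(host):
        return False, f"{host} -> {addrs}, but TLS on 443 failed; check the endpoint security group"
    return True, f"{host} -> {addrs} inside {vpc_cidr}; TLS on 443 succeeded"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_privatelink.py <private-fqdn> <vpc-cidr>")
    ok, reason = validate(sys.argv[1], sys.argv[2])
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

A FAIL that reports addresses outside the VPC CIDR means traffic to that name would not use the endpoint, which a plain `telnet` success does not reveal.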

## Next steps

If your AWS resources are in a different region than your Coralogix domain, choose one of the following options:

- **Native Cross-Region PrivateLink (recommended)** - Uses AWS-managed cross-region connectivity without VPC peering. Learn more in our [AWS PrivateLink: Cross-Region Connectivity](https://coralogix.com/docs/integrations/aws/aws-privatelink/aws-privatelink-cross-region-connection/) guide.
- **VPC Peering (legacy)** - Uses cross-region VPC peering and manual routing. Learn more in our [AWS PrivateLink: VPC Peering Configuration](https://coralogix.com/docs/integrations/aws/aws-privatelink/aws-privatelink-vpc-peering-configuration/) guide.
- To complete the setup for AWS Lambda, [align the VPC configuration](https://coralogix.com/docs/integrations/aws/aws-privatelink/aws-privatelink-lambda-configuration/) with your Lambda function.
