I have two VPCs, a consumer VPC and a service VPC. Consumer application HAS to access the service via AWS PrivateLink and it HAS to be an HTTPS call. Here is my current setup, which works:
Note that since this is all on my own single account right now, I can set example.com to point to the VPC Endpoint, and I can add the cert for example.com to the Network Load Balancer. This allows me to call https://example.com from the consumer app and get all the way to the service.
However, in a real world scenario, the two VPCs would not be on the same account. I'm wondering how, in the latter scenario, HTTPS PrivateLink would be accomplished. If the service provider is in control of the domain, how would the consumer point that domain to the VPC endpoint? I found this but can't see the forest for the trees just yet:
Q: How do I make sure my customers can establish HTTPS connections to my service over VPC endpoints?
A: You will need to update your certificates to support wildcard DNS names following the name pattern of VPC endpoints. If your service is using Amazon’s DNS names, we will provide you a certificate using Amazon Certificate Management service (ACM). If your service is using your own DNS names, you will need to update the certificate yourself.
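The quoted FAQ answer turns on one concrete check: will the hostname the consumer connects to (its own name like `example.com`, or the `vpce-...` DNS name AWS generates for the interface endpoint) be covered by a Subject Alternative Name on the certificate the NLB presents? The script below is an added example, not part of the original post or any AWS tool. It reimplements the RFC 6125 hostname-matching rule a TLS client applies (wildcard only as the whole leftmost label, matching exactly one label), reports which endpoint names a given SAN list leaves uncovered, and derives the single wildcard entry that covers every DNS name of one endpoint service. The endpoint IDs, service IDs and SAN entries are constructed placeholders.

```python
"""Check whether a certificate's SANs cover the hostnames consumers will use
to reach a PrivateLink-fronted NLB.  Added example; all names are constructed."""

# Constructed examples of the two DNS name shapes AWS generates for an
# interface endpoint: one regional name and one per-Availability-Zone name.
ENDPOINT_DNS_NAMES = [
    "vpce-0123456789abcdef0-abcd1234.vpce-svc-0fedcba9876543210.us-east-1.vpce.amazonaws.com",
    "vpce-0123456789abcdef0-abcd1234-us-east-1a.vpce-svc-0fedcba9876543210.us-east-1.vpce.amazonaws.com",
]

# Constructed SAN list for a certificate issued for the provider's own domain.
SERVICE_CERT_SANS = ["example.com", "*.example.com"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one SAN dNSName against a hostname.

    Case-insensitive; a '*' is accepted only as the entire leftmost label and
    matches exactly one label, so '*.example.com' covers 'a.example.com' but
    neither 'example.com' nor 'a.b.example.com'.  Partial wildcards such as
    'vpce-*.example.com' and very short patterns such as '*.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered(san_names, hostname: str) -> bool:
    """True if any SAN entry satisfies the hostname."""
    return any(hostname_matches(san, hostname) for san in san_names)


def uncovered(san_names, hostnames):
    """Return the hostnames that would fail TLS hostname verification."""
    return [h for h in hostnames if not covered(san_names, h)]


def wildcard_for_endpoint(endpoint_dns_name: str) -> str:
    """Derive the wildcard SAN that covers every DNS name of one endpoint
    service.  The leftmost label varies per consumer endpoint and per AZ; the
    remaining labels (service ID, region, vpce.amazonaws.com) do not, so one
    wildcard on that suffix suffices.  Assumes the name shape shown above."""
    labels = endpoint_dns_name.lower().rstrip(".").split(".")
    if len(labels) < 6 or not labels[1].startswith("vpce-svc-"):
        raise ValueError("not an interface endpoint DNS name: %r" % endpoint_dns_name)
    return "*." + ".".join(labels[1:])


def report(san_names, hostnames) -> dict:
    """Summarise coverage and the SAN that would close any gap."""
    missing = uncovered(san_names, hostnames)
    suggested = sorted({wildcard_for_endpoint(h) for h in missing if ".vpce." in h})
    return {"uncovered": missing, "suggested_sans": suggested}


if __name__ == "__main__":
    # Consumer uses the provider's own name: already covered.
    print("example.com covered:", covered(SERVICE_CERT_SANS, "example.com"))
    # Consumer uses the AWS-generated endpoint names: not covered until the
    # provider adds the wildcard the FAQ refers to.
    before = report(SERVICE_CERT_SANS, ENDPOINT_DNS_NAMES)
    print("uncovered before:", before["uncovered"])
    print("add to cert:", before["suggested_sans"])
    after = report(SERVICE_CERT_SANS + before["suggested_sans"], ENDPOINT_DNS_NAMES)
    print("uncovered after:", after["uncovered"])
```

Run it against the real SAN list of the certificate on the NLB listener (for example, extracted with `openssl x509 -noout -ext subjectAltName`) and the endpoint DNS names a consumer sees in its own account; an empty `uncovered` list means the consumer can call HTTPS using either its own private DNS name for the service or the generated endpoint name without certificate errors.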