temporalio · lukeknep · May 12, 2026 · May 12, 2026 · May 14, 2026 · May 15, 2026
@@ -33,9 +33,17 @@ After creating the PrivateLink endpoint, configure your clients to use it throug
 
 ## Requirements
 
-Your AWS PrivateLink endpoint must be in the same region as your Temporal Cloud namespace. If using [replication for High Availability](/cloud/high-availability), the PL connection must be in the same region as one of the replicas.
+* Your AWS PrivateLink (PL) endpoint must be in the same region as your Temporal Cloud Namespace. If the Namespace is using [replication for High Availability](/cloud/high-availability), the PL connection must be in the same region as one of the replicas.
+  See [cross-region PrivateLink connectivity](#cross-region-privatelink) to access the Namespace from a different region.
+* Your Private DNS must be configured to direct Worker / Client traffic to your VPC Endpoint, as described below.
+* If the Worker / Client is not using the Namespace Endpoint, it may need to set the `server_name` config to the Namespace Endpoint string, as described below.
 
-AWS Cross Region endpoints are not supported.
+### Cross-region PrivateLink Connectivity {#cross-region-privatelink}
+
+Temporal Cloud does **not** support [cross-region connectivity for AWS PrivateLink](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink/) out of the box. However, if you need to reach Temporal Cloud privately from a different region than your Namespace, you can route traffic to your VPC Endpoint in the Namespace's region using [AWS's native cross-region networking features]((https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html#cross-region-endpoint-access)). 
+
+
+When using High Availability on Temporal Cloud, it's best practice to have two VPC Endpoints, one in each of the Namespace's regions, to ensure at least one VPC Endpoint is accessible during a regional outage.
 
 ## Creating an AWS PrivateLink connection
 
@@ -58,7 +66,7 @@ Individual Namespaces do not use separate services.
 
 :::
 
-<JsonTable filename="/json/privatelink_aws.json" />
+<JsonTable filename="/json/privatelink_services_aws.json" />
 
 7. Confirm your service by clicking on the _Verify service_ button. AWS should respond "Service name verified."
 
@@ -111,7 +119,7 @@ This approach is **optional**; Temporal Cloud works without it. It simply stream
 | Endpoint type      | PHZ domain format                  | Example                                |
 | ------------------ | ---------------------------------- | -------------------------------------- |
 | Namespace endpoint | `<namespace-id>.tmprl.cloud`       | `payments.abcde.tmprl.cloud`           |
-| Regional endpoint  | `<cloud>-<region>.region.tmprl.cloud` | `aws-ap-northeast-2.region.tmprl.cloud` |
+| Regional endpoint  | `<region>.<cloud>.api.temporal.io` | `ap-northeast-2.aws.api.temporal.io` |
 
 ### Step-by-step instructions
 
@@ -203,12 +211,14 @@ For single-region Namespaces, you can avoid creating DNS records for each Namesp
 
 With this approach, new Namespaces do not require new DNS records.
 
-:::warning Not compatible with High Availability Namespaces
+:::caution Extra care needed for Namespaces with High Availability
+
+Direct VPCE targeting bypasses the Temporal-managed DNS CNAME that normally routes a Namespace to its active region, so each Worker is pinned to whichever VPC Endpoint you configure. To keep both regions reachable, you must run Workers in each region and configure them with **different endpoints**:
+
+- Workers in the primary region: the local VPC Endpoint for that region (e.g., `vpce-...-us-east-1.vpce.amazonaws.com:7233`).
+- Workers in the replica region: the local VPC Endpoint for that region (e.g., `vpce-...-us-west-2.vpce.amazonaws.com:7233`).
 
-This approach does not work for Namespaces with High Availability features.
-HA Namespaces rely on Temporal's public DNS CNAME records to route traffic to the active region during failover.
-If you bypass DNS, your Workers cannot follow the CNAME to the new region.
-For HA Namespaces, use [private DNS](#configuring-private-dns-for-aws-privatelink) instead.
+All Workers require the same SNI override — the Namespace Endpoint value (e.g., `my-namespace.my-account.tmprl.cloud`).
 
 :::
 

@@ -38,7 +38,9 @@ If you use GCP Private Service Connect, you must manually update your workers to
 
 ## Requirements
 
-Your GCP Private Service Connect connection must be in the same region as your Temporal Cloud namespace. If using [replication for High Availability](/cloud/high-availability), the PSC connection must be in the same region as one of the replicas.
+* Your GCP Private Service Connect endpoint must be in the same region as your Temporal Cloud namespace. If using [replication for High Availability](/cloud/high-availability), the PSC connection must be in the same region as one of the replicas.
+* Your Private DNS must be configured to direct Worker / Client traffic to your PSC endpoint, as described below.
+* If the Worker / Client is not using the Namespace Endpoint, it may need to set the `server_name` config to the Namespace Endpoint string, as described below.
 
 ## Creating a Private Service Connect connection
 
@@ -131,7 +133,7 @@ This approach is **optional**; Temporal Cloud works without it. It simply stream
 | ------------------------------------------ | ---------------------------------- | ---------------------------------------------- |
 | Single-region namespace with mTLS auth     | `<account>.tmprl.cloud`            | `payments.abcde.tmprl.cloud` ↔ `X.X.X.X`       |
 | Single-region namespace with API-key auth  | `<cloud_provider>.api.temporal.io` | `us-central1.gcp.api.temporal.io` ↔ `X.X.X.X`  |
-| Multi-region namespace | `region.tmprl.cloud`               | `gcp-us-central1.region.tmprl.cloud` ↔ `X.X.X.X` |
+| Multi-region namespace | `<cloud_provider>.api.temporal.io` | `us-central1.gcp.api.temporal.io` ↔ `X.X.X.X` |
 
 ### Step-by-step instructions
 
@@ -152,7 +154,7 @@ Save the internal IP -- you will point the A record at it.
 1. Open _Network Services → Cloud DNS → Create zone_.
 2. Select zone type **Private**.
 3. Enter a **Zone name** (e.g., `temporal-cloud`).
-4. Enter a **DNS name** based on the table above (e.g., `payments.abcde.tmprl.cloud` or `aws-us-east-1.region.tmprl.cloud`).
+4. Enter a **DNS name** based on the table above (e.g., `payments.abcde.tmprl.cloud` or `us-east-1.aws.api.temporal.io`).
 5. Select **Add networks** and choose the Project and Network that contains your PSC endpoint.
 6. Click **Create**.
 

@@ -223,7 +223,7 @@ The TLS server name override depends on your authentication method:
 | -------------- | ---------------------- |
 | mTLS (single-region Namespace) | The Namespace Endpoint, e.g. `my-namespace.my-account.tmprl.cloud` |
 | API key (single-region Namespace) | The regional API endpoint, e.g. `us-east-1.aws.api.temporal.io` or `us-central1.gcp.api.temporal.io` |
-| Multi-region Namespace (mTLS or API key) | The active region endpoint, e.g. `aws-us-east-1.region.tmprl.cloud` |
+| Multi-region Namespace (mTLS or API key) | The active region endpoint, e.g. `us-east-1.aws.api.temporal.io` |
 
 If you authenticate with an API key over PrivateLink/PSC and use the wrong server name, the TLS handshake will fail with errors such as `connection reset by peer` even though `nc` reports the port as open.
 

@@ -37,3 +37,9 @@ If you have to allowlist IP ranges, you must allowlist the entire cloud provider
 - [GCP IP address ranges](https://www.gstatic.com/ipranges/cloud.json)
 
 :::
+
+:::note Don't depend on DNS resolution behavior
+
+Take a dependency on Temporal's published endpoints (the hostnames themselves), not on what they resolve to. The underlying IP addresses, CNAME chains, and resolution behavior can change at any time without notice. The **only** exception is the Namespace Endpoint for a Namespace with [High Availability features](/cloud/high-availability), which deterministically CNAMEs to its active region's regional record — see [Connectivity for High Availability](/cloud/high-availability/ha-connectivity) for details.
+
+:::
@@ -98,6 +98,12 @@ Temporal Cloud expresses the active replica through DNS:
 
 Namespace DNS records have a 15-second TTL. Clients should converge to the new region within roughly 30 seconds (about twice the TTL) once their resolver cache expires.
 
+:::note Deterministic DNS behavior is unique to HA Namespace Endpoints
+
+This is the **only** place in Temporal Cloud where you can depend on Temporal-managed DNS to behave in a specific, deterministic way — a Namespace Endpoint on an HA Namespace CNAMEing to its active region's regional record. Everywhere else, take a dependency on Temporal's published endpoints (the hostnames themselves), not on what they resolve to. The underlying IP addresses, CNAME chains, and resolution behavior of non-HA endpoints can change at any time without notice.
+
+:::
+
 For private connectivity, your job is to make sure that:
 
 - Override the Regional Endpoint's DNS zone to resolve to a VPC Endpoint.
@@ -108,19 +114,20 @@ For private connectivity, your job is to make sure that:
 ### How Namespace DNS records work with PrivateLink
 
 When using PrivateLink, you connect to Temporal Cloud through a VPC Endpoint, which uses addresses local to your network.
-Temporal treats each `region.<tmprl_domain>` as a separate zone.
-This setup allows you to override the default zone, ensuring that traffic is routed internally for the regions you're using.
+Temporal treats each `region.tmprl.cloud` zone as a separate zone, so you override resolution per region — this routes traffic to your VPC Endpoint internally for the regions you're using.
 
 A Namespace's active region is reflected in the target of the Namespace Endpoint's CNAME record.
 For example, if the active region of a Namespace is AWS us-east-1, the DNS configuration would look like this:
 
-| ha-namespace.account-id.tmprl.cloud | CNAME | aws-us-east-1.region.tmprl.cloud |
-| ----------------------------------- | ----- | -------------------------------- |
+| Record name                         | Record type | Value                              |
+| ----------------------------------- | ----------- | ---------------------------------- |
+| ha-namespace.account-id.tmprl.cloud | CNAME       | aws-us-east-1.region.tmprl.cloud   |
 
 After a failover, the CNAME record is updated to point to the failover region, for example:
 
-| ha-namespace.account-id.tmprl.cloud | CNAME | aws-us-west-2.region.tmprl.cloud |
-| ----------------------------------- | ----- | -------------------------------- |
+| Record name                         | Record type | Value                              |
+| ----------------------------------- | ----------- | ---------------------------------- |
+| ha-namespace.account-id.tmprl.cloud | CNAME       | aws-us-west-2.region.tmprl.cloud   |
 
 The Temporal domain did not change, but the CNAME updated from us-east-1 to us-west-2.
 
@@ -141,7 +148,7 @@ In AWS, use a Route 53 private hosted zone for `region.tmprl.cloud` to override
 
 Link the private zone to every VPC where Workers run.
 
-When your Workers connect to the Namespace, they first resolve `<ns>.<account>.tmprl.cloud`, which CNAMEs to `<aws-active-region>.region.tmprl.cloud`, which then resolves to your local VPC Endpoint.
+When your Workers connect to the Namespace, they first resolve `<ns>.<account>.tmprl.cloud`, which CNAMEs to `aws-<active-region>.region.tmprl.cloud`, which then resolves to your local VPC Endpoint.
 
 You also need to decide how Workers reach whichever region becomes active. Either:
 
@@ -182,17 +189,6 @@ If you run Workers on Alpine and use multi-cloud HA, either:
 
 :::
 
-To set up the DNS override, configure specific regions to target the internal VPC Endpoint IP addresses.
-For example, you might set `aws-us-west-1.region.tmprl.cloud` to target `192.168.1.2`.
-In AWS, this can be done using a Route 53 private hosted zone for `region.tmprl.cloud`.
-Link that private zone to the VPCs you use for Workers.
-
-A reasonable validation plan:
-
-Consider how you'll configure Workers for this setup.
-You can either have Workers run in both regions continuously or establish connectivity between regions using Transit Gateway or VPC Peering.
-Either approach ensures Workers can access the newly activated region once failover occurs.
-
 ### Available regions, PrivateLink endpoints, and DNS record overrides
 
 :::caution

@@ -1,7 +1,7 @@
 ### Asia Pacific - Tokyo (`ap-northeast-1`)
 
 - **Cloud API Code**: `aws-ap-northeast-1`
-- **Regional Endpoint**: `aws-ap-northeast-1.region.tmprl.cloud`
+- **Regional Endpoint**: `ap-northeast-1.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-northeast-1.vpce-svc-08f34c33f9fb8a48a`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -16,7 +16,7 @@
 ### Asia Pacific - Seoul (`ap-northeast-2`)
 
 - **Cloud API Code**: `aws-ap-northeast-2`
-- **Regional Endpoint**: `aws-ap-northeast-2.region.tmprl.cloud`
+- **Regional Endpoint**: `ap-northeast-2.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-northeast-2.vpce-svc-08c4d5445a5aad308`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -31,7 +31,7 @@
 ### Asia Pacific - Mumbai (`ap-south-1`)
 
 - **Cloud API Code**: `aws-ap-south-1`
-- **Regional Endpoint**: `aws-ap-south-1.region.tmprl.cloud`
+- **Regional Endpoint**: `ap-south-1.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-south-1.vpce-svc-0ad4f8ed56db15662`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -46,7 +46,7 @@
 ### Asia Pacific - Hyderabad (`ap-south-2`)
 
 - **Cloud API Code**: `aws-ap-south-2`
-- **Regional Endpoint**: `aws-ap-south-2.region.tmprl.cloud`
+- **Regional Endpoint**: `ap-south-2.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-south-2.vpce-svc-08bcf602b646c69c1`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -61,7 +61,7 @@
 ### Asia Pacific - Singapore (`ap-southeast-1`)
 
 - **Cloud API Code**: `aws-ap-southeast-1`
-- **Regional Endpoint**: `aws-ap-southeast-1.region.tmprl.cloud`
+- **Regional Endpoint**: `ap-southeast-1.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-southeast-1.vpce-svc-05c24096fa89b0ccd`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -76,7 +76,7 @@
 ### Asia Pacific - Sydney (`ap-southeast-2`)
 
 - **Cloud API Code**: `aws-ap-southeast-2`
-- **Regional Endpoint**: `aws-ap-southeast-2.region.tmprl.cloud`
+- **Regional Endpoint**: `ap-southeast-2.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ap-southeast-2.vpce-svc-0634f9628e3c15b08`
 - **Same Region Replication**: Available
 - **Multi-Region Replication**:
@@ -91,7 +91,7 @@
 ### Europe - Frankfurt (`eu-central-1`)
 
 - **Cloud API Code**: `aws-eu-central-1`
-- **Regional Endpoint**: `aws-eu-central-1.region.tmprl.cloud`
+- **Regional Endpoint**: `eu-central-1.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-central-1.vpce-svc-073a419b36663a0f3`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -103,7 +103,7 @@
 ### Europe - Ireland (`eu-west-1`)
 
 - **Cloud API Code**: `aws-eu-west-1`
-- **Regional Endpoint**: `aws-eu-west-1.region.tmprl.cloud`
+- **Regional Endpoint**: `eu-west-1.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-west-1.vpce-svc-04388e89f3479b739`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -115,7 +115,7 @@
 ### Europe - London (`eu-west-2`)
 
 - **Cloud API Code**: `aws-eu-west-2`
-- **Regional Endpoint**: `aws-eu-west-2.region.tmprl.cloud`
+- **Regional Endpoint**: `eu-west-2.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.eu-west-2.vpce-svc-0ac7f9f07e7fb5695`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -128,7 +128,7 @@
 
 - **Cloud API Code**: `aws-ca-central-1`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.ca-central-1.vpce-svc-080a781925d0b1d9d`
-- **Regional Endpoint**: `aws-ca-central-1.region.tmprl.cloud`
+- **Regional Endpoint**: `ca-central-1.aws.api.temporal.io:7233`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
   - `aws-us-east-1`
@@ -142,7 +142,7 @@
 ### North America - Northern Virginia (`us-east-1`)
 
 - **Cloud API Code**: `aws-us-east-1`
-- **Regional Endpoint**: `aws-us-east-1.region.tmprl.cloud`
+- **Regional Endpoint**: `us-east-1.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-east-1.vpce-svc-0822256b6575ea37f`
 - **Same Region Replication**:  Available
 - **Multi-Region Replication**:
@@ -157,7 +157,7 @@
 ### North America - Ohio (`us-east-2`)
 
 - **Cloud API Code**: `aws-us-east-2`
-- **Regional Endpoint**: `aws-us-east-2.region.tmprl.cloud`
+- **Regional Endpoint**: `us-east-2.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-east-2.vpce-svc-01b8dccfc6660d9d4`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**:
@@ -172,7 +172,7 @@
 ### North America - Oregon (`us-west-2`)
 
 - **Cloud API Code**: `aws-us-west-2`
-- **Regional Endpoint**: `aws-us-west-2.region.tmprl.cloud`
+- **Regional Endpoint**: `us-west-2.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.us-west-2.vpce-svc-0f44b3d7302816b94`
 - **Same Region Replication**:  Available
 - **Multi-Region Replication**:
@@ -187,7 +187,7 @@
 ### South America - São Paulo (`sa-east-1`)
 
 - **Cloud API Code**: `aws-sa-east-1`
-- **Regional Endpoint**: `aws-sa-east-1.region.tmprl.cloud`
+- **Regional Endpoint**: `sa-east-1.aws.api.temporal.io:7233`
 - **PrivateLink Endpoint Service**: `com.amazonaws.vpce.sa-east-1.vpce-svc-0ca67a102f3ce525a`
 - **Same Region Replication**:  Not Available
 - **Multi-Region Replication**: