diff --git a/README.md b/README.md
index a0ace60..d263fb6 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,10 @@ Before you begin using this Terraform module, ensure you meet the following prer
 | vpc\_dns\_support | Enable or disable the support of the DNS service | `bool` | `true` | no |
 | single\_nat\_gateway | Enable or disable the option to have single NAT Gateway. | `bool` | `false` | no |
 | enable\_nat\_gateway | Enable or disable the creation of the NAT Gateway | `bool` | `true` | no |
+| vpc\_endpoint\_service\_acceptance\_required | (Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false. | `bool` | n/a | yes |
+| vpc\_endpoint\_service\_allowed\_principals | (Optional) The ARNs of one or more principals allowed to discover the endpoint service. | `list(string)` | n/a | yes |
+| network\_load\_balancer\_arns | Describe the ARN(s) of the load balancer(s) to which you want to have access. | `list(string)` | n/a | yes |
+| graphdb\_enable\_private\_access | Enable or disable the private access via PrivateLink to the GraphDB Cluster | `bool` | n/a | yes |
 | ami\_id | (Optional) User-provided AMI ID to use with GraphDB instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user\_supplied\_userdata\_path variable. | `string` | `null` | no |
 | graphdb\_version | GraphDB version | `string` | `"10.6.2"` | no |
 | device\_name | The device to which EBS volumes for the GraphDB data directory will be mapped. | `string` | `"/dev/sdf"` | no |
diff --git a/main.tf b/main.tf
index 924c527..5f34c74 100644
--- a/main.tf
+++ b/main.tf
@@ -7,14 +7,18 @@ module "vpc" { count = var.create_vpc ? 1 : 0 - resource_name_prefix = var.resource_name_prefix - vpc_dns_hostnames = var.vpc_dns_hostnames - vpc_dns_support = var.vpc_dns_support - vpc_private_subnet_cidrs = var.vpc_private_subnet_cidrs - vpc_public_subnet_cidrs = var.vpc_public_subnet_cidrs - vpc_cidr_block = var.vpc_cidr_block - single_nat_gateway = var.single_nat_gateway - enable_nat_gateway = var.enable_nat_gateway + resource_name_prefix = var.resource_name_prefix + vpc_dns_hostnames = var.vpc_dns_hostnames + vpc_dns_support = var.vpc_dns_support + vpc_private_subnet_cidrs = var.vpc_private_subnet_cidrs + vpc_public_subnet_cidrs = var.vpc_public_subnet_cidrs + vpc_cidr_block = var.vpc_cidr_block + single_nat_gateway = var.single_nat_gateway + enable_nat_gateway = var.enable_nat_gateway + lb_enable_private_access = var.lb_enable_private_access + network_load_balancer_arns = [module.load_balancer.lb_arn] + vpc_endpoint_service_allowed_principals = var.vpc_endpoint_service_allowed_principals + accept_vpc_endpoint_connection_requests = var.accept_vpc_endpoint_connection_requests } module "backup" { @@ -72,10 +76,6 @@ module "monitoring" { module "graphdb" { source = "./modules/graphdb" - providers = { - aws.main = aws.main - } - resource_name_prefix = var.resource_name_prefix aws_region = data.aws_region.current.name aws_subscription_id = data.aws_caller_identity.current.account_id @@ -89,9 +89,9 @@ module "graphdb" { vpc_id = module.vpc[0].vpc_id # Network Load Balancer - - lb_subnets = var.lb_internal ? module.vpc[0].private_subnet_ids : module.vpc[0].public_subnet_ids - graphdb_lb_dns_name = module.load_balancer.lb_dns_name + lb_enable_private_access = var.lb_internal ? var.lb_enable_private_access : false + lb_subnets = var.lb_internal ? module.vpc[0].private_subnet_ids : module.vpc[0].public_subnet_ids + graphdb_lb_dns_name = module.load_balancer.lb_dns_name # Identity 
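Review bot: The PrivateLink flag is gated inconsistently between the two module calls in this file: module "vpc" receives `var.lb_enable_private_access` unchanged, while module "graphdb" (third hunk) receives `var.lb_internal ? var.lb_enable_private_access : false`, so with `lb_internal = false` the endpoint service is still created by the vpc module while the graphdb module behaves as if private access were off. Compute the effective value once in a local and pass it to both calls, e.g. `lb_enable_private_access = local.lb_private_access_enabled`, so the two modules cannot disagree. Passing `[module.load_balancer.lb_arn]` into module "vpc" also makes the VPC module depend on the load balancer; if module.load_balancer takes its VPC or subnet ids from module.vpc (not visible here) Terraform will report a dependency cycle, and the endpoint service would sit more naturally next to the NLB than inside the VPC module. Finally, because module "vpc" has `count = var.create_vpc ? 1 : 0`, setting `lb_enable_private_access = true` together with `create_vpc = false` silently creates no endpoint service; a comment on the variable or a check would make that visible. The module blocks touched here start and end outside the hunks.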
@@ -141,4 +141,8 @@ module "graphdb" { # User data scripts deploy_monitoring = var.deploy_monitoring + + providers = { + aws.main = aws.main + } } diff --git a/modules/graphdb/nsg.tf b/modules/graphdb/nsg.tf index b65decf..44aedf5 100644 --- a/modules/graphdb/nsg.tf +++ b/modules/graphdb/nsg.tf @@ -58,6 +58,8 @@ resource "aws_security_group_rule" "graphdb_network_lb_ingress" { } resource "aws_security_group_rule" "graphdb_lb_healthchecks" { + count = var.lb_enable_private_access ? 0 : 1 + description = "Allow the load balancer to healthcheck the GraphDB nodes and access the proxies." security_group_id = aws_security_group.graphdb_security_group.id type = "ingress" diff --git a/modules/graphdb/variables.tf b/modules/graphdb/variables.tf index 5b047ab..ac2b440 100644 --- a/modules/graphdb/variables.tf +++ b/modules/graphdb/variables.tf @@ -221,3 +221,8 @@ variable "ec2_userdata_script" { description = "Userdata script for EC2 instance" type = string } + +variable "lb_enable_private_access" { + description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster" + type = bool +} diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf index 2b29792..83210cb 100644 --- a/modules/load_balancer/variables.tf +++ b/modules/load_balancer/variables.tf @@ -83,4 +83,4 @@ variable "lb_tls_policy" { description = "TLS security policy on the listener." type = string default = "ELBSecurityPolicy-TLS13-1-2-2021-06" -} +} \ No newline at end of file diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index dd6df0c..4527b29 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf @@ -17,10 +17,11 @@ locals { # GraphDB VPC resource "aws_vpc" "graphdb_vpc" { - cidr_block = var.vpc_cidr_block enable_dns_hostnames = var.vpc_dns_hostnames enable_dns_support = var.vpc_dns_support + + tags = local.tags } # GraphDB Internet Gateway 
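Review bot: Adding `count` to the existing `aws_security_group_rule.graphdb_lb_healthchecks` in modules/graphdb/nsg.tf changes its address to `aws_security_group_rule.graphdb_lb_healthchecks[0]`, so existing deployments will plan a destroy and re-create of the rule and briefly lose health-check ingress unless a moved block accompanies it: `moved { from = aws_security_group_rule.graphdb_lb_healthchecks  to = aws_security_group_rule.graphdb_lb_healthchecks[0] }`. The rule is also removed entirely when private access is enabled, although its own description says it lets the load balancer health-check the nodes; if `graphdb_network_lb_ingress` does not admit the NLB's own addresses in that mode, targets will go unhealthy, so either confirm that and add a comment such as `# Not needed with PrivateLink: <reason>` above the count, or keep the rule. The resource body continues outside the hunk.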
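Review bot: The modules/vpc/main.tf hunk removes `cidr_block = var.vpc_cidr_block` from `aws_vpc.graphdb_vpc` and does not add it back — the counts (ten old lines, eleven new) match one removal plus the two added lines — so on a fresh apply the VPC has no CIDR unless it is supplied somewhere not shown, and `var.vpc_cidr_block`, still passed in from main.tf, goes unused; on an existing deployment the attribute is most likely kept from state, so the drift may only surface on a rebuild. If the removal is accidental, restore `cidr_block = var.vpc_cidr_block` above the DNS settings. Adding `tags = local.tags` here is good; the new endpoint service resource later in the same file has no tags and could carry the same line for consistency.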
@@ -127,3 +128,13 @@ resource "aws_route_table_association" "graphdb_private_route_table_association" route_table_id = aws_route_table.graphdb_private_route_table[count.index].id subnet_id = aws_subnet.graphdb_private_subnet[count.index].id } + +# GraphDB Private Link Service + +resource "aws_vpc_endpoint_service" "graphdb_vpc_endpoint_service" { + count = var.lb_enable_private_access ? 1 : 0 + + network_load_balancer_arns = var.network_load_balancer_arns + acceptance_required = var.accept_vpc_endpoint_connection_requests + allowed_principals = var.vpc_endpoint_service_allowed_principals +} diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 7c5c63d..312e83f 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -38,4 +38,24 @@ variable "single_nat_gateway" { variable "enable_nat_gateway" { description = "Enalbe or disable the creation of the NAT Gateway" type = bool -} \ No newline at end of file +} + +variable "accept_vpc_endpoint_connection_requests" { + description = "(Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false." + type = bool +} + +variable "vpc_endpoint_service_allowed_principals" { + description = "(Optional) The ARNs of one or more principals allowed to discover the endpoint service." + type = list(string) +} + +variable "network_load_balancer_arns" { + description = "Describe the ARN(s) of the load balancer(s) to which you want to have access." + type = list(string) +} + +variable "lb_enable_private_access" { + description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster" + type = bool +} diff --git a/variables.tf b/variables.tf index f6577b5..4e23580 100644 --- a/variables.tf +++ b/variables.tf 
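Review bot: `aws_vpc_endpoint_service.graphdb_vpc_endpoint_service` has no guard against the pairing `acceptance_required = false` with a wildcard entry in `allowed_principals`, which would let any AWS account attach to the GraphDB NLB without the owner ever approving a connection; a lifecycle precondition can refuse that combination at plan time, and the resource should also carry `tags = local.tags` like the VPC resource earlier in this file. The root default of `accept_vpc_endpoint_connection_requests = true` is the safe one and should be called out in its description so nobody flips it casually.
```hcl
resource "aws_vpc_endpoint_service" "graphdb_vpc_endpoint_service" {
  count = var.lb_enable_private_access ? 1 : 0

  # … unchanged: network_load_balancer_arns, acceptance_required, allowed_principals …

  tags = local.tags

  lifecycle {
    precondition {
      # Refuse auto-accept together with an open ("*") principal list.
      condition     = var.accept_vpc_endpoint_connection_requests || !try(contains(var.vpc_endpoint_service_allowed_principals, "*"), false)
      error_message = "Auto-accepting endpoint connections with a wildcard allowed principal exposes the service to every AWS account."
    }
  }
}
```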
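Review bot: In modules/vpc/variables.tf the descriptions of `accept_vpc_endpoint_connection_requests` and `vpc_endpoint_service_allowed_principals` say "(Required)" and "(Optional)", but neither variable has a default in this module, so both are required inputs here; drop the parentheticals or give the principals list `default = null` to match the root module. The `network_load_balancer_arns` description is also hard to read; something like `description = "ARNs of the Network Load Balancers that back the VPC endpoint service."` states what the value is.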
@@ -160,6 +160,24 @@ variable "enable_nat_gateway" { default = true } +variable "accept_vpc_endpoint_connection_requests" { + description = "(Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false." + type = bool + default = true +} + +variable "vpc_endpoint_service_allowed_principals" { + description = "(Optional) The ARNs of one or more principals allowed to discover the endpoint service." + type = list(string) + default = null +} + +variable "lb_enable_private_access" { + description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster" + type = bool + default = false +} + variable "ami_id" { description = "(Optional) User-provided AMI ID to use with GraphDB instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable." type = string
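Review bot: The README rows added in this commit do not match the root variables defined here: the README documents `vpc_endpoint_service_acceptance_required` and `graphdb_enable_private_access` as required inputs with no default, while the code defines `accept_vpc_endpoint_connection_requests` (default `true`) and `lb_enable_private_access` (default `false`), and it lists `network_load_balancer_arns` as a root input although main.tf derives it from `module.load_balancer.lb_arn`. Regenerate the table from these declarations. The `lb_enable_private_access` description should also state its preconditions, which main.tf shows: `description = "Enable private access to the GraphDB cluster via PrivateLink. Only takes effect when lb_internal and create_vpc are both true."`.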