diff --git a/api/api.go b/api/api.go
index fa08237d6..1e3f25cc8 100644
--- a/api/api.go
+++ b/api/api.go
@@ -117,11 +117,15 @@ func RunAPIServer() {
 	server.ConfigureAPI()
 	// API server host list
 	server.Host = options.Opts.Host
-	server.TLSHost = options.Opts.TLSHost
-	server.TLSCertificateKey = options.Opts.TLSCertificateKey
-	server.TLSCertificate = options.Opts.TLSCertificate
 	server.Port = options.Opts.Port
-	server.TLSPort = options.Opts.TLSPort
+
+	if options.Opts.TLS {
+		server.TLSHost = options.Opts.TLSHost
+		server.TLSCertificateKey = options.Opts.TLSCertificateKey
+		server.TLSCertificate = options.Opts.TLSCertificate
+		server.TLSPort = options.Opts.TLSPort
+	}
+
 	api.ServerShutdown = func() {
 		waitApiServerShutOk()
 		os.Exit(0)
diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go
index 2feb987a6..2b2aec0f6 100644
--- a/pkg/loxinet/rules.go
+++ b/pkg/loxinet/rules.go
@@ -276,6 +276,7 @@ type ruleEnt struct {
 	sT       time.Time
 	iTo      uint32
 	act      ruleAct
+	privIP   net.IP
 	secIP    []ruleNatSIP
 	stat     ruleStat
 	name     string
@@ -1443,6 +1444,7 @@ func (R *RuleH) AddNatLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg,
 	r.iTo = serv.InactiveTimeout
 	r.bgp = serv.Bgp
 	r.ci = cmn.CIDefault
+	r.privIP, _ = R.RuleVIP2PrivIP(sNetAddr.IP)
 
 	R.FoldRecursiveEPs(r)
 
@@ -2316,7 +2318,11 @@ func (r *ruleEnt) Nat2DP(work DpWorkT) int {
 	nWork.Work = work
 	nWork.Status = &r.sync
 	nWork.ZoneNum = r.zone.ZoneNum
-	nWork.ServiceIP = r.tuples.l3Dst.addr.IP.Mask(r.tuples.l3Dst.addr.Mask)
+	if r.privIP == nil || r.privIP.IsUnspecified() {
+		nWork.ServiceIP = r.tuples.l3Dst.addr.IP.Mask(r.tuples.l3Dst.addr.Mask)
+	} else {
+		nWork.ServiceIP = r.privIP
+	}
 	nWork.L4Port = r.tuples.l4Dst.val
 	nWork.Proto = r.tuples.l4Prot.val
 	nWork.Mark = int(r.ruleNum)
@@ -2700,3 +2706,10 @@ func (R *RuleH) RuleVIPSyncToClusterState() {
 		}
 	}
 }
+
+func (R *RuleH) RuleVIP2PrivIP(vip net.IP) (net.IP, error) {
+	if mh.cloudLabel == "aws" {
+		return AWSPrivateIpMapper(vip)
+	}
+	return nil, nil
+}
diff --git a/pkg/loxinet/utils_aws.go b/pkg/loxinet/utils_aws.go
index db830f9ee..d65fca9aa 100644
--- a/pkg/loxinet/utils_aws.go
+++ b/pkg/loxinet/utils_aws.go
@@ -167,3 +167,7 @@ func AWSApiInit() error {
 	tk.LogIt(tk.LogInfo, "AWS API init\n")
 	return nil
 }
+
+func AWSPrivateIpMapper(vip net.IP) (net.IP, error) {
+	return vip, nil
+}