diff --git a/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts b/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
index 807fefc0e40ec..960b9b626f8c7 100644
--- a/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
+++ b/packages/@aws-cdk/aws-opensearchservice/lib/domain.ts
@@ -1241,7 +1241,11 @@ export class Domain extends DomainBase implements IDomain, ec2.IConnectable {
 vpc: props.vpc,
 description: `Security group for domain ${this.node.id}`,
 })];
- this._connections = new ec2.Connections({ securityGroups });
+ if (props.enforceHttps) {
+ this._connections = new ec2.Connections({ securityGroups, defaultPort: ec2.Port.tcp(443) });
+ } else {
+ this._connections = new ec2.Connections({ securityGroups });
+ }
 }
 // If VPC options are supplied ensure that the number of subnets matches the number AZ
diff --git a/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts b/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
index 0dc5f7a736c71..07094a348e52b 100644
--- a/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
+++ b/packages/@aws-cdk/aws-opensearchservice/test/domain.test.ts
@@ -2,7 +2,7 @@
 import { Match, Template } from '@aws-cdk/assertions';
 import * as acm from '@aws-cdk/aws-certificatemanager';
 import { Metric, Statistic } from '@aws-cdk/aws-cloudwatch';
-import { Vpc, EbsDeviceVolumeType, SecurityGroup } from '@aws-cdk/aws-ec2';
+import { Vpc, EbsDeviceVolumeType, Port, SecurityGroup } from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as logs from '@aws-cdk/aws-logs';
@@ -31,7 +31,7 @@ const readWriteActions = [
 const defaultVersion = EngineVersion.OPENSEARCH_1_0;
-test('connections throws if domain is placed inside a vpc', () => {
+test('connections throws if domain is not placed inside a vpc', () => {
 expect(() => {
 new Domain(stack, 'Domain', {
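Review bot: In the `lib/domain.ts` hunk the new branch tests the raw `props.enforceHttps`, so 443 becomes the default port only when the caller passes the flag explicitly. The constructor starts and ends outside this hunk, so it is not visible whether an effective HTTPS setting is derived elsewhere; if it is, a domain could enforce HTTPS while `connections.defaultPort` stays undefined and `allowDefaultPortFrom()` cannot be used. Consider branching on the same resolved value that feeds the domain endpoint options, and collapsing the duplicated constructor call into `defaultPort: props.enforceHttps ? ec2.Port.tcp(443) : undefined`. A short comment on the branch would record the intent, for example `// Advertise 443 as the default port only when plain HTTP is rejected; otherwise callers must pick the port explicitly.`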
@@ -109,6 +109,32 @@ test('default subnets and security group when vpc is used', () => {
 });
+test('connections has no default port if enforceHttps is false', () => {
+
+ const vpc = new Vpc(stack, 'Vpc');
+ const domain = new Domain(stack, 'Domain', {
+ version: defaultVersion,
+ vpc,
+ enforceHttps: false,
+ });
+
+ expect(domain.connections.defaultPort).toBeUndefined();
+
+});
+
+test('connections has default port 443 if enforceHttps is true', () => {
+
+ const vpc = new Vpc(stack, 'Vpc');
+ const domain = new Domain(stack, 'Domain', {
+ version: defaultVersion,
+ vpc,
+ enforceHttps: true,
+ });
+
+ expect(domain.connections.defaultPort).toEqual(Port.tcp(443));
+
+});
+
 test('default removalpolicy is retain', () => {
 new Domain(stack, 'Domain', {
 version: defaultVersion,
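Review bot: The two added tests pin only the explicit `enforceHttps: true` and `enforceHttps: false` cases and leave out the case where the property is omitted. Add a third test that builds the domain with only `version` and `vpc` and asserts the intended `connections.defaultPort`, so a later change to how the flag is defaulted cannot silently change which port the security-group rules open. It would also be worth asserting the synthesized ingress rule after `domain.connections.allowDefaultPortFrom(...)` rather than only the in-memory `Port` object, since the template is what actually governs network exposure.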