AWS VPC Endpoints (AWS PrivateLink) - Overview.
Scope:
- The concept of AWS PrivateLink,
- How PrivateLink Works At its core,
- Traffic Flow,
- Key Components & Roles,
- Architecture Overview,
- Sample Internal API over PrivateLink,
- DNS Behavior,
- Security & Access Control,
- Sample Endpoint Policy,
- Supported Use Cases of AWS PrivateLink,
- Benefits of
- Pricing Components & Costs,
- Best Practices for
- PrivateLink vs. VPC Peering,
- Sample Consumer created Interface Endpoint (CLI),
- Sample Provider created Endpoint Service (CLI),
- Architecture Deep Dive.
The concept of AWS
PrivateLink
- AWS PrivateLink provides private connectivity between:
- VPCs,
- AWS services,
- on-premises networks, using the private IP addresses inside the VPC (twtechvpc).
- AWS PrivateLink eliminates the need for:
- Internet Gateway (IGW)
- NAT Gateway
- VPN
- Public IPs
- PrivateLink uses the AWS backbone for all traffic.
- — ensuring:
- Low latency,
- High security,
- Compliance isolation.
How PrivateLink Works At its core:
- A Service Provider VPC exposes an endpoint service.
- A Service Consumer VPC connects via an Interface Endpoint.
- The connection happens privately via ENIs (Elastic Network Interfaces).
Traffic Flow
NB:
- All packets stay within AWS’s private network
- — not the public internet.
Key Components & Roles
|
Component |
Role |
|
Interface Endpoint |
ENI in twtech subnet that connects
to a PrivateLink service |
|
Endpoint Service |
A service hosted behind an NLB and
exposed over PrivateLink |
|
NLB (Network Load
Balancer) |
Required for providers to
distribute incoming connections |
|
Private DNS |
Enables consumers to access
services via standard AWS DNS names |
Architecture Overview
Provider (Service Owner):
- Deploys an NLB in front of their application.
- Creates an Endpoint Service.
- Grants permissions to specific AWS accounts (or makes it public).
Consumer (Service User):
- Creates an Interface Endpoint to the provider’s service.
- Gets an ENI in each subnet for high availability.
- Accesses the service via Private DNS name.
Sample Internal API over PrivateLink
DNS Behavior
- When
Private DNS is enabled:
- The AWS-managed service domain (e.g., com.amazonaws.us-east-2.secretsmanager) resolves to the private IP of the Interface
Endpoint.
- Traffic automatically routes internally, not via the internet.
- twtech can also use custom DNS zones (Route 53 Private Hosted Zones) for private service domains.
Security & Access
Control
|
Layer |
Purpose |
|
Endpoint Policy |
IAM-like JSON policy defining what
actions/resources are allowed through the endpoint |
|
Security Groups |
Attached to Interface Endpoints (control inbound/outbound traffic) |
|
Service Acceptance |
Provider must accept endpoint
connection requests (optional
automatic acceptance) |
|
NACLs |
Optional subnet-level filtering |
Sample Endpoint Policy:
# json
{
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "ssm:DescribeInstanceInformation",
"Resource": "*"
}
]
}
Supported Use Cases of
✅ Private Access to AWS Services
- Secrets Manager, Systems Manager (SSM), CloudWatch, ECR API, etc.
✅ Private Access to Partner / SaaS Services
- Snowflake, Datadog, MongoDB Atlas, etc.
✅ Private Inter-VPC Application Connectivity
- Internal microservices between accounts or organizations.
✅ Service Provider Models
- Build twtech own SaaS over PrivateLink (secure, no public endpoints).
Benefits of
|
Benefit |
Description |
|
🔒 Security |
Traffic stays within AWS network (no internet exposure) |
|
🧩 Simplicity |
No NAT, No VPN, & No complex routing required |
|
🚀 Performance |
Lower latency and reduced jitter
over AWS backbone |
|
💰 Cost Optimization |
Avoids NAT Gateway data processing
fees |
|
🧱 Scalability |
Works across accounts, VPCs, and
Regions |
Pricing Components & Costs
|
Component |
Cost |
|
Interface Endpoint |
Per-hour charge + per-GB data
processed |
|
Provider Endpoint
Service |
No hourly cost, but normal NLB charges
apply |
|
Cross-Region Data
Transfer |
Charged at inter-region transfer
rates |
Best Practices for
✅ Use Interface Endpoints for private access to AWS-managed or third-party services.
✅ Use custom PrivateLink endpoints to publish internal APIs securely.
✅ Always apply least-privilege policies on endpoints.
✅ Enable Private DNS to avoid hardcoding endpoint URLs.
✅ Monitor with VPC Flow Logs and CloudWatch Metrics.
✅ Automate endpoint deployment with Infrastructure as Code (IaC) e.g., Terraform or CloudFormation.
PrivateLink vs. VPC
Peering
|
Feature |
AWS PrivateLink |
VPC Peering |
|
Type |
Service-based |
Network-based |
|
Traffic Direction |
Unidirectional (consumer →
provider) |
Bidirectional |
|
CIDR Overlap |
Allowed |
Not allowed |
|
Transitive Routing |
No |
No |
|
Setup Complexity |
Moderate |
Simple |
|
Common Use |
SaaS / private services |
Inter-VPC communication |
# bash
aws ec2 create-vpc-endpoint \
--vpc-id vpc-0abc12345 \
--vpc-endpoint-type Interface \
--service-name com.amazonaws.us-east-2.secretsmanager \
--subnet-ids subnet-01234 subnet-05678 \
--security-group-ids sg-0123456789abcdef
# Sample Provider created Endpoint Service (CLI)
# bash
aws ec2 create-vpc-endpoint-service-configuration \
--network-load-balancer-arns arn:aws:elasticloadbalancing:...:nlb/... \
--acceptance-required
Architecture Deep Dive
No comments:
Post a Comment