
AWS PrivateLink establishes a private connection between your Virtual Private Cloud (VPC) and AWS services. Those services can be hosted in your own account, in a different account or in a different VPC. The connection does not require an Internet gateway, a NAT gateway or any other form of network connectivity. All data flows over the private link, which means communication happens over internal (private) IP addresses.


Use Cases:

  1. Let’s say you have two different accounts. Account A holds critical or sensitive data, and Account B is your development or staging environment. You want to allow communication from Account A to Account B but not vice versa.
  2. Some PCI workload accounts or VPCs need access to a non-PCI environment but not vice versa.
  3. You want to deliver SaaS solutions to your customers over a one-way connection.
  4. You want to connect to AWS services privately.

How AWS PrivateLink Works

It is a producer and consumer based architecture. The producer advertises its service as a VPC endpoint service, and the consumer accesses that service through a VPC interface endpoint.

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Interface VPC endpoints, powered by PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace.

Pre-requisites:

  1. An AWS account with the required permissions.
  2. Two VPCs with multiple subnets (VPC A: 1 private and 1 public subnet; VPC B: 1 private subnet).
  3. Three EC2 instances (2 in VPC A: 1 bastion host and 1 private service consumer instance; 1 in VPC B: the service producer instance).

We will simulate this in a demo by creating two VPCs (one service consumer VPC and one service producer VPC). We will connect from the service consumer EC2 instance in VPC A to the service producer EC2 instance in VPC B over PrivateLink.


Screenshot: VPC A and subnets

Screenshot: VPC B and subnets

Screenshot: EC2 instances of VPC A and VPC B

Screenshot: Architecture to follow

Service Provider: the owner of the service. It can be AWS, an AWS partner or another AWS account. Providers can host their service on EC2 instances or on-premises servers and expose it as an endpoint service.

Service Consumer: the end users or applications that consume the service through a VPC endpoint.

Endpoint Service: the service provider creates an endpoint service to make the service available. A Network Load Balancer is required in front of the endpoint service.

VPC Endpoint: the service consumer creates a VPC endpoint to connect their VPC to an endpoint service. When creating the VPC endpoint you must specify the service name to connect to.

Steps to Follow

  1. Create a Target Group for Network Load balancer
  2. Create a Network Load balancer required during Endpoint Service
  3. Create an Endpoint service to expose Producer’s Service
  4. Create a VPC interface endpoint to connect with Service Producer
  5. Testing

Step 1: Create a Target Group for Network Load balancer

Navigate to the Target Groups section in the EC2 console and click Create target group.

There are multiple target type options available. Choose Instances as the target type.

Provide a target group name, protocol and port. Choose the VPC in which your producer instance is present.

Click Next. Register the producer instance with its port.

Then review the target and click Create target group.

Once the target group is associated with the load balancer, the health check status will change; until then the registered target shows as unused.

Step 2: Create a Network Load balancer required during Endpoint Service

Navigate to the Load Balancers section in the EC2 console and click Create load balancer.

Click Create under Network Load Balancer, provide a name and choose Internal as the scheme.

Under the Network mapping section, choose the producer VPC, its subnets and CIDR.

Under Listeners and routing, choose the protocol and port, and the target group created earlier.

Keep all remaining fields at their defaults and click Create load balancer.

Step 3: Create an Endpoint service to expose Producer’s Service

Navigate to Endpoint services in the VPC console and click Create endpoint service.

Provide a name, choose Network as the load balancer type and select the load balancer created earlier.

Then, under Additional settings, tick the Acceptance required checkbox and choose IPv4 as the supported IP address type. Click Create.

Note: we have marked Acceptance required, so after the consumer creates its endpoint you must accept the connection request. Note down the Service name; the consumer needs it in Step 4.

Step 4: Create a VPC interface endpoint to connect with Service Producer

Navigate to Endpoints in the VPC console and click Create endpoint.

Provide a name and choose Other endpoint services as the service category.

Use the service name noted in Step 3 and click Verify service. Select the VPC and subnet.

Select the security group and click Create endpoint.

The status now shows pending. Go to Endpoint services, open Endpoint connections, then under Actions accept the endpoint connection request.


The endpoint status is now Available.
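Steps 1 to 4 above, carried through the AWS API in one function, as an added example that is not code from the post. The elbv2 and ec2 clients are injected so the flow can be exercised with fakes; in production pass boto3.client("elbv2") and boto3.client("ec2"). The resource ids in the __main__ block are placeholders, and acceptance with the same ec2 client assumes producer and consumer sit in one account, as in the demo.

```python
"""Steps 1 to 4 of this walkthrough as boto3 calls (added example, not the
post's code). Clients are injected so the flow can be run against fakes; in
production pass boto3.client("elbv2") and boto3.client("ec2")."""


def provision_privatelink(elbv2, ec2, cfg):
    # Step 1: TCP target group in the producer VPC with the producer instance.
    tg = elbv2.create_target_group(
        Name=cfg["name"] + "-tg", Protocol="TCP", Port=cfg["port"],
        VpcId=cfg["producer_vpc"], TargetType="instance")
    tg_arn = tg["TargetGroups"][0]["TargetGroupArn"]
    elbv2.register_targets(
        TargetGroupArn=tg_arn,
        Targets=[{"Id": cfg["producer_instance"], "Port": cfg["port"]}])
    # Step 2: internal NLB (Scheme="internal"), so the service is never
    # reachable from the internet, only through PrivateLink.
    nlb = elbv2.create_load_balancer(
        Name=cfg["name"] + "-nlb", Type="network", Scheme="internal",
        Subnets=cfg["producer_subnets"])
    nlb_arn = nlb["LoadBalancers"][0]["LoadBalancerArn"]
    elbv2.create_listener(
        LoadBalancerArn=nlb_arn, Protocol="TCP", Port=cfg["port"],
        DefaultActions=[{"Type": "forward", "TargetGroupArn": tg_arn}])
    # Step 3: endpoint service; AcceptanceRequired=True means every consumer
    # connection must be approved by the producer, as in the post.
    svc = ec2.create_vpc_endpoint_service_configuration(
        AcceptanceRequired=True, NetworkLoadBalancerArns=[nlb_arn],
        SupportedIpAddressTypes=["ipv4"])["ServiceConfiguration"]
    # Step 4: interface endpoint in the consumer VPC; the security group
    # decides which consumer instances may reach the endpoint ENI.
    ep = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface", VpcId=cfg["consumer_vpc"],
        ServiceName=svc["ServiceName"], SubnetIds=cfg["consumer_subnets"],
        SecurityGroupIds=[cfg["consumer_sg"]])["VpcEndpoint"]
    # Producer accepts the pending connection (done in the console in the post).
    ec2.accept_vpc_endpoint_connections(
        ServiceId=svc["ServiceId"], VpcEndpointIds=[ep["VpcEndpointId"]])
    return {"service_name": svc["ServiceName"],
            "endpoint_id": ep["VpcEndpointId"],
            "dns_names": [d["DnsName"] for d in ep.get("DnsEntries", [])]}


if __name__ == "__main__":
    import boto3  # real AWS clients only when run directly; ids are placeholders
    print(provision_privatelink(boto3.client("elbv2"), boto3.client("ec2"), {
        "name": "demo", "port": 80, "producer_vpc": "vpc-PLACEHOLDER",
        "producer_instance": "i-PLACEHOLDER", "producer_subnets": ["subnet-P"],
        "consumer_vpc": "vpc-PLACEHOLDER2", "consumer_subnets": ["subnet-C"],
        "consumer_sg": "sg-PLACEHOLDER"}))
```

For a consumer in another account, the producer must also allow that account's principal on the endpoint service (ec2 modify_vpc_endpoint_service_permissions) before its endpoint request can be created and accepted.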


Step 5: Testing

Let’s log in to the application instance in VPC A (the service consumer instance) and curl the VPC endpoint DNS names shown in the endpoint details:

vpce-0fb3f5c28baea7444-wfytd6xf.vpce-svc-0fbf6a1f9744bad34.ap-south-1.vpce.amazonaws.com

vpce-0fb3f5c28baea7444-wfytd6xf-ap-south-1a.vpce-svc-0fbf6a1f9744bad34.ap-south-1.vpce.amazonaws.com

Now we are able to access the HTTP application.

You can see that this DNS name resolves to a private IP. That means all traffic goes over the PrivateLink connection and not over the internet.
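The Step 5 check above, made repeatable as an added example (not code from the post): it confirms an endpoint DNS name belongs to the expected endpoint service and resolves to a private address inside the consumer VPC's CIDR, rather than trusting the curl output by eye. The regional name is the one shown in the post; the VPC CIDR and the fake resolver answer in __main__ are constructed values, and the resolver is injectable so the check also runs offline.

```python
"""Step 5 check as an added example (not the post's code): confirm that an
endpoint DNS name belongs to the expected endpoint service and resolves to a
private address inside the consumer VPC, i.e. traffic stays on PrivateLink.
The VPC CIDR and the fake resolver in __main__ are constructed values."""
import ipaddress
import re
import socket

# Name layout: <endpoint-id>-<hash>[-<az>].<service-id>.<region>.vpce.amazonaws.com
VPCE_DNS = re.compile(
    r"^(?P<endpoint>vpce-[0-9a-f]+)-(?P<hash>[0-9a-z]+)"
    r"(?:-(?P<az>[a-z]{2}(?:-[a-z]+)+-\d[a-z]))?"
    r"\.(?P<service>vpce-svc-[0-9a-f]+)"
    r"\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.vpce\.amazonaws\.com$")


def parse_vpce_dns(name):
    """Split a PrivateLink endpoint DNS name into its parts, or return None."""
    m = VPCE_DNS.match(name.rstrip("."))
    return m.groupdict() if m else None


def check_endpoint_dns(name, expected_service, vpc_cidr,
                       resolve=socket.gethostbyname):
    """Return (ok, reason). ok only if name is an endpoint name for
    expected_service and resolves to a private address within vpc_cidr."""
    parts = parse_vpce_dns(name)
    if parts is None:
        return False, "not a PrivateLink endpoint DNS name"
    if parts["service"] != expected_service:
        return False, "name belongs to %s, expected %s" % (parts["service"], expected_service)
    try:
        addr = ipaddress.ip_address(resolve(name))
    except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
        return False, "resolution failed: %s" % exc
    if not addr.is_private:
        return False, "%s is a public address, traffic would leave PrivateLink" % addr
    if addr not in ipaddress.ip_network(vpc_cidr):
        return False, "%s is private but not in consumer VPC %s" % (addr, vpc_cidr)
    return True, "%s resolves to %s inside %s" % (name, addr, vpc_cidr)


if __name__ == "__main__":
    # Constructed demo: the regional name from the post with a made-up resolver answer.
    regional = ("vpce-0fb3f5c28baea7444-wfytd6xf.vpce-svc-0fbf6a1f9744bad34"
                ".ap-south-1.vpce.amazonaws.com")
    print(check_endpoint_dns(regional, "vpce-svc-0fbf6a1f9744bad34",
                             "10.0.0.0/16", lambda _n: "10.0.1.25"))
```

Run it on the consumer instance with the default resolver to check the real answer; a public or out-of-VPC address means the name is not the endpoint you think it is.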

Conclusion

AWS PrivateLink is a valuable tool for establishing private connections between services hosted in AWS or on-premises. It facilitates communication exclusively over Private IP addresses, ensuring enhanced security and compliance with regulatory requirements. PrivateLink enables secure connectivity for AWS services, SaaS applications, and sensitive data access.
