AWS PrivateLink establishes a private connection between your Virtual Private Cloud (VPC) and AWS services. Those services can be hosted anywhere: in your own account, in a different account, or in a different VPC. The connection does not require an Internet gateway, a NAT gateway or any other form of network connectivity. All data flows over the private link, which means communication happens over internal IP addresses only.
Use Cases:
- Let’s say you have two different accounts. Account A holds critical or sensitive data; Account B is your development or staging environment. You want communication from Account B to the service in Account A, but not the other way round.
- Some PCI workload accounts or VPCs need access to a non-PCI environment, but not vice versa.
- You want to deliver a SaaS solution to your customers over a one-way connection.
- You want to connect to your AWS services privately.
How Does AWS PrivateLink Work?
It follows a producer/consumer architecture. The producer advertises its service as a VPC endpoint service, and the consumer accesses that service through a VPC interface endpoint.
AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Interface VPC endpoints, powered by PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace.
Pre-requisites:
- AWS Account with required permissions.
- 2 VPCs with multiple subnets (VPC A: 1 private and 1 public subnet. VPC B: 1 private subnet)
- 3 EC2 instances (2 in VPC A: 1 bastion host and 1 private service-consumer instance. 1 in VPC B: the service-producer instance)
We will simulate this demo by creating 2 VPCs (1 service-consumer VPC and 1 service-producer VPC). We will connect from the EC2 instance in the service-consumer VPC to the EC2 instance in the service-producer VPC over PrivateLink.
VPC A and Subnets
VPC B and subnets
EC2 Instance of VPC A and VPC B
Architecture to Follow
Service Provider: the owner of the service. It can be AWS, an AWS partner, or another AWS account. Providers can host their service on EC2 instances or on-premises servers and expose it as an endpoint service.
Service Consumer: the end user or application that consumes the service through a VPC endpoint.
Endpoint Service: the service provider creates an endpoint service to make the service available. A Network Load Balancer is required for an endpoint service.
VPC Endpoint: the service consumer creates a VPC endpoint to connect their VPC to an endpoint service. While creating the VPC endpoint you must specify the service name to connect to.
Steps to Follow
- Create a Target Group for Network Load balancer
- Create a Network Load balancer required during Endpoint Service
- Create an Endpoint service to expose Producer’s Service
- Create a VPC interface endpoint to connect with Service Producer
- Testing
Step 1: Create a Target Group for Network Load balancer
Navigate to the Target groups section in the EC2 console. Click on Create target group.
There are multiple target type options available. Choose the target type Instances.
Provide a target group name, protocol and port. Choose the VPC in which your producer instance is present.
Click Next. Register the producer instance with its port.
Then review the target and click on Create target group.
The target’s health-check status will only change once the target group is attached to a load balancer (Step 2).
Step 2: Create a Network Load balancer required during Endpoint Service
Navigate to the Load balancers section in the EC2 console. Click on Create load balancer.
Click on Create Network Load Balancer, provide a name and choose the scheme Internal.
Under the Network mapping section, choose the producer VPC, its subnets and the CIDR.
Under Listeners and routing, choose the protocol, port and the target group created earlier.
Keep all remaining fields at their defaults and click on Create load balancer.
Step 3: Create an Endpoint service to expose Producer’s Service
Navigate to Endpoint services in the VPC console. Click on Create endpoint service.
Provide a name, choose the load balancer type Network, and select the load balancer created earlier.
Then, under Additional settings, tick the Acceptance required checkbox and choose IPv4 as the supported IP address type. Click on Create.
Note: We have marked Acceptance required, so after the consumer creates its endpoint (Step 4) the connection request must be accepted on the producer side. Note down the Service name.
Step 4: Create a VPC interface endpoint to connect with Service Producer
Navigate to the Endpoints section in the VPC console. Click on Create endpoint.
Provide a name and choose “Other endpoint services” as the service category.
Enter the service name noted in Step 3. Click Verify service.
Select the consumer VPC and subnet.
Select the security group for the endpoint network interfaces; its inbound rules control which consumer resources can reach the endpoint. Click on Create endpoint.
The status now shows Pending. Go to Endpoint services, click on Endpoint connections, then Actions, and accept the endpoint connection request.
The endpoint status now changes to Available.
Step 5: Testing
Let’s log in to the application instance in VPC A (the service-consumer instance) and curl the VPC endpoint DNS names shown on the endpoint’s details page:
vpce-0fb3f5c28baea7444-wfytd6xf.vpce-svc-0fbf6a1f9744bad34.ap-south-1.vpce.amazonaws.com
vpce-0fb3f5c28baea7444-wfytd6xf-ap-south-1a.vpce-svc-0fbf6a1f9744bad34.ap-south-1.vpce.amazonaws.com
We are now able to reach the HTTP application.
You can see that this DNS name resolves to a private IP address. That means all traffic stays on the PrivateLink connection and never goes over the internet.
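The check in Step 5 can be automated: the endpoint DNS names must follow the interface-endpoint naming pattern for the service ID noted in Step 3, and every address they resolve to must lie inside the consumer VPC’s CIDR. The script below is an added example, not code from the original post; the consumer VPC CIDR and the resolved addresses in the sample run are constructed values.

```python
"""Verify that PrivateLink interface-endpoint DNS names belong to the expected
service and resolve only to addresses inside the consumer VPC."""
import ipaddress
import re
import socket
import sys

# vpce-<endpoint-id>-<hash>[-<az>].<service-id>.<region>.vpce.amazonaws.com
_VPCE_NAME = re.compile(
    r"^vpce-[0-9a-f]+-[0-9a-z]+(?:-[a-z]{2}(?:-[a-z]+)+-\d[a-z])?"
    r"\.(vpce-svc-[0-9a-f]+)\.([a-z]{2}(?:-[a-z]+)+-\d)\.vpce\.amazonaws\.com$"
)


def parse_endpoint_dns(name):
    """Return (service_id, region); raise ValueError for a non-PrivateLink name."""
    m = _VPCE_NAME.match(name)
    if not m:
        raise ValueError(f"not an interface endpoint DNS name: {name}")
    return m.group(1), m.group(2)


def addresses_outside(addresses, consumer_vpc_cidr):
    """Return the addresses that do NOT belong to the consumer VPC (empty is good)."""
    net = ipaddress.ip_network(consumer_vpc_cidr)
    return [a for a in addresses if ipaddress.ip_address(a) not in net]


def resolve(name):
    """Live DNS lookup (only used from the command line); unique IPv4 addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def verify_endpoint(name, resolved, expected_service, consumer_vpc_cidr):
    """Return a list of problems; an empty list means the endpoint looks private."""
    service_id, _region = parse_endpoint_dns(name)
    problems = []
    if service_id != expected_service:
        problems.append(f"service mismatch: {service_id} != {expected_service}")
    for addr in addresses_outside(resolved, consumer_vpc_cidr):
        problems.append(f"{addr} is outside consumer VPC {consumer_vpc_cidr}")
    return problems


if __name__ == "__main__":
    # usage: python check_vpce.py <endpoint-dns-name> <service-id> <consumer-vpc-cidr>
    dns_name, service, cidr = sys.argv[1:4]
    issues = verify_endpoint(dns_name, resolve(dns_name), service, cidr)
    print("OK: private" if not issues else "\n".join(issues))
```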
Conclusion
AWS PrivateLink is a valuable tool for establishing private connections between services hosted in AWS or on-premises. Communication takes place exclusively over private IP addresses, which improves security and helps meet regulatory requirements. PrivateLink enables private connectivity to AWS services, SaaS applications, and sensitive data.