Maintaining Private Access to Custom Services: PrivateLink & VPC Peering

Maintaining private access to custom services (for example, PrivateLink, VPC peering)

This guide explores the mechanisms provided by AWS to interconnect VPCs and services privately, focusing on AWS PrivateLink and VPC Peering. These tools are essential for maintaining security, regulatory compliance, and high performance by keeping traffic within the AWS global network.

Learning Objectives

After studying this guide, you should be able to:

  • Distinguish between the use cases for VPC Peering and AWS PrivateLink.
  • Describe the architecture of Interface VPC Endpoints.
  • Explain how PrivateLink handles overlapping CIDR blocks between provider and consumer VPCs.
  • Identify the roles of Service Providers and Service Consumers in a PrivateLink configuration.
  • Evaluate when to use Transit Gateway versus PrivateLink for multi-VPC connectivity.

Key Terms & Glossary

  • VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
  • AWS PrivateLink: A technology that provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network.
  • Interface VPC Endpoint: An Elastic Network Interface (ENI) with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.
  • Service Provider: The owner of the service (e.g., an application behind a Network Load Balancer) being shared via PrivateLink.
  • Service Consumer: The entity (user or account) that creates an interface endpoint to access the provider's service.

The "Big Idea"

In modern cloud architectures, the "Big Idea" is perimeter-less security. Instead of bridging entire networks (which exposes all resources in both networks to one another), we expose only specific services. PrivateLink represents a shift from Layer 3 Interconnectivity (routing between networks) to Service-Oriented Access (connecting a client directly to an endpoint), eliminating the need for complex routing tables and the risks of the public internet.

Formula / Concept Box

| Feature | VPC Peering | AWS PrivateLink |
|---|---|---|
| OSI Layer | Layer 3 (Network) | Layer 4 (Transport/Endpoint) |
| IP Overlap | Not allowed (CIDRs must be unique) | Allowed (the consumer connects to a local ENI IP, never to the provider's CIDR) |
| Transitivity | Non-transitive | Non-transitive at Layer 3, but the endpoint ENI is reachable from peered VPCs, Transit Gateway, DX and VPN |
| Traffic Flow | Bidirectional (if routes, NACLs and security groups allow) | Unidirectional: only the consumer initiates connections; NLB targets see a PrivateLink-side source address rather than the consumer's unless Proxy Protocol v2 is enabled on the NLB |
| Infrastructure | Route table entries and a peering connection (pcx-) | NLB (or Gateway Load Balancer) on the provider side, Interface Endpoint on the consumer side |

Hierarchical Outline

  1. VPC Peering Architectures
    • Direct Interconnect: Low latency, high bandwidth.
    • Scope: Same-region or Inter-region.
    • Constraint: Overlapping CIDRs prevent peering.
  2. AWS PrivateLink (Endpoint Services)
    • Consumer Side: Uses Interface VPC Endpoints (ENIs).
    • Provider Side: Uses a Network Load Balancer (NLB); a Gateway Load Balancer can front appliance-style services.
    • Connectivity: The endpoint is reachable via Direct Connect (DX), VPN, VPC Peering and Transit Gateway, because it is an ordinary ENI in the consumer subnet.
  3. Security and Compliance
    • Data Privacy: Traffic never leaves the AWS backbone.
    • Access Control: Managed via Endpoint Policies and Security Groups.
    • Regulatory Support: Simplifies HIPAA, PCI, and GDPR compliance by avoiding the internet.

Visual Anchors

VPC Peering Topology (diagram)

Definition-Example Pairs

  • Interface VPC Endpoint: The "plug" in your VPC that connects to an external service.
    • Example: Creating an interface endpoint for an AWS service such as Amazon S3 so your instances can upload files without an Internet Gateway (S3 also offers the free Gateway Endpoint, which is the usual choice when only resources inside the VPC need access).
  • Service Provider: The entity hosting the application logic.
    • Example: A SaaS company like Snowflake or Datadog offering their platform to customers via PrivateLink to ensure secure data transfer.
  • Overlapping CIDR Resolution: The ability to connect VPCs even if they use the same IP ranges.
    • Example: A Managed Service Provider (MSP) has a VPC with 10.0.0.0/16 and needs to connect to 100 customers who also use 10.0.0.0/16. PrivateLink allows this because the connection is made to a specific ENI IP, not a network route.
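The MSP case above, worked through as an added example (not part of the study guide): the first function shows why peering fails when both sides use 10.0.0.0/16, the second is the check a consumer runs on an instance to confirm that a service hostname resolves to its own endpoint ENIs rather than to a public or foreign address. It uses only the standard library; every CIDR and IP address in it is a constructed placeholder.

```python
"""Added example, not from the study guide: why the MSP cannot peer with
customers that reuse 10.0.0.0/16 but can serve them over PrivateLink, and the
check a consumer runs to confirm a hostname resolves to its endpoint ENIs.
Standard library only; every address below is a constructed placeholder."""
import ipaddress
import socket
from typing import Dict, List, Tuple


def peering_conflicts(vpc_a: List[str], vpc_b: List[str]) -> List[Tuple[str, str]]:
    """VPC peering routes whole CIDRs, so the two VPCs' ranges must be disjoint: a
    route to 10.0.0.0/16 via the peering connection would collide with the local
    route for the VPC's own 10.0.0.0/16. Returns every overlapping pair; an empty
    list means the two VPCs can be peered."""
    return [(a, b) for a in vpc_a for b in vpc_b
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


def resolve(hostname: str) -> List[str]:
    """Resolve with the host's configured resolver (on EC2, the VPC's .2 resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def endpoint_resolution_check(resolved_ips: List[str], consumer_cidrs: List[str]) -> Dict:
    """Run on a consumer host after resolving the endpoint (or private DNS) name.
    PrivateLink traffic goes to the interface endpoint's ENIs, which carry
    addresses from the consumer's own subnets. A public answer means the client
    is bypassing the endpoint (private DNS off, or not using the VPC resolver);
    a private address outside the consumer VPC means some other path is in use."""
    nets = [ipaddress.ip_network(c) for c in consumer_cidrs]
    report: Dict = {"local": [], "foreign_private": [], "public": []}
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            report["local"].append(ip)
        elif addr.is_private:
            report["foreign_private"].append(ip)
        else:
            report["public"].append(ip)
    report["uses_endpoint"] = (bool(report["local"])
                               and not report["foreign_private"]
                               and not report["public"])
    return report


def msp_demo() -> Dict:
    """Provider on 10.0.0.0/16, three customers also on 10.0.0.0/16 (constructed)."""
    provider = ["10.0.0.0/16"]
    customers = {f"customer-{i}": ["10.0.0.0/16"] for i in range(1, 4)}
    peering_blocked = all(peering_conflicts(provider, c) for c in customers.values())
    # With PrivateLink each customer's endpoint ENIs sit in its own subnets, e.g.
    # 10.0.1.0/24 and 10.0.2.0/24, so the service name resolves to local addresses.
    privatelink = endpoint_resolution_check(["10.0.1.57", "10.0.2.23"], ["10.0.0.0/16"])
    return {"peering_blocked": peering_blocked, "privatelink_ok": privatelink["uses_endpoint"]}


if __name__ == "__main__":
    print(msp_demo())
```

On a real consumer instance, feed `resolve("<endpoint DNS name>")` into `endpoint_resolution_check` together with the VPC's CIDRs; `uses_endpoint` being False is the fastest way to spot a client that is still reaching the service over the internet.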

Worked Examples

  1. Provider Setup:
    • Create a service behind a Network Load Balancer (NLB) in the Provider VPC.
    • In the VPC Console, select VPC Endpoint Services and click "Create Endpoint Service."
    • Associate it with the NLB and set acceptance requirements (e.g., manual approval). Add only the consumer's account or role ARNs to the allowed principals; a "*" principal lets any AWS account request a connection.
  2. Consumer Setup:
    • In the Consumer VPC, go to Endpoints and click "Create Endpoint."
    • Select "Other endpoint services" and enter the Service Name provided by the provider.
    • Choose the subnets/AZs where the ENIs should be placed (one per AZ the clients run in) and attach a security group that allows only the service port from the client security group.
  3. Verification:
    • Once the provider accepts the connection and the endpoint state is "available", the consumer instance can use the endpoint's DNS name to reach the provider's service; the name resolves to the endpoint ENI addresses inside the consumer VPC.
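The three steps above as an added example in boto3 (not code from the study guide or from AWS), with a provider-side exposure audit that checks the two settings most often left open: a "*" allowed principal and acceptance not required. The EC2 client is passed into each function, so the block runs offline against the constructed FakeEC2 stand-in at the bottom; with boto3 installed you pass `boto3.client("ec2")` for the provider and consumer accounts instead. Every ARN, ID, name and response value is a placeholder.

```python
"""Added example, not from the study guide: the provider and consumer steps as
boto3 EC2 calls, plus a provider-side exposure audit. The client is injected so
the code runs offline against the constructed FakeEC2 below; in a real account
pass boto3.client("ec2") for each side. All ARNs, IDs and names are placeholders."""
from typing import Dict, List


def audit_service_exposure(acceptance_required: bool, allowed_principals: List[str]) -> List[str]:
    """Checks a reviewer runs before the service name is handed out. An endpoint
    service with '*' allowed and no acceptance requirement is connectable by every
    AWS account. Returns findings; an empty list means exposure is as intended."""
    findings = []
    if "*" in allowed_principals:
        findings.append("allowed principals include '*': any AWS account may request a connection")
    if not acceptance_required:
        findings.append("AcceptanceRequired is False: allow-listed principals connect without review")
    if "*" in allowed_principals and not acceptance_required:
        findings.append("service is reachable by every AWS account without approval")
    return findings


def publish_service(ec2, nlb_arn: str, consumer_account_id: str) -> Dict[str, str]:
    """Step 1 (provider): endpoint service in front of the NLB, manual acceptance,
    allow list limited to the one consumer account."""
    cfg = ec2.create_vpc_endpoint_service_configuration(
        NetworkLoadBalancerArns=[nlb_arn], AcceptanceRequired=True
    )["ServiceConfiguration"]
    ec2.modify_vpc_endpoint_service_permissions(
        ServiceId=cfg["ServiceId"],
        AddAllowedPrincipals=[f"arn:aws:iam::{consumer_account_id}:root"],
    )
    return {"service_id": cfg["ServiceId"], "service_name": cfg["ServiceName"]}


def connect_consumer(ec2, vpc_id: str, service_name: str,
                     subnet_ids: List[str], sg_ids: List[str]) -> str:
    """Step 2 (consumer): interface endpoint with one ENI per listed subnet (one per
    AZ of the workload) behind a security group admitting only the service port.
    PrivateDnsEnabled stays False: a custom private DNS name requires the provider
    to have verified the domain; the endpoint-specific names in DnsEntries always work."""
    ep = ec2.create_vpc_endpoint(
        VpcEndpointType="Interface", VpcId=vpc_id, ServiceName=service_name,
        SubnetIds=subnet_ids, SecurityGroupIds=sg_ids, PrivateDnsEnabled=False,
    )["VpcEndpoint"]
    return ep["VpcEndpointId"]


def accept_and_verify(ec2_provider, ec2_consumer, service_id: str, endpoint_id: str) -> Dict:
    """Step 3: provider approves the pending connection; consumer confirms the
    endpoint is 'available' and collects the DNS names its clients should use."""
    resp = ec2_provider.accept_vpc_endpoint_connections(ServiceId=service_id,
                                                        VpcEndpointIds=[endpoint_id])
    if resp.get("Unsuccessful"):
        raise RuntimeError(f"acceptance failed: {resp['Unsuccessful']}")
    ep = ec2_consumer.describe_vpc_endpoints(VpcEndpointIds=[endpoint_id])["VpcEndpoints"][0]
    return {"state": ep["State"], "dns_names": [d["DnsName"] for d in ep["DnsEntries"]]}


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client so this runs offline. It
    records calls and returns the response shapes the real API uses."""

    def __init__(self):
        self.calls = []
        self.state = "pendingAcceptance"

    def create_vpc_endpoint_service_configuration(self, **kw):
        self.calls.append(("create_service", kw))
        return {"ServiceConfiguration": {
            "ServiceId": "vpce-svc-0123456789abcdef0",
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
            "AcceptanceRequired": kw["AcceptanceRequired"]}}

    def modify_vpc_endpoint_service_permissions(self, **kw):
        self.calls.append(("allow_principals", kw))
        return {"ReturnValue": True}

    def create_vpc_endpoint(self, **kw):
        self.calls.append(("create_endpoint", kw))
        return {"VpcEndpoint": {"VpcEndpointId": "vpce-0fedcba9876543210", "State": self.state}}

    def accept_vpc_endpoint_connections(self, **kw):
        self.calls.append(("accept", kw))
        self.state = "available"
        return {"Unsuccessful": []}

    def describe_vpc_endpoints(self, **kw):
        return {"VpcEndpoints": [{
            "VpcEndpointId": kw["VpcEndpointIds"][0], "State": self.state,
            "DnsEntries": [{"DnsName": "vpce-0fedcba9876543210-abcd1234."
                                       "vpce-svc-0123456789abcdef0.us-east-1.vpce.amazonaws.com",
                            "HostedZoneId": "Z7HUB22UULQXV"}]}]}


def demo() -> Dict:
    """Run steps 1-3 end to end. One fake client stands in for both accounts;
    in production the provider and consumer use clients for their own accounts."""
    ec2 = FakeEC2()
    svc = publish_service(ec2, "arn:aws:elasticloadbalancing:us-east-1:111111111111:"
                               "loadbalancer/net/app-nlb/0123456789abcdef", "222222222222")
    ep_id = connect_consumer(ec2, "vpc-0consumer", svc["service_name"],
                             ["subnet-0az-a", "subnet-0az-b"], ["sg-0endpoint"])
    result = accept_and_verify(ec2, ec2, svc["service_id"], ep_id)
    result["findings"] = audit_service_exposure(True, ["arn:aws:iam::222222222222:root"])
    result["calls"] = [name for name, _ in ec2.calls]
    return result


if __name__ == "__main__":
    print(demo())
```

The audit is worth running periodically against `describe_vpc_endpoint_service_permissions` output for every service you publish, not just at creation: allowed principals tend to accumulate.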

Checkpoint Questions

  1. Why is PrivateLink preferred over VPC Peering when a Service Provider has hundreds of customers with unknown IP ranges?
  2. What load balancer type is required on the Provider side for a PrivateLink Endpoint Service?
  3. Can an on-premises server access an AWS PrivateLink endpoint? If so, how?
  4. Does PrivateLink support transitive routing (e.g., can VPC A use VPC B's endpoint to reach a service)?

[!TIP] Answer to Q3: Yes. On-premises resources can access PrivateLink endpoints over AWS Direct Connect or Site-to-Site VPN by using the private IP of the Interface Endpoint. The endpoint's DNS name must also be resolvable from on-premises, typically through a Route 53 Resolver inbound endpoint or conditional forwarding to the VPC resolver.

Muddy Points & Cross-Refs

  • PrivateLink vs. Gateway Endpoints: Gateway Endpoints exist only for S3 and DynamoDB (no cost, implemented as route table entries, usable only from inside that VPC). Interface Endpoints (PrivateLink) cover almost everything else (ENI-based, charged per hour and per GB) and are also how peered VPCs, Transit Gateway and on-premises networks reach S3 privately.
  • Transitivity: VPC Peering is non-transitive: A-B plus B-C does not give A-C. An interface endpoint, however, is just an ENI in the consumer subnet, so VPC A can reach VPC B's endpoint over peering or Transit Gateway (the common shared-services pattern); what PrivateLink never provides is a route from the provider back into the consumer network, or from the consumer to anything but the NLB's targets. If you need a mesh where everything talks to everything at Layer 3, look at AWS Transit Gateway (Unit 2.2).
  • DNS Resolution: Private DNS names for endpoints can be tricky; ensure "Enable DNS hostnames" and "Enable DNS support" are on in the VPC attributes. For AWS service endpoints, private DNS makes the service's public hostname resolve to the endpoint ENIs inside the VPC; for a custom endpoint service, the provider must first verify ownership of the domain.

Comparison Tables

Comparison: Connectivity Patterns

| Criteria | VPC Peering | PrivateLink | Transit Gateway |
|---|---|---|---|
| Scaling | Difficult (full mesh; n VPCs need n(n-1)/2 connections) | High (service-based) | High (hub-and-spoke) |
| Management | Simple (small scale) | Complex (service setup) | Centralized |
| Cost | Data transfer only | Hourly per endpoint + data processing | Hourly per attachment + data processing |
| Traffic Type | Any IP traffic (L3) | TCP only (L4) | Any IP traffic (L3) |

[!IMPORTANT] Always remember: PrivateLink is for services; VPC Peering and Transit Gateway are for networks.
