AWS PrivateLink

  • Allows us to connect privately to services hosted in other AWS accounts (and to many AWS services) without traversing the internet
  • We can connect to them directly or we can consume AWS Marketplace partner services
  • In both cases the service is presented inside our VPC as private IP addresses on ENIs
  • AWS PrivateLink is the technical basis for Interface Endpoints
  • For HA we should deploy multiple endpoints: recommended one per AZ, in each subnet from which we need to consume the service
  • PrivateLink originally supported TCP over IPv4 only; IPv6 is now supported as well (see: https://aws.amazon.com/about-aws/whats-new/2022/05/aws-privatelink-ipv6/)
  • Private DNS is supported for overriding the public DNS name of the consumed service (if the service provides one), so existing clients need no reconfiguration
  • PrivateLink (interface) endpoints can be reached over Direct Connect, Site-to-Site VPN and VPC Peering, unlike gateway endpoints

VPC Endpoints

Gateway Endpoints

  • Gateway endpoints provide private access to two supported services: S3 and DynamoDB
  • They allow any resource in a private-only VPC (no internet gateway or NAT) to reach S3/DynamoDB
  • We create a gateway endpoint per service per VPC (in that VPC's region) and associate it with one or more route tables of that VPC
  • When we associate a gateway endpoint with a route table, a route whose destination is the service's managed Prefix List and whose target is the gateway endpoint is added to that route table
  • Any traffic from those subnets destined for S3/DynamoDB follows that route through the gateway endpoint instead of the internet gateway or NAT
  • Gateway endpoints are highly available across all AZs in a region; they are regional objects and are not placed inside a VPC subnet
  • Endpoint policy: restricts what can be reached through the endpoint (example: only a particular subset of S3 buckets)
  • Gateway endpoints can be used to access services in the same region only
  • Gateway endpoints enable private-only S3 buckets: a bucket policy can deny every request that does not carry the endpoint's ID in the aws:SourceVpce condition key, so the bucket is reachable only from the VPC. This helps prevent Leaky Buckets
  • Gateway endpoints are logical gateway objects that can only be used from inside the VPC they are attached to; they are not reachable over VPC Peering, VPN or Direct Connect

Interface Endpoints

  • Interface endpoints provide private access to AWS public services, similar to Gateway Endpoints
  • Historically they were used for services other than S3 and DynamoDB; AWS later added interface endpoint support for S3 as well (needed, for example, when S3 must be reached from on-premises over Direct Connect or VPN)
  • The main difference from gateway endpoints is that interface endpoints are not HA by default: an interface endpoint is an ENI placed in a subnet
  • To get HA we have to place an interface endpoint in a subnet in every AZ of the VPC we consume the service from
  • Interface endpoints can have security groups assigned to them (gateway endpoints do not support SGs), so inbound access to the endpoint can be restricted to chosen sources
  • We can also use endpoint policies, similar to gateway endpoints
  • Interface endpoints originally supported TCP over IPv4 only; IPv6 is now supported via PrivateLink
  • Interface endpoints use PrivateLink behind the scenes
  • Gateway endpoints use prefix lists and routing, interface endpoints use DNS. An interface endpoint provides new DNS names for the service it is meant to communicate with
  • Interface endpoints are given a number of DNS names:
    • Endpoint Regional DNS: one name that resolves to the ENIs in all AZs
    • Endpoint Zonal DNS: one name per AZ, resolving only to the ENI in that AZ (useful to keep traffic in-AZ)
    • Private DNS: overrides the default service DNS name with a private hosted zone pointing at the interface endpoint; requires the VPC's DNS hostnames and DNS resolution attributes to be enabled

VPC Endpoints Policies

  • Endpoint policies don't grant access to any AWS service in isolation
  • Identities accessing resources still need their own IAM permissions to access those resources; the endpoint policy is an additional filter, not a source of permissions
  • An endpoint policy only limits access for requests that traverse that specific endpoint; it says nothing about the same service reached any other way
  • The endpoint policy is a resource-style policy with Principal, Action, Resource and optional Conditions (who has access to what through the endpoint)
  • Policies are commonly used to limit what private VPCs can reach, e.g. only our own buckets rather than all of S3
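The interplay described in the last two sections (the gateway endpoint policy that only limits, the bucket policy that denies anything not arriving via the endpoint to close the Leaky Bucket case, and the identity policy that must still grant the action) can be seen in a small model. The block below is an added example written for these notes, not AWS code: the endpoint ID and bucket names are placeholders, and the evaluator is a deliberate simplification of IAM (it supports only StringEquals/StringNotEquals and does not model the same-account rule where a resource policy Allow can stand in for an identity Allow). It does reproduce the two rules that matter here: an explicit Deny anywhere wins, and a request through an endpoint must be allowed by the identity policy and by the endpoint policy.

```python
"""Model of how an S3 gateway endpoint policy, a bucket policy conditioned on
aws:SourceVpce and the caller's identity policy combine.

Constructed example for these notes (not AWS code); names are placeholders.
"""

import fnmatch

ENDPOINT_ID = "vpce-0123456789abcdef0"   # placeholder endpoint ID
BUCKET_ARN = "arn:aws:s3:::internal-data"  # placeholder bucket

# Endpoint policy: only the internal bucket is reachable through the endpoint.
# Note it grants nothing by itself; the identity still needs its own permissions.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Bucket policy: deny every request that did not arrive through our endpoint.
# StringNotEquals is satisfied when the key is absent, so internet requests
# (which carry no aws:SourceVpce) are denied as well.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}},
    }],
}

# Identity policy of the caller: read-only, but on any bucket.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def _condition_holds(cond, ctx):
    """Evaluate StringEquals / StringNotEquals against the request context."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have not in _as_list(want):
                return False
            if op == "StringNotEquals" and have in _as_list(want):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched)."""
    result = None
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        result = "Allow"
    return result


def is_allowed(action, resource, via_endpoint):
    """Combine the three policies for one request (simplified IAM semantics)."""
    ctx = {"aws:SourceVpce": ENDPOINT_ID} if via_endpoint else {}
    decisions = [evaluate(IDENTITY_POLICY, action, resource, ctx),
                 evaluate(BUCKET_POLICY, action, resource, ctx)]
    if via_endpoint:
        decisions.append(evaluate(ENDPOINT_POLICY, action, resource, ctx))
    if "Deny" in decisions:
        return False
    if decisions[0] != "Allow":          # identity must grant the action
        return False
    return not via_endpoint or decisions[2] == "Allow"  # endpoint must allow too


if __name__ == "__main__":
    obj = BUCKET_ARN + "/report.csv"
    print("GET via endpoint:      ", is_allowed("s3:GetObject", obj, True))
    print("GET via internet:      ", is_allowed("s3:GetObject", obj, False))
    print("GET other bucket (vpce):", is_allowed("s3:GetObject", "arn:aws:s3:::other/x", True))
    print("PUT via endpoint:      ", is_allowed("s3:PutObject", obj, True))
```

Only the first request succeeds: the internet request hits the bucket policy's Deny, the other bucket is not covered by the endpoint policy so the endpoint limits it, and the PUT fails because the endpoint policy allowed it but the identity never had s3:PutObject.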