AWS PrivateLink lets you access services hosted on AWS easily and securely by keeping your network traffic within the AWS network.
PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public internet. It provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. This makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.
Prior to the availability of AWS PrivateLink, services residing in a single Amazon VPC were connected to multiple Amazon VPCs either:
- Through public IP addresses using each VPC’s internet gateway.
- By private IP addresses using VPC peering.
Connectivity to providers in the AWS Marketplace and to AWS resources such as S3 and DynamoDB also required an internet gateway, and the traffic had to traverse the public internet.
With AWS PrivateLink, service connectivity over Transmission Control Protocol (TCP) can be established on the AWS private backbone in a secure and scalable manner.
Approximately four years ago, AWS introduced VPC endpoints, which allowed private connectivity to S3 and DynamoDB. The endpoint sat outside of the VPC and acted as a gateway to the AWS resources. Requests to the endpoint were routed to the AWS resource through the gateway. With this solution the VPC had a secure private connection to that resource without traversing the internet; however, public IPs were still required for the AWS resources.
Subsequent to this, AWS announced the launch of PrivateLink. The key difference between PrivateLink and the earlier VPC endpoints is that the endpoints are now created inside your VPC, as detailed in the AWS announcement of November 2017:
“With traditional endpoints, it’s very much like connecting a virtual cable between your VPC and the AWS service. Connectivity to the AWS service does not require an Internet or NAT gateway, but the endpoint remains outside of your VPC. With PrivateLink, endpoints are instead created directly inside of your VPC, using Elastic Network Interfaces (ENIs) and IP addresses in your VPC’s subnets.
The service is now in your VPC, enabling connectivity to AWS services via private IP addresses. That means that VPC Security Groups can be used to manage access to the endpoints and that PrivateLink endpoints can also be accessed from your premises via AWS Direct Connect.
Using the services powered by PrivateLink, customers can now manage fleets of instances, create and manage catalogs of IT services as well as store and process data, all without using public IP addresses.”
Here is an example in which a customer has created PrivateLink connections from their VPC to another of their own VPCs, as well as to AWS public resources and to a SaaS provider.
Additionally, they have a Direct Connect connection, allowing them to access these resources from their data centre using private IPs.
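The announcement quoted above makes the security point that, because PrivateLink endpoints are ENIs in your subnets, VPC security groups govern who can reach them. The following script is an added example (not Megaport's or AWS's code) that audits interface endpoint records for the two ways that private path is commonly undermined: an endpoint security group that admits sources outside the VPC and the Direct Connect on-premises ranges, and an AWS-service endpoint created without private DNS, so clients using the service's default hostname still resolve to public IPs. The records are constructed samples in the shape of the EC2 DescribeVpcEndpoints and DescribeSecurityGroups responses; all IDs and service names are placeholders.

```python
import ipaddress

# Constructed sample records (only the fields the audit reads); IDs are placeholders.
ENDPOINTS = [
    {"VpcEndpointId": "vpce-0example1", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kms",
     "Groups": [{"GroupId": "sg-0open"}], "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0example2", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0saasprovider",  # SaaS provider
     "Groups": [{"GroupId": "sg-0tight"}], "PrivateDnsEnabled": False},
    {"VpcEndpointId": "vpce-0example3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "Groups": []},
]
SECURITY_GROUPS = {  # group id -> inbound IpPermissions
    "sg-0open": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                  "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-0tight": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                   "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "192.168.10.0/24"}]}],
}

def audit_endpoints(endpoints, sg_rules, allowed_cidrs):
    """Return {endpoint id: [findings]} for interface (PrivateLink) endpoints.

    allowed_cidrs: the VPC CIDR plus any on-premises ranges reached over Direct Connect.
    Gateway endpoints (S3/DynamoDB) have no ENI or security group and are skipped.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    report = {}
    for ep in endpoints:
        if ep["VpcEndpointType"] != "Interface":
            continue
        findings = []
        groups = [g["GroupId"] for g in ep.get("Groups", [])]
        if not groups:
            findings.append("no security group attached to endpoint ENIs")
        for gid in groups:
            for rule in sg_rules.get(gid, []):
                all_ports = rule["IpProtocol"] == "-1"  # "-1" means every protocol and port
                for r in rule.get("IpRanges", []):
                    src = ipaddress.ip_network(r["CidrIp"])
                    if not any(src.subnet_of(a) for a in allowed if a.version == src.version):
                        ports = "all ports" if all_ports else f"{rule['FromPort']}-{rule['ToPort']}"
                        findings.append(f"{gid} allows {r['CidrIp']} on {ports}")
        # Endpoint to an AWS service (not a customer/SaaS "vpce-svc") without private DNS:
        # the service's default hostname still resolves to public IPs, bypassing the endpoint.
        name = ep["ServiceName"]
        if name.startswith("com.amazonaws.") and ".vpce." not in name and not ep.get("PrivateDnsEnabled"):
            findings.append("private DNS disabled; default service hostname resolves publicly")
        report[ep["VpcEndpointId"]] = findings
    return report

if __name__ == "__main__":
    for vpce, issues in audit_endpoints(ENDPOINTS, SECURITY_GROUPS, ["10.0.0.0/16", "192.168.10.0/24"]).items():
        print(vpce, issues or ["ok"])
```

Feed it the real responses from `aws ec2 describe-vpc-endpoints` and `describe-security-groups` (plus your VPC and on-premises CIDRs) to get the same report for a live account.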
To create your AWS Direct Connect Private Virtual Interface, refer to our Knowledgebase infopaper at https://knowledgebase.megaport.com/cloud-connectivity/aws-direct-connect-private-virtual-interface/
Service Providers: Offer services securely and privately, directly into customer VPCs, and optionally integrate into the AWS Marketplace. A good example of an AWS-published use case is Bloomberg B-Pipe.
Microservice Architectures: Compartmentalise microservices into their own VPCs.
Simplify Network Management:
- Connect services across VPCs
- Share services between different accounts
- Connect to AWS resources
- No need for an internet gateway, NAT device, public IP addresses or VPC peering
- Works over Direct Connect
- Secure and scalable, traffic does not traverse the public internet