AWS PrivateLink and VPC Endpoints

Learn about the AWS PrivateLink and VPC endpoints and types of endpoints.

We'll cover the following

AWS PrivateLink
VPC endpoints
VPC peering vs. AWS PrivateLink
Example: Connecting private EC2 instance to SNS
Important points

Press + to interact

Here are some key terms you need to know about when referring to the AWS PrivateLink service:

Consumer VPC: A VPC in which we want to access a service/application.
Service provider VPC/ provider VPC/ VPC endpoint service: A VPC hosted in another AWS account that exposes a service/application to be used by the consumer VPC.

VPC endpoints

VPC endpoints are the resources providing the pathway to access the services. There are three types of VPC endpoints, two of which are powered by AWS PrivateLink. The table below shows their main points:

Interface Endpoint (PrivateLink)	Gateway Endpoint	Gateway Load Balancer Endpoint (PrivateLink)
Uses an elastic network interface with a private IP address.	An endpoint that is used as a target in the route table for the AWS service.	Used to connect and route traffic to the services configured using Gateway Load Balancer.
Works as an entry point to the AWS service, service hosted by another AWS account, or supported AWS partner service.	It doesn’t use IP addresses, PrivateLink, and security groups.	It uses internet gateway to allow the internet traffic to and from the consumer VPC.
It’s a regional resource that can be used only in the region it is created in.	It only supports AWS S3 and AWS DynamoDB and allows IPv4 TCP traffic.	GWLB endpoint is configured in a subnet other than the one where the service consumer application runs within the same VPC.
Allows us to choose a subnet per availability zone, attach a security group, and write an endpoint policy. Attaching a security group is a must; if we don’t specify any security group, then the default one is attached automatically.	Gateway endpoints can only connect VPC and resources in the same region.	All the incoming and outgoing traffic is routed through the GWLB endpoint according to the configurations defined in the route table.
It supports most of the AWS services and allows IPv4 TCP traffic only.	Allows to define endpoint policy.
The cost is attached to it for per hour + per GBs of data processed.	It's free of cost.

VPC peering vs. AWS PrivateLink

Although both of these services connect resources from different VPCs and allow them to communicate with each other, their use cases and purposes of use are quite different.

AWS PrivateLink creates a unidirectional connection between the resources of two VPCs. This means that the consumer VPC clients can only initiate the connection.
VPC peering creates a bidirectional connection between the VPCs. This means that the resources from both VPCs can initiate the communication.
We need to ensure that the CIDR blocks of IPv4 or IPv6 addresses are not overlapping in VPC peering, AWS PrivateLink uses ENIs, so there is no need to check overlapping.
VPC peering is cross-regional, but AWS PrivateLink connects resources within the same Region.

Example: Connecting private EC2 instance to SNS

Consider a scenario with an EC2 instance and Amazon SNS. The EC2 instance is provisioned in a private subnet, and we want to connect the EC2 instance with SNS. We have created a NAT gateway in a public subnet, and an internet gateway is attached to the VPC to access the internet. Let’s see different options to access the SNS using the VPC endpoints (Interface).

Option 1: We use NAT and IGW to access Amazon SNS publicly from the private subnet as shown in the gif below:

Press + to interact

In option 1, we have to use multiple services (NAT gateway and IGW) to access the Amazon SNS. We can achieve the same in the second option using the VPC endpoint (PrivateLink), and the connection will be private. Also, option 1 is expensive because of the NAT gateway. Therefore, the second option is more suitable and should be adopted.

Important points

Below are a few important points related to AWS PrivateLink and VPC endpoints and they should be kept in mind when working with PrivateLink and endpoints.

AWS PrivateLink uses private IP addresses to route traffic.
VPC endpoints allow IPv4 TCP traffic only.
Almost all AWS services are supported by Interface endpoint (PrivateLink).
Gateway endpoint currently supports only Amazon S3 and Amazon DynamoDB.
AWS PrivateLink is not cross-regional.

Get hands-on with 1300+ tech skills courses.

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena