Using AWS Endpoint Services To Securely Expose Applications

In this post, we’ll see how we can use AWS Endpoint Services to securely expose our applications to other AWS accounts. Traditionally we used to do so using VPC peering, but I find Endpoint Services an elegant solution for this use case.

Note: We’ll need 2 AWS accounts for this setup. Account A will be used for creating our application and Endpoint Service while Account B will be used for creating Endpoint and accessing applications running in Account A.

Steps to be performed in Account A

1: Launch an instance using the Amazon Linux 2 AMI in the private subnet, using the following user data to install and start Apache.

#!/bin/bash
# Install and start the Apache web server
yum install -y httpd
service httpd start

In the security group of this instance, allow access on port 80 from our VPC CIDR.

2: Next create a target group that listens on port 80 and registers our Apache instance as a target.

3: Endpoint Services needs a Network Load Balancer, so create an internal NLB which listens on port 80 and forwards traffic to the target group we created earlier. Once our NLB is in an active state, click on Integrated services->VPC Endpoint Services (AWS PrivateLink)->Create Endpoint Service and create our Endpoint Service.

4: With our Endpoint Service selected, go to Allow-listed-principals->Add principals to allow list and specify arn:aws:iam::<aws-account-id>:root where aws-account-id is the id of Account B. This allows Account B to create an Endpoint to this service.

Note down the service name, which we’ll need while creating the Endpoint in Account B.

Steps to be performed in Account B

1: Go to VPC->Endpoints and create an endpoint in the same region where we created our Endpoint Service in Account A. Please note that the Endpoint and Endpoint Service should be in the same region.

Select find service by name and provide the service name which we copied earlier. Click Verify and then Create endpoint.

2: Right now our Endpoint will be Pending.

Go back to Account A and you’ll see our endpoint connection is waiting to be accepted. Proceed with accepting the endpoint connection.

Once you accept the connection, switch back to Account B and you’ll see that now our Endpoint is available.

3: Now launch an EC2 instance and SSH into it. Make sure our Endpoint security group allows access to port 80 from this instance’s security group.

4: Copy our Endpoint’s DNS name and try to curl it from our EC2 instance and you should be able to access our web page.
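
The following Python check is an added example, not part of the original post. It audits the two access controls this procedure relies on: the allow list from step 4 in Account A and the manual acceptance of the endpoint connection. It takes dictionaries shaped like the boto3 EC2 responses of describe_vpc_endpoint_service_configurations and describe_vpc_endpoint_service_permissions; the function name, account IDs and sample data are assumptions constructed for illustration.

```python
import re

# Principal forms accepted here: account root (as in step 4), IAM user, IAM role.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def audit_endpoint_service(config, allowed_principals, expected_accounts):
    """Return a list of findings for one Endpoint Service (empty list = clean).

    config             -- one ServiceConfigurations item from
                          describe_vpc_endpoint_service_configurations
    allowed_principals -- AllowedPrincipals from
                          describe_vpc_endpoint_service_permissions
    expected_accounts  -- set of consumer account IDs (Account B in this post)
    """
    findings = []
    # Without acceptance, an allow-listed principal's endpoint becomes
    # available immediately instead of waiting in the pending state.
    if not config.get("AcceptanceRequired", False):
        findings.append("acceptance not required")
    seen = set()
    for entry in allowed_principals:
        principal = entry["Principal"]
        if principal == "*":  # wildcard: any AWS principal may request a connection
            findings.append("wildcard principal on allow list")
            continue
        match = ARN_RE.match(principal)
        if match is None:
            findings.append(f"unrecognized principal: {principal}")
            continue
        seen.add(match.group(1))
        if match.group(1) not in expected_accounts:
            findings.append(f"unexpected account: {match.group(1)}")
    for account in sorted(set(expected_accounts) - seen):
        findings.append(f"expected account not allow-listed: {account}")
    return findings


# Constructed sample data; the service ID and account IDs are placeholders.
GOOD_CONFIG = {"ServiceId": "vpce-svc-0123456789abcdef0", "AcceptanceRequired": True}
GOOD_PRINCIPALS = [{"PrincipalType": "Account",
                    "Principal": "arn:aws:iam::222222222222:root"}]
WEAK_CONFIG = {"ServiceId": "vpce-svc-0123456789abcdef0", "AcceptanceRequired": False}
WEAK_PRINCIPALS = [{"PrincipalType": "All", "Principal": "*"},
                   {"PrincipalType": "Account",
                    "Principal": "arn:aws:iam::333333333333:root"}]

if __name__ == "__main__":
    print(audit_endpoint_service(GOOD_CONFIG, GOOD_PRINCIPALS, {"222222222222"}))
    print(audit_endpoint_service(WEAK_CONFIG, WEAK_PRINCIPALS, {"222222222222"}))
```

An empty list means only the expected consumer account is allow-listed and each connection still has to be accepted in Account A.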



AVM Consulting — Clear strategy for your cloud

Vinayak Pandey
