Using AWS Endpoint Services To Securely Expose Applications

In this post, we’ll see how we can use AWS Endpoint Services (AWS PrivateLink) to securely expose our applications to other AWS accounts. Traditionally we did so using VPC peering, but I find Endpoint Services a more elegant solution for this use case.
Note: We’ll need two AWS accounts for this setup. Account A will host our application and the Endpoint Service, while Account B will create the Endpoint and access the application running in Account A.
Steps to be performed in Account A
1: Launch an instance from the Amazon Linux 2 AMI in a private subnet, using the following user data to install and start Apache.
#!/bin/bash
yum install -y httpd
service httpd start
In the security group of this instance, allow access on port 80 from our VPC CIDR.
2: Next, create a target group that listens on port 80 and register our Apache instance as a target.

3: An Endpoint Service needs a Network Load Balancer. Create an internal NLB that listens on port 80 and forwards traffic to the target group we created earlier. Once our NLB is in the active state, click Integrated services->VPC Endpoint Services (AWS PrivateLink)->Create Endpoint Service and create our Endpoint Service.


4: With our Endpoint Service selected, go to Allow-listed principals->Add principals to allow list and specify arn:aws:iam::<aws-account-id>:root, where aws-account-id is the ID of Account B. This allows only Account B to create an Endpoint to this service.
Note down the service name; we’ll need it when creating the Endpoint in Account B.
Steps to be performed in Account B
1: Go to VPC->Endpoints and create an endpoint in the same region where we created our Endpoint Service in Account A. Note that the Endpoint and the Endpoint Service must be in the same region.
Select Find service by name, provide the service name we copied earlier, click Verify and then Create endpoint.

2: At this point our Endpoint will be in the Pending state.

Go back to Account A and you’ll see our endpoint connection waiting to be accepted. Accept the endpoint connection.

Once you accept the connection, switch back to Account B and you’ll see that our Endpoint is now Available.

3: Now launch an EC2 instance and SSH into it. Make sure our Endpoint’s security group allows access on port 80 from this instance’s security group.
4: Copy our Endpoint’s DNS name and curl it from our EC2 instance; you should be able to access our web page.
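The same cross-account wiring (Account A steps 3-4, Account B steps 1-2) as an added Terraform example, not code from the original post. It assumes the internal NLB in Account A and the consumer VPC, subnets and client security group in Account B already exist and are supplied through the variables shown.

```hcl
# Added example, not from the post: steps 3-4 (Account A) and 1-2 (Account B) as Terraform.
# Assumed inputs: an existing internal NLB in Account A and a consumer VPC in Account B.
variable "nlb_arn"             { type = string }       # Account A internal NLB (step 3)
variable "account_b_id"        { type = string }       # consumer AWS account id (step 4)
variable "consumer_vpc_id"     { type = string }
variable "consumer_subnet_ids" { type = list(string) }
variable "client_sg_id"        { type = string }       # SG of the EC2 client in Account B

# Both providers must target the same region; set it via AWS_REGION for each profile.
provider "aws" { alias = "account_a" } # credentials for Account A (service owner)
provider "aws" { alias = "account_b" } # credentials for Account B (consumer)

# Account A: publish the NLB as an endpoint service. acceptance_required = true keeps the
# owner in the loop, and allowed_principals limits who may even request a connection.
resource "aws_vpc_endpoint_service" "app" {
  provider                   = aws.account_a
  network_load_balancer_arns = [var.nlb_arn]
  acceptance_required        = true
  allowed_principals         = ["arn:aws:iam::${var.account_b_id}:root"]
}

# Account B: endpoint security group admitting only the client instance's SG on port 80.
resource "aws_security_group" "endpoint" {
  provider = aws.account_b
  vpc_id   = var.consumer_vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [var.client_sg_id]
  }
}

# Account B: interface endpoint that finds the service by name (Account B, step 1).
resource "aws_vpc_endpoint" "app" {
  provider           = aws.account_b
  vpc_id             = var.consumer_vpc_id
  service_name       = aws_vpc_endpoint_service.app.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.consumer_subnet_ids
  security_group_ids = [aws_security_group.endpoint.id]
}

# Account A: accept the Pending connection (the manual accept in Account B, step 2).
resource "aws_vpc_endpoint_connection_accepter" "app" {
  provider                = aws.account_a
  vpc_endpoint_service_id = aws_vpc_endpoint_service.app.id
  vpc_endpoint_id         = aws_vpc_endpoint.app.id
}
output "endpoint_dns_name" { value = aws_vpc_endpoint.app.dns_entry[0].dns_name } # curl target
```

Because the service requires acceptance and allow-lists only Account B's root principal, any other account attempting to create an endpoint is rejected before the owner ever sees a connection request.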

Reference: https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html