AWS Private Link — An Introduction

Amit Singh Rathore · Published in Nerd For Tech · 3 min read · Dec 24, 2020

Consume a service from a private network without traversing the internet.

This is what PrivateLink is at its core. It allows an application in a private subnet of a VPC to connect to a service that lives outside the current VPC without ever leaving the AWS network. VPC peering lets us do the same, but it establishes a connection whose scope is far too broad (the whole peer VPC), and peering requires non-overlapping CIDRs. PrivateLink lets us connect only to the specific service we need, gives control at both ends (the service provider's and the consumer's), and does not require non-overlapping CIDRs.

Access my Service not my VPC

In the image below we see a connection between a resource in a private subnet and the SNS service API. We are using an SNS service endpoint, which is internally powered by PrivateLink.

In the diagram above we have a VPC Endpoint (Interface or Gateway), a logical networking component that is a collection of ENIs. Whenever we make a call to the service, the VPC's "+2" DNS resolver (the resolver at the VPC base address plus two) overrides the public service name and returns the private IP of the ENI. As of my writing, AWS supports 90+ services via interface endpoints.

In the image below we have a consumer VPC and a service provider VPC (let's assume a SaaS provider). Here the service provider exposes its resources to the consumer using a VPC Endpoint on the consumer side and an Endpoint Service on the provider side. Also notice that we are using an NLB: only an NLB can be used, because PrivateLink is TCP based.

If you wish to expose an ALB-based application as a PrivateLink service, you need to put an NLB in front of it: Endpoint Service → NLB → ALB → Listeners.

PrivateLink is a technology that enables a consumer-initiated, TCP-based, unidirectional, stateful flow.

The technology that powers PrivateLink is the Hyperplane ENI.

  1. Create your NLB.
  2. Go to Endpoint Services, click Create Endpoint Service, select the NLB created in the last step, select the subnets and create the service.
  3. Go to Endpoints, click Create Endpoint, select "Find service by name", enter the endpoint service name created in the last step and click Verify.
  4. Switch to Endpoint connections (on the provider side) and accept the connection request.

Performance

PrivateLink offers a sustained throughput of 10 Gbps and burst capacity of up to 40 Gbps.

Note: When an Endpoint Service fronts Multi-AZ resources, pay attention to cross-zone load balancing on the NLB.

Benefits

Security. As the packets never traverse the internet, the chances of Man-in-the-Middle attacks are reduced.

It supports IAM-like endpoint policies, with which you can control who can access what, and under which conditions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["sns:Publish"],
      "Effect": "Allow",
      "Resource": "arn:aws:sns:us-east-2:123456789012:YourTopic",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/AllowedUserName"
      }
    }
  ]
}
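Endpoint policies only help if they are actually scoped. The default policy AWS attaches to an interface endpoint when you supply none is full access (wildcard principal, action and resource), so a useful defender check is to lint every endpoint policy for `Allow` statements that still carry wildcards. The following is an added example, not code from the original post; the two policies are constructed samples, the scoped one modelled on the SNS policy above with placeholder account id, topic and user names.

```python
import json

# Constructed sample: the full-access default attached when no policy is given.
DEFAULT_FULL_ACCESS = json.dumps({
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}]
})

# Constructed sample: a scoped policy in the shape of the SNS example above
# (account id, topic name and user name are placeholders).
SCOPED_SNS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["sns:Publish"],
        "Effect": "Allow",
        "Resource": "arn:aws:sns:us-east-2:123456789012:YourTopic",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/AllowedUserName"},
    }],
})


def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and Principal fields.
    return value if isinstance(value, list) else [value]


def _principals(principal):
    # Principal is either the string "*" or a map such as {"AWS": [...]}.
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def _is_wild(value):
    # "*" is a global wildcard; "sns:*" style values are service-wide wildcards.
    return value == "*" or value.endswith(":*")


def find_wildcards(policy_json):
    """Return (statement index, field, value) for every wildcard in an Allow statement."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [(i, "Action", a) for a in _as_list(stmt.get("Action", [])) if _is_wild(a)]
        findings += [(i, "Resource", r) for r in _as_list(stmt.get("Resource", [])) if _is_wild(r)]
        findings += [(i, "Principal", p) for p in _principals(stmt.get("Principal", {})) if _is_wild(p)]
    return findings
```

Run `find_wildcards` over the policy document returned for each endpoint; an empty list means every Allow statement names explicit actions, resources and principals.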

It also supports security groups, so as a provider you can control what traffic reaches the service.

A VMware Carbon Black performance test on PrivateLink highlighted a 70% reduction in latency.

Limitations:

Endpoints are regional: both the service and the consuming VPC must be in the same region.

Use case

Shared services architecture. Create a separate account that holds all the endpoints and manage it centrally, then allow other accounts to consume services via that account's endpoints.
