Learn about AWS Private Link

Tram Ho

1. Introduction to AWS Private Link

AWS Private Link is a secure way to connect VPCs to other AWS services.

  • This connection never goes over the Internet; it stays entirely within the AWS network.
  • PrivateLink helps simplify your network structure because it does not require you to configure:
    • Internet Gateway
    • NAT Device
    • Public IP address
    • VPN connection

Services that Private Link supports include:

  • Your services on AWS
  • Services hosted in another AWS account
  • Third-party services available on AWS Marketplace

AWS Marketplace is a digital directory with thousands of software listings from independent software vendors that make it easy to find, test, purchase, and deploy software running on AWS.

2. Model using AWS Private Link

Source: https://app.pluralsight.com/library/courses/aws-network-design-getting-started

First of all, you have a VPC and a private subnet with an instance (EC2 for example) in it.

That EC2 wants to use a service in another Private Subnet, in another VPC.

By using PrivateLink, you can configure an interface VPC endpoint in your VPC, backed by an Elastic Network Interface (ENI) that is assigned a private IP address from your private subnet.

The ENI's function is to let your EC2 instance reach other network resources, including other AWS services, other EC2 instances, physical servers, and the Internet.

You can define a security group on the endpoint to control which EC2 instances can reach (in other words, use) the service you are connecting to.

Once you have the VPC endpoint, it connects through AWS PrivateLink, and from there it reaches the service endpoint on the provider side (which also uses PrivateLink).

Once the service endpoint has been resolved, traffic goes to the Network Load Balancer in the service's VPC, and finally to the service provider's service.

Benefits of using Private Link model:

  • Reduces the number of components that service providers and service consumers have to maintain, monitor, and configure.
  • Ensures all traffic stays within the AWS network.
  • Cannot be reached from the public Internet.
  • The ENI only carries responses to connections initiated from the consumer side, so the consumer VPC cannot be reached from the service provider's VPC.

3. The benefits of Private Link

3.1 Ensuring Traffic Safety

Connect your VPCs to services in AWS securely and scalably with AWS PrivateLink.

Traffic using AWS PrivateLink does not travel over the public Internet, reducing exposure to threats such as brute-force and distributed denial of service (DDoS) attacks.

You can use private IP and security groups to make your services behave as if they were hosted directly on your private network.

You can also attach an endpoint policy, which allows you to control exactly who has access to a particular service.
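The endpoint policy mentioned above is where most of the "who has access" control lives. As an added example that is not part of the original post, the following script checks an endpoint policy document (the `PolicyDocument` string returned by `describe-vpc-endpoints`) for the full-access shape AWS applies by default, and contrasts it with a scoped policy; the policy documents are constructed samples and the account id is a placeholder.

```python
# Added example: audit a PrivateLink endpoint policy (policy docs are constructed).
import json

def load_policy(document):
    """Parse the PolicyDocument string that describe-vpc-endpoints returns."""
    return json.loads(document)

def _as_list(value):
    """Normalise a policy field that may be a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _anyone(principal):
    """True for the anonymous wildcard principal in either of its forms."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def open_statements(policy):
    """Indices of Allow statements granting any principal any action with no
    Condition, which is the shape of the default endpoint policy."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _anyone(stmt.get("Principal")) and "*" in _as_list(stmt.get("Action")):
            flagged.append(i)
    return flagged

def is_scoped(policy):
    """True when no statement grants everything to everyone."""
    return not open_statements(policy)

# Constructed: the full-access policy AWS attaches when you supply none.
DEFAULT_POLICY_JSON = '{"Statement":[{"Action":"*","Effect":"Allow","Resource":"*","Principal":"*"}]}'
# Constructed: access limited to one consumer account (placeholder id) and one action.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": "*",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}],
}

if __name__ == "__main__":
    for name, doc in (("default", load_policy(DEFAULT_POLICY_JSON)), ("scoped", SCOPED_POLICY)):
        print(name, "ok" if is_scoped(doc) else "open statements: %s" % open_statements(doc))
```

A statement that keeps `Principal: "*"` but adds a Condition (for example on `aws:PrincipalAccount`) is deliberately not flagged, since the condition is what narrows it.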

3.2 Simplify network architecture management

You can connect services across different Amazon accounts and VPCs without the need for firewall rules, path definitions, or route tables.

There is no need to configure an Internet Gateway or VPC peering connection, or to manage VPC Classless Inter-Domain Routing (CIDR) ranges.

Because AWS PrivateLink simplifies your network architecture, it will be easier for you to manage your global network.

3.3 Promote cloud usage

AWS PrivateLink makes it easier to migrate traditional on-premises applications to Software as a Service (SaaS) hosted in the cloud.

Since your data isn’t exposed to the Internet where it could be compromised, you can migrate and use more cloud services with confidence that your traffic is still safe.

You no longer have to choose between using a service and exposing your important data on the Internet.

Reference source:

https://app.pluralsight.com/library/courses/aws-network-design-getting-started

https://aws.amazon.com/privatelink/


Source : Viblo