AWS PrivateLink is a valuable service that allows certain AWS services to be accessed privately. What makes this service particularly interesting is that it is an extensible service, which means AWS customers can use it to offer their own services privately to other AWS accounts.
AWS PrivateLink operates on the AWS private network. Without it, API or console service calls are made over the public network. This can be counter-intuitive: even when your service is hosted in a private subnet of the VPC, it still requires an open outbound internet connection to make API calls to AWS services, such as EC2:DescribeInstances. This outbound connection is usually facilitated by public IPs, NAT instances, or NAT gateways, which can be costly. Furthermore, AWS services are published on public endpoints, making them reachable from anywhere, which exposes them to potential security risks.
AWS has multiple data centers, with each Availability Zone having its own data center. Initially, AWS relied on the public network to connect these data centers, but this approach has many downsides, including security, latency, and performance issues. However, this is rapidly changing, as AWS continues to improve its network infrastructure.
While connections to AWS service endpoints are TLS-protected, there is still a possibility of eavesdropping. This can be problematic for security-related AWS services such as Secrets Manager and STS, which handle sensitive information like passwords and temporary session credentials.
Moreover, when traffic is on the public internet, it is subject to multiple hops, rerouting, and congestion, leading to network latency, unreliability, and inconsistent bandwidth, all of which can impact performance.
To address these issues, AWS PrivateLink offers a secure and cost-effective way to access services privately within the AWS network. By using AWS PrivateLink, you can keep communication between services within the AWS-owned internal network, providing a secure, reliable, and high-performance environment for your applications.
Amazon Web Services (AWS) provides a wide range of cloud computing services to help businesses and individuals run their applications and services on the cloud. These services are available on public service endpoints that cannot be changed, as customers are already using them. However, to ensure that these services are accessed only on the AWS-owned private network, AWS provides a dedicated private front to these public service endpoints through its Network Load Balancer (NLB).
When a client in a private subnet makes an API call, such as EC2:DescribeInstances, to an AWS service, the call first enters through a dedicated Elastic Network Interface (ENI) that is provided for each private subnet. The DNS entry for the AWS service endpoint is also overridden to point to this dedicated ENI. The dedicated ENI then reroutes the network traffic for the API call over AWS's internal network, ensuring that it never leaves the private network.
This dedicated private network ultimately leads the traffic to the private-facing NLB, which then passes it to the AWS service it is fronting. It is important to note that this process occurs within a single AWS region. For cross-region communication, a user needs to use cross-region VPC peering.
The NLB provides several benefits, including improved scalability, high availability, and improved network performance. It can handle millions of requests per second while maintaining low latencies.
AWS PrivateLink Cost Factors
AWS PrivateLink is a useful feature that allows you to securely access services over a private connection, rather than through the public internet. However, there are a few cost factors to consider when using PrivateLink.
Firstly, PrivateLink requires a dedicated Elastic Network Interface (ENI) for each service you want to connect to. This means that if you need to connect to multiple services, you will need multiple ENIs, which can increase your costs.
Secondly, PrivateLink requires a dedicated AWS private network over which traffic travels. This network is separate from your standard VPC network, which means there are additional costs associated with creating and maintaining this private network.
When using AWS PrivateLink, you will be charged for the time that the ENI is required. In addition to the ENI costs, you will also be charged for the data that is processed over the private network. This is charged on a per GB per month basis, which means that the more data you process, the higher your costs will be.
Overall, while AWS PrivateLink is a powerful tool for secure and private access to services, it is important to consider the additional costs associated with it.
VPC Endpoint Services powered by AWS PrivateLink for customer services
To use PrivateLink, a Network Load Balancer (NLB) must be fronting the service that is being made available, and the DNS entry for that service must be made available to the Elastic Network Interface (ENI). Once the NLB is added as a VPC Endpoint service with a service name, clients can use the associated network information to subscribe to the service via dedicated ENIs in each private subnet.
For example, consider a financial company that tracks securities trades and publishes this information for subscription. This financial data is both sensitive and time-sensitive, and therefore requires a secure and reliable means of distribution. Such a service is an excellent candidate for a customer-published VPC Endpoint Service using PrivateLink.
By using PrivateLink to expose the financial data service, the financial company can ensure that only authorized clients within their VPC can access the data. Additionally, because PrivateLink uses dedicated ENIs, network traffic is isolated from other clients and services, providing an additional layer of security and privacy.
Overall, PrivateLink is an excellent option for securely and efficiently exposing services within a VPC to other AWS services and resources. By following best practices for setting up and configuring VPC Endpoint services using PrivateLink, AWS customers can ensure the security and reliability of their services and data.
Granular Security Control
The VPC endpoint service also helps to create data perimeters with the help of VPC endpoint policies. These policies can be used to restrict access to resources from specific IP addresses or VPCs. This allows customers to create a more granular security model that only permits access from trusted sources. For example, VPC endpoint policies can be used to restrict access to EC2 instance credentials, ensuring that they can only be used from specific IP addresses or VPCs.
One of the key benefits of VPC endpoint policies is that they can be easily configured and updated. This means that customers can quickly respond to changes in their security requirements, and make sure that their data remains secure at all times. With the VPC endpoint service, customers can be confident that their data is being transmitted and stored in a secure and private environment.
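As an added illustration (not code from the post), the following Python models how a VPC endpoint policy and an instance-role policy combine into the data perimeter described above. IAM evaluation is deliberately simplified to "explicit Deny wins, otherwise every policy on the request path must Allow", and all ids, policy documents and request contexts are constructed for the example.

```python
# Constructed example (not from the post): a VPC endpoint policy and an
# instance-role policy combining into a data perimeter for Secrets Manager.
# Simplified IAM evaluation: explicit Deny wins; otherwise every policy on the
# path (identity policy, then the endpoint policy) must contain an Allow.
ORG_ID, VPC_ID = "o-exampleorg", "vpc-0123456789abcdef0"  # placeholder ids
ACTION = "secretsmanager:GetSecretValue"

# Endpoint policy on the interface endpoint: only our organisation's principals.
ENDPOINT_POLICY = {"Statement": [{"Effect": "Allow", "Action": ACTION,
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}}]}
# Instance-role policy: deny unless the call arrives from our VPC or an AWS
# service makes it on the role's behalf, so lifted credentials fail elsewhere.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ACTION},
    {"Effect": "Deny", "Action": "*", "Condition": {
        "StringNotEqualsIfExists": {"aws:SourceVpc": VPC_ID},
        "BoolIfExists": {"aws:ViaAWSService": "false"}}}]}
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

def condition_matches(op, key, wanted, ctx):
    # Supports StringEquals / StringNotEquals / Bool, each optionally IfExists.
    actual = ctx.get(key)
    if actual is None:  # absent key: IfExists variants and StringNotEquals match
        return op.endswith("IfExists") or op == "StringNotEquals"
    negate = op.startswith("StringNotEquals")
    return (str(actual).lower() == str(wanted).lower()) != negate

def statement_applies(stmt, action, ctx):
    return stmt["Action"] in ("*", action) and all(
        condition_matches(op, k, v, ctx)
        for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())

def evaluate(policies, action, ctx):
    # Returns 'Deny', 'Allow' or 'ImplicitDeny' for one request context.
    allowed = True
    for policy in policies:
        effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, action, ctx)}
        if "Deny" in effects:
            return "Deny"
        allowed &= "Allow" in effects
    return "Allow" if allowed else "ImplicitDeny"

SCENARIOS = {  # (policies on the request path, request context), all constructed
    "instance_in_vpc": ([ROLE_POLICY, ENDPOINT_POLICY],
                        {"aws:PrincipalOrgID": ORG_ID, "aws:SourceVpc": VPC_ID}),
    "stolen_creds_internet": ([ROLE_POLICY], {"aws:PrincipalOrgID": ORG_ID}),
    "via_aws_service": ([ROLE_POLICY], {"aws:ViaAWSService": "true"}),
    "foreign_org_via_endpoint": ([ALLOW_ALL, ENDPOINT_POLICY],
                                 {"aws:PrincipalOrgID": "o-otherorg", "aws:SourceVpc": VPC_ID}),
}

def perimeter_check(scenario):
    return evaluate(SCENARIOS[scenario][0], ACTION, SCENARIOS[scenario][1])
```

The "stolen_creds_internet" scenario is the case the linked AWS post addresses: the same role credentials replayed from outside the VPC carry no aws:SourceVpc key, so the Deny statement applies.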
AWS re:Invent 2021 - Securing your data perimeter with VPC endpoints
How to use policies to restrict where EC2 instance credentials can be used from