AWS Cloud

Demystifying AWS PrivateLink and VPC Endpoint Services: Everything You Need to Know

Nishant Thorat
February 11, 2024
5 min read

WS PrivateLink is a valuable service that allows certain AWS services to be accessed privately. What makes this service particularly interesting is that it is an extensible service, which means AWS customers can use it to offer their own services privately to other AWS accounts.

AWS PrivateLink operates on the AWS private network. Without it, API or console service calls are made over the public network. This can be counter-intuitive, especially when your service is hosted in a private subnet of the VPC, and requires an open outbound internet connection to make API calls to AWS services like EC2:DescribeInstances. This outbound connection is usually facilitated by Public IPs, NATs, or NAT gateways, which can be costly. Furthermore, AWS services are published on public endpoints, making them accessible from anywhere, which poses potential security risks.

AWS has multiple data centers, with each Availability Zone having its own datacenter. Initially, AWS relied on the public network to connect these data centers, but this approach has many downsides, including security, latency, and performance issues. However, this is rapidly changing, as AWS continues to improve its network infrastructure.


While connections to AWS service endpoints are TLS protected, there is still a possibility of eavesdropping. This can be problematic for security-related AWS services such as Secrets Manager and STS, which store sensitive information like passwords and temporary session credentials.


Moreover, when traffic is on the public internet, it is subject to multiple hops, rerouting, and congestion, leading to network latency, unreliability, and inconsistent bandwidth, all of which can impact performance.

AWS PrivateLink

To address these issues, AWS PrivateLink offers a secure and cost-effective way to access services privately within the AWS network. By using AWS PrivateLink, you can keep communication between services within the AWS-owned internal network, providing a secure, reliable, and high-performance environment for your applications.

The Backend

Amazon Web Services (AWS) provides a wide range of cloud computing services to help businesses and individuals run their applications and services on the cloud. These services are available on public service endpoints that cannot be changed, as customers are already using them. However, to ensure that these services are accessed only on the AWS-owned private network, AWS provides a dedicated private front to these public service endpoints through its Network Load Balancer (NLB).

When a client in a private subnet makes an API call, such as EC2:DescribeInstance, to an AWS service, the call first enters through a dedicated Elastic Network Interface (ENI) that is provided for each private subnet. The DNS entry for the AWS service endpoint is also overloaded to point to this dedicated ENI. The dedicated ENI then reroutes the network traffic for the API call over AWS's internal network, ensuring that it never leaves the private network.

This dedicated private network ultimately leads the traffic to the private fronted NLB, which then passes it to the AWS service it is fronting. It is important to note that this process occurs within a single AWS region. For cross-region communication, a user needs to use cross-region VPC peering.

The NLB provides several benefits, including improved scalability, high availability, and improved network performance. It can handle millions of requests per second while maintaining low latencies.

AWS PrivateLink Backend

AWS PrivateLink Cost Factors

AWS PrivateLink is a useful feature that allows you to securely access services over a private connection, rather than through the public internet. However, there are a few cost factors to consider when using PrivateLink.

Firstly, PrivateLink requires a dedicated Elastic Network Interface (ENI) for each service you want to connect to. This means that if you need to connect to multiple services, you will need multiple ENIs, which can increase your costs.

Secondly, PrivateLink requires a dedicated AWS Private network over which traffic travels. This network is separate from your standard VPC network, which means there are additional costs associated with creating and maintaining this private network.

When using AWS PrivateLink, you will be charged for the time that the ENI is required. In addition to the ENI costs, you will also be charged for the data that is processed over the private network. This is charged on a per GB per Month basis, which means that the more data you process, the higher your costs will be.

Overall, while AWS PrivateLink is a powerful tool for secure and private access to services, it is important to consider the additional costs associated with it.

VPC Endpoint Services powered by AWS PrivateLink for customer services

To use PrivateLink, a Network Load Balancer (NLB) must be fronting the service that is being made available, and the DNS entry for that service must be made available to the Elastic Network Interface (ENI). Once the NLB is added as a VPC Endpoint service with a service name, clients can use the associated network information to subscribe to the service via dedicated ENIs in each private subnet.

For example, consider a financial company that tracks security trades and publishes this information for subscription. This financial data is sensitive and time-sensitive, and therefore requires a secure and reliable means of distribution. Such a service is an excellent candidate for a customer-published VPC Endpoint Service using PrivateLink.

By using PrivateLink to expose the financial data service, the financial company can ensure that only authorized clients within their VPC can access the data. Additionally, because PrivateLink uses dedicated ENIs, network traffic is isolated from other clients and services, providing an additional layer of security and privacy.

Overall, PrivateLink is an excellent option for securely and efficiently exposing services within a VPC to other AWS services and resources. By following best practices for setting up and configuring VPC Endpoint services using PrivateLink, AWS customers can ensure the security and reliability of their services and data.

Granular Security Control

The VPC endpoint service also helps to create data perimeters with the help of VPC endpoint policies. These policies can be used to restrict access to resources from specific IP addresses or VPCs. This allows customers to create a more granular security model that only permits access from trusted sources. For example, VPC endpoint policies can be used to restrict access to EC2 instance credentials, ensuring that they can only be used from specific IP addresses or VPCs.

One of the key benefits of VPC endpoint policies is that they can be easily configured and updated. This means that customers can quickly respond to changes in their security requirements, and make sure that their data remains secure at all times. With the VPC endpoint service, customers can be confident that their data is being transmitted and stored in a secure and private environment.


AWS re:Invent 2021 - Securing your data perimeter with VPC endpoints

How to use policies to restrict where EC2 instance credentials can be used from

Nishant Thorat

Stay Informed

Get the latest updates, news, and exclusive offers delivered to your inbox.

By clicking Sign Up, you agree to our Terms and Conditions.
Thank you! Your submission has been received!
Oops! Something went wrong. Please try again.

Discover Our Featured Blogs

Stay up to date with our informative blog posts.

User Access Management

Streamlining AWS Access for Growing Startups

As your startup scales on AWS, managing access control becomes crucial. This blog post provides a roadmap for securing your cloud environment. You'll learn about the limitations of basic IAM users, the benefits of centralized identity management, and the capabilities of AWS IAM Identity Center with Just-In-Time access. By the end, you'll have a clear strategy to secure your AWS environment while maintaining agility.
Nishant Thorat
March 27, 2024
5 min read
AWS Cloud

Understanding Instance MetaData Service (IMDS)

Instance metadata service (IMDS) provides sensitive information. Understand IMDSv1 weakness and how IMDSv2 improves security. Identify IMDSv1 enabled instances across your cloud.
Nishant Thorat
February 11, 2024
5 min read

10 Steps to Improve Your AWS IAM Hygiene and Keep Your Cloud Secure

Improving your AWS IAM hygiene is critical in protecting your cloud resources and data. By following these 10 steps, you can establish a robust security framework that protects your business from cyber threats. From reviewing your IAM policies to enabling MFA and monitoring your IAM activity, each step is designed to help you maintain the security and integrity of your AWS account.
Nishant Thorat
February 11, 2024
5 min read