Connecting with a VPN Connection – Configuring Infrastructure Security – SCS-C02 Study Guide

Note

You will see more details on the security and routing of AWS Direct Connect and VPN connections in Chapter 18, Securely Connecting to your AWS Environment.

Securing your connections is vital so those listening on the wire don’t eavesdrop and gather sensitive information. Some techniques can be used in AWS so that connecting to the services without using the public internet is possible. In the next section, you will examine such techniques.

Connecting to Your AWS Services without the Internet

In addition to reaching your VPC over the internet through an IGW, you can establish a VPN connection from your data center. This creates a link between your on-premises network and your VPC without using the public internet.

Although an IGW attached to your VPC, or even a NAT gateway, lets you reach both the internet and the public IP addresses of AWS services such as S3 buckets and EC2 instances, there are many cases where connecting to a service through an endpoint protects the connection better than sending its traffic over the public internet.

A VPC endpoint in AWS is a virtual network interface that allows you to privately access AWS services without using a public IP address or going over the public internet.

Historically, when connections had to be made to services such as DynamoDB or S3 buckets, they would need to use a NAT gateway or public IP address. In this manner, the traffic would be routed over the public internet from the source until it reached its destination. This was even the case if the source was an EC2 instance inside the same VPC as the DynamoDB database.

The Different Types of Endpoints Available in VPCs

If you have an application running inside your VPC that needs to reach AWS services normally accessed over the public internet, such as Amazon S3, Amazon SNS, Amazon SQS, and Amazon API Gateway, then you can use AWS endpoints as a more secure way of making those connections from inside your VPC.

Traditionally, when you access AWS services such as S3 or DynamoDB from within a VPC, you would need to use a public IP address or a NAT gateway to route traffic through the internet. This can introduce security risks and increase latency.

With VPC endpoints, you can establish a private connection between your VPC and the AWS service without going over the internet. This allows you to access the service securely and with reduced latency.

The following two types of endpoints are available:

  • Interface endpoints: These are powered by ENIs and allow you to connect to AWS services over PrivateLink. PrivateLink is a highly available and scalable technology that provides secure and private communication between VPCs and AWS services.
  • Gateway endpoints: These are powered by Gateway Load Balancer (GWLB) and allow you to connect to S3 and DynamoDB over a VPC endpoint.

To reiterate, the only services supported by gateway endpoints are Amazon S3 and DynamoDB.
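As an added example that is not part of the study guide, the following Python models the policy pairing a practitioner applies with a gateway endpoint for S3: an endpoint policy that limits which bucket is reachable through the endpoint, a bucket policy that rejects any request not arriving via that endpoint (the aws:sourceVpce condition key), and a small simulation of how the two combine. The bucket name and endpoint ID are constructed placeholders, and the evaluator is a simplified model of IAM evaluation, not the real engine.

```python
import fnmatch

BUCKET = "example-private-bucket"      # constructed placeholder bucket name
VPCE_ID = "vpce-0123456789abcdef0"     # constructed placeholder endpoint ID


def endpoint_policy(bucket):
    """Endpoint policy on the gateway endpoint: only this bucket is reachable
    through it, so the endpoint cannot be used to reach arbitrary buckets."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Resource": arns,
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]}]}

def bucket_policy(bucket, vpce_id):
    """Bucket policy: explicit deny unless the request came through the endpoint.
    aws:sourceVpce is absent on internet traffic, and StringNotEquals is true then."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessViaEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": arns,
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    # IAM wildcards ('*') in Action and Resource are treated like shell globs here
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _string_not_equals_met(stmt, ctx):
    # True when the context key is missing or differs (AWS semantics for StringNotEquals)
    checks = stmt.get("Condition", {}).get("StringNotEquals", {})
    return all(ctx.get(k) != v for k, v in checks.items())

def request_allowed(action, resource, source_vpce=None):
    """Simplified evaluation: an explicit deny in the bucket policy wins; traffic
    through the endpoint must also be allowed by the endpoint policy. Assumes the
    caller's identity policy already allows the action (constructed model)."""
    ctx = {"aws:sourceVpce": source_vpce} if source_vpce else {}
    for s in bucket_policy(BUCKET, VPCE_ID)["Statement"]:
        if s["Effect"] == "Deny" and _matches(s, action, resource) and _string_not_equals_met(s, ctx):
            return False
    if source_vpce:  # the gateway endpoint policy applies only to endpoint traffic
        return any(s["Effect"] == "Allow" and _matches(s, action, resource)
                   for s in endpoint_policy(BUCKET)["Statement"])
    return True  # other buckets over the internet are outside this bucket policy
```

Running the same request through the endpoint and over the internet shows why both policies are needed: the bucket policy blocks internet paths, while the endpoint policy keeps the endpoint from becoming a route to buckets outside your control.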

The following section will teach you the process of setting up an endpoint in your established VPC so that you have a better understanding of the concept of endpoints.