VPCs can be shared between accounts and organizations using AWS Organizations and the AWS Resource Access Manager. In this section, you will learn how to share services running in a VPC with other accounts using the AWS PrivateLink service.
In Chapter 7, “Connecting On-Premises Networks,” you learned that the AWS PrivateLink service creates an internal, direct connection from your VPC to AWS services outside of your VPC. Traditionally, when communicating with external sites, the traffic may traverse the public Internet, which exposes your data in transit and can introduce suboptimal routing, added latency, and jitter. PrivateLink does not allow this traffic to leave the AWS network for the Internet. Instead, PrivateLink connects your private VPC subnets directly, inside of the AWS network, to selected AWS services and lets you use AWS security tools to control access to services running in your VPCs. Monthly costs may be reduced because NAT gateways, firewalls, and the associated data transfer charges are no longer needed if the VPC no longer requires Internet connectivity.
Because PrivateLink keeps sensitive data internal to AWS, it can help you address privacy concerns and meet regulatory requirements such as HIPAA, EU-US Privacy Shield, PCI, and other regulations.
PrivateLink uses interface VPC endpoints to connect to services external to your VPC, including those offered by AWS partner solutions in the AWS Marketplace at https://aws.amazon.com/marketplace/privatelink. PrivateLink provides private connectivity between your VPCs, AWS-supported services, and on-premises networks.
The service creates internal, private connections from VPCs to AWS services that can be hosted by other AWS accounts or offered as AWS Marketplace services. Since all traffic remains inside of the AWS network, you do not need an Internet gateway, NAT device, AWS Direct Connect, or AWS site-to-site VPN connection. PrivateLink creates a VPC endpoint inside of your VPC, tagged with the name of the service and the subnet. An elastic network interface in that subnet is created in your VPC and serves as the entry point for traffic destined to the service. When you create your own VPC endpoint service, you can enable other AWS customers to access your service. Since PrivateLink network traffic never exits AWS to the public Internet, the security of your in-transit traffic is greatly enhanced. When private IP CIDR blocks are used, the traffic is not routable across the Internet. Security groups can be attached to interface endpoints, and endpoint policies can be applied to them, to control access to the service. Since the traffic never exits to the Internet, there is no need to manage firewall rules or routing configurations, or to add an Internet gateway to the VPC. Also, VPC peering is not a requirement for using PrivateLink.
Direct Connect connects your external on-premises networks to AWS, whereas PrivateLink is an AWS-internal connection that connects services and applications in one VPC, for example, a service offering from a service provider, to the consumers’ VPCs inside of an AWS region.
While this may sound like the same thing as VPC peering, the difference is that VPC peering is used to securely interconnect entire VPCs. PrivateLink lets you expose individual applications or services in a VPC as endpoints that other VPCs, including those reached over your configured VPC peering connections, can connect to.
PrivateLink is an AWS internal connection between VPCs to privately connect services and applications hosted in a VPC, usually by a service provider offering application services to customers, to other consumers’ VPCs within an AWS region.
PrivateLink is generally used in client-server cases when multiple customers need to access a specific service or instance in a separate VPC. This is useful for providers offering a service to multiple customers. Only customers can initiate the connection into the service provider’s VPC; the provider cannot initiate connections into the customer’s VPC. Since PrivateLink places an elastic network interface (ENI) in the customer’s VPC, the service provider does not have to deal with overlapping subnet ranges. Also, you can access AWS PrivateLink endpoints via VPC peering connections, VPNs, and AWS Direct Connect.
AWS has integrated a very large number of services with PrivateLink that are updated at https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html.
VPC peering and Transit Gateway can be used in place of PrivateLink if direct layer 3 IP connections are required between VPCs.
To access services outside of your VPC using PrivateLink, you create an interface VPC endpoint for the external service. This creates an elastic network interface (ENI) in your subnet that is assigned a private IP address. This ENI is the entry point for traffic destined to the service.
When you need to share services over PrivateLink, you will create your own PrivateLink endpoint service and then enable your customers to access your service.
The PrivateLink endpoint configuration is in the VPC service of the AWS web console. In the left service pane, select Endpoints and then Create Endpoint, as shown in Figure 8.5 for partner services and in Figure 8.6 for AWS-provided services.
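The same procedure can be scripted with the AWS CLI. The script below is an added example and is not from the book or from AWS; it assumes the AWS CLI is installed with credentials configured, and every ID and ARN in it (the NLB ARN, service ID, VPC, subnet, and security group IDs, and the consumer account ARN) is a placeholder to be replaced. The provider side publishes a Network Load Balancer as an endpoint service with acceptance required and whitelists one consumer principal; the consumer side creates the interface endpoint (the ENI in its subnets) restricted by a security group; the provider then accepts the pending connection, matching the consumer-initiated model described above. Setting DRY_RUN=1 prints the commands instead of calling AWS.

```shell
#!/usr/bin/env bash
# Added example (not the book's own): PrivateLink provider and consumer steps with the AWS CLI.
# Set DRY_RUN=1 to print the aws commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# run: execute an aws CLI command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Provider side: publish the NLB behind an endpoint service.
# --acceptance-required means every consumer connection request must be approved
# explicitly, so nobody who merely knows the service name can attach to it.
create_endpoint_service() {
  nlb_arn="$1"   # placeholder: arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/net/NAME/ID
  run aws ec2 create-vpc-endpoint-service-configuration \
    --network-load-balancer-arns "$nlb_arn" \
    --acceptance-required \
    --query 'ServiceConfiguration.ServiceName' --output text
}

# Provider side: allow only a named principal (an account, role, or user ARN) to
# discover the service and request a connection. Avoid '*', which opens the service
# to every AWS account.
allow_consumer() {
  service_id="$1"     # placeholder: vpce-svc-xxxxxxxxxxxxxxxxx
  principal_arn="$2"  # placeholder: arn:aws:iam::CONSUMER_ACCOUNT_ID:root
  run aws ec2 modify-vpc-endpoint-service-permissions \
    --service-id "$service_id" \
    --add-allowed-principals "$principal_arn"
}

# Consumer side: create the interface endpoint. This places an ENI with a private IP
# in each listed subnet; the security group decides which instances in the VPC may
# reach the provider's service through that ENI.
create_interface_endpoint() {
  vpc_id="$1"        # placeholder: vpc-xxxxxxxx
  service_name="$2"  # placeholder: com.amazonaws.vpce.REGION.vpce-svc-xxxxxxxxxxxxxxxxx
  sg_id="$3"         # placeholder: sg-xxxxxxxx
  subnet_ids="$4"    # space-separated list, e.g. "subnet-aaaa subnet-bbbb"
  # shellcheck disable=SC2086  # subnet_ids is split into separate arguments on purpose
  run aws ec2 create-vpc-endpoint \
    --vpc-id "$vpc_id" \
    --vpc-endpoint-type Interface \
    --service-name "$service_name" \
    --subnet-ids $subnet_ids \
    --security-group-ids "$sg_id"
}

# Provider side: list pending connection requests for the service, then accept one.
# Only the provider can accept; the consumer cannot force the connection through.
list_pending_connections() {
  service_id="$1"
  run aws ec2 describe-vpc-endpoint-connections \
    --filters "Name=service-id,Values=$service_id" "Name=vpc-endpoint-state,Values=pendingAcceptance" \
    --query 'VpcEndpointConnections[].VpcEndpointId' --output text
}

accept_connection() {
  service_id="$1"
  endpoint_id="$2"   # placeholder: vpce-xxxxxxxxxxxxxxxxx from the consumer's request
  run aws ec2 accept-vpc-endpoint-connections \
    --service-id "$service_id" \
    --vpc-endpoint-ids "$endpoint_id"
}
```

Run the provider functions from the service owner's account and create_interface_endpoint from the consumer's account; the service name printed by create_endpoint_service is what the consumer passes as service_name. Keeping acceptance required and the allowed-principal list explicit is what prevents an unrelated account from attaching to your service.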