In this blog, we will discuss how to connect to AWS services over a private, secure AWS network using AWS PrivateLink.
AWS services are accessed by their respective endpoints. By default, these are the public endpoints and to route traffic from VPC to AWS services, an internet gateway is used to access these AWS services.
However, when network security requirements do not allow access to the public internet, AWS PrivateLink can be used to connect VPC to AWS services without exposing traffic to the public Internet.
My previous blog discusses AWS PrivateLink’s use cases and its benefits. PrivateLink routes the call through the AWS Hyperplane service, eliminating the need for internet access. Resources in VPC can privately access the AWS services that are supported with AWS PrivateLink using VPC endpoints.
Control access to VPC endpoints
Security groups can be associated with the ENIs of the VPC interface endpoint to control network access from resources in the VPC.
Endpoint polices can be attached to the VPC interface endpoint to control access to AWS services through the interface endpoint. Default policy allows full access.
For example: A policy that restricts access to a specific AWS account.
How to set up PrivateLink with AWS services
- Host the application in the private subnets that require access to AWS services.
- Create an interface endpoint in the same VPC using the service name of the service that the application needs access to. AWS services will accept the connection requests automatically.
- The interface endpoint will create one or more Hyperplane-managed ENIs (depending on the subnets associated) in the VPC. This is the entry point that allows for connecting to AWS services powered by AWS PrivateLink.
- Create a security group and associate it with the network interfaces for the interface endpoint. The security group rules should allow permissions from the application resources in the private subnet to allow them to connect with AWS services over the VPC endpoint.
- Create an endpoint policy to allow AWS Principals to access AWS service through the VPC interface endpoint
- Traffic initiated by application hosts destined for the AWS service will use the DNS of the Interface endpoint and resolve into the private IPs associated with its ENIs.
- Enable private DNS to continue using the service domain name, this will create managed Private Hosted zones to ensure the traffic flow through the private VPC endpoint instead of the Internet.
Endpoints in Centralised Shared Services Architecture
For a centralised networking architecture, all required Interface endpoints to AWS services that are powered by AWS PrivateLink can be created in the shared services AWS account and shared with workloads.
The private DNS feature of the VPC endpoint does not work with this architecture. Custom Route 53 private Hosted zone with the AWS service endpoint domain can be configured to route traffic to the interface endpoint with A-alias records pointing to the Interface endpoint DNS.
The workload AWS accounts can only be used to deploy workloads in VPC private subnets. VPCs of these workload accounts can be then connected to a shared services VPC via AWS Transit Gateway as a hub and spoke. These VPCs must then be associated with the custom private hosted zone. Security group for the Interface endpoints in the Shared services account must allow hosts in workload VPCs to connect with AWS access via the VPC Interface endpoints.
Hosts in service consumers can then consume the hosted service using the name of the alias record for the respective AWS service.
Enabling AWS PrivateLink for AWS services using CDK
CDK is a software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation.
Create an interface endpoint with a security group. The security group will allow only the required port access from the host network CIDR. A custom R53 private hosted zone will route traffic to the Interface endpoint.
Make sure to add a VPC subnet for each Availability Zone in the region where resources must access the AWS service for the high availability. AWS service can then be accessed using the Regional DNS name of the VPC Interface endpoint. When the Regional DNS name is used, healthy endpoint network interface gets selected using the round robin algorithm, and its IP address is returned to the caller.
The AWS PrivateLink service makes it easy to connect to AWS services powered by PrivateLink over a private network. This allows to host multiple VPC interface endpoints for multiple AWS services in single shared services account to be consumed by multiple workload accounts.