In this blog, I will take you through how to overcome the challenge of connecting VPC networks with overlapping private IP address ranges using the AWS PrivateLink service.
Traditional inter-VPC connectivity patterns such as VPC peering or AWS Transit Gateway cannot connect VPCs whose IPv4 CIDR blocks overlap, and they require bidirectional trust between the two networks.
AWS PrivateLink enables the sharing of service APIs within and across VPCs in the same AWS account or even between different AWS accounts, irrespective of overlapping IP address ranges. PrivateLink is suitable for service providers who must provide connectivity to multiple service consumers, and have no control over the remote IP address range.
How AWS PrivateLink Works
PrivateLink is built on the AWS Hyperplane service, so it is scalable and highly available. Traffic between the consumer’s network and the provider’s network stays within the AWS managed network rather than traversing the internet. The technology supports a publisher/subscriber model: services are hosted and published as endpoint services that only allowlisted consumers can subscribe to and consume over a private connection through interface endpoints.
The service provider’s AWS account hosts the services behind a Network Load Balancer in the “Provider” VPC and exposes them as a VPC endpoint service; the service consumer’s AWS account accesses the services from its “Consumer” VPCs through an interface VPC endpoint powered by AWS PrivateLink. Here, the consumer VPCs’ IP ranges overlap with each other and with the provider VPC.
AWS PrivateLink creates an elastic network interface (ENI) with a private IP address, called the “interface VPC endpoint”, in the consumer account. These ENIs act as the entry point for traffic destined for the services hosted by the service provider. The interface VPC endpoints are managed by AWS and provide private access to the services hosted by the provider. Connections are always initiated from the consumer VPC, and they appear to the provider to come from a local IP address within the provider VPC.
Access controls in AWS PrivateLink
When creating a VPC endpoint service in the provider’s account, use a combination of permissions and acceptance settings controls to determine which service consumers can access the endpoint service.
On the other hand, in a consumer’s account, identity-based IAM policies control who may work with AWS PrivateLink resources. They can grant IAM users or roles permission to call the PrivateLink APIs (`ec2:*VpcEndpoint*`) that create, modify or delete endpoints.
AWS PrivateLink also supports a resource-based policy known as an endpoint policy, which is attached to the interface VPC endpoint and controls which requests may reach the VPC endpoint service through that interface endpoint.
Interface VPC endpoints use ENIs and IP addresses in the consumer VPC’s subnets. That means VPC security groups can also be used to manage access to the interface endpoints: the security group controls the traffic that is allowed to reach the endpoint ENI from resources in the consumer VPC.
DNS hostnames for the AWS PrivateLink
AWS generates endpoint-specific DNS hostnames for the VPC endpoint service in the provider’s account and for the interface endpoint in the consumer’s account.
DNS hostnames for a VPC endpoint service are generated in the following format:
- [Regional] `endpoint_service_id.region.vpce.amazonaws.com`
- [Zonal] `endpoint_service_id-zone.region.vpce.amazonaws.com`
DNS hostnames for an interface VPC endpoint are generated in the following format:
- [Regional] `endpoint_id.endpoint_service_id.region.vpce.amazonaws.com`
- [Zonal] `endpoint_id-zone.endpoint_service_id.region.vpce.amazonaws.com`
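An added example, not code from the original post, that parses the four hostname formats above and reports which kind of name a hostname is (service or interface endpoint, regional or zonal) and which ids it carries, plus a check a consumer can apply before trusting a resolved name. The ids, region and zone in the sample names are constructed placeholders.

```typescript
// Added example (not from the original post): parse PrivateLink DNS hostnames.
// Sample ids, region and zone used in the tests are constructed placeholders.
type PrivateLinkName = {
  kind: "endpoint-service" | "interface-endpoint";
  scope: "regional" | "zonal";
  endpointServiceId: string; // vpce-svc-...
  endpointId?: string;       // vpce-... (interface endpoint names only)
  region: string;
  zone?: string;             // e.g. us-east-1a (zonal names only)
};

const SUFFIX = ".vpce.amazonaws.com";
const SERVICE_ID = /^vpce-svc-[0-9a-f]+$/;
const ENDPOINT_ID = /^vpce-[0-9a-f]+$/;
const REGION = /^[a-z]{2}(-[a-z]+)+-\d$/;

// Split the leading label into "id" and an optional "-zone" suffix, where a
// zone is the region followed by a single AZ letter (us-east-1 -> us-east-1a).
function splitZonal(label: string, region: string): { id: string; zone?: string } {
  const marker = `-${region}`;
  const at = label.lastIndexOf(marker);
  if (at > 0 && /^[a-z]$/.test(label.slice(at + marker.length))) {
    return { id: label.slice(0, at), zone: label.slice(at + 1) };
  }
  return { id: label };
}

function parsePrivateLinkHostname(hostname: string): PrivateLinkName | null {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  if (!host.endsWith(SUFFIX)) return null;
  const labels = host.slice(0, -SUFFIX.length).split(".");
  const region = labels[labels.length - 1];
  if (!REGION.test(region)) return null;
  if (labels.length === 2) { // endpoint_service_id[-zone].region
    const { id, zone } = splitZonal(labels[0], region);
    if (!SERVICE_ID.test(id)) return null;
    return { kind: "endpoint-service", scope: zone ? "zonal" : "regional",
             endpointServiceId: id, region, zone };
  }
  if (labels.length === 3) { // endpoint_id[-zone].endpoint_service_id.region
    const { id, zone } = splitZonal(labels[0], region);
    if (!ENDPOINT_ID.test(id) || !SERVICE_ID.test(labels[1])) return null;
    return { kind: "interface-endpoint", scope: zone ? "zonal" : "regional",
             endpointServiceId: labels[1], endpointId: id, region, zone };
  }
  return null;
}

// True only when the hostname is a PrivateLink name for the expected endpoint service.
function isNameForService(hostname: string, expectedServiceId: string): boolean {
  const parsed = parsePrivateLinkHostname(hostname);
  return parsed !== null && parsed.endpointServiceId === expectedServiceId;
}
```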
AWS PrivateLink in Multi-AZ environment
Services are hosted in each Availability Zone (AZ), registered with a load balancer target group, and exposed as a VPC endpoint service. Consumer hosts in each of those AZs are configured to connect to the interface VPC endpoints. If the instances are not hosted in all enabled AZs, cross-zone load balancing should be enabled so that service consumers using zonal DNS hostnames can still reach the service.
Use cases of AWS PrivateLink
- Host and share a service with other AWS customers by creating a VPC endpoint service.
- Create VPC interface endpoints to connect to supported AWS services that integrate with AWS PrivateLink.
- Connect with AWS PrivateLink-enabled SaaS offerings from AWS Partners over a secure, private connection.
Benefits of AWS PrivateLink
- A private connection that eliminates the exposure of private data to the public internet
- Access is unidirectional: only consumer VPCs can initiate connections to the service provider VPC. There is no way for an application in the provider VPC to establish a connection into the consumer VPC.
- PrivateLink allows VPC CIDR ranges to overlap, and it scales well because thousands of Amazon VPCs can consume each service.
- The endpoint service can be configured to require acceptance of connection requests before the PrivateLink connection with the service consumer is established. This avoids creating a consumer-facing PrivateLink connection without approval.
- Only configured TCP ports are allowed between the consumer and provider. This makes sure that the consumer only has access to specific resources in the provider VPC.
- Redundancy comes built into PrivateLink in the form of the NLB.
- PrivateLink provides fine-grained network access control to specific resources in a VPC instead of all resources by default.
High-Level set-up of AWS PrivateLink
In the provider’s account,
- Create an NLB and a target group with protocol TCP and required ports in the provider’s VPC. Select one subnet per Availability Zone in which the service should be available to service consumers.
- Register the servers as a target to the NLB target group.
- Create an endpoint service configuration for the NLB that requires manual connection acceptance, and grant permissions to the service consumer’s account so it can create a connection to this endpoint service.
- Provide the service consumer with the service name, the supported Availability Zones, and the domain name and port used to reach the hosted service via the endpoint.
- Accept the endpoint connection request once it is received from the service consumer.
In the consumer’s account,
- Create an interface endpoint in the consumer VPC using the service name provided by the service provider.
- This sends a connection request to the service provider’s account.
- Associate a security group with the network interfaces of the interface endpoint created in the consumer’s VPC. The security group rules control the traffic that is allowed to reach the endpoint network interfaces from resources in the VPC.
- A custom Route 53 private hosted zone for the service domain provided by the provider account can be created and configured to route traffic to the interface endpoint, using alias A records that point at the interface endpoint DNS name. Hosts in the service consumer’s VPC then consume the hosted service using the alias record name and the port number provided by the service provider.
Enabling AWS PrivateLink using CDK
CDK is a software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation.
1. In the provider’s account
Create an endpoint service configuration for NLB. The combination of permissions and acceptance settings helps control which service consumers (AWS principals) can access the endpoint service.
`acceptanceRequired` will ensure that connection requests from service consumers are manually accepted before establishing the PrivateLink connection with them.
`allowedPrincipals` will allow specific AWS principals to create an interface VPC endpoint to connect to the endpoint service.
```typescript
// nlb is the NLB created above; consumerAccountRootArn is the ARN of the consumer account's root principal
new VpcEndpointService(scope, "VPCEndpointService", {
  vpcEndpointServiceLoadBalancers: [nlb],
  acceptanceRequired: true,
  allowedPrincipals: [new ArnPrincipal(consumerAccountRootArn)],
});
```
2. In the consumer’s account
Create an interface endpoint with a security group. The security group allows only the required port from the host network CIDR. A custom Route 53 private hosted zone routes traffic to the interface endpoint.
```typescript
// Interface Endpoint security group: allows only the required port from the host network CIDR
createInterfaceEndpointSG() {
}

// Interface endpoint created from the provider's service name, attached to the security group above
createInterfaceEndpoint() {
}

// Private hosted zone with an alias record pointing at the interface endpoint DNS name
createInterfaceEndpointHostedZone() {
}
```
Conclusion
The AWS PrivateLink service makes it easy to establish connectivity between VPCs within the same AWS account or across accounts, including VPCs that have overlapping IP address ranges. It allows an API or application endpoint in a private subnet to be published and shared with other AWS customers. It provides private access to services hosted on the AWS network in a highly available and scalable manner, without using public IPs and without requiring traffic to traverse the public internet. The AWS PrivateLink pricing page provides all information about service charges and billing.
Learn about how to connect to AWS services powered by PrivateLink over a private network in my latest blog – Access AWS services over a private network using AWS PrivateLink.