AWS - VPC - VPC endpoint
VPC endpoint
Example
without VPC endpoint
workflow:
- the EC2 instance is in a public subnet, has access to the internet
- the EC2 instance can reach the AWS S3 URL to copy the file from the S3 bucket
S3 access from a private subnet doesn’t work, because:
- the EC2 instance is in a private subnet
- has no internet access
- can’t reach the AWS S3 URL, and the request will time out
with S3 VPC endpoint
- provides a way for an S3 request to be routed through to the Amazon S3 service, without having to connect a subnet to an internet gateway.
- S3 VPC endpoint is what’s known as a gateway endpoint. It works by adding an entry to the route table of a subnet, forwarding S3 traffic to the S3 VPC endpoint.
- have a route for requests with a destination s3.eu-west-1.amazonaws.com to target the VPC endpoint. Therefore any S3 requests will be routed through to S3.
basic
- a virtual device
- horizontally scaled, redundant, and highly available VPC components.
They allow communication between instances in your VPC and services without imposing availability risks.
- use When a private instance needs to access a supported AWS public services without leaving the AWS network
By default, IAM users do not have permission to work with endpoints.
- create an IAM user policy that grants users the permissions to create, modify, describe, and delete endpoints.
3 types of VPC endpoints
- a PrivateLink connection
- connects an AWS public service to a VPC using a private connection.
Interface endpoint
a logical networking component in a VPC
- A VPC interface endpoint is an elastic network interface
- represents a virtual network card with a
private IP addressfrom the IP address range of your subnet. - use DNS names to resolve requests to a public AWS service.
- It serves as an entry point for traffic destined to a supported AWS/VPC endpoint service
- represents a virtual network card with a
- Interface endpoints are powered by AWS PrivateLink
- AWS PrivateLink
- a technology that enables you to privately access services by using private IP addresses.
- connect to services that are powered by AWS PrivateLink
- These services include:
- some AWS services,
- services that are hosted by other AWS customers and AWS Partner Network (APN) Partners in their own VPCs (referred to as endpoint services),
- and supported AWS Marketplace APN Partner services.
- AWS PrivateLink
service provider: The owner of the service
- service consumer: you, the principal who creates the interface endpoint
- You are charged for creating and using an interface endpoint to a service.
- Hourly usage rates and data processing rates apply.
Gateway endpoints:
a gateway specify as a target for a specified route in route table, used for traffic destined to a supported AWS service.
- no additional charge.
- Standard charges for data transfer and resource usage apply.
- Gateway endpoints are only available for:
- Amazon DyanmoDB
- Amazon S3
- use case:
- When a private instance needs to access a supported AWS public services such as DynamoDB or S3 without leaving the AWS network
Gateway Load Balancer endpoints
an elastic network interface with a private IP addressfrom the IP address range of your subnet
- It serves as an entry point to intercept traffic and route it to a service configured using Gateway Load Balancers
- for example, for security inspection.
- Gateway Load Balancer endpoints are powered by AWS PrivateLink.
- provides private connectivity between virtual appliances in service provider VPC and application servers in service consumer VPC
- deploy the Gateway Load Balancer in the same VPC as the virtual appliances.
- register the virtual appliances with a target group for the Gateway Load Balancer.
- specify a Gateway Load Balancer endpoint as a target for a route in a route table.
- Traffic to and from a Gateway Load Balancer endpoint is configured using route tables.
- Traffic flows
- from the service consumer VPC over the Gateway Load Balancer endpoint
- to the Gateway Load Balancer in the service provider VPC,
- and then returns to the service consumer VPC.
- create the Gateway Load Balancer endpoint and the application servers in different subnets.
- This enables you to configure the Gateway Load Balancer endpoint as the next hop in the route table for the application subnet.
- Traffic flows
- Gateway Load Balancer endpoints are supported for endpoint services that are configured for Gateway Load Balancers only.
AWS PrivateLink
- a PrivateLink connection
connects an AWS public service to a VPC using a private connection
- privately access services by using private IP addresses.
- privately connect VPC to
- supported AWS services
- services hosted by other AWS accounts (VPC endpoint services)
- supported AWS Marketplace partner services.
- that are powered by AWS PrivateLink
- An Interface for endpoint to uses AWS PrivateLink
- an elastic network interface (ENI) with a private IP address that serves as an entry point for traffic destined to a supported service
- connectionn from instances in VPC to the services
- does not require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
- Instances in the VPC do not require public IP addresses to communicate with resources in the service.
- Traffic between the VPC and the other service does not leave the Amazon network
- connectionn from instances in VPC to the services
- privately connect VPC to
AWS PrivateLink access over Inter-Region VPC Peering:
AWS PrivateLink
- Applications in an AWS VPC can securely access AWS PrivateLink endpoints across AWS Regions using Inter-Region VPC Peering
- privately access services hosted on AWS in a highly available and scalable manner,
- without using public IPs or let traffic traverse the Internet.
- Traffic using Inter-Region VPC Peering stays on the global AWS backbone and never traverses the public Internet.
- privately connect to a service even if the service endpoint resides in a different AWS Region.
This post is licensed under CC BY 4.0 by the author.
Comments powered by Disqus.