Introducing AWS Outposts private connectivity

Today, we are excited to announce the availability of AWS Outposts private connectivity. Up until today, the service link endpoints in the region for each AWS Outposts deployment were in the public AWS realm of a customer’s chosen region and could be connected to by either the public internet or an AWS Direct Connect (DX) public virtual interface (VIF).

Previously, using AWS Outposts public service link connectivity meant that customers needed to enable a connection from the AWS Outposts rack out through their edge routers and firewalls to the service link public endpoint IPs. The service link is important as it is a group of encrypted tunnels that are used for carrying management traffic and your intra Amazon VPC traffic between your chosen AWS Region and AWS Outposts. Service link establishment is required before an Outpost can be used, and must be maintained in order for AWS Outposts to continue to operate.

For an overview of AWS Outposts network connectivity, including public service link access, see the AWS Outposts – Network Reference Architecture.

The new AWS Outposts service link private connectivity feature uses AWS Direct Connect, changing the endpoint for the service link from a public AWS endpoint to a set of private elastic network interfaces (ENIs) within an Amazon VPC deployed in your environment. This means that the service link connects from your AWS Outposts privately over a DX private VIF, and your Amazon VPC, to the private AWS Outposts service link endpoints in the Region.

Using a private VIF with your Virtual Private Gateway (VGW), and being attached to an Amazon VPC that you manage, allows you to connect privately to the Outposts service link endpoints without having to traverse the public internet. It additionally gives you the ability to use DX features to troubleshoot connectivity, such as Direct Connect Amazon CloudWatch metrics.

Using the AWS Outposts private connectivity option for the service link also removes the need for using large public allow-lists on your on-premises firewall edge, as the service link endpoints are in a VPC that you control, using private addresses that you have allocated to your Amazon VPC.

Figure 1. AWS Outposts private connectivity and the Virtual Private Gateway. Note for simplicity only one DX connection is shown. We recommend reviewing the DX resiliency recommendations to select a DX architecture that meets your availably requirements.

At the far right of Figure 1. is an AWS Outposts (A) installed at your premises with a service link connection (B) to the Outposts service endpoints (C) in the AWS region (D) on the far left. In the AWS region in this diagram, we’re using the VGW (E) attached to your Amazon VPC (F) that terminates a DX private VIF (G) and serves as a private endpoint for the service link connections in the Region for your AWS Outposts.

Note: At this point in time, we do not support VPN or AWS Transit Gateway for AWS Outposts private connectivity, you may however want to use an Amazon Direct Connect gateway if needed for cross-region DX access.

The DX private VIF is a private connection to your edge router in your chosen DX location and uses BGP to exchange routes. Your private Amazon VPC CIDR range is advertised through this BGP session to your edge router (10.2.0.0/16 in the Figure 1. example). Similarly, the /26 IP address range for the Outpost service link (10.5.0.0/26 in the Figure 1. example) is advertised to the region via BGP from your edge router.

Note: It is required that your service link endpoint VPC not use the range 10.1.0.0/16 for it’s Amazon VPC CIDR range, and that the Amazon VPC and subnet used be created in the same AWS account, Region, and Availability Zone as your AWS Outposts.

During provisioning of AWS Outposts, you will get the option to select private connectivity for the service link. Once you select the private connectivity option, AWS automatically creates a private connectivity endpoint and assigns private IPs to it from the VPC subnet’s CIDR that you have selected to use for the AWS Outposts private connectivity.  From then on, all service link traffic between your AWS Outposts rack and the AWS Outposts service endpoints in the Region will use your designated private connectivity.

For the service link private endpoint in your VPC, you can configure network ACLs (Access Control Lists) if needed, for the subnet that hosts the private service link endpoints. Traffic to this subnet can be restricted to TCP/UDP source/destination ports 443 as an example, see service link firewall requirements for more information on ACL configuration if needed.

Having a dedicated subnet for the private connectivity endpoint offers the advantage of a defining a single ACL to simplifying management and control of traffic related to the Outposts service link, and dedicating a VPC for the service link private endpoints can also help minimize any Outposts service interruptions from other configuration actions in the future.

Configuring Outpost private connectivity

The following tutorial guides you through deploying a new AWS Outposts with private connectivity

Prerequisites

To complete the walk through below, you will need:

a. A dedicated VPC and subnet (/25 or larger, must not conflict with 10.1.0.0/16) in the same AWS account and Availability Zone as your Outpost.

b. DX transport between the on-premises Outpost location and the AWS region with a Private VIF connection into the VPC.

c. Advertise the subnet CIDR to your on-premises network.

Create an Outpost

Start by configuring some environment variables, and then deploying the resources.

1. The selection for the private connectivity must be made when creating or provisioning your Outpost. To do this, simply select the private connectivity option.

2. Then select the VPC and the Subnet where AWS will automatically create private connectivity endpoints for connecting to the Outpost service. Outposts needs permission to create cross-account network interfaces and attach them to service link endpoint instances, so you have to allow us to create a new role to this.If you already have your AWS Outposts in operation through public connectivity, you can change it to private or vice versa by opening a support ticket.

3. On the service access details, you can see the all the configurations that will be applied your behalf.

4. Finally you will have access to the dashboard where you can view the Outposts summary as well as the connectivity type configured

A service role will be created in the process. You can view this through the IAM console, as shown in the following screenshot.

Conclusion

Now when your Outpost connects back to the associated AWS Region, it will use the private service link endpoints in a VPC of your choosing when establishing the AWS Outposts service link connection.

Private connectivity provides an additional option when public connectivity is not desired. The public connectivity option for the Outposts service link is still available and supported by AWS Outposts.

However, if limiting your on-premises access to public networks, and using an DX private VIF for AWS Outposts service link private connectivity is something that your organization needs, it is now supported by AWS Outposts!