AWS PrivateLink enables customers to access services and resources hosted on AWS in a highly available and scalable manner while keeping all network traffic on the AWS network. Users can privately reach services and resources from their Amazon Virtual Private Cloud (VPC) or from on-premises networks, without public IPs and without traffic traversing the Internet. Service owners register a Network Load Balancer with a PrivateLink endpoint service to offer their service to other AWS customers. Resource owners can share their resources directly, without a Network Load Balancer.
As a user, you create VPC endpoints (powered by PrivateLink) to access services and resources. Each VPC endpoint appears as one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC. Once an endpoint exists, traffic destined to those IPs is routed privately to the corresponding service or resource.
As a service owner, you onboard your service to AWS PrivateLink by placing a Network Load Balancer (NLB) in front of it and creating an endpoint service that registers that NLB. Customers can create endpoints in their own VPCs to connect to your service once you allow-list their principals (AWS accounts or IAM roles/users).
VPC endpoints enable you to privately connect your VPC to services and resources hosted on AWS without an Internet gateway, NAT device, VPN, or firewall proxy. VPC endpoints are horizontally scalable, highly available virtual devices that carry traffic between instances in your VPC and services or resources. Amazon VPC offers five types of VPC endpoints: gateway endpoints, interface endpoints, Gateway Load Balancer endpoints, resource endpoints, and service network endpoints. All types except gateway endpoints are powered by PrivateLink.
Interface endpoints provide private connectivity to services powered by PrivateLink. These services may be AWS services, your own services or SaaS solutions. Interface endpoints also support connectivity over AWS Direct Connect and VPN.
Gateway endpoints are available only for supported AWS services (Amazon S3 and Amazon DynamoDB) and are not powered by PrivateLink. A gateway endpoint adds a route to the route tables you select so that traffic to the supported service stays on Amazon's private network.
Gateway load balancer type endpoints provide private connectivity to appliances fronted by a Gateway Load Balancer.
Resource endpoints provide private connectivity to VPC resources such as databases, clusters, domain-name targets, and IP addresses that do not require load balancing. They support connectivity over AWS Direct Connect and VPN.
Service network endpoints allow you to privately connect to services and resources that are in a VPC Lattice service network. They let you access multiple services and resources through a single VPC endpoint. They also support connectivity over AWS Direct Connect and VPN. Please refer to AWS PrivateLink Pricing for the pricing of VPC endpoints.
VPC endpoints provide secure access to a specific service or resource, with several benefits to the end user:
Yes. Applications in your on-premises network can connect to VPC endpoints in your Amazon VPC over AWS Direct Connect. The VPC endpoints forward that traffic to the services powered by AWS PrivateLink.
You can search for available services and resources using the VPC console or the AWS CLI/SDK. Then you can access a service, resource, or service network through VPC endpoints.
You can create a resource by defining a resource configuration in VPC Lattice. As a resource owner, you can onboard your resource to AWS PrivateLink by creating a resource configuration that has a list of resources. Your customers will be able to establish endpoints within their VPC to connect to your resource(s) after you share this resource configuration with their accounts using AWS Resource Access Manager (RAM).
The pricing schedule for PrivateLink has information about charges and billing. If you create an interface or Gateway Load Balancer type VPC endpoint, you are charged for each hour the endpoint is provisioned in each Availability Zone. If you create a resource type VPC endpoint, you are charged for each hour regardless of how many Availability Zones it is provisioned in. Data processing charges apply for each gigabyte processed through a VPC endpoint, regardless of the traffic's source or destination. Each partial VPC endpoint-hour is billed as a full hour. To stop being charged for a VPC endpoint, delete it using the AWS Management Console, the command line interface (CLI), or the API.
Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including VAT and applicable sales tax. For customers with a Japanese billing address, use of AWS services is subject to Japanese Consumption Tax.
While VPC peering is limited to 125 VPC connections, AWS PrivateLink has virtually unlimited scale. Each VPC endpoint connects EC2 instances in a VPC to a specific service, resource, or service network. You can add as many endpoints as you need, depending on the number of VPCs, resources, and services that you need to connect to.
You can create up to 100 VPC endpoints per VPC. If you need more than this, contact AWS and we will work on a solution with you.
You can create a VPC endpoint in your VPC and specify the service, resource, or service network you want to use. The VPC endpoint has DNS names that resolve to local IP addresses in your VPC. When you route traffic to these DNS names, the traffic is routed through the VPC endpoint to a service or resource, which can be across accounts.
Each VPC endpoint can support 10 Gbps continuous bandwidth per Availability Zone, by default, after which additional capacity is added automatically up to 100 Gbps. Endpoint scaling is fully managed to ensure that traffic to your endpoint is not affected.
A VPC endpoint of type “gateway,” “interface,” “gateway load balancer,” and “resource” connects to a single endpoint service or resource. VPC endpoint of type “service network” connects to a service network, which can be associated with multiple resources and VPC Lattice services.
Whether you need to change your code depends on DNS. If you create an interface endpoint with private DNS enabled, the service's regional hostname (the one the AWS CLI/SDK uses by default) resolves inside your VPC to the endpoint's private IP addresses, so existing CLI/SDK calls use the endpoint without any code change. If private DNS is disabled, or you want to target a specific endpoint, pass the endpoint-specific DNS name as the endpoint parameter (for example --endpoint-url in the AWS CLI, or the endpoint URL option in the SDK). The endpoint's DNS names are returned by the DescribeVpcEndpoints API (aws ec2 describe-vpc-endpoints).
No, we may support this in future updates but currently only support private endpoint names.
Yes, you can access VPC endpoints over Direct Connect. A VPC endpoint's DNS records are publicly resolvable, but will return the private IP address within the associated VPC.
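A quick check a practitioner wants after the two answers above: does a service hostname actually resolve to private addresses inside the VPC (private DNS enabled, or the endpoint-specific name), or does it still resolve to public IPs and leave the VPC? The following script is an added example, not code from the AWS page or from AWS; the hostnames and addresses in SAMPLE_RESOLUTIONS are constructed, and the vpce-... name follows the endpoint-specific DNS pattern only for illustration.

```python
"""Classify DNS answers for a hostname as private (traffic enters a VPC
endpoint ENI), public (traffic leaves for the Internet) or mixed.

Added example; not AWS code. Sample resolutions below are constructed.
"""
import ipaddress
import socket

# Constructed sample answers (no real lookups are performed for these).
SAMPLE_RESOLUTIONS = {
    # Private DNS enabled: regional service name resolves to endpoint ENIs.
    "sqs.us-east-1.amazonaws.com": ["10.0.1.25", "10.0.2.41"],
    # Private DNS disabled: regional name still resolves to a public IP.
    "sqs.us-west-2.amazonaws.com": ["52.94.0.10"],
    # Endpoint-specific name (illustrative id) always resolves to private IPs.
    "vpce-0123456789abcdef0-abcd1234.sqs.us-east-1.vpce.amazonaws.com": ["10.0.1.25"],
    # Mixed answer, e.g. a split-horizon zone that was only partly updated.
    "mixed.example.internal": ["10.0.1.25", "52.94.0.10"],
}


def classify_addresses(addrs):
    """Return 'private', 'public' or 'mixed' for a list of IP address strings."""
    private = [a for a in addrs if ipaddress.ip_address(a).is_private]
    if len(private) == len(addrs):
        return "private"
    if not private:
        return "public"
    return "mixed"


def resolve(name):
    """Resolve with the system resolver (the VPC's Route 53 resolver inside a VPC)."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def check_privatelink_path(name, resolver=resolve):
    """True only if every address for `name` is private, i.e. the path stays in the VPC.

    `resolver` is injectable so the check can be exercised offline.
    """
    return classify_addresses(resolver(name)) == "private"


def audit(resolutions):
    """Map each hostname to its classification; used for the constructed sample."""
    return {name: classify_addresses(addrs) for name, addrs in resolutions.items()}


if __name__ == "__main__":
    for hostname, verdict in audit(SAMPLE_RESOLUTIONS).items():
        print(f"{verdict:8} {hostname}")
```

Run it from an instance in the VPC with check_privatelink_path("sqs.us-east-1.amazonaws.com") against the real resolver; a "public" or "mixed" verdict means private DNS is off or the zone is inconsistent and traffic would not use the endpoint.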
The security of AWS PrivateLink relies on three factors: the path, the policies, and mode of communication.
The path between a VPC endpoint and a service stays on the AWS network and does not traverse the Internet, so the traffic is never exposed to the public Internet. Note that a private path is not the same as encryption; see the point on encryption below.
When you use VPC endpoints with AWS services, you can also attach an endpoint policy, an IAM resource policy that restricts which principals, actions, and resources can be reached through that endpoint. A new endpoint gets a policy that allows full access until you replace it.
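To make the endpoint policy point concrete, here is an added example (not AWS code) with a simplified evaluator that compares the permissive default policy an endpoint starts with against a restricted one. The organisation ID, bucket name, and principal ARNs are made up, and the evaluator models only the subset of IAM semantics endpoint policies commonly use (Effect, Principal, Action and Resource globs, StringEquals conditions); it is not a replacement for the IAM policy simulator.

```python
"""Compare a default (allow-all) VPC endpoint policy with a restricted one.

Added example, not AWS code. Org ID, bucket and ARNs are made up.
Simplified IAM semantics: default deny, explicit Deny wins, only
StringEquals conditions on request-context keys are modelled.
"""
import fnmatch

# Policy AWS attaches when an endpoint is created without one.
DEFAULT_POLICY = {
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
}

# Restricted policy: only identities in our organisation, only reads of one bucket.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
}

# Constructed requests as seen at the endpoint (principal, action, resource, context).
IN_ORG_READ = {
    "principal_arn": "arn:aws:iam::111122223333:role/app",
    "action": "s3:GetObject",
    "resource": "arn:aws:s3:::example-app-data/report.csv",
    "context": {"aws:PrincipalOrgID": "o-exampleorgid"},
}
# Same in-org role, but writing to a bucket outside the allow-list (exfiltration).
EXFIL_WRITE = dict(IN_ORG_READ, action="s3:PutObject",
                   resource="arn:aws:s3:::attacker-bucket/loot.tar")
# Foreign principal with credentials from another organisation.
OUTSIDE_ORG_READ = dict(IN_ORG_READ, principal_arn="arn:aws:iam::999988887777:user/x",
                        context={"aws:PrincipalOrgID": "o-otherorg"})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; resources are not.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_matches(principal, request):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return request["principal_arn"] in _as_list(principal)


def _conditions_match(cond, request):
    for key, expected in cond.get("StringEquals", {}).items():
        if request.get("context", {}).get(key) not in _as_list(expected):
            return False
    return True


def evaluate(policy, request):
    """Return 'Allow' or 'Deny' for the request under the given policy."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt.get("Principal", "*"), request)
                and _action_matches(stmt.get("Action", []), request["action"])
                and _resource_matches(stmt.get("Resource", []), request["resource"])
                and _conditions_match(stmt.get("Condition", {}), request)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def compare(requests):
    """Decision under the default and the restricted policy for each named request."""
    return {name: (evaluate(DEFAULT_POLICY, r), evaluate(RESTRICTED_POLICY, r))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (default, restricted) in compare({
        "in_org_read": IN_ORG_READ, "exfil_write": EXFIL_WRITE,
        "outside_org_read": OUTSIDE_ORG_READ}).items():
        print(f"{name:18} default={default:5} restricted={restricted}")
```

The exfiltration case is the one to remember: the default policy lets any principal with credentials push data through your endpoint to any bucket, while the restricted policy limits the endpoint to your own organisation and bucket. Endpoint policies are an additional layer; IAM and bucket policies still apply, and they can only be attached to endpoints for services that support them.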
PrivateLink does not encrypt data in transit by itself; use TLS (or another encrypted application protocol) between the consumer and the service. Communication is one-way: the service consumer always initiates the connection, and the service provider serves only allow-listed consumers.
Yes. You can associate security groups with VPC endpoints.
Yes. You can use the AWS Management Console to manage Amazon VPC objects such as VPC endpoints and AWS PrivateLink connections.
Yes. See AWS Support for more information.
Amazon CloudWatch metrics are available for VPC endpoints of type “interface” and “gateway load balancer.”