Q: What is AWS PrivateLink?
A: AWS PrivateLink enables customers to access services hosted on AWS in a highly available and scalable manner, while keeping all the network traffic within the AWS network. Service users can privately access services powered by PrivateLink from their Amazon Virtual Private Cloud (VPC) or from their on-premises networks, without using public IPs and without requiring traffic to traverse the Internet. Service owners can register their Network Load Balancers with PrivateLink services in order to provide their services to other AWS customers.
Q: How can I use PrivateLink?
A: As a service user, you will need to create interface type VPC endpoints for services that are powered by PrivateLink. These service endpoints will appear as Elastic Network Interfaces (ENIs) with private IPs in your VPCs. Once these endpoints are created, any traffic destined to these IPs will get privately routed to the corresponding AWS services.
As a service owner, you can onboard your service to AWS PrivateLink by establishing a Network Load Balancer (NLB) to front your service and create a PrivateLink service to register with the NLB. Your customers will be able to establish endpoints within their VPC to connect to your service after you whitelisted their accounts and IAM roles.
Q: Is PrivateLink enabled by a specific type of endpoint?
A: VPC endpoints enable you to privately connect your VPC to services hosted on AWS without requiring an Internet gateway, a NAT device, VPN, or firewall proxies. Endpoints are horizontally scalable and highly available virtual devices that allow communication between instances in your VPC and AWS services. Amazon VPC offers two different types of endpoints: gateway type endpoints and interface type endpoints.
Interface type endpoints provide private connectivity to services powered by PrivateLink. These services may be AWS services, your own services or SaaS solutions. Interface type endpoints also support connectivity over Direct Connect. Please refer to VPC Pricing for the price of interface type endpoints.
Gateway type endpoints are available only for AWS services including S3 and DynamoDB, and cannot enable PrivateLink. These endpoints will add an entry to the route table you select and route the traffic to the supported services through Amazon’s private network.
Q: What are the benefits of using a VPC endpoint with AWS PrivateLink?
A: VPC endpoints provide secure access to a specific service, with several benefits to the end user:
- VPC endpoints provide access to a specific service without using any other gateway – no Internet gateway, NAT gateway, VPN connection, or VPC peering connection is needed – which reduces the risk of exposing your resources to the Internet or to other outside networks.
- Your traffic remains within Amazon's private network, reducing the risks of exposing your traffic to the Internet.
- When accessing Amazon services over VPC endpoints, you can restrict the access through a VPC endpoint to specific users, actions, and/or resources.
- You can limit access to resources provided by an Amazon service to traffic originating from a specific VPC or through a specific VPC endpoint.
Q: Can I privately access services powered by AWS PrivateLink over AWS Direct Connect?
A: Yes. The application in your premises can connect to the service endpoints in Amazon VPC over AWS Direct Connect. The service endpoints will automatically direct the traffic to AWS services powered by AWS PrivateLink.
Q: How do I discover which services are available today?
A: You can search for available services using the VPC console or the AWS CLI/SDK. Then you can request access to a service by creating a VPC endpoint and begin using it.
Q: How will I be charged and billed for my use of AWS PrivateLink?
A: The pricing schedule for PrivateLink has information about charges and billing: https://aws.amazon.com/privatelink/pricing/. If you choose to create an Interface type VPC endpoint in your VPC, you are charged for each hour that your VPC endpoint is provisioned in each Availability Zone. Data processing charges apply for each Gigabyte processed through the VPC endpoint regardless of the traffic’s source or destination. Each partial VPC endpoint-hour consumed is billed as a full hour. If you no longer wish to be charged for a VPC endpoint, delete your VPC endpoints using the AWS Management Console, command line interface (CLI), or API.
Q: Who pays the data transfer costs for the traffic going via the interface-based VPC endpoint?
A: The concept of data transfer costs is similar to that of data transfer costs for EC2 instances. Since an interface-based VPC endpoint is an ENI in the subnet, data transfer charges depend on the source of the traffic. If the traffic to this interface comes from a resource in another Availability Zone, EC2 cross-AZ data transfer charges apply on the consumer side. Customers in the consumer VPC can use the AZ-specific DNS name to make sure the traffic stays within the same AZ, provided they have provisioned the endpoint in each AZ available in their account.
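To keep traffic in-zone as described above, the consumer has to resolve the endpoint's zonal DNS name rather than the regional one, and that zonal name only exists where the endpoint actually has an ENI. The following Python is an added example, not code from AWS or from this FAQ; it picks the zonal name out of a constructed DnsEntries list (shaped like the output of describe-vpc-endpoints) and checks that a resolved address is private and inside the VPC CIDR. The hostname pattern, the endpoint ID, the suffix and the CIDR are assumptions made for illustration.

```python
"""Picking the zonal DNS name of an interface VPC endpoint.

Added example (not AWS code). An interface endpoint exposes one regional
DNS name plus one zonal name per Availability Zone in which it has an ENI.
Resolving the zonal name for the caller's own AZ keeps traffic in-zone and
avoids cross-AZ data transfer charges. The DnsEntries list and IDs below
are constructed; the hostname pattern
<vpce-id>-<suffix>[-<az>].<service>.<region>.vpce.amazonaws.com is an
assumption drawn from the usual shape of these names.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample, shaped like DnsEntries from describe-vpc-endpoints.
SAMPLE_DNS_ENTRIES = [
    {"DnsName": "vpce-0123456789abcdef0-abcd1234.sqs.us-east-1.vpce.amazonaws.com"},
    {"DnsName": "vpce-0123456789abcdef0-abcd1234-us-east-1a.sqs.us-east-1.vpce.amazonaws.com"},
    {"DnsName": "vpce-0123456789abcdef0-abcd1234-us-east-1b.sqs.us-east-1.vpce.amazonaws.com"},
]

_NAME = re.compile(
    r"^vpce-[0-9a-f]+-[0-9a-f]+"                # endpoint id and suffix
    r"(?:-(?P<az>[a-z]{2}-[a-z]+-\d+[a-z]))?"   # optional AZ, e.g. us-east-1a
    r"\."
)


def classify_dns_name(dns_name: str) -> Tuple[str, Optional[str]]:
    """Return ("zonal", az) or ("regional", None) for an endpoint hostname."""
    m = _NAME.match(dns_name)
    if not m:
        raise ValueError(f"not an interface endpoint hostname: {dns_name}")
    az = m.group("az")
    return ("zonal", az) if az else ("regional", None)


def zonal_dns_name(dns_entries, az: str) -> Optional[str]:
    """Hostname to use from instances in `az`; None if the endpoint has no ENI
    there (then fall back to the regional name and accept possible cross-AZ hops)."""
    for entry in dns_entries:
        kind, entry_az = classify_dns_name(entry["DnsName"])
        if kind == "zonal" and entry_az == az:
            return entry["DnsName"]
    return None


def resolves_inside_vpc(resolved_ip: str, vpc_cidr: str) -> bool:
    """Sanity check for a resolved endpoint address: it must be a private IP
    inside the VPC's CIDR, never a public address."""
    ip = ipaddress.ip_address(resolved_ip)
    return ip.is_private and ip in ipaddress.ip_network(vpc_cidr)


if __name__ == "__main__":
    chosen = zonal_dns_name(SAMPLE_DNS_ENTRIES, "us-east-1a") or SAMPLE_DNS_ENTRIES[0]["DnsName"]
    print("use:", chosen)
```

The fallback to the regional name is deliberate: an endpoint that was not provisioned in the caller's AZ still works through the regional name, it just may incur the cross-AZ charge the answer describes.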
Q: How scalable is AWS PrivateLink?
A: While VPC peering is limited to 125 VPC connections, AWS PrivateLink has virtually unlimited scale. Each VPC endpoint connects an EC2 instance to a specific AWS or AWS-based service. You can add as many endpoints as you need, depending on the number of VPCs and services that you need to connect to. There is no cost to the number of endpoints you are deploying for PrivateLink.
Q: How many VPC endpoints can I create in a single VPC?
A: You can create up to 100 VPC endpoints per VPC. If you need more than this, contact us and we will work on a solution with you.
Q: How do I use AWS PrivateLink and VPC endpoints to access a service?
A: You can create a VPC endpoint in your VPC and specify the service you want to use. The VPC endpoint has a DNS name that resolves to local IP addresses in your VPC. When you route traffic to this DNS name, the traffic is routed through the VPC endpoint and to the service.
Q: How much bandwidth can I use through a VPC endpoint?
A: Each VPC endpoint can support 10 Gbps of continuous bandwidth per Availability Zone by default, after which additional capacity will be added automatically based on your usage. Endpoint scaling is fully managed to ensure that traffic to your endpoint is not affected.
Q: Can I connect multiple services to a single VPC endpoint?
A: No. A VPC endpoint connects directly to a single service. You can however create new VPC endpoints to connect the EC2 instance to other services and the number of VPC endpoints that you can create is not limited. There is no cost to creating additional VPC endpoints.
Q: Since VPC endpoints have their own DNS names, do I need to update my code to start using VPC endpoints?
A: If you are using the latest version of the AWS CLI/SDK, you do not need to update your code. The CLI/SDK will automatically discover your VPC endpoints and use them by default. If you are using an older version of the CLI/SDK, you will need to specify the DNS name as the endpoint parameter in the CLI/SDK. If you need to specify the endpoint, you can discover the DNS name by querying the EC2 metadata service.
Q: Can I use a service’s public endpoint (DNS name) to access my VPC endpoints?
A: No. We may support this in future updates, but currently only private endpoint names are supported.
Q: Can I access VPC endpoints from my on-premises network over Direct Connect?
A: Yes, you can access VPC endpoints over Direct Connect. A VPC endpoint’s DNS records are publicly resolvable, but will return the private IP address within the associated VPC.
Security and filtering
Q: How secure is an AWS PrivateLink connection?
A: The security of AWS PrivateLink relies on three factors: the path, the policies, and the mode of communication.
The path between a VPC endpoint and an AWS or AWS-based service stays within AWS and does not traverse the Internet. It therefore remains out of reach of Internet breaches.
When you are using VPC endpoints with AWS services, you can also create endpoint policies, which restrict access to requests that come from the VPC or the VPC endpoint.
PrivateLink does not provide any encryption by default for data in transit. The service consumer always initiates the connection (it is a one-way service), and the service provider only provides service to allowlisted customers.
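The policy layer described above has two halves: the endpoint policy attached to the interface endpoint, and the resource policy on the service side, which can key on the endpoint the request arrived through (aws:SourceVpce). The Python below is an added example, not AWS code and not part of this FAQ; it evaluates a constructed endpoint policy and a constructed queue policy with a simplified model of IAM (an explicit Deny wins, then any matching Allow, otherwise implicit deny) and shows how an aws:SecureTransport deny on the resource policy compensates for PrivateLink not encrypting in transit. All ARNs, account IDs and the endpoint ID are placeholders, and identity-based policies are left out of the model.

```python
"""Two-layer access control on a PrivateLink path, as an added example
(not AWS code): an endpoint policy attached to the interface endpoint,
plus a resource policy on the service side that only admits requests
arriving through that endpoint (aws:SourceVpce) over TLS
(aws:SecureTransport). The evaluator is a simplified model of IAM:
an explicit Deny wins, otherwise any matching Allow, otherwise implicit
deny. Identity-based policies are left out. All account IDs, ARNs and
the endpoint ID are constructed placeholders.
"""
import fnmatch

ENDPOINT_ID = "vpce-0123456789abcdef0"                      # constructed
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:orders"     # constructed
ORDER_ROLE = "arn:aws:iam::111111111111:role/OrderService"  # constructed

# Endpoint policy: through this endpoint, only the order role may send/receive on one queue.
ENDPOINT_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ORDER_ROLE},
    "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
    "Resource": QUEUE_ARN,
}]}

# Queue policy: allow only requests that came in via the endpoint, and deny plaintext.
QUEUE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:*", "Resource": QUEUE_ARN,
     "Condition": {"StringEquals": {"aws:SourceVpce": ENDPOINT_ID}}},
    {"Effect": "Deny", "Principal": "*", "Action": "sqs:*", "Resource": QUEUE_ARN,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    spec = stmt.get("Principal", "*")
    if spec == "*":
        return True
    return principal in _as_list(spec.get("AWS", []))


def _condition_matches(stmt, context):
    """Every condition must hold. A missing context key fails StringEquals and
    Bool and satisfies StringNotEquals, mirroring IAM."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == expected[0].lower()
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, principal, action, resource, context):
    return (
        _principal_matches(stmt, principal)
        and any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        and _condition_matches(stmt, context)
    )


def evaluate(policy, principal, action, resource, context):
    """'Deny' on an explicit Deny match, 'Allow' on an Allow match, else implicit 'Deny'."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, principal, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def request_allowed(principal, action, resource, context):
    """The endpoint policy applies only to requests that traverse the endpoint
    (the context carries aws:SourceVpce); the queue policy always applies."""
    if "aws:SourceVpce" in context:
        if evaluate(ENDPOINT_POLICY, principal, action, resource, context) != "Allow":
            return False
    return evaluate(QUEUE_POLICY, principal, action, resource, context) == "Allow"


# Request context for a TLS call made from inside the consumer VPC via the endpoint.
VIA_ENDPOINT_TLS = {"aws:SourceVpce": ENDPOINT_ID, "aws:SecureTransport": "true"}

if __name__ == "__main__":
    print(request_allowed(ORDER_ROLE, "sqs:SendMessage", QUEUE_ARN, VIA_ENDPOINT_TLS))
```

The same role calling the same queue from the public Internet has no aws:SourceVpce in its context, so the queue policy's Allow never matches and the request is implicitly denied; the endpoint policy narrows what can be done through the endpoint, and the resource policy makes the endpoint the only admitted path and refuses plaintext.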
Q: Can I associate security groups with VPC endpoints?
A: Yes. You can associate security groups with VPC endpoints.
Q: Can I use the AWS Management Console to control and manage AWS PrivateLink?
A: Yes. You can use the AWS Management Console to manage Amazon VPC objects such as VPC endpoints and AWS PrivateLink connections.
Q: What Amazon CloudWatch metrics are available for the interface-based VPC Endpoint?
A: Currently, no Amazon CloudWatch metric is available for the interface-based VPC Endpoint.