Professional Documents
Culture Documents
Making Privatelink The New Normal: Nick Matthews, Principal Solutions Architect
Making Privatelink The New Normal: Nick Matthews, Principal Solutions Architect
@nickpowpow
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
VPC Endpoint Introduction
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Public Access to Amazon S3
Without Endpoints:
Enter:
VPC Endpoint • Instances need
public connectivity
• Security groups
required to block
outside access
• Mindset that
customers are
traversing the
public internet
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
VPC Endpoints for Amazon S3
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
VPC Endpoints for Amazon S3
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
VPC Endpoints for Amazon S3
IAM Policy at S3 Bucket: Make
accessible from VPC Endpoint only
Restricting Access to
Amazon S3:
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
VPC Endpoints for Amazon S3
Other services like Amazon DynamoDB
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Introducing PrivateLink for AWS Services
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Introducing PrivateLink for AWS Services
ec2.eu-west-1.amazonaws.com
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS PrivateLink
How it works
Type: Gateway
Type: Interface
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
And now AWS PrivateLink
for service providers
NLB
Customer VPC
Service Provider VPC
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
And now AWS PrivateLink
for service providers
NLB
Customer VPC
Service Provider VPC
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
PrivateLink – How it Works
172.16.0.0/16
Availability Zone Availability Zone
172.16.1.0/24 172.16.2.0/24
Access is unidirectional
API API
172.16.1.9 172.16.2.41
One IP Address for each
10.1.0.0/16 Availability Zone
Network Load Balancer
10.1.1.127 10.1.2.35
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
PrivateLink – How it Works
172.16.0.0/16
Availability Zone Availability Zone
DNS names are created:
• 1 FQDN for all IP
Support for overlapping IP 172.16.1.0/24 172.16.2.0/24
addresses
address ranges API API
• Multiple FQDNs, one for
each Availability Zone
172.16.1.9 172.16.2.41
10.1.0.0/16 10.1.0.0/16
172.16.1.9 172.16.2.41
10.1.0.0/16 10.1.0.0/16
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Enhancement for Marketplace Services: Vanity DNS Names
VPC Endpoint ID
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS Marketplace Integration
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
PrivateLink Use Cases
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Customer Account
Shared Services:
• Security Services
• Logging
• Monitoring
Application VPC Peering • DevOps tools
Shared Services
• Authentication
Internet
Gateway
Amazon Services:
• Amazon EC2
AWS Direct Connect • Amazon S3
• ELB
Amazon EC2 API • Amazon SSM
Internet • etc.
Partner Services:
• SaaS
Firewall • API services
• Managed services
• Marketplace
Without PrivateLink Partner Services
offerings
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Customer Account
Shared Services:
Network
Interfaces • Security Services
• Logging
• Monitoring
PrivateLink
Application
• DevOps tools
Shared Services
• Authentication
Amazon Services:
PrivateLink • Amazon EC2
AWS Direct Connect • Amazon S3
• ELB
Amazon EC2 API • Amazon SSM
• etc.
Network
Interfaces Partner Services:
• SaaS
• API services
Endpoint VPC • Managed services
• Marketplace
With PrivateLink Partner Services
offerings
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Customer Account
Shared Services:
Network
Interfaces • Security Services
• Logging
• Monitoring
PrivateLink
Application
• DevOps tools
Shared Services
• Authentication
Shared Services:
Network
Interfaces • Security Services
2 • Logging
• Monitoring
PrivateLink
Application
• DevOps tools
Shared Services
• Authentication
Amazon Services:
• Amazon EC2
AWS Services PrivateLink
AWS Direct Connect
PrivateLink
• Amazon S3
Benefits: • ELB
• Access AWS services without internet Amazon EC2 API • Amazon SSM
access • etc.
Requirements: Network
• The AWS service must provide an
Interfaces Partner Services:
• SaaS
endpoint (EC2, SSM, ELB, Kinesis,
• API services
KMS, SNS, Service Catalog, etc.)
Endpoint VPC • Managed services
• Marketplace
With PrivateLink Partner Services
offerings
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Customer Account
Shared Services:
Network
Interfaces Partner Services PrivateLink • Security Services
3 Benefits:
• Logging
• Monitoring
PrivateLink • No internet access required, ideal for security-
• DevOps tools
Application
related services
Shared Services
• Authentication
• Reduce the scope of internet access for services
Requirements:
Amazon Services:
• Service providers must have •PrivateLink
Amazon EC2 enabled,
AWS Direct Connect AWS may need to help the partner
• Amazon S3
• Customer and provider must• use the same
Amazon ELB
Region Amazon EC2 API • Amazon SSM
• etc.
Network
Interfaces Partner Services:
• SaaS
• API services
Endpoint VPC • Managed services
• Marketplace
With PrivateLink Partner Services
offerings
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
On-premises to AWS PrivateLink
Benefits:
Customer Account
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Designing Endpoints with Network Load Balancer
• Private Link is natively available within the same AWS Region, how
do you handle global connectivity?
• AWS Direct Connect gateway may help, inter-region peering is
currently incompatible.
• Resources like databases or logging servers may not be compatible
with load balancing
• May require an NLB per resource
• Application Load Balancer is not currently supported
• Front the service with NLB in front of ALB
https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-
application-load-balancers/
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Designing Endpoints– Protocols
• The NLB network interface is not routable, doesn’t work for routers,
firewalls, proxies, etc.
• Transit VPC or other approaches more suitable
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
What Are Good Candidate PrivateLink Services?
• APIs, microservices
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Final Thoughts
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS PrivateLink—Service User
Interface Endpoints
Application 1
Services DNS Name on the Endpoints
• Publicly Resolvable Regional and Zonal DNS
name that maps to the local IP of the endpoints
• NLB Health Check Aware
AWS Direct Endpoints to your own
Connect services
Amazon VPC
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
The World with AWS PrivateLink
AWS Direct
Connect
Application 2
Amazon Sample Partner
Elastic Load Amazon EC2
Corporate data center Kinesis SaaS Solutions
Balancing API Systems Manager
Streams
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Use Cases
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
AWS PrivateLink Benefits
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Benefits of AWS PrivateLink
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Benefits of AWS PrivateLink
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Benefits of AWS PrivateLink
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
Thank you!
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.