Making Privatelink The New Normal: Nick Matthews, Principal Solutions Architect

Making PrivateLink
The New Normal

May 2018
Nick Matthews, Principal Solutions Architect
@nickpowpow
© 2018, Amazon Web Services, Inc. or Its Affiliates. All rights reserved.
VPC Endpoint Introduction
Public Access to Amazon S3
Without Endpoints:
Enter:
VPC Endpoint • Instances need
public connectivity
• Security groups
required to block
outside access
• Mindset that
customers are
traversing the
public internet
VPC Endpoints for Amazon S3
We no longer need the

following for Amazon
S3 access:
• Public addresses
per instance
• Default routes
pointing to an
internet gateway
• NAT Instances
• Or even an internet
gateway!
After the VPCE is created:

• ”Prefix-List” entries are
needed for each route
table.
• Now all traffic for the
PL-XXX destinations will
traverse the VPCE
instead of the internet
gateway.
IAM Policy at S3 Bucket: Make
accessible from VPC Endpoint only
Restricting Access to
Amazon S3:
IAM Policy at VPC • IAM Policy at VPC

Endpoint: Restrict actions Endpoints restricting
of VPC in Amazon S3 access
• IAM Policy at S3
bucket restricting
access
Other services like Amazon DynamoDB
Introducing PrivateLink for AWS Services
• API Endpoints for Amazon EC2

and Elastic Load Balancing (ELB) AWS PrivateLink:
Amazon DynamoDB • Amazon Kinesis Streams
• AWS Service Catalog • PrivateLink is a way to
Amazon S3
• No Route Table • Amazon EC2 Systems Manager reach additional public
• … and more services, privately from
update required your VPC
• Each PrivateLink VPCE
consists of multiple
network interfaces, using
IP addresses from the
assigned subnets
Introducing PrivateLink for AWS Services
• API Endpoints for Amazon EC2

and Elastic Load Balancing (ELB) AWS PrivateLink:
Amazon DynamoDB • Amazon Kinesis Streams
• AWS Service Catalog • PrivateLink is a way to
Amazon S3
• No Route Table • Amazon EC2 Systems Manager reach additional public
• … and more services, privately from
update required your VPC
• Each PrivateLink VPCE
consists of multiple
network interfaces, using
IP addresses from the
assigned subnets
ec2.eu-west-1.amazonaws.com
AWS PrivateLink
How it works
Type: Gateway
Type: Interface
And now AWS PrivateLink
for service providers
Application, e.g. SaaS
NLB
Customer VPC
Service Provider VPC
And now AWS PrivateLink
for service providers
Application, e.g. SaaS
NLB
Customer VPC
Service Provider VPC
VPC Endpoint: vpce-2222.foo.amazon.com
PrivateLink – How it Works
172.16.0.0/16
Availability Zone Availability Zone
172.16.1.0/24 172.16.2.0/24
Access is unidirectional
API API
172.16.1.9 172.16.2.41
One IP Address for each
10.1.0.0/16 Availability Zone
Network Load Balancer
10.1.1.127 10.1.2.35
10.1.1.0/24 10.1.2.0/24 The endpoint is a local IP address

PrivateLink – How it Works
172.16.0.0/16
DNS names are created:
• 1 FQDN for all IP
Support for overlapping IP 172.16.1.0/24 172.16.2.0/24
addresses
address ranges API API
• Multiple FQDNs, one for
each Availability Zone
172.16.1.9 172.16.2.41
10.1.0.0/16 10.1.0.0/16
10.1.1.127 10.1.2.35 10.1.1.162 10.1.2.22

…thousands
10.1.1.0/24 10.1.2.0/24 10.1.1.0/24 10.1.2.0/24
Availability Zone Availability Zone Availability Zone Availability Zone
VPC Endpoint: vpce-xxxx.vpce-svc-xxxx.us-east-

2.vpce.amazonaws.com
Amazon Route 53
PrivateLink – How it Works Private Hosted Zone
172.16.0.0/16
CNAME api.example.com
172.16.1.0/24 172.16.2.0/24 --> ALIAS vpce-xxxx.vpce-svc-

xxxx.us-east-2.vpce.amazonaws.com
API API
172.16.1.9 172.16.2.41
10.1.0.0/16 10.1.0.0/16
10.1.1.127 10.1.2.35 10.1.1.162 10.1.2.22

…thousands
Private Hosted
10.1.1.0/24 10.1.2.0/24 Zone 10.1.1.0/24 10.1.2.0/24
Availability Zone Availability Zone Association Availability Zone Availability Zone
VPC Endpoint: vpce-xxxx.vpce-svc-xxxx.us-east-

VPC Endpoint: api.example.com
2.vpce.amazonaws.com
Enhancement for Marketplace Services: Vanity DNS Names
Service Base DNS Name

vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
Service ID Region Sub Domain
Endpoints DNS Name on Client Side

vpce-12345.vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
vpce-67890.vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
VPC Endpoint ID
Enhancement for Marketplace Services: Vanity DNS Names
Service Vanity DNS Name Easier Recognition of

us-east-1.vpce.myexample.com Service Endpoints
Region Sub Domain Straight-forward TLS

Endpoints DNS Name on Client Side Termination
vpce-12345.us-east-1.vpce.myexample.com
vpce-67890.us-east-1.vpce.myexample.com
VPC Endpoint ID
AWS Marketplace Integration
Discoverability of the services when

customers purchase SaaS on AWS
Marketplace
PrivateLink Use Cases
Customer Account
Shared Services:
• Security Services
• Logging
• Monitoring
Application VPC Peering • DevOps tools
Shared Services
• Authentication
Internet
Gateway
Amazon Services:
• Amazon EC2
AWS Direct Connect • Amazon S3
• ELB
Amazon EC2 API • Amazon SSM
Internet • etc.
Partner Services:
• SaaS
Firewall • API services
• Managed services
• Marketplace
Without PrivateLink Partner Services
offerings
Customer Account
Shared Services:
Network
Interfaces • Security Services
• Logging
• Monitoring
PrivateLink
Application
• DevOps tools
Shared Services
• Authentication
Amazon Services:
PrivateLink • Amazon EC2
AWS Direct Connect • Amazon S3
• ELB
Amazon EC2 API • Amazon SSM
• etc.
Network
Interfaces Partner Services:
• SaaS
• API services
Endpoint VPC • Managed services
• Marketplace
With PrivateLink Partner Services
offerings
Customer Account
Shared Services:
Network
• Logging
• Monitoring
PrivateLink
Application
• DevOps tools
Shared Services
• Authentication
Shared Services PrivateLink Amazon Services:

Benefits: PrivateLink
AWS Direct Connect
1 • Amazon EC2
• More scalable than VPC peering, thousands versus • Amazon S3
100 • ELB
• More granular application access, EC2 API to full • Amazon SSM
compared
Amazon
• etc.
VPC access
Network
• Support for overlapping VPC CIDR ranges
Requirements: • SaaS
• Service must be compatible with NLB • API services
• Marketplace
offerings
Customer Account
Shared Services:
Network
2 • Logging
• Monitoring
PrivateLink
Application
• DevOps tools
Shared Services
• Authentication
Amazon Services:
• Amazon EC2
AWS Services PrivateLink
AWS Direct Connect
PrivateLink
• Amazon S3
Benefits: • ELB
• Access AWS services without internet Amazon EC2 API • Amazon SSM
access • etc.
Requirements: Network
• The AWS service must provide an
• SaaS
endpoint (EC2, SSM, ELB, Kinesis,
• API services
KMS, SNS, Service Catalog, etc.)
• Marketplace
offerings
Customer Account
Shared Services:
Network
Interfaces Partner Services PrivateLink • Security Services
3 Benefits:
• Logging
• Monitoring
PrivateLink • No internet access required, ideal for security-
• DevOps tools
Application
related services
Shared Services
• Authentication
• Reduce the scope of internet access for services
Requirements:
Amazon Services:
• Service providers must have •PrivateLink
Amazon EC2 enabled,
AWS Direct Connect AWS may need to help the partner
• Amazon S3
• Customer and provider must• use the same
Amazon ELB
Region Amazon EC2 API • Amazon SSM
• etc.
Network
• SaaS
• API services
• Marketplace
offerings
On-premises to AWS PrivateLink
Benefits:
Customer Account
• Allows on-premises customers to access services

Shared Services:
Network
Interfaces in a secure and scalable design • Security Services
• Send sensitive information over private • Logging
• Monitoring
PrivateLink connectivity
• DevOps tools
Application
• Service providers Shared
have an easily repeatable
Services
• Authentication
pattern
• The service target can also be on-premises
4 Requirements: Amazon Services:
• Amazon EC2
• Service must be compatible with NLB
PrivateLink
• Amazon S3
AWS Direct Connect
• Customer or service provider must •have an AWS
Amazon ELB
Direct Connect Amazon
port EC2 API • Amazon SSM
• etc.
Network
• SaaS
• API services
• Marketplace
offerings
PrivateLink Design Alternatives
Designing Endpoints with Network Load Balancer
• Private Link is natively available within the same AWS Region, how
do you handle global connectivity?
• AWS Direct Connect gateway may help, inter-region peering is
currently incompatible.
• Resources like databases or logging servers may not be compatible
with load balancing
• May require an NLB per resource
• Application Load Balancer is not currently supported
• Front the service with NLB in front of ALB
https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-
application-load-balancers/
Designing Endpoints– Protocols
• Provided services cannot initiate new connections

• Use VPC peering
• Provided services must be TCP, no SSL offload

• SSL offload can use the ALB-behind-NLB model
• The NLB network interface is not routable, doesn’t work for routers,
firewalls, proxies, etc.
• Transit VPC or other approaches more suitable
What Are Good Candidate PrivateLink Services?
• APIs, microservices
• Multi-tenant TCP services
• Anything currently behind Elastic Load Balancing useful to multiple

VPCs
• Services that process sensitive data
• Sharing services in sensitive environments
Final Thoughts
AWS PrivateLink—Service User
Interface Endpoints
Local IP, No Route Table Entry

Can Span Multiple Availability Zones
Endpoints to AWS
Application 1
Services DNS Name on the Endpoints
• Publicly Resolvable Regional and Zonal DNS
name that maps to the local IP of the endpoints
• NLB Health Check Aware
AWS Direct Endpoints to your own
Connect services
Security Group Integration

Application 2
Endpoints to AWS partner
Accessible over AWS Direct Connect
services
Amazon VPC
The World with AWS PrivateLink
Application 1 Amazon AWS Your Own

EC2 API Service Catalog Service in
Another VPC
AWS Direct
Connect
Application 2
Amazon Sample Partner
Elastic Load Amazon EC2
Corporate data center Kinesis SaaS Solutions
Balancing API Systems Manager
Streams
Amazon Virtual Private Cloud
Use Cases
Centralized internal services such

as logging, monitoring, and
workloads serving various VPCs
Microservices and APIs, container

systems
SaaS services with customer

applications in other VPCs and on-
premises networks
AWS PrivateLink Benefits
AWS PrivateLink enables customers to use one set of

services across on-premises networks and Amazon VPCs
Benefits of AWS PrivateLink
AWS PrivateLink is highly reliable and horizontally scalable

on the service and client side
AWS PrivateLink reduces operational overhead.

Support for overlapping addresses and reduced management points.
AWS PrivateLink is a secure model. The service owner is only

exposing a service concept and the connection is always
initiated by the service user. Users do not need to configure
internet connectivity.
Thank you!

Making Privatelink The New Normal: Nick Matthews, Principal Solutions Architect

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Making Privatelink The New Normal: Nick Matthews, Principal Solutions Architect

Uploaded by

Copyright:

Available Formats

Making PrivateLink

The New Normal

Nick Matthews, Principal Solutions Architect

We no longer need the

After the VPCE is created:

IAM Policy at VPC • IAM Policy at VPC

• API Endpoints for Amazon EC2

• API Endpoints for Amazon EC2

Application, e.g. SaaS

Application, e.g. SaaS

VPC Endpoint: vpce-2222.foo.amazon.com

10.1.1.0/24 10.1.2.0/24 The endpoint is a local IP address

10.1.1.127 10.1.2.35 10.1.1.162 10.1.2.22

VPC Endpoint: vpce-xxxx.vpce-svc-xxxx.us-east-

172.16.1.0/24 172.16.2.0/24 --> ALIAS vpce-xxxx.vpce-svc-

10.1.1.127 10.1.2.35 10.1.1.162 10.1.2.22

VPC Endpoint: vpce-xxxx.vpce-svc-xxxx.us-east-

Service Base DNS Name

Endpoints DNS Name on Client Side

Service Vanity DNS Name Easier Recognition of

Region Sub Domain Straight-forward TLS

Discoverability of the services when

Shared Services PrivateLink Amazon Services:

• Allows on-premises customers to access services

• Provided services cannot initiate new connections

• Provided services must be TCP, no SSL offload

• Multi-tenant TCP services

• Anything currently behind Elastic Load Balancing useful to multiple

• Services that process sensitive data

• Sharing services in sensitive environments

Local IP, No Route Table Entry

Security Group Integration

Application 1 Amazon AWS Your Own

Amazon Virtual Private Cloud

Centralized internal services such

Microservices and APIs, container

SaaS services with customer

AWS PrivateLink enables customers to use one set of

AWS PrivateLink is highly reliable and horizontally scalable

AWS PrivateLink reduces operational overhead.

AWS PrivateLink is a secure model. The service owner is only

You might also like