AWS PrivateLink: Connecting AWS Customers Using the AWS Network
In this article
Considering the wealth of published content and the combined AWS experience and wisdom of an organization's employees, I can convince myself that every organization has a complete understanding of each service available within AWS. This is, however, a falsehood as AWS is unceasingly adding new services and new capabilities to existing services. And it's an immense challenge to understand how best to meld AWS services in such a way as to solve the business challenges that one faces. Sometimes, the best solution to a business problem requires a complex architecture with potentially dozens of AWS services. There are also times when a single AWS service can provide incredible benefits.
Let me provide a recent example based on a recent, semi-fictitious exchange:
- Customer: "I need you to help build a site-to-site VPN from my AWS VPC to a partner of mine, who is also on AWS."
- Me: "Do your resources reside in the same AWS region?"
- Customer: "Yes."
- Me: "What do you need to access in the partner account?"
- Customer: "I need to read data from a single host using a single port."
- Me: "Have you and this partner considered using AWS PrivateLink instead of a site-to-site VPN?"
- Customer: "AWS PrivateWhat?"
What is AWS PrivateLink?
Is establishing an AWS Site-to-Site VPN the best and most efficient way for this customer to connect to their partner? Is AWS PrivateLink a better solution? What is PrivateLink?
Before we define what AWS PrivateLink is as a service, we must first define the (2) entities involved in EVERY AWS PrivateLink connection: Service Providers and Service Consumers. Service Providers are those organizations responsible for offering a service. Service Consumers consume the services offered by the service provider.
AWS PrivateLink enables service consumers to privately and securely access endpoint services offered by service providers using the AWS global backbone network as opposed to the public internet.
Before the availability of AWS PrivateLink, building site-to-site (or VPC-to-VPC) VPN connections was a method by which an organization could share services and resources with their customers or partners. However, as consumer demand for a service or resource increases, building a multitude of VPN tunnels to support such demand quickly becomes untenable.
For the use case I'm detailing here, service consumers required connectivity to the service provider to read data from a specific instance on a specific port. Why would a service provider desire to provide its service by implementing and managing potentially hundreds or thousands of VPN connections?
AWS PrivateLink provided the means to easily address increasing demand while also alleviating the difficulty of managing static VPN connections. Though initially hesitant, because site-to-site VPN connections are "how we've always provided partners access to this resource", the service provider ultimately agreed to a PrivateLink POC (proof of concept).
Setting up an AWS PrivateLink connection
Because AWS PrivateLink is a solution new to both parties, I had the privilege to work with both the service provider and the service consumer. The proposed architecture was practically identical to that shown below, taken from the AWS PrivateLink white paper:
Earlier in the article, I stated that there are (2) entities involved in EVERY AWS PrivateLink connection, the service providers and service consumers. I wanted to repeat that because there are configuration tasks to be completed on both sides of a PrivateLink connection.
On the service provider side:
PrivateLink services are made available through either a Network Load Balancer or a Gateway Load Balancer. Thus the service provider must set up and test an NLB or GLB to front-end the relevant resources prior to offering a PrivateLink endpoint service. Once the load balancer has been tested and validated, the PrivateLink service endpoint is created. The service endpoint is then shared with allowed principles such as AWS Account IDs, IAM Users and IAM Roles, and its Service Name is shared with the service consumer.
On the service consumer side:
The service consumer creates a VPC endpoint to connect to the AWS Service Name provided by the service provider.
This is great, but is it really going to work?
Some of my most cherished memories throughout my career are those moments when I see my customers have an eye-opening experience. I didn't anticipate it at the time, but I was about to have another such experience while testing the PrivateLink connection. Remember the initially hesitant service provider? Once the tests were successfully completed, and the service provider realized that setting up VPN connections to support connectivity to their service could be a thing of the past, I received a "Wow!" over our chat session.
AWS PrivateLink delivered on its promise for this customer. Not only did it enable private connectivity using the AWS global network, but PrivateLink also simplified network management by eliminating the need to set up site-to-site VPN connections, and provided scalability benefits inherent to AWS Network Load Balancers that will be essential for this service provider as PrivateLink is introduced to more customers.
How can we help you?
Our mission is to partner with our customers and enable them to achieve their goals by simplifying the complex tasks of designing and deploying reliable, scalable and secure environments. If your organization is facing a daunting challenge, contact us. We would be pleased to partner with your team as you look to address and overcome the challenges you are faced with today and into the future.