Poshjoshs Blog

AWS VPC Endpoints and VPC Endpoint Services (AWS Private Link)

March 16, 2020

Acronyms

  • VPC - Virtual Private Cloud

VPC Endpoint Services (AWS Private Link)

You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service (referred to as an endpoint service). Other AWS principals can then create a connection from their VPC to your endpoint service using an interface VPC endpoint; the traffic stays on the AWS network and never traverses the public internet. You are the service provider, and the AWS principals that create connections to your service are service consumers. Two controls sit on the provider side: a consumer's account or IAM principal must be on the endpoint service's list of allowed principals before it can connect at all, and you can additionally require that each connection request be accepted manually before traffic flows.

In the following diagram, the account owner of VPC B is a service provider, and has a service running on instances in subnet B. The owner of VPC B has an endpoint service (vpce-svc-1234) with an associated Network Load Balancer that points to the instances in subnet B as targets. Instances in subnet A of VPC A use an interface endpoint to access the service in subnet B.

Illustration of VPC Endpoint Service. Source: docs.aws.amazon.com

For low latency and fault tolerance, AWS recommends using a Network Load Balancer with targets in every Availability Zone of the AWS Region. To help achieve high availability for service consumers that use zonal DNS hostnames to access the service, you can enable cross-zone load balancing. Cross-zone load balancing enables the load balancer to distribute traffic across the registered targets in all enabled Availability Zones, so a consumer that resolved a zonal hostname still reaches healthy targets when its own AZ's targets are down. For more information, see the Network Load Balancer documentation on Cross-Zone Load Balancing.

In the following diagram, the owner of VPC B is the service provider, and it has configured a Network Load Balancer with targets in two different Availability Zones. The service consumer (VPC A) has created interface endpoints in the same two Availability Zones in their VPC. Requests to the service from instances in VPC A can use either interface endpoint.

Illustration of VPC Endpoint Service - Multi AZ. Source: docs.aws.amazon.com

Considerations

  • Note that cross-zone load balancing sends traffic between Availability Zones, and AWS charges for that inter-AZ (regional) data transfer.
  • Note that the AZ us-east-1a for your AWS account might not be the same location as us-east-1a for another AWS account. This is because AWS independently maps AZ names to physical zones for each account, so that resources are spread evenly across the zones.
  • To coordinate AZs across accounts, you must use the AZ ID, which is a unique and consistent identifier for an Availability Zone. For example, use1-az1 is an AZ ID for the us-east-1 Region and it has the same location in every AWS account. A service provider should therefore publish the AZ IDs its targets live in, and a consumer should place its interface endpoints in subnets selected by those IDs rather than by zone name.
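The provider and consumer sides described above, together with the AZ-ID coordination from the considerations, as an added Terraform example (this is not code from the original post or from AWS documentation). It assumes placeholder account, VPC, subnet and CIDR values and the AZ IDs use1-az1 and use1-az2; the provider pins a single consumer account and requires acceptance instead of the weak open configuration, and the consumer chooses its endpoint subnets by AZ ID so they land in the same physical zones as the provider's targets.

```hcl
# Added example: the "svc" provider is the service provider account (VPC B),
# the "consumer" provider is the service consumer account (VPC A).
# All account, VPC, subnet and CIDR values below are assumed placeholders.
provider "aws" {
  alias  = "svc"
  region = "us-east-1"
}

provider "aws" {
  alias  = "consumer"
  region = "us-east-1"
}

# AZ IDs refer to the same physical location in every account; names such
# as us-east-1a do not, so the provider publishes IDs, never names.
variable "service_az_ids" {
  type    = list(string)
  default = ["use1-az1", "use1-az2"]
}

# ---- Provider side (VPC B) ----

resource "aws_lb" "service" {
  provider           = aws.svc
  name               = "svc-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = ["subnet-0b111111", "subnet-0b222222"] # one per AZ in service_az_ids (assumed)
  # Lets a consumer that resolved a zonal DNS name still reach targets in the
  # other AZ; the cross-AZ hops are billed as regional data transfer.
  enable_cross_zone_load_balancing = true
}

resource "aws_vpc_endpoint_service" "service" {
  provider                   = aws.svc
  network_load_balancer_arns = [aws_lb.service.arn]
  # Weak setting: acceptance_required = false with allowed_principals = ["*"]
  # lets any AWS account attach an endpoint to this service. Pin the
  # consumer account and review each connection request instead.
  acceptance_required = true
  allowed_principals  = ["arn:aws:iam::111122223333:root"] # consumer account (assumed)
}

# ---- Consumer side (VPC A) ----

# Select the consumer's subnets by AZ *ID*, so the endpoint ENIs end up in
# the same physical zones as the provider's targets, whatever those zones
# happen to be called in this account.
data "aws_subnets" "endpoint" {
  provider = aws.consumer
  filter {
    name   = "vpc-id"
    values = ["vpc-0a000000"] # VPC A (assumed)
  }
  filter {
    name   = "availability-zone-id"
    values = var.service_az_ids
  }
}

# The endpoint's ENIs take a security group like any other ENI: allow only
# the service port, only from VPC A's own address range.
resource "aws_security_group" "endpoint" {
  provider = aws.consumer
  name     = "svc-endpoint-sg"
  vpc_id   = "vpc-0a000000"
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"] # VPC A CIDR (assumed)
  }
}

resource "aws_vpc_endpoint" "service" {
  provider           = aws.consumer
  vpc_id             = "vpc-0a000000"
  vpc_endpoint_type  = "Interface"
  service_name       = aws_vpc_endpoint_service.service.service_name # com.amazonaws.vpce.<region>.vpce-svc-...
  subnet_ids         = data.aws_subnets.endpoint.ids
  security_group_ids = [aws_security_group.endpoint.id]
}

# ---- Provider side again: approve this one consumer endpoint ----

resource "aws_vpc_endpoint_connection_accepter" "service" {
  provider                = aws.svc
  vpc_endpoint_service_id = aws_vpc_endpoint_service.service.id
  vpc_endpoint_id         = aws_vpc_endpoint.service.id
}
```

Because the endpoint service requires acceptance, the consumer's endpoint sits in the pendingAcceptance state until the accepter resource in the provider account approves it; until then no traffic flows even though the consumer is on the allowed-principals list. If the provider later adds a target AZ, it must publish the new AZ ID and the consumer must add a subnet in that zone, otherwise zonal-hostname consumers only reach the new zone through cross-zone load balancing.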

Written by Chinomso Ikwuagwu in the spirit of power, love and a sound mind
