AWS PrivateLink and VPC endpoints - Amazon Virtual Private Cloud

AWS PrivateLink is a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to communicate with the service. Therefore, you control the specific API endpoints, sites, and services that are reachable from your VPC.

You can create your own VPC endpoint service, powered by AWS PrivateLink, and enable other AWS customers to access your service.

VPC endpoints concepts

The following are the key concepts for VPC endpoints:

  • VPC endpoint — The entry point in your VPC that enables you to connect privately to a service. There are several types of VPC endpoints; you create the type of VPC endpoint required by the service you want to reach.

  • Endpoint service — Your own application or service in your VPC. Other AWS principals can create an endpoint from their VPC to your endpoint service.

To use AWS PrivateLink, create a VPC endpoint for a service in your VPC. You create the type of VPC endpoint required by the supported service. This creates an elastic network interface in your subnet with a private IP address that serves as the entry point for traffic destined for the service. The following diagram shows the basic architecture for securely connecting your VPC to an AWS service that supports AWS PrivateLink.

[Figure: Using an interface endpoint to access an AWS service]

Work with VPC endpoints

You can create, access, and manage VPC endpoints using any of the following:

  • AWS Management Console — Provides a web interface that you can use to access your VPC endpoints.

  • AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services, including Amazon VPC. The AWS CLI is supported on Windows, macOS, and Linux. For more information, see AWS Command Line Interface.

  • AWS SDKs — Provide language-specific APIs. The SDKs take care of many of the connection details, such as calculating signatures, handling request retries, and handling errors. For more information, see AWS SDKs.

  • Query API — Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access Amazon VPC. However, it requires that your application handle low-level details such as generating the hash to sign the request and handling errors. For more information, see the Amazon EC2 API Reference.
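As an added example (not code from this AWS documentation page), the following Python shows how the endpoint described above is specified when you use the AWS SDK: it assembles the parameters for boto3's EC2.Client.create_vpc_endpoint call for an interface endpoint to Secrets Manager, attaches an endpoint policy that limits which principals and resources are reachable through the endpoint, and lints that policy for the broad grants that an endpoint otherwise allows by default. The VPC, subnet, security group, account and secret identifiers are constructed placeholders; the `create_endpoint` helper is the only part that talks to AWS and is not called when the module runs.

```python
"""Build a least-privilege interface-endpoint request and lint its endpoint policy.

Added example, not AWS documentation code. All identifiers below are
constructed placeholders; replace them with your own values.
"""
from __future__ import annotations

import json

REGION = "us-east-1"          # placeholder region
ACCOUNT_ID = "111122223333"   # placeholder account id

# What an endpoint permits when you attach no policy: every principal,
# every action, every resource of the service.
DEFAULT_FULL_ACCESS = {
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}
    ]
}


def build_endpoint_policy(account_id: str, secret_prefix: str) -> dict:
    """Endpoint policy allowing only this account's principals to read one
    family of secrets. Endpoint policies are evaluated in addition to IAM and
    resource policies, so this narrows, never widens, what the caller can do.
    The Principal stays "*" and is scoped by the aws:PrincipalAccount condition.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOwnAccountReadProdSecrets",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": f"arn:aws:secretsmanager:{REGION}:{account_id}:secret:{secret_prefix}",
                "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
            }
        ],
    }


def _as_list(value) -> list:
    """IAM elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_endpoint_policy(policy: dict) -> list[str]:
    """Return one finding per broad grant in an Allow statement."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        open_principal = principal == "*" or principal == {"AWS": "*"}
        if open_principal and not stmt.get("Condition"):
            findings.append(f"{sid}: Principal '*' with no Condition (any AWS principal may use the endpoint)")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action {actions}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' (every resource of the service)")
    return findings


def build_create_request(vpc_id: str, subnet_ids: list[str], security_group_ids: list[str],
                         service: str, policy: dict) -> dict:
    """Keyword arguments for boto3 EC2.Client.create_vpc_endpoint (real parameter names).
    The security groups bound here are what limits which hosts can reach the
    endpoint ENI; keep them to TCP 443 from the consuming subnets.
    """
    return {
        "VpcId": vpc_id,
        "VpcEndpointType": "Interface",
        "ServiceName": f"com.amazonaws.{REGION}.{service}",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(security_group_ids),
        "PrivateDnsEnabled": True,
        "PolicyDocument": json.dumps(policy),
    }


def create_endpoint(ec2_client, request: dict) -> str:
    """Submit the request with a boto3 EC2 client; returns the endpoint id.
    Not invoked here because it requires credentials and network access."""
    response = ec2_client.create_vpc_endpoint(**request)
    return response["VpcEndpoint"]["VpcEndpointId"]


if __name__ == "__main__":
    policy = build_endpoint_policy(ACCOUNT_ID, "prod/*")
    print("findings for default policy:", audit_endpoint_policy(DEFAULT_FULL_ACCESS))
    print("findings for scoped policy: ", audit_endpoint_policy(policy))
    request = build_create_request("vpc-0placeholder", ["subnet-0placeholder"],
                                   ["sg-0placeholder"], "secretsmanager", policy)
    print(json.dumps(request, indent=2))
```

Running the module lists three findings for the default full-access policy and none for the scoped one, then prints the request you would pass as `ec2_client.create_vpc_endpoint(**request)`. The same parameters map one-to-one onto the AWS CLI flags of `aws ec2 create-vpc-endpoint` (`--vpc-id`, `--vpc-endpoint-type`, `--service-name`, `--subnet-ids`, `--security-group-ids`, `--private-dns-enabled`, `--policy-document`).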

Example endpoint configurations

For information about AWS PrivateLink and VPC peering examples, see Examples: Services using AWS PrivateLink and VPC peering in the Amazon VPC User Guide.

Pricing for endpoints

For information about endpoint pricing, see AWS PrivateLink Pricing.