Access AWS services through AWS PrivateLink - Amazon Virtual Private Cloud

Access AWS services through AWS PrivateLink

You access an AWS service using an endpoint. The default service endpoints are public interfaces, so you must add an internet gateway to your VPC so that traffic can get from the VPC to the AWS service. If this configuration doesn't work with your network security requirements, you can use AWS PrivateLink to connect your VPC to AWS services as if they were in your VPC, without the use of an internet gateway.

You can privately access the AWS services that integrate with AWS PrivateLink using VPC endpoints. You can build and manage all layers of your application stack without using an internet gateway.

Overview

You can access AWS services through their public service endpoints or connect to supported AWS services using AWS PrivateLink. This overview compares these methods.

Access through public service endpoints

The following diagram shows how instances access AWS services through the public service endpoints. Traffic to an AWS service from an instance in a public subnet is routed to the internet gateway for the VPC and then to the AWS service. Traffic to an AWS service from an instance in a private subnet is routed to a NAT gateway, then to the internet gateway for the VPC, and then to the AWS service. While this traffic traverses the internet gateway, it does not leave the AWS network.


        By default, traffic from your VPC to an AWS service is routed through an internet
          gateway, but does not leave the AWS network.

Connect through AWS PrivateLink

The following diagram shows how instances access AWS services through AWS PrivateLink. First, you create an interface VPC endpoint, which establishes connections between the subnets in your VPC and an AWS service using network interfaces. Traffic destined for the AWS service is resolved to the private IP addresses of the endpoint network interfaces using DNS, and then sent to the AWS service using the connection between the VPC endpoint and the AWS service.


        With AWS PrivateLink, traffic from your VPC to an AWS service uses the connections
          between the subnets and the AWS service provided by the interface VPC endpoint.

DNS hostnames

Most AWS services offer public Regional endpoints, whose URLs have the following syntax.

protocol://service_code.region_code.amazonaws.com

For example, the public endpoint for Amazon CloudWatch in us-east-2 is as follows.

https://monitoring.us-east-2.amazonaws.com

With AWS PrivateLink, you send traffic to the service using private endpoints. When you create an interface VPC endpoint, we create Regional and zonal DNS names that you can use to communicate with the AWS service from your VPC. The Regional DNS name for your interface VPC endpoint has the following syntax:

endpoint_id-service_id.region.vpce.amazonaws.com

The zonal DNS names have the following syntax:

endpoint_id-az_name.service_id.region.vpce.amazonaws.com

If you enable both DNS hostnames and DNS resolution for your VPC, we create a hidden private hosted zone. The hosted zone contains a record set for the default DNS name for the service that resolves it to the private IP addresses of the endpoint network interfaces in your VPC. Therefore, if you have existing applications that send requests to the AWS service using a public Regional endpoint, those requests now go through the endpoint network interfaces without requiring any changes to those applications.

The DNS records that we create for your interface VPC endpoint are public. Therefore, these DNS names are publicly resolvable. However, DNS requests from outside the VPC still return the private IP addresses of the endpoint network interfaces, so these IP addresses can't be used to access the endpoint service unless you have access to the VPC.

The following describe-vpc-endpoints command displays the DNS entries for an interface endpoint.

aws ec2 describe-vpc-endpoints --vpc-endpoint-id vpce-099deb00b40f00e22 --query VpcEndpoints[*].DnsEntries

The following is example output for an interface endpoint for Amazon CloudWatch with private DNS names enabled. The first entry is the private Regional endpoint. The next three entries are the private zonal endpoints. The final entry is from the hidden private hosted zone, which resolves requests to the public endpoint to the private IP addresses of the endpoint network interfaces.

[ [ { "DnsName": "vpce-099deb00b40f00e22-lj2wisx3.monitoring.us-east-2.vpce.amazonaws.com", "HostedZoneId": "ZC8PG0KIFKBRI" }, { "DnsName": "vpce-099deb00b40f00e22-lj2wisx3-us-east-2c.monitoring.us-east-2.vpce.amazonaws.com", "HostedZoneId": "ZC8PG0KIFKBRI" }, { "DnsName": "vpce-099deb00b40f00e22-lj2wisx3-us-east-2a.monitoring.us-east-2.vpce.amazonaws.com", "HostedZoneId": "ZC8PG0KIFKBRI" }, { "DnsName": "vpce-099deb00b40f00e22-lj2wisx3-us-east-2b.monitoring.us-east-2.vpce.amazonaws.com", "HostedZoneId": "ZC8PG0KIFKBRI" }, { "DnsName": "monitoring.us-east-2.amazonaws.com", "HostedZoneId": "Z06320943MMOWYG6MAVL9" } ] ]