Access SaaS products through AWS PrivateLink - Amazon Virtual Private Cloud

Access SaaS products through AWS PrivateLink

Using AWS PrivateLink, you can access SaaS products privately, as if they were running in your own VPC.

Overview

You can discover, purchase, and provision SaaS products powered by AWS PrivateLink through AWS Marketplace. For more information, see AWS Marketplace: PrivateLink.

You can also find SaaS products powered by AWS PrivateLink from AWS Partners. For more information, see AWS PrivateLink Partners.

The following diagram shows how you use VPC endpoints to connect to SaaS products. The service provider creates an endpoint service and grants their customers access to the endpoint service. As the service consumer, you create an interface VPC endpoint, which establishes connections between one or more subnets in your VPC and the endpoint service.


[Diagram: Service consumers create interface VPC endpoints to connect to the endpoint services hosted by service providers.]

Create an interface endpoint

Use the following procedure to create an interface VPC endpoint that connects to the SaaS product.

Requirement

Subscribe to the service.

To create an interface endpoint to a partner service

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Endpoints.

  3. Choose Create endpoint.

  4. If you purchased the service from AWS Marketplace, do the following:

    1. For Service category, choose AWS Marketplace services.

    2. Enter the name of the service.

  5. If you subscribed to a service with the AWS Service Ready designation, do the following:

    1. For Service category, choose PrivateLink Ready partner services.

    2. Enter the name of the service and choose Verify service.

  6. For VPC, select the VPC from which you'll access the product.

  7. For Subnets, select one subnet per Availability Zone from which you'll access the product.

  8. For Security group, select the security groups to associate with the endpoint network interfaces. The security group rules must allow traffic between the resources in the VPC and the endpoint network interfaces.

  9. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  10. Choose Create endpoint.

To configure an interface endpoint

For information about configuring your interface endpoint, see Configure an interface endpoint.

Access the product

Access the product using the private DNS name provided for you.

If the endpoint service supports it, you can add a VPC endpoint policy for your interface endpoint, which controls access to the endpoint service from the VPC through the endpoint. The default policy allows full access. For more information, see VPC endpoint policies.
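The security group step of the procedure and the default full-access endpoint policy are the two settings worth checking after the endpoint exists. The following audit is an added example, not AWS code: it assumes input shaped like the output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`, uses constructed sample data, checks IPv4 rules only, and treats ingress from outside the VPC CIDR as a finding (a hardening assumption that goes beyond what the page requires).

```python
import ipaddress
import json

def _wild(v):
    return v in ("*", ["*"], {"AWS": "*"})

def is_full_access(policy_document):
    """True if a statement allows every principal, action and resource."""
    stmts = json.loads(policy_document or "{}").get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow" and _wild(s.get("Principal"))
               and _wild(s.get("Action")) and _wild(s.get("Resource"))
               for s in stmts)

def audit_endpoint(endpoint, security_groups, vpc_cidr):
    """Return findings for one interface endpoint (IPv4 rules only)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, reachable = [], False
    if is_full_access(endpoint.get("PolicyDocument")):
        findings.append("endpoint policy allows full access")
    attached = {g["GroupId"] for g in endpoint.get("Groups", [])}
    for sg in (s for s in security_groups if s["GroupId"] in attached):
        for perm in sg.get("IpPermissions", []):
            # A security-group source counts as VPC-side traffic here.
            reachable = reachable or bool(perm.get("UserIdGroupPairs"))
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"])
                reachable = reachable or src.overlaps(vpc)
                if not src.subnet_of(vpc):
                    findings.append(f"{sg['GroupId']} admits {src}, wider than the VPC")
    if not reachable:
        findings.append("no ingress rule admits VPC resources")
    return findings

# Constructed sample data (not from a real account).
DEFAULT_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
ENDPOINT = {"VpcEndpointId": "vpce-EXAMPLE", "PolicyDocument": DEFAULT_POLICY,
            "Groups": [{"GroupId": "sg-EXAMPLE"}]}
OPEN_SG = [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
SCOPED_SG = [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]

if __name__ == "__main__":
    for finding in audit_endpoint(ENDPOINT, OPEN_SG, "10.0.0.0/16"):
        print(finding)
```

An endpoint whose service does not support endpoint policies has no `PolicyDocument`, and the policy check then reports nothing.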