Share your services through AWS PrivateLink - Amazon Virtual Private Cloud

Share your services through AWS PrivateLink

You can host your own AWS PrivateLink powered service, known as an endpoint service, and share it with other AWS customers.

Overview

The following diagram shows how you share your service that's hosted in AWS with other AWS customers, and how those customers connect to your service. As the service provider, you create a Network Load Balancer in your VPC as the service front end. You then select this load balancer when you create the VPC endpoint service configuration. You grant permission to specific AWS principals (AWS accounts, IAM users, or IAM roles) so that they can connect to your service. As a service consumer, the customer creates an interface VPC endpoint, which establishes connections between the subnets that they select from their VPC and your endpoint service. The load balancer receives requests from the service consumer and routes them to the targets hosting your service.


        Service consumers create interface VPC endpoints to connect to the endpoint services
          that are hosted by service providers.

For low latency and fault tolerance, we recommend that you make your service available in all Availability Zones in the Region.

DNS hostnames

When a service provider creates a VPC endpoint service, AWS generates an endpoint-specific DNS hostname for the service. These names have the following syntax:

endpoint_service_id.region.vpce.amazonaws.com

The following is an example of a DNS hostname for a VPC endpoint service in the us-east-2 Region:

vpce-svc-071afff70666e61e0.us-east-2.vpce.amazonaws.com

When a service consumer creates an interface VPC endpoint, we create Regional and zonal DNS names that the service consumer can use to communicate with the endpoint service. Regional names have the following syntax:

endpoint_id.endpoint_service_id.region.vpce.amazonaws.com

Zonal names have the following syntax:

endpoint_id-zone.endpoint_service_id.region.vpce.amazonaws.com

A service provider can also associate a private DNS name for their endpoint service, so that service consumers can continue to access the service using its existing DNS name. If the service provider associated a private DNS name with the endpoint service, the service consumer can enable private DNS names for the interface endpoint. If the service provider doesn't enable private DNS, the service consumer might need to update their application to use the public DNS name for the VPC endpoint service. For more information, see Manage DNS names.

IP address types

Service providers can make their service endpoints available to service consumers over IPv4, IPv6, or both IPv4 and IPv6, even if their backend servers support only IPv4. If you enable dualstack support, existing consumers can continue to use IPv4 to access your service and new consumers can choose to use IPv6 to access your service.

If an interface VPC endpoint supports IPv4, the endpoint network interfaces have IPv4 addresses. If an interface VPC endpoint supports IPv6, the endpoint network interfaces have IPv6 addresses. The IPv6 address for an endpoint network interface is unreachable from the internet. If you describe an endpoint network interface with an IPv6 address, notice that denyAllIgwTraffic is enabled.

Requirements to enable IPv6 for an endpoint service

  • The VPC and subnets for the endpoint service must have associated IPv6 CIDR blocks.

  • All Network Load Balancers for the endpoint service must use the dualstack IP address type. The targets do not need to support IPv6 traffic. If the service processes source IP addresses from the proxy protocol version 2 header, it must process IPv6 addresses.

Requirements to enable IPv6 for an interface endpoint

  • The endpoint service must support IPv6 requests.

  • The IP address type of an interface endpoint must be compatible with the subnets for the interface endpoint, as described here:

    • IPv4 – Assign IPv4 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have IPv4 address ranges.

    • IPv6 – Assign IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets are IPv6 only subnets.

    • Dualstack – Assign both IPv4 and IPv6 addresses to your endpoint network interfaces. This option is supported only if all selected subnets have both IPv4 and IPv6 address ranges.

DNS record IP address type for an interface endpoint

The DNS record IP address type that an interface endpoint supports determines the DNS records that we create. The DNS record IP address type of an interface endpoint must be compatible with the IP address type of the interface endpoint, as described here:

  • IPv4 – Create A records for the private, Regional, and zonal DNS names. The IP address type must be IPv4 or Dualstack.

  • IPv6 – Create AAAA records for the private, Regional, and zonal DNS names. The IP address type must be IPv6 or Dualstack.

  • Dualstack – Create A and AAAA records for the private, Regional, and zonal DNS names. The IP address type must be Dualstack.