AWS PrivateLink Connection Setup Guide¶
Info
- You want to access a service in another AWS account, or one run by a third party, that is exposed via AWS PrivateLink.
- The service provider gives you a Service Name and a Private DNS Name (for example, api.partner.com).
- For this connection to work, both endpoints need to be in the same AWS Region. For cross-Region access, follow the separate cross-Region documentation instead.
Obtain Service Information¶
Contact the service provider and request:
- Service Name
  - example: com.amazonaws.vpce.us-east-1.vpce-svc-f9330539c752b7993
  - The Region is encoded in the name (us-east-1 here); your VPC must be in that Region.
- Service Private DNS Name
  - example: api.partner.com
Visual connection flow¶
```mermaid
flowchart TD
A["Your VPC resources<br/>(EC2, Lambda, ECS, etc.)"]
B["VPC Endpoint<br/>(Interface Endpoint)"]
C["AWS Private Network"]
D["Service Provider's VPC"]
E["Service<br/>at api.partner.com"]
A --> B
B --> C
C --> D
D --> E
```
Create a VPC Endpoint¶
- Sign in to the AWS Console:
  - Go to the AWS Management Console and log in using your AWS credentials.
- Navigate to VPC:
  - In the top search bar, type VPC, then select Endpoints.
- Create a new endpoint:
  - Click the Create endpoint button.
- Configure endpoint details:
  - Service type: select PrivateLink Ready partner services. If the provider is not listed as a PrivateLink Ready partner, choose the option for other endpoint services instead; the service name is entered the same way.
  - Service name: enter the service name provided above.
  - Verify: click Verify to make sure AWS can resolve the service. If verification fails, the name is mistyped, your VPC is in a different Region than the service, or the provider has not yet allowed your AWS account on the service.
- Specify VPC:
  - Select the VPC where the workloads that need to access the service are running.
- Select subnets:
  - Choose at least one subnet per Availability Zone in which you want the endpoint to be available. An endpoint network interface (ENI) with a private IP address from that subnet is created in each selected subnet.
- Set security groups:
  - Assign a security group to the endpoint's ENIs. See the section "How to Create a Security Group Restricting Traffic from Your VPC" below for a best practice.
- Configure policy (optional):
  - Set the endpoint policy (the default is full access).
  - You can use this to restrict which IAM principals and resources in your account are allowed to use this endpoint. The policy is only enforced by services that authorize requests through IAM; most third-party endpoint services do not, so the security group remains the primary access control for the endpoint.
- Enable private DNS name:
  - If the service provider supports Private DNS, enable this option. It requires the VPC's DNS support and DNS hostnames attributes to be enabled.
  - Resources in your VPC will then transparently access the service at api.partner.com via PrivateLink, because that name now resolves inside the VPC to the endpoint's ENI addresses instead of the provider's public addresses.
- Create the endpoint:
  - Review and click Create endpoint.
Endpoint Acceptance¶
Warning
If the endpoint stays in the Pending acceptance state, let the service provider know: the provider has configured the service to require manual approval of each connection request, and nothing will work until they accept yours.
Testing and Validation¶
Once the endpoint status is Available, you can use it.
- Test DNS resolution within your VPC (from an EC2 instance, for example): resolve api.partner.com through the VPC resolver. It should resolve to the private IP address(es) of your VPC endpoint's ENIs, one per subnet you selected. If it still resolves to public addresses, Private DNS is not in effect (not enabled on the endpoint, not supported by the provider, or the VPC's DNS support/DNS hostnames attributes are off) and traffic is leaving the VPC instead of using PrivateLink.
- Test service access from inside your VPC: make an HTTPS request to api.partner.com and confirm that the connection goes to one of those private addresses and that the certificate is valid for the name.
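The two checks above, as an added example script that is not part of the guide: it resolves the Private DNS name and verifies every returned address falls inside the VPC CIDR (i.e. is an endpoint ENI, not a public address of the provider), then makes one HTTPS request and reports which address it actually connected to. The name api.partner.com and the CIDR 10.0.0.0/16 are the guide's examples; the environment variables CHECK_NAME and CHECK_CIDR are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the guide): confirm that the provider's Private DNS name resolves
# to addresses inside your VPC CIDR (the endpoint's ENIs) rather than to public addresses.
# Assumed inputs: the name api.partner.com and the VPC CIDR 10.0.0.0/16 from the guide.

# Dotted-quad IPv4 address -> 32-bit integer (POSIX sh, no bashisms).
ip_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeeds when IP lies inside CIDR, e.g. in_cidr 10.0.1.25 10.0.0.0/16
in_cidr() {
  _net=${2%/*}; _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# check_resolution NAME CIDR [IP ...]: resolves NAME through the VPC resolver unless addresses
# are given explicitly (offline self-test). Prints a verdict per address and returns 1 if any
# address is outside CIDR, 2 if the name does not resolve at all.
check_resolution() {
  _name=$1; _cidr=$2; shift 2
  if [ $# -eq 0 ]; then
    # getent uses /etc/resolv.conf, i.e. the VPC resolver, which is where Private DNS is answered.
    set -- $(getent ahostsv4 "$_name" | awk '{ print $1 }' | sort -u)
  fi
  [ $# -gt 0 ] || { echo "$_name: no A records" >&2; return 2; }
  _rc=0
  for _ip in "$@"; do
    if in_cidr "$_ip" "$_cidr"; then
      echo "$_name -> $_ip  inside $_cidr (endpoint ENI, traffic stays on PrivateLink)"
    else
      echo "$_name -> $_ip  OUTSIDE $_cidr (Private DNS not in effect; traffic would leave the VPC)"
      _rc=1
    fi
  done
  return $_rc
}

# check_service NAME: live only. Shows the address curl really connected to; it must be one of
# the addresses reported above, and curl's certificate validation must pass for NAME.
check_service() {
  curl -sS -o /dev/null -w "connected to %{remote_ip}:%{remote_port}, HTTP %{http_code}\n" "https://$1/"
}

# Usage on an instance in the VPC:
#   CHECK_NAME=api.partner.com CHECK_CIDR=10.0.0.0/16 sh privatelink_check.sh
if [ -n "${CHECK_NAME:-}" ]; then
  check_resolution "$CHECK_NAME" "${CHECK_CIDR:-10.0.0.0/16}" && check_service "$CHECK_NAME"
fi
```

Run it from an instance in the VPC, not from your workstation: the Private DNS answer only exists inside the VPC, so anywhere else the name correctly resolves to the provider's public addresses and the script will report them as outside the CIDR.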
How to Create a Security Group Restricting Traffic from Your VPC¶
To ensure only resources in your VPC can use the endpoint:
- Identify your VPC CIDR
  - In the AWS Console, navigate to VPC > Your VPCs.
  - Find your VPC and copy its IPv4 CIDR block
    - example: 10.0.0.0/16
- Create a new security group
  - Go to VPC > Security Groups.
  - Click Create Security Group.
    - Name: privatelink-endpoint-sg
    - Description: Allow from my VPC
    - VPC: select your VPC
- Add inbound rule(s)
  - Set an inbound rule to allow expected traffic from your VPC only:
  Configuration
  We assume here that the remote service listens on port 443.
  | Type | Protocol | Port Range | Source | Description |
  |---|---|---|---|---|
  | HTTPS | TCP | 443 | 10.0.0.0/16 | Allow VPC only |
  - A CIDR source admits every host in the VPC. If only specific workloads should reach the partner service, use their security group as the source instead of the CIDR: the rule then follows those instances regardless of their addresses, and a compromised host elsewhere in the VPC cannot use the endpoint. Do not add a 0.0.0.0/0 rule; the endpoint ENIs are reachable from anything routed into the VPC (peering, VPN, Transit Gateway), and an open rule would expose the partner service to all of it.
- Attach security group to the endpoint
  - When creating or editing your VPC endpoint, choose privatelink-endpoint-sg as the security group.
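The same procedure, driven from the AWS CLI, as an added example that is not part of the guide: it covers both the "Create a VPC Endpoint" steps above and the security group from this section, and adds the two checks a practitioner wants before and after clicking through the console (that the VPC's DNS attributes allow Private DNS, and how to react to each endpoint state). The only value taken from the guide is the example service name; the Region, VPC, subnet and security group identifiers, the script name and the `apply` argument are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the guide or from AWS): CLI equivalent of the console procedure,
# including the endpoint security group. All identifiers below are assumed placeholders;
# only SERVICE_NAME reuses the example value from the guide.
set -e

REGION="us-east-1"                                   # must match the Region in the service name
SERVICE_NAME="com.amazonaws.vpce.us-east-1.vpce-svc-f9330539c752b7993"
VPC_ID="vpc-0123456789abcdef0"                       # assumed
SUBNET_IDS="subnet-0aaaaaaaaaaaaaaa0 subnet-0bbbbbbbbbbbbbbb0"   # one per AZ, assumed
VPC_CIDR="10.0.0.0/16"
CONSUMER_SG="sg-0ccccccccccccccc0"                   # SG of the workloads that call the service, assumed

# Private DNS only works when both VPC DNS attributes are on; check before creating the endpoint.
check_vpc_dns() {
  s=$(aws ec2 describe-vpc-attribute --region "$REGION" --vpc-id "$VPC_ID" \
        --attribute enableDnsSupport --query EnableDnsSupport.Value --output text)
  h=$(aws ec2 describe-vpc-attribute --region "$REGION" --vpc-id "$VPC_ID" \
        --attribute enableDnsHostnames --query EnableDnsHostnames.Value --output text)
  [ "$s" = "True" ] && [ "$h" = "True" ] && return 0
  echo "enable DNS support and DNS hostnames on $VPC_ID before enabling Private DNS" >&2
  return 1
}

# Shorthand --ip-permissions entry allowing PORT/tcp from one security group (the consumers').
sg_ref_permission() {
  printf 'IpProtocol=tcp,FromPort=%s,ToPort=%s,UserIdGroupPairs=[{GroupId=%s}]' "$2" "$2" "$1"
}

# create_endpoint_sg cidr|sg: "cidr" reproduces the guide's rule (443 from the whole VPC);
# "sg" is the tighter variant that only admits the consumers' security group. Prints the group id.
create_endpoint_sg() {
  sg=$(aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
        --group-name privatelink-endpoint-sg --description "Allow from my VPC" \
        --query GroupId --output text)
  if [ "$1" = "sg" ]; then
    aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg" \
        --ip-permissions "$(sg_ref_permission "$CONSUMER_SG" 443)" >/dev/null
  else
    aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg" \
        --protocol tcp --port 443 --cidr "$VPC_CIDR" >/dev/null
  fi
  echo "$sg"
}

# create_endpoint SG_ID: interface endpoint with Private DNS; prints the endpoint id.
# --private-dns-enabled fails if the provider has not configured a private DNS name for the service.
create_endpoint() {
  aws ec2 create-vpc-endpoint --region "$REGION" --vpc-endpoint-type Interface \
      --service-name "$SERVICE_NAME" --vpc-id "$VPC_ID" --subnet-ids $SUBNET_IDS \
      --security-group-ids "$1" --private-dns-enabled \
      --query VpcEndpoint.VpcEndpointId --output text
}

# classify_state STATE: 0 usable, 1 keep waiting, 2 provider must accept, 3 terminal failure.
classify_state() {
  case "$1" in
    available)         return 0 ;;
    pending)           return 1 ;;
    pendingAcceptance) return 2 ;;
    *)                 return 3 ;;   # rejected, failed, expired, deleting, deleted
  esac
}

# wait_for_endpoint ENDPOINT_ID: poll until the endpoint is usable, or stop with the reason.
wait_for_endpoint() {
  while :; do
    state=$(aws ec2 describe-vpc-endpoints --region "$REGION" --vpc-endpoint-ids "$1" \
              --query 'VpcEndpoints[0].State' --output text)
    rc=0; classify_state "$state" || rc=$?
    case $rc in
      0) echo "$1 is available"; return 0 ;;
      1) sleep 15 ;;
      2) echo "$1 is pendingAcceptance: ask the provider to accept the connection request" >&2; return 2 ;;
      *) echo "$1 ended in state '$state'" >&2; return 3 ;;
    esac
  done
}

# Run with:  sh privatelink_setup.sh apply [cidr|sg]
if [ "${1:-}" = "apply" ]; then
  check_vpc_dns
  SG_ID=$(create_endpoint_sg "${2:-cidr}")
  EP_ID=$(create_endpoint "$SG_ID")
  wait_for_endpoint "$EP_ID"
fi
```

The `sg` variant is the one to prefer when the consumers are known: a security-group source keeps working when instances are replaced and get new addresses, and it denies the rest of the VPC by default. The script deliberately does not attach an endpoint policy, since most third-party endpoint services do not evaluate one; if yours does, add `--policy-document` to the create call.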