What is AWS PrivateLink?
AWS PrivateLink is a networking feature from Amazon Web Services (AWS) that eases and secures connectivity between AWS Virtual Private Clouds (VPCs) and other services while protecting data from exposure to the internet.
AWS PrivateLink lets AWS customers privately connect their AWS VPC to supported AWS services and solutions as well as their on-premises (on-prem) networks as if these services, solutions and networks were in the VPC. PrivateLink enables communications with those services from the customer's private subnet without the customer needing to use internet gateways, Network Address Translation devices, or public IP addresses.
With PrivateLink, the connection between a VPC and AWS' cloud services can be established without exposing data to the public internet. AWS Partners may host services that PrivateLink supports, and the solutions may be available in AWS Marketplace. In fact, AWS PrivateLink can be used to connect to the following:
- Services sold in the AWS Marketplace.
- Other AWS services.
- Third-party software as a service (SaaS) applications.
- Enterprise applications, which may be hosted in another VPC.
Benefits of AWS PrivateLink
One of the biggest benefits of AWS PrivateLink is that it facilitates private -- therefore, more secure -- connectivity between VPCs, AWS services and on-prem networks. In doing so, it prevents the exposure of an organization's traffic to the security risks lurking on the public internet. For instance, it reduces the risk of brute force attacks and distributed denial-of-service attacks.
PrivateLink also lets users transfer data in a private, secure manner, which can be a critical advantage for critical or sensitive data. By connecting services across different AWS accounts and VPCs, PrivateLink also simplifies enterprise network architectures, which reduces the effort required to maintain and manage it. For example, an enterprise might have many AWS accounts and VPCs. AWS PrivateLink connects services to these many endpoints without needing an administrator to establish firewall rules, internet gateways or VPC peering.
The private connectivity AWS PrivateLink delivers can also benefit customers with hybrid cloud deployments. To realize a secure hybrid infrastructure, businesses can connect on-prem applications and data to AWS-hosted SaaS applications. When exchanging data with the SaaS applications, they can secure their traffic using private IP addresses. In doing this, companies can deliver more secure SaaS services while maintaining compliance with data security or privacy regulations, such as the Health Insurance Portability and Accountability Act, General Data Protection Regulation, and Payment Card Industry Data Security Standard.
PrivateLink can also help companies that want to migrate data to the cloud. Combining PrivateLink with AWS Direct Connect or a VPN can accelerate cloud migrations with a high level of security.
How AWS PrivateLink works
The AWS PrivateLink architecture consists of several important building blocks:
- The organization's on-prem data center.
- AWS Direct Connect or a VPN.
- Interface VPC endpoints.
- AWS PrivateLink itself.
AWS Direct Connect or a VPN are required to allow on-prem resources in the data center to access services on AWS.
The VPC endpoints enable connectivity to AWS services and solutions that integrate with AWS PrivateLink. There can be several VPC endpoints depending on the organization's requirements. One endpoint might connect to an AWS service, for example, and another to an AWS Marketplace partner service. A third might connect private applications to service provider APIs, and a fourth might connect to a service hosted by another AWS account, which is known as a VPC endpoint service. Organizations can create such services and make them available to other AWS customers.
Users can create, access, and manage VPC endpoints in one of three ways: via the web-based AWS Management Console, via the AWS Command Line Interface, or by creating templates in AWS CloudFormation. Additionally, AWS provides software development kits that take care of many connection details so organizations don't have to worry about calculating signatures, handling request retries, or fixing errors as they build or manage VPC endpoints.
How to create and use AWS PrivateLink
AWS customers can create PrivateLink connections via the AWS Management console, which can also be used to access AWS PrivateLink resources.
To use the technology, users must create an interface VPC endpoint to interface with an AWS-hosted or third-party service from the AWS Marketplace, with SaaS applications or with enterprise applications outside the VPC. They must also create a Network Load Balancer for the application in the VPC and then ensure that the VPC endpoint configuration points to that load balancer. Doing so establishes an elastic network interface in the consumer's subnet with a private IP address through which traffic enters to enable access to a service. The consumer and service may or may not be in the same VPC.
For on-premises applications to connect with supported services, PrivateLink integrates with AWS Direct Connect to create a secure and private network. AWS PrivateLink integrates with VPC security groups and AWS identity and access management policies.
AWS has cloud networking services for load balancing, traffic routing, content delivery and more. Learn about which AWS services and features work best.
