Networking

Private Connectivity with AWS PrivateLink - VPC Endpoints and Endpoint Services

Connect to AWS services privately without traversing the internet. Learn about free Gateway Endpoints and building Endpoint Services.

約 3 分で読めます

Overview of PrivateLink

PrivateLink is a service that provides private connectivity from a VPC to AWS services and SaaS applications. Traffic stays within the AWS private network without traversing an internet gateway or NAT Gateway. This enables the use of AWS services even in environments where internet access is prohibited for security requirements.

Types of Endpoints

Interface Endpoints create an ENI (Elastic Network Interface) in a subnet, providing access to AWS services via a private IP address. They incur hourly and data processing charges. Gateway Endpoints are exclusive to S3 and DynamoDB, working by adding a prefix list to the route table. They are free to use, and Gateway Endpoints are recommended for heavy S3 access. Endpoint Policies can restrict access to specific S3 buckets, preventing unintended data exfiltration.

Building Endpoint Services

To expose your own service to other accounts via PrivateLink, place the service behind an NLB or GWLB and create an Endpoint Service. Allowed principals control which accounts or IAM principals can connect, and you can configure manual or automatic approval of connection requests. On the consumer side, an Interface Endpoint is created to access the service via a private DNS name. When a private DNS name is configured, DNS resolution within the consumer's VPC points to the endpoint's ENI, enabling a switch to private connectivity without application code changes. Endpoint Policies restrict access to specific API actions or resources, preventing data exfiltration. For more on VPC Endpoints, see related books on Amazon.

PrivateLink Pricing and Design Guidelines

Interface Endpoints incur hourly charges (approximately $0.01/hour) and data processing charges (approximately $0.01/GB) per AZ. Multi-AZ configurations multiply costs by the number of AZs, so determine the number of AZs based on availability requirements. Gateway Endpoints (S3, DynamoDB) are free and represent the most effective cost optimization for reducing traffic through NAT Gateway. For high data transfer volumes, compare PrivateLink data processing charges with NAT Gateway data processing charges to choose the more cost-efficient option. VPC Endpoint usage can be monitored with CloudWatch metrics, and unused endpoints can be identified and deleted to reduce costs.

Summary

PrivateLink provides private connectivity from VPCs, enabling secure communication without traversing the internet. Gateway Endpoints establish free private connectivity to S3/DynamoDB, while Interface Endpoints provide private access to over 100 AWS services. Endpoint Policies restrict access, and Endpoint Services securely expose your own services to other accounts.

Related Services

AWS PrivateLinkConnect privately from your VPC to AWS services and third-party services without traversing the internetAmazon VPCBuild a logically isolated virtual network on AWSAmazon S3A scalable object storage service

Related Articles

Service Networking with Amazon VPC Lattice - Simplifying Microservice CommunicationSimplify cross-VPC and cross-account microservice communication with L7 service networking that requires no Envoy proxies. Learn about IAM authentication and when to choose VPC Lattice over App Mesh.Amazon VPC Network Design - Subnet Architecture and NAT Gateway OptimizationLearn how to design public/private subnet separation, layered security group management, and reduce NAT Gateway costs with Gateway VPC Endpoints.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.

More on This Topic

Building a Service Mesh with AWS App Mesh - Controlling and Observing Microservice CommunicationLearn how to declaratively configure canary deployments, retry policies, and mTLS encryption using Envoy sidecars, and visualize service dependencies with X-Ray integration.Service Discovery with AWS Cloud Map - Dynamic Name Resolution for MicroservicesDynamically discover microservice endpoints using DNS-based and API-based approaches. Learn how to automate service registration and deregistration through integration with ECS and EKS.How CloudFront's 600+ PoPs Work - Anycast Routing and the Cache HierarchyLearn how CloudFront routes user requests to the nearest PoP using Anycast, the two-tier structure of edge locations and regional edge caches, and the design factors that determine cache hit rates.Dedicated Connection Design - Achieving Stable Private Network Connectivity with Direct ConnectLearn about dedicated connection design with AWS Direct Connect, including choosing between dedicated and hosted connections, redundancy configurations, and achieving stable private network connectivity through VPC integration.Building Dedicated Connections with AWS Direct Connect - Redundancy Design and Traffic ControlDesign redundant dedicated connections and connect to VPCs across multiple regions with Direct Connect Gateway. This article also covers bandwidth aggregation with LAG and MACsec encryption.Elastic IP Address Management and Design - Static IP Usage and Cost OptimizationLearn about Elastic IP allocation, EC2 association, cost implications of unused EIPs, and alternative approaches to consider.Why ELB Has Three Types - The Design Rationale Behind ALB, NLB, and CLBExplore why ALB, NLB, and CLB (Classic) coexist rather than being unified into a single service, examining OSI model layers, performance characteristics, and historical context.Global Network Optimization with AWS Global Accelerator - Low-Latency Delivery and FailoverLearn how to route traffic onto the AWS global network using Anycast IPs, design endpoint groups, and achieve failover through health checks.

Similar Articles and Services

AWS PrivateLinkA networking feature that enables private connectivity from within a VPC to AWS services and third-party services without traversing the internetAmazon VPC Network Design - Subnet Architecture and NAT Gateway OptimizationLearn how to design public/private subnet separation, layered security group management, and reduce NAT Gateway costs with Gateway VPC Endpoints.The Real Reason NAT Gateway Is Expensive - How Data Processing Charges Work and How to Avoid ThemBreak down the mechanisms behind NAT Gateway's high hourly and data processing charges, and explore practical cost-reduction strategies including VPC endpoints, NAT instances, and IPv6 migration.Amazon VPCA service for building a logically isolated virtual network within the AWS cloud, giving you full control over IP address ranges, routing, and security