AWS PrivateLink

A networking feature that enables private connectivity from within a VPC to AWS services and third-party services without traversing the internet

Overview

AWS PrivateLink is a networking technology that enables private access from resources within a VPC to AWS services, your own services, and third-party SaaS services without traversing the internet. When you create a VPC endpoint, an ENI (Elastic Network Interface) with a private IP address is placed within the VPC, and traffic stays entirely within the AWS backbone network. Since data is never exposed to the internet, it is widely adopted by financial institutions and healthcare organizations with strict security requirements.

Interface Endpoints vs. Gateway Endpoints

VPC endpoints come in two types: interface endpoints (PrivateLink) and gateway endpoints. Interface endpoints create an ENI in a specified subnet and assign a private IP address. They support access control via security groups and cover over 100 AWS services (EC2 API, Lambda, Secrets Manager, CloudWatch Logs, STS, etc.). Pricing is based on endpoint uptime (approximately 0.01 USD/hour/AZ) and data processing (approximately 0.01 USD/GB). Gateway endpoints are a special type that supports only S3 and DynamoDB, operating by adding entries to route tables. Since they don't create ENIs, there are no additional charges, making them cost-advantageous for workloads with heavy S3 or DynamoDB access. However, they don't support security group-based control - access control is managed through endpoint policies instead. S3 also supports interface endpoints, which are required when accessing S3 from on-premises via Direct Connect.

Cost Savings as a NAT Gateway Alternative

There are two ways for resources in private subnets to access AWS services: internet access via NAT Gateway, and PrivateLink. NAT Gateway charges 0.045 USD/GB for data processing, and costs escalate rapidly for workloads that exchange large volumes of data with AWS services - for example, Lambda functions sending large amounts of logs to CloudWatch Logs, or EC2 instances reading large datasets from S3. Using gateway endpoints (free) for S3 and DynamoDB, and interface endpoints for other AWS services, can significantly reduce NAT Gateway data processing charges. Interface endpoint data processing costs 0.01 USD/GB - roughly one-quarter of NAT Gateway rates. However, since endpoint uptime charges apply per AZ, creating endpoints for infrequently accessed services can actually increase costs. As a rule of thumb, creating an endpoint is worthwhile for services with monthly data transfer exceeding 100 GB. For a deeper understanding of AWS networking architecture, books on AWS networking (Amazon) are a great resource.

Publishing Services via Endpoint Services

PrivateLink isn't just for accessing AWS services - it also lets you privately publish your own services to other AWS accounts or VPCs. By placing a service behind a Network Load Balancer (NLB) and registering it as an endpoint service, other accounts' VPCs can access it through interface endpoints. Unlike VPC peering or Transit Gateway, there's no need to worry about IP address overlap, and the service provider's and consumer's networks remain completely isolated while communicating. This is used by SaaS providers publishing services to customer VPCs, and by shared platform teams in large enterprises providing microservices to business unit VPCs. When configuring endpoint services, you can choose whether to approve connection requests manually or automatically. For high-security requirements, manual approval is recommended, where you verify the connecting account ID before granting access. Combined with Gateway Load Balancer (GWLB), you can also deliver network appliances like firewalls and IDS/IPS via PrivateLink.
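The two controls the article singles out, endpoint policies (the only control on a gateway endpoint) and manual acceptance on an endpoint service, can be audited from the API output. The script below is an added example, not code from the article or from AWS; it works on constructed records shaped like `ec2:DescribeVpcEndpoints` and `ec2:DescribeVpcEndpointServiceConfigurations` output, and the IDs, region and organization ID in them are placeholders.

```python
import json

# Default endpoint policy AWS applies when none is supplied: full access.
_FULL_ACCESS = '{"Statement":[{"Action":"*","Effect":"Allow","Resource":"*","Principal":"*"}]}'

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_unrestricted(stmt):
    """True for an Allow statement granting any principal any action on any resource
    with no Condition block (a Condition such as aws:PrincipalOrgID is a real restriction)."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal", {})
    any_principal = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return (any_principal and "*" in _as_list(stmt.get("Action", []))
            and "*" in _as_list(stmt.get("Resource", [])))

def endpoint_findings(endpoint):
    """Findings for one record shaped like ec2:DescribeVpcEndpoints output."""
    findings = []
    policy = json.loads(endpoint.get("PolicyDocument") or _FULL_ACCESS)
    if any(is_unrestricted(s) for s in _as_list(policy.get("Statement", []))):
        findings.append("endpoint policy allows any principal any action on any resource")
        if endpoint["VpcEndpointType"] == "Gateway":
            # Gateway endpoints have no security group, so the policy is the only control.
            findings.append("gateway endpoint relies on its policy alone")
    return findings

def service_findings(service):
    """Findings for one record shaped like ec2:DescribeVpcEndpointServiceConfigurations output."""
    if not service.get("AcceptanceRequired", False):
        return ["endpoint service auto-accepts connection requests"]
    return []

# Constructed sample records (placeholder IDs, not from a real account).
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.ap-northeast-1.s3", "PolicyDocument": None},
    {"VpcEndpointId": "vpce-0bbb", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.ap-northeast-1.secretsmanager",
     "PolicyDocument": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*",
        "Resource": "*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLE"}}}]})},
]
SAMPLE_SERVICES = [{"ServiceId": "vpce-svc-0ccc", "AcceptanceRequired": False}]

def audit(endpoints=SAMPLE_ENDPOINTS, services=SAMPLE_SERVICES):
    """Map each endpoint or service ID to its findings; an empty list means nothing was flagged."""
    report = {e["VpcEndpointId"]: endpoint_findings(e) for e in endpoints}
    report.update({s["ServiceId"]: service_findings(s) for s in services})
    return report

if __name__ == "__main__":
    for rid, found in audit().items():
        print(rid, "OK" if not found else "; ".join(found))
```

To run it against a real account, feed `audit()` the `VpcEndpoints` and `ServiceConfigurations` lists returned by the two describe calls.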
