Is connecting over the internet a concern? Enter, PrivateLink
For organisations that are ultra concerned about keeping their services private, especially Financial Services, one of the bugbears of using the AWS public Cloud environment can be that all the AWS services need to be accessed over the Internet using public addressing. Not any more. Terry Wise of AWS has just announced PrivateLink at re:Invent (see the what’s new article). It’s a new service that exposes a range of AWS services so that they can be accessed without going via the Internet. PrivateLink supports not only AWS services but customer and partner delivered services too.
This means that customers can now access AWS and partner hosted services via a private endpoint within their VPC. Cleverly, the service is exposed as a network interface with a private IP address. This differs from the existing VPC Endpoints for S3 and DynamoDB: those endpoints do not exist inside your VPC but are routed via the AWS network – it’s like a virtual cross connect.
An example VPC Endpoint Diagram with AWS PrivateLink
PrivateLink means no more NAT gateways and firewall proxies
Since the PrivateLink endpoint is actually inside your VPC, routes can be configured to point at the endpoint and Security Groups can be associated with it. PrivateLink removes the need to whitelist public IPs or enable Internet connectivity using an Internet Gateway. No more NAT gateways and firewall proxies. In fact, if your services have no need to access the Internet, you don’t need to associate an Internet Gateway with your VPC at all (or you can associate an egress-only Internet Gateway to allow outbound connectivity if required). If you are using Route 53 for your DNS (and you should), then a DNS entry will be created for the service to override the public DNS name of the service, making the transition seamless and transparent to consumers of the service. No application changes required. A round of applause, AWS!
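To make the mechanics above concrete, here is a constructed Terraform fragment (added for this post, not AWS code or anything from the announcement) that creates an interface endpoint for the EC2 API inside an existing VPC: a Security Group on the endpoint’s network interface, private DNS overriding the public name, and deliberately no Internet Gateway or NAT gateway anywhere in the configuration. The VPC id and private subnet ids are assumed to be supplied as variables.

```hcl
# Constructed example: an interface endpoint for the EC2 API that is reachable
# only from inside the VPC. No aws_internet_gateway or aws_nat_gateway resource
# is declared; the VPC can stay fully private.
variable "vpc_id" {
  type = string            # assumption: an existing VPC
}

variable "subnet_ids" {
  type = list(string)      # assumption: private subnets, one per AZ
}

data "aws_vpc" "this" {
  id = var.vpc_id
}

data "aws_region" "current" {}

# Security Group attached to the endpoint's network interfaces: only HTTPS
# from addresses inside the VPC may reach the service. No public IP is
# whitelisted, because nothing public is involved.
resource "aws_security_group" "ec2_endpoint" {
  name   = "ec2-api-endpoint"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# The endpoint itself: an elastic network interface with a private IP in each
# listed subnet. private_dns_enabled makes the public service hostname
# (ec2.<region>.amazonaws.com) resolve to those private IPs from inside the
# VPC, so existing SDK and CLI calls need no changes. Private DNS requires
# enableDnsSupport and enableDnsHostnames on the VPC (assumption: already set).
resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.ec2"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.ec2_endpoint.id]
  private_dns_enabled = true
}

# The private DNS names and the ENIs created for the endpoint, for verification.
output "endpoint_dns_entries" {
  value = aws_vpc_endpoint.ec2.dns_entry
}

output "endpoint_network_interfaces" {
  value = aws_vpc_endpoint.ec2.network_interface_ids
}
```

After `terraform apply`, an instance in one of the listed subnets should resolve the EC2 API hostname to an address inside the VPC CIDR, which is the quick check that traffic is no longer leaving via the Internet.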
The following AWS services will initially be available via PrivateLink, with more being added in the next few months: Amazon EC2, Elastic Load Balancing (ELB), Kinesis Streams, Service Catalog and EC2 Systems Manager. Partner services will be rolled out over the coming months. This is particularly important to SaaS-based technology partners and their customers. Now you will be able to connect to your providers using a private network instead of the Internet, simplifying and securing your network configuration.
We are excited about the prospect and opportunity for PrivateLink. It seems so simple, but as the service coverage expands, it promises to be a beautiful little feature. It’s another great example of how the AWS platform continues to evolve and improve.
Note that the initial version of PrivateLink was announced shortly before re:Invent and this was enhanced with additional announcements today. Here’s the pre-re:Invent AWS announcement from the 8th of November.