News
AWS Launches PrivateLink To Wall Off VPC Traffic
A new Amazon Web Services (AWS) offering ensures that its Virtual Private Cloud (VPC) users can connect safely to other AWS services without going through the public Internet.
Launched earlier this month, PrivateLink provides direct secure connections from VPCs to other AWS services. It's similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except Direct Connect links users' on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from users' VPC environments, which are already in AWS.
In a blog post, AWS Senior Engineer Colm MacCárthaigh described PrivateLink as "the newest generation" of the existing VPC Endpoints service. As its name suggests, a regular VPC Endpoint connection establishes a link from a user's VPC to another AWS service by creating an endpoint that's outside the original VPC. But with PrivateLink, the new endpoint is created inside the user's VPC, MacCárthaigh explained.
Architecture of AWS PrivateLink. (Source: AWS)
"With traditional endpoints, it's very much like connecting a virtual cable between your VPC and the AWS service. Connectivity to the AWS service does not require an Internet or NAT gateway, but the endpoint remains outside of your VPC," he wrote. "With PrivateLink, endpoints are instead created directly inside of your VPC, using Elastic Network Interfaces (ENIs) and IP addresses in your VPC's subnets. The service is now in your VPC, enabling connectivity to AWS services via private IP addresses. That means that VPC Security Groups can be used to manage access to the endpoints and that PrivateLink endpoints can also be accessed from your premises via AWS Direct Connect."
PrivateLink is now available for all non-government AWS regions except for Beijing. Currently, PrivateLink can connect to just five AWS services: EC2, EC2 Systems Manager, Elastic Load Balancing, Kinesis and Service Catalog. However, AWS does plan to expand that list to include other solutions, including CloudWatch and Key Management Service, MacCárthaigh said.