WebSocket API Gateway Callback Traffic via AWS Private Network


Is it possible to send a callback from a pod running on a private EC2 instance to a WebSocket API Gateway via the AWS private network?

Currently, pods call the URL https://{api-id}.execute-api.us-east-1.amazonaws.com/{stage}/@connections/{connection_id}. As I understand it, this traffic passes through the public internet before reaching the WebSocket API Gateway and then forwards to the client. I would like to keep the traffic from pods to the WebSocket API Gateway (only up to the WebSocket API Gateway and not to the public client) within the AWS private network. Is this possible?

Thank you in advance!

1 Answer

A common misconception is that using a public IP address means you are using the internet. Yes, you might be; but there are large networks (such as AWS) that use public IP addressing.

If you are using public IP addresses to communicate between AWS services then the traffic stays on the AWS network. This is called out in the VPC FAQ:

Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?

No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.

What's not 100% clear from your question is where (in terms of IP addressing and network location) the client is. It's strongly implied that they are within AWS as well - and in that case (even if the client has a public/Elastic IP address) the traffic stays on the AWS network.

Your question is also about whether a callback can be initiated to an EC2 instance with a private IP address and the answer to that is generally no - you will need some other service (such as a load balancer or even something like Global Accelerator) to provide that "external" to "internal" traffic transfer.

AWS EXPERT, answered 20 days ago
AWS EXPERT, reviewed 20 days ago
  • Hi Brettski,

    Sorry if I was unclear. In my scenario, the client is not within the AWS service and connects to the WebSocket API through the public internet. Here's the relevant timestamp in the video: https://youtu.be/4pG07Wgw2cE?feature=shared&t=257

    This is a video from AWS Support that exhibits the callback from Lambda to the WebSocket API Gateway. Is traffic from Lambda to the WebSocket API Gateway (the callback to the WebSocket API Gateway) being routed through AWS PrivateLink?

    If that's the case, what's the purpose of VPC endpoints then? For private API Gateway endpoints, it's possible to attach a VPC endpoint and access those endpoints from private instances within the VPC. I was looking for a similar functionality with WebSocket APIs.

  • "Is the Lambda callback being routed through PrivateLink" - the video is inconclusive. The Lambda function could be using public IP addressing and exist outside a VPC and call the API Gateway service. Or it could be hosted within a VPC and calling the API Gateway private endpoint. Either would work. By WebSocket APIs do you mean HTTP API Gateway? If so, today they do not have a private endpoint.

  • Hi Brettski, I was referring to the WebSocket API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-overview.html A VPC endpoint cannot be attached to a WebSocket API. The Lambda sends data back to the WebSocket API through the callback URL, for example: POST https://{api-id}.execute-api.us-east-1.amazonaws.com/{stage}/@connections/{connection_id}. When I checked the VPC flow logs, this traffic has a public IP address. I wanted to make sure whether this traffic is routed through the public internet or the AWS network. If it leaves the AWS network, is there a way to keep that traffic within the AWS network?

    https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-websocket-api-data-from-backend.html

  • Given that it is an AWS service: even though it uses a public IP address, the traffic between it and other hosts that are also on AWS stays on the AWS network, even when public IP addresses are used. I feel that I'm not really answering your question, because in order to fully answer the question "does the traffic stay on the AWS network" you need to consider both endpoints (the source and the destination).
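The thread turns on one check a practitioner can actually run: take the destination addresses the VPC flow logs show for the @connections callback and confirm they fall inside the prefixes AWS publishes in https://ip-ranges.amazonaws.com/ip-ranges.json (the file has a `prefixes` list with `ip_prefix`, `region` and `service` fields, and `API_GATEWAY` is one of the published services). Combined with the VPC FAQ quoted in the answer, a destination inside a published AWS prefix is the evidence that the pod-to-API-Gateway leg stays on the AWS network; the API-Gateway-to-client leg is still public. The script below is an added example and is not code from the question, the answer, or AWS. The `ip-ranges.json` excerpt and the flow-log records are constructed for this example (RFC 5737 documentation prefixes stand in for real AWS ranges, and the account and ENI identifiers are placeholders); in practice you would fetch the real file and feed it your own flow-log export.

```python
"""Classify VPC flow-log destinations against the AWS published IP ranges.

Added example: decides, per flow record, whether the destination is inside the
VPC's private space, inside a published AWS prefix (and for which services), or
outside every AWS prefix (i.e. traffic that genuinely leaves AWS).
"""
import ipaddress
import json
from collections import Counter

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json.
# Same document shape as the real file; the prefixes are RFC 5737
# documentation ranges chosen for this example, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "API_GATEWAY", "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})

# Constructed VPC flow-log records in the default version-2 format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0abc123def456789a 10.0.1.25 203.0.113.17 43210 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.1.25 198.51.100.9 43211 443 6 8 1024 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.1.25 192.0.2.10 43212 443 6 5 700 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123def456789a 10.0.1.25 10.0.2.40 43213 8080 6 3 300 1700000000 1700000060 ACCEPT OK
"""

FLOW_LOG_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status"]

# RFC 1918 space: anything here never left the VPC's own addressing.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_prefixes(ip_ranges_json):
    """Return (network, service, region) tuples from an ip-ranges.json document."""
    doc = json.loads(ip_ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"], p["region"])
            for p in doc["prefixes"]]


def parse_flow_logs(text):
    """Parse version-2 flow-log lines; skip malformed lines and non-OK records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FIELDS):
            continue
        rec = dict(zip(FLOW_LOG_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(rec)
    return records


def classify_destination(dst, prefixes):
    """Label a destination address.

    'private'        RFC 1918 address, stayed inside the VPC
    'aws:<services>' inside a published AWS prefix (services sorted, comma-joined)
    'non-aws'        outside every published AWS prefix: this traffic leaves AWS
    """
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in RFC1918_NETS):
        return "private"
    services = sorted({svc for net, svc, _ in prefixes if addr in net})
    if services:
        return "aws:" + ",".join(services)
    return "non-aws"


def summarize(flow_log_text, ip_ranges_json):
    """Count flow records per destination class."""
    prefixes = load_prefixes(ip_ranges_json)
    counts = Counter()
    for rec in parse_flow_logs(flow_log_text):
        counts[classify_destination(rec["dstaddr"], prefixes)] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_FLOW_LOGS, SAMPLE_IP_RANGES).items():
        print(f"{label}: {n}")
```

Any record that lands in `non-aws` is the one worth investigating; a callback destination that classifies as `aws:API_GATEWAY,...` for the expected region is consistent with the answer's point that the hop stays on the AWS backbone even though the address is public. The real `ip-ranges.json` changes over time, so re-fetch it rather than caching a copy.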
