This article outlines the steps to expose on-premises applications to consumers in AWS as a SaaS-style service using AWS PrivateLink.
Customers often need to access on-premises applications from their AWS environments, but this can be challenging when there is IP address overlap between the on-premises network and the AWS VPC CIDRs. While the ideal solution would be to renumber the networks, this is not always feasible.
In this article, we'll discuss an alternative approach using AWS PrivateLink to expose on-premises applications as a SaaS service to AWS consumers. For more information on solving IP address overlap problems, you can refer to this blog post.
Before we begin, let's introduce some key concepts:
AWS PrivateLink: A highly available, scalable technology that enables you to privately connect your VPC to services as if they were in your VPC. Traffic from your Service Consumer VPC is sent to an Endpoint Service using an AWS managed hyperplane connection between the VPC Endpoint and the Endpoint Service, without traversing the public internet.
Endpoint Service: A service that a provider creates to make their service available in a Region. The provider must specify a load balancer when creating the Endpoint Service to receive and route requests from service consumers.
Service Name: Each Endpoint Service is identified by a unique service name. Service consumers must specify the name of the service when creating a VPC Endpoint to connect to the service.
Service Consumer: The user of a service, who creates a VPC Endpoint to connect their VPC to the Endpoint Service.
Service Provider: The provider of the service, who creates a VPC Endpoint Service for the Network Load Balancer which has the application servers as its targets.
VPC Endpoint: A network interface created by the service consumer in their VPC to connect to an Endpoint Service. The consumer must specify the service name when creating the VPC Endpoint.
Considerations (as of the Dec 3, 2024 update to this article):
- AWS PrivateLink supports UDP over both IPv4 and IPv6; the AWS Network Load Balancer (NLB) supports UDP over IPv6. Refer to this blog to read more about using UDP with AWS PrivateLink.
- All connections must be initiated from the service consumer to the service provider. TCP connections initiated from the provider to the consumer are dropped, so protocols that require the server to open a separate connection back to the client will not work through PrivateLink.
- Starting Nov 2024, AWS PrivateLink supports native cross-Region connectivity; refer to the launch announcement for the Regions supported at the time of launch.
Steps for Service Provider:
- Identify a Unique IP Range: Identify a small block of IPv4 addresses that is unused on-premises and does not overlap any range the on-premises network already routes (typically carved out of the on-premises address plan) to use as the Service Provider VPC CIDR. It only needs to hold the Network Load Balancer nodes (one subnet per Availability Zone), so a small block is enough.
- Create the Service Provider VPC: Create a VPC in AWS and assign the CIDR block identified in step 1. Create subnets in multiple Availability Zones for high availability.
- Establish Hybrid Connectivity: Establish connectivity between the on-premises network and the Service Provider VPC using AWS Direct Connect or AWS Site-to-Site VPN. Advertise the on-premises CIDR block to AWS and learn the VPC CIDR on-premises over the established connectivity.
- Test Connectivity: Spin up a temporary instance in the Service Provider VPC to test connectivity to the on-premises servers. Note the round-trip time (RTT), as a baseline for network latency.
- Create a Target Group: Create a Target Group with target type IP and register the IP addresses of the on-premises application servers as targets, selecting all for the Availability Zone since the targets are outside the VPC. NLB IP targets outside the VPC must be private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or 100.64.0.0/10).
- Create a Network Load Balancer: Create an internal Network Load Balancer in the Service Provider VPC subnets, add a listener that forwards to the Target Group created in step 5, and confirm that the health checks report all targets healthy. Both the health checks and the forwarded application traffic reach the on-premises servers with the NLB's private IP addresses in the Service Provider VPC as the source, so on-premises firewalls must allow those addresses on the application and health-check ports.
- Create a VPC Endpoint Service: As the Service Provider, create a VPC Endpoint Service backed by the Network Load Balancer from step 6 and note the unique Service Name. Refer to the documentation here to learn more about configuring the endpoint service. After creating the Endpoint Service, add permissions for the AWS principals of the Service Consumers that may connect, and consider requiring acceptance of connection requests so that an allowed principal cannot attach to your service unnoticed. Then make the Service Name available to the service consumers.
Steps for Service Consumers:
- Configure the Consumer VPC: Set up the VPC where the consumer application will be hosted. This VPC can have overlapping IP addresses with the on-premises network.
- Obtain the VPC Endpoint Service Name: Obtain the unique Service Name from the Service Provider. By default an endpoint service is not visible to service consumers: the Service Provider must add permissions that allow specific AWS principals to create an interface VPC endpoint for the endpoint service and, if acceptance is required, accept your endpoint's connection request.
- Create a VPC Endpoint: As the Service Consumer, create an interface VPC Endpoint for the service in the consumer VPC, specifying the Service Name, the subnets (one per Availability Zone you need) and a security group that allows the consumer application's traffic to the endpoint network interfaces. Note the VPC Endpoint DNS name.
- Configure the Consumer Application: Configure the consumer application to access the on-premises application using the VPC Endpoint.
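The provider procedure (steps 5 to 7) and the consumer procedure (step 3, plus the provider's acceptance of the connection) as an added example in AWS CLI form; this is not code from the article. Every VPC, subnet, security group and account identifier and the two on-premises server addresses at the top are assumed placeholders, and for demonstration the script assumes one set of credentials can act as both provider and consumer. By default it only prints the commands it would run; APPLY=1 executes them. The is_private_ipv4 check reflects the NLB restriction that IP targets outside the VPC must come from the RFC 1918 or 100.64.0.0/10 ranges.

```shell
#!/bin/sh
# Added example (not from the article): the provider and consumer procedures as AWS CLI calls.
# By default each command is only printed (dry run); set APPLY=1 to execute it.
# Every ID, name and address below is an assumed placeholder for the operator to replace.
set -eu

REGION="${REGION:-us-east-1}"
PROVIDER_VPC_ID="${PROVIDER_VPC_ID:-vpc-0provider000000000}"
PROVIDER_SUBNET_IDS="${PROVIDER_SUBNET_IDS:-subnet-0provider0a subnet-0provider0b}"  # one per AZ
ONPREM_TARGETS="${ONPREM_TARGETS:-10.10.20.11 10.10.20.12}"   # on-premises application servers
APP_PORT="${APP_PORT:-443}"
CONSUMER_ACCOUNT="${CONSUMER_ACCOUNT:-111122223333}"
CONSUMER_VPC_ID="${CONSUMER_VPC_ID:-vpc-0consumer000000000}"
CONSUMER_SUBNET_IDS="${CONSUMER_SUBNET_IDS:-subnet-0consumer0a subnet-0consumer0b}"
CONSUMER_SG_ID="${CONSUMER_SG_ID:-sg-0consumer000000000}"   # must allow APP_PORT from the consumer app

# run: with APPLY=1 execute the command; otherwise print it on stderr and return a
# placeholder on stdout so that captured IDs still flow into the later steps.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf 'DRY-RUN: %s\n' "$*" >&2
    echo "placeholder"
  fi
}

# ip_to_int: dotted-quad IPv4 to an integer for the range checks below.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# is_private_ipv4: NLB IP targets outside the VPC (our on-premises servers) must come from
# 10/8, 172.16/12, 192.168/16 or 100.64/10; anything else is refused before registration.
is_private_ipv4() {
  local n
  n=$(ip_to_int "$1")
  [ $(( n >> 24 )) -eq 10 ] && return 0
  [ $(( n >> 20 )) -eq $(( (172 << 4) + 1 )) ] && return 0    # 172.16.0.0/12
  [ $(( n >> 16 )) -eq $(( (192 << 8) + 168 )) ] && return 0  # 192.168.0.0/16
  [ $(( n >> 22 )) -eq $(( (100 << 2) + 1 )) ] && return 0    # 100.64.0.0/10
  return 1
}

# provider_setup: provider steps 5 to 7; sets SVC_ID and SVC_NAME for the later steps.
provider_setup() {
  local ip tg_arn targets lb_arn
  targets=""
  for ip in $ONPREM_TARGETS; do
    is_private_ipv4 "$ip" || { echo "refusing non-private target $ip" >&2; return 1; }
    # AvailabilityZone=all is required for IP targets that live outside the VPC.
    targets="$targets Id=$ip,Port=$APP_PORT,AvailabilityZone=all"
  done
  tg_arn=$(run aws elbv2 create-target-group --region "$REGION" --name onprem-app-tg \
    --protocol TCP --port "$APP_PORT" --vpc-id "$PROVIDER_VPC_ID" --target-type ip \
    --health-check-protocol TCP --query 'TargetGroups[0].TargetGroupArn' --output text)
  run aws elbv2 register-targets --region "$REGION" --target-group-arn "$tg_arn" --targets $targets
  lb_arn=$(run aws elbv2 create-load-balancer --region "$REGION" --name onprem-app-nlb \
    --type network --scheme internal --subnets $PROVIDER_SUBNET_IDS \
    --query 'LoadBalancers[0].LoadBalancerArn' --output text)
  run aws elbv2 create-listener --region "$REGION" --load-balancer-arn "$lb_arn" \
    --protocol TCP --port "$APP_PORT" --default-actions "Type=forward,TargetGroupArn=$tg_arn"
  # Acceptance required: an allowed principal still cannot connect without the provider's consent.
  SVC_ID=$(run aws ec2 create-vpc-endpoint-service-configuration --region "$REGION" \
    --network-load-balancer-arns "$lb_arn" --acceptance-required \
    --query 'ServiceConfiguration.ServiceId' --output text)
  run aws ec2 modify-vpc-endpoint-service-permissions --region "$REGION" --service-id "$SVC_ID" \
    --add-allowed-principals "arn:aws:iam::${CONSUMER_ACCOUNT}:root"
  SVC_NAME=$(run aws ec2 describe-vpc-endpoint-service-configurations --region "$REGION" \
    --service-ids "$SVC_ID" --query 'ServiceConfigurations[0].ServiceName' --output text)
}

# consumer_setup: consumer step 3; prints the new interface endpoint's ID.
consumer_setup() {
  run aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$CONSUMER_VPC_ID" \
    --vpc-endpoint-type Interface --service-name "$1" --subnet-ids $CONSUMER_SUBNET_IDS \
    --security-group-ids "$CONSUMER_SG_ID" --query 'VpcEndpoint.VpcEndpointId' --output text
}

# provider_accept: the provider approves the consumer's pending connection request.
provider_accept() {
  run aws ec2 accept-vpc-endpoint-connections --region "$REGION" --service-id "$1" \
    --vpc-endpoint-ids "$2"
}

# consumer_dns_name: the endpoint DNS name to configure in the consumer application.
consumer_dns_name() {
  run aws ec2 describe-vpc-endpoints --region "$REGION" --vpc-endpoint-ids "$1" \
    --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text
}

provider_setup
vpce_id=$(consumer_setup "$SVC_NAME")
provider_accept "$SVC_ID" "$vpce_id"
echo "point the consumer application at: $(consumer_dns_name "$vpce_id")"
```

Run it once as-is to review the plan, then with APPLY=1 in the provider account. When provider and consumer are different accounts, consumer_setup and consumer_dns_name run under the consumer's credentials (for example with a separate --profile), while provider_setup and provider_accept stay with the provider; the on-premises firewalls must already allow the Service Provider VPC subnets before the health checks can pass.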
Traffic Flow:
- The consumer application resolves the VPC Endpoint DNS name to access the on-premises application.
- The DNS name resolves to the private IP addresses of the VPC Endpoint network interfaces deployed in the consumer VPC.
- The VPC Endpoint uses AWS PrivateLink to transport the network packets to the corresponding VPC Endpoint Service.
- The VPC Endpoint Service forwards the traffic to the associated Network Load Balancer.
- The Network Load Balancer sends the traffic over the hybrid connection (Direct Connect or VPN) to the on-premises application servers.
This approach allows you to expose on-premises applications as a SaaS service to AWS consumers, without the need to re-number your networks. By using AWS PrivateLink, you can ensure secure and private access to your on-premises resources from the consumer VPCs.
However, keep in mind the considerations mentioned above, as they may affect the feasibility and design of your solution. If you would like to learn more about this solution, get in touch with your AWS contact.