
How do I configure security groups and network ACLs when I create an Amazon VPC interface endpoint for endpoint services?


I want to configure security groups and network access control lists (network ACLs) when I create an Amazon Virtual Private Cloud (Amazon VPC) interface endpoint to connect to an endpoint service.

Resolution

When you create an Amazon VPC interface endpoint for an endpoint service, Amazon VPC creates an elastic network interface in each subnet that you specify. Because the network interface lives in that subnet, the network ACL that's associated with the subnet applies to the endpoint's traffic. You must also associate one or more security groups with the interface endpoint; their inbound rules control which clients can reach the endpoint network interface.

When you associate a Network Load Balancer with an endpoint service, the load balancer forwards requests to its registered targets as if the targets were registered by IP address. The load balancer doesn't preserve the client IP address for traffic that arrives through AWS PrivateLink, so the source IP addresses that the targets see are the private IP addresses of the load balancer nodes, not the address of the client or of the endpoint network interface.

If you're the provider of the endpoint service (that is, you have access to the service's configuration), then verify the following:

  • The inbound security group rules of the Network Load Balancer targets allow traffic from the private IP addresses of the Network Load Balancer nodes on the target port. A rule that allows only the consumer's client CIDR doesn't match this traffic. For more information, see Considerations.
  • The network ACL rules of the target subnets allow traffic from the private IP addresses of the Network Load Balancer nodes on the target port, and allow the return traffic to those addresses on the ephemeral port range.

Find the network ACL that's associated with your interface endpoint

Complete the following steps:

  1. Open the Amazon VPC console.
  2. Choose Endpoints, and then select your endpoint's ID.
  3. Choose the Subnets view.
  4. Select the associated subnets.
  5. In the Subnets section, note the network ACL that's associated with each subnet. Each subnet can have a different network ACL.

Find the security group that's associated with your interface endpoint

Complete the following steps:

  1. Open the Amazon VPC console.
  2. Choose Endpoints, and then select your endpoint's ID.
  3. Choose the Security Groups view.
  4. Note the IDs of the associated security groups.

Update the security group that's associated with your Network Load Balancer

If the Network Load Balancer has security groups, then you can control whether traffic that arrives through AWS PrivateLink is evaluated against the load balancer's inbound security group rules. If you turn on this enforcement, then the source that the inbound rules evaluate is the private IP address of the client, not the IP address of the endpoint network interface.

If you don't want the load balancer's inbound rules to apply to traffic that arrives through PrivateLink, then turn off enforcement on the load balancer. You can do this in the Amazon EC2 console, or with the AWS CLI by running aws elbv2 set-security-groups with the option --enforce-security-group-inbound-rules-on-private-link-traffic off. For more information, see Update the security groups for your Network Load Balancer.

Configure the security group that's associated with the interface endpoint

Note: Security groups are stateful. If a rule allows a connection in one direction, then the return traffic for that connection is allowed automatically, regardless of the rules in the other direction.

When you configure the inbound rule, for Port Range enter the port that your endpoint service listens on. For Source, enter the IP address or CIDR block of the client that initiates the connection. Use the narrowest source that covers your clients (a single host as a /32, or the client subnet's CIDR) rather than 0.0.0.0/0, because any source that matches this rule can reach the service through the endpoint.

Note: You don't need to create an outbound rule in the security group that's associated with the interface endpoint. Because the security group is stateful, the inbound rule also allows the return traffic to the client.

Repeat these steps for each security group that's associated with your interface endpoint.

Configure the network ACL that's associated with the interface endpoint

Note: Network ACLs are stateless. You must define rules for both inbound and outbound traffic. Rules are evaluated in ascending order of rule number, and the first rule that matches the traffic decides, so verify that no lower-numbered deny rule matches the traffic that you're allowing.

Complete the following steps:

  1. Add rules to your network ACL.
  2. For the inbound rule, use the following configurations to allow traffic from the client:
    For Port Range, enter the same port as your endpoint service.
    For Source, enter the client's IP address or network.
  3. For the outbound rule, use the following configurations to allow return traffic from the interface endpoint to the client:
    For Port Range, enter the ephemeral port range 1024-65535. The client's source port for the connection falls in this range.
    For Destination, enter the client's IP address or network.

If the endpoint's subnets are associated with different network ACLs, then repeat these steps for each network ACL that's associated with a subnet of your interface endpoint.

Note: When you configure the security group of the source client, verify that the outbound rules allow connectivity to the private IP addresses of the interface endpoint on the endpoint service's port. Because security groups are stateful, you don't need to add an inbound rule to the client's security group for the return traffic. The interface endpoint has one network interface, with its own private IP address, in each subnet that you selected, so allow all of those addresses. For the source client's network ACL, use the following configurations:

  • For your inbound rule, enter the ephemeral port range 1024-65535 for Port Range. For Source, enter the interface endpoint's private IP addresses.
  • For your outbound rule, enter the same port as your endpoint service for Port Range. For Destination, enter the interface endpoint's private IP addresses.
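The following is an added example, not AWS code or part of this article, that models the rule evaluation the sections above describe: stateful, allow-only security groups versus stateless, numbered network ACLs on both the client side and the endpoint side, plus the provider-side check that the Network Load Balancer targets accept the load balancer nodes' private IP addresses as the source. All IP addresses, CIDR blocks, rule numbers and the service port (443) are assumptions chosen for the example.

```python
"""
Offline model of the checks this article describes. Added example, not AWS
code. Addresses, CIDR blocks, rule numbers and the service port are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVICE_PORT = 443            # assumption: the endpoint service listens on TCP 443
EPHEMERAL = (1024, 65535)     # ephemeral range the article uses for return traffic


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" or "out"
    ports: tuple              # inclusive (low, high)
    cidr: str                 # source for "in" rules, destination for "out" rules
    action: str = "allow"     # network ACLs may also "deny"; security groups are allow-only
    number: int = 100         # network ACL rule number (evaluation order); unused for SGs

    def matches(self, direction, peer_ip, port):
        return (self.direction == direction
                and self.ports[0] <= port <= self.ports[1]
                and ip_address(peer_ip) in ip_network(self.cidr))


def sg_allows(rules, direction, peer_ip, port):
    """Security group: any matching rule permits; no match means implicit deny."""
    return any(r.matches(direction, peer_ip, port) for r in rules)


def nacl_allows(rules, direction, peer_ip, port):
    """Network ACL: ascending rule number, first match decides, otherwise deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(direction, peer_ip, port):
            return r.action == "allow"
    return False


def check_connection(client_ip, client_port, endpoint_ip,
                     client_sg, client_nacl, endpoint_sg, endpoint_nacl):
    """Walk one TCP connection client:client_port -> endpoint:SERVICE_PORT and its
    return traffic through both sides' rules. Returns the gaps found (empty = OK)."""
    gaps = []
    # Forward packet (SYN): security groups and network ACLs are both consulted.
    if not sg_allows(client_sg, "out", endpoint_ip, SERVICE_PORT):
        gaps.append("client SG: outbound to endpoint on service port not allowed")
    if not nacl_allows(client_nacl, "out", endpoint_ip, SERVICE_PORT):
        gaps.append("client NACL: outbound to endpoint on service port not allowed")
    if not nacl_allows(endpoint_nacl, "in", client_ip, SERVICE_PORT):
        gaps.append("endpoint NACL: inbound from client on service port not allowed")
    if not sg_allows(endpoint_sg, "in", client_ip, SERVICE_PORT):
        gaps.append("endpoint SG: inbound from client on service port not allowed")
    # Return packet (SYN-ACK): security groups are stateful, so the forward allow
    # already covers it; network ACLs are stateless and need ephemeral-port rules.
    if not nacl_allows(endpoint_nacl, "out", client_ip, client_port):
        gaps.append("endpoint NACL: outbound to client on ephemeral port not allowed")
    if not nacl_allows(client_nacl, "in", endpoint_ip, client_port):
        gaps.append("client NACL: inbound from endpoint on ephemeral port not allowed")
    return gaps


def target_gaps(target_sg, target_nacl, nlb_node_ips, target_port):
    """Provider side: PrivateLink traffic reaches the NLB targets with the load
    balancer nodes' private IPs as source. Returns the node IPs the rules block."""
    return [ip for ip in nlb_node_ips
            if not (sg_allows(target_sg, "in", ip, target_port)
                    and nacl_allows(target_nacl, "in", ip, target_port))]


# Constructed sample configuration that mirrors the article's recommendations.
CLIENT_IP, CLIENT_PORT = "10.0.1.25", 51234      # assumption: consumer instance, ephemeral port
CLIENT_CIDR = "10.0.1.0/24"                       # assumption: consumer subnet
ENDPOINT_IP = "10.0.2.40"                         # assumption: endpoint network interface IP

ENDPOINT_SG = [Rule("in", (SERVICE_PORT, SERVICE_PORT), CLIENT_CIDR)]   # no outbound rule
ENDPOINT_NACL = [Rule("in", (SERVICE_PORT, SERVICE_PORT), CLIENT_CIDR, number=100),
                 Rule("out", EPHEMERAL, CLIENT_CIDR, number=110)]
CLIENT_SG = [Rule("out", (SERVICE_PORT, SERVICE_PORT), ENDPOINT_IP + "/32")]
CLIENT_NACL = [Rule("in", EPHEMERAL, ENDPOINT_IP + "/32", number=100),
               Rule("out", (SERVICE_PORT, SERVICE_PORT), ENDPOINT_IP + "/32", number=110)]


def recommended_config():
    return check_connection(CLIENT_IP, CLIENT_PORT, ENDPOINT_IP,
                            CLIENT_SG, CLIENT_NACL, ENDPOINT_SG, ENDPOINT_NACL)


def without_endpoint_nacl_outbound():
    """Common mistake: only the inbound network ACL rule exists on the endpoint subnet."""
    nacl = [r for r in ENDPOINT_NACL if r.direction == "in"]
    return check_connection(CLIENT_IP, CLIENT_PORT, ENDPOINT_IP,
                            CLIENT_SG, CLIENT_NACL, ENDPOINT_SG, nacl)


def with_lower_numbered_deny():
    """A deny rule with a lower number wins over the allow rule that follows it."""
    deny = Rule("in", (SERVICE_PORT, SERVICE_PORT), CLIENT_CIDR, action="deny", number=50)
    return check_connection(CLIENT_IP, CLIENT_PORT, ENDPOINT_IP,
                            CLIENT_SG, CLIENT_NACL, ENDPOINT_SG, [deny] + ENDPOINT_NACL)


def target_allows_only_client_cidr():
    """Provider-side mistake: target SG allows the consumer CIDR, not the NLB nodes."""
    nlb_nodes = ["172.16.10.5", "172.16.11.9"]    # assumption: NLB node private IPs
    target_sg = [Rule("in", (SERVICE_PORT, SERVICE_PORT), CLIENT_CIDR)]
    target_nacl = [Rule("in", (0, 65535), "0.0.0.0/0", number=100)]
    return target_gaps(target_sg, target_nacl, nlb_nodes, SERVICE_PORT)


if __name__ == "__main__":
    print("recommended:", recommended_config())
    print("missing endpoint NACL outbound:", without_endpoint_nacl_outbound())
    print("lower-numbered deny:", with_lower_numbered_deny())
    print("NLB nodes blocked by target SG:", target_allows_only_client_cidr())
```

Run the script directly to see the four cases. The recommended configuration reports no gaps even though ENDPOINT_SG has no outbound rule, which is the stateful behaviour the note above relies on; dropping only the endpoint subnet's outbound network ACL rule breaks the return path, and a target security group that allows the client CIDR instead of the load balancer nodes blocks every node.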

Related information

How do I troubleshoot connectivity issues between an interface Amazon VPC endpoint and a customer managed endpoint service?

Why can't I connect to a service when the security group and network ACL allow inbound traffic?

AWS OFFICIAL. Updated a month ago.