1 Answer
As you have mentioned, AWS PrivateLink is one of the options for your scenario.
To use AWS PrivateLink, create a Network Load Balancer for your application in your VPC/Account B, and create a VPC endpoint service configuration pointing to that load balancer. A service consumer then creates an interface endpoint to your service. This creates an elastic network interface (ENI) in your subnet with a private IP address that serves as an entry point for traffic destined to the service. The consumer and service are not required to be in the same VPC/Account A.
Refer to https://aws.amazon.com/blogs/compute/architecture-patterns-for-consuming-private-apis-cross-account/
answered 9 months ago
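The provider-side and consumer-side resources the answer describes, written out as an added Terraform example that is not part of the original answer or of any AWS documentation. Account IDs, VPC, subnet and CIDR values are placeholders; the default `aws` provider is assumed to carry Account B credentials and the `consumer` alias Account A credentials.

```hcl
# Added example: PrivateLink between two accounts as described in the answer.
# All IDs and CIDRs below are placeholders, not values from the original post.

provider "aws" { region = "us-east-1" }                  # Account B credentials (assumed)
provider "aws" {
  alias  = "consumer"
  region = "us-east-1"                                   # Account A credentials (assumed)
}

# ---- Account B (service provider): internal NLB + endpoint service ----
resource "aws_lb" "app" {
  name               = "app-nlb"
  load_balancer_type = "network"
  internal           = true                              # no public listener at all
  subnets            = ["subnet-PLACEHOLDER-B1", "subnet-PLACEHOLDER-B2"]
}

resource "aws_vpc_endpoint_service" "app" {
  acceptance_required        = true                      # provider approves each connection
  network_load_balancer_arns = [aws_lb.app.arn]
  # Without allowed_principals any AWS principal that learns the service name
  # could request a connection; restrict it to the consuming account.
  allowed_principals = ["arn:aws:iam::111111111111:root"] # Account A, placeholder ID
}

# ---- Account A (consumer): interface endpoint behind a restrictive SG ----
resource "aws_security_group" "endpoint" {
  provider = aws.consumer
  name     = "app-endpoint-sg"
  vpc_id   = "vpc-PLACEHOLDER-A"
  # The endpoint ENI accepts only the service port, only from the consumer VPC.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]                        # placeholder consumer VPC CIDR
  }
}

resource "aws_vpc_endpoint" "app" {
  provider            = aws.consumer
  vpc_id              = "vpc-PLACEHOLDER-A"
  service_name        = aws_vpc_endpoint_service.app.service_name
  vpc_endpoint_type   = "Interface"                      # creates the ENI in the subnet
  subnet_ids          = ["subnet-PLACEHOLDER-A1"]
  security_group_ids  = [aws_security_group.endpoint.id]
  private_dns_enabled = false                            # custom services need a verified domain for this
}
```

With `acceptance_required = true` the endpoint stays in `pendingAcceptance` until Account B accepts it, so the check that the right account connected happens on the provider side rather than by trusting the service name alone.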
I don't think you read my question. It's from a public API Gateway to an existing private NLB in another account.
I posted the generic architecture patterns for AWS PrivateLink, which also include patterns for a public API Gateway accessing a private endpoint in another account. In terms of your attempted solution, since the exposing service is an internal NLB, the consuming account has to have either an ALB or an NLB within its VPC. As you might know already, a major benefit of this approach is that network traffic stays within the Amazon network and does not traverse the public internet. This reduces attack vectors and improves the security posture.