From a securty perspective, what benefit we can get from the PrivateLink?

0

When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.

So, Suppose accessing an AWS service, for example, Cloudwatch, from a security perspective, what benefit we can get from the PrivateLink instead of the Internet gateway + NAT gateway?

asked 6 months ago175 views
2 Answers
0

Hi,

VPC Endpoints and PrivatLink is two different concepts.

VPC Endpoints you can use to access AWS services without leaving VPC. Here is some docs.

PrivatLinks you can use to provide access to your internal VPC services (your app for example) to the external AWS consumers (different VPC/account)

From here:

Q: How secure is an AWS PrivateLink connection?

A: The security of AWS PrivateLink relies on three factors: the path, the policies, and mode of communication.

The path between a VPC endpoint and an AWS or AWS-based service stays within AWS and does not traverse the Internet. It therefore remains out of reach of Internet breaches.

When you are using VPC endpoints with AWS services, you can also create endpoint policies, which restrict access to requests that come from the VPC or the VPC endpoint.

PrivateLink does not provide any encryption by default for data in transit. The service consumer always initiates the service (it is a one-way service), and that the service provider only provides service to allowlisted customers.

profile picture
EXPERT
answered 6 months ago
  • -- "The path between a VPC endpoint and an AWS or AWS-based service stays within AWS and does not traverse the Internet. It therefore remains out of reach of Internet breaches."

    If no VPC endpoint: With the Nat gateway and Internet gateway, the traffic between the VPC and the AWS service still stays in the AWS network, there is no traffic outside of the AWS network.

    -- When you are using VPC endpoints with AWS services, you can also create endpoint policies, which restrict access to requests that come from the VPC or the VPC endpoint.

    If no VPC endpoint: By creating a separate IAM role associated with AWS service permission, we might restrict access to requests to the AWS Service as well.

0

I'm going to disagree slightly with the other answer here: PrivateLink is closely related to AWS service VPC Interface endpoints - the difference is that it is AWS offering the endpoint rather than you creating your own endpoint service and offering it to other VPCs and accounts.

There are a few advantages of using a VPC endpoint for an AWS service instead of using an Internet Gateway (and NAT Gateway if required):

  • The service endpoint only allows access to that service. Having an Internet Gateway in your VPC means that workloads could access other publicly hosted endpoints and services - which can be on AWS or on the rest of the internet. So using the endpoint means that you don't have to try and filter that traffic if you needed to restrict access.
  • You can apply endpoint policies to the endpoint which gives you greater control over what your workloads can do with that service.
profile pictureAWS
EXPERT
answered 5 months ago
  • This is a good point. Having a private subnet without internet access, it might be more clear to take a VPC interface endpoint for the AWS services access.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions