AWS PrivateLink enables customers to access services hosted on AWS in a highly available and scalable manner, while keeping all the network traffic within the AWS network. Service users can privately access services powered by PrivateLink from their Amazon Virtual Private Cloud (VPC) or their on-premises networks, without using public IPs and without requiring traffic to traverse the Internet. Service owners can register their Network Load Balancers with PrivateLink services in order to provide their services to other AWS customers.
As a service user, you will need to create interface type VPC endpoints for services that are powered by PrivateLink. These service endpoints appear as Elastic Network Interfaces (ENIs) with private IPs in your VPCs. Once these endpoints are created, any traffic destined for these IPs is privately routed to the corresponding AWS services.
As a service owner, you can onboard your service to AWS PrivateLink by placing a Network Load Balancer (NLB) in front of your service and creating a PrivateLink service that registers the NLB. Your customers will be able to establish endpoints within their VPCs to connect to your service after you have allowlisted their accounts and IAM roles.
VPC endpoints enable you to privately connect your VPC to services hosted on AWS without requiring an Internet gateway, a NAT device, VPN, or firewall proxies. Endpoints are horizontally scalable and highly available virtual devices that allow communication between instances in your VPC and AWS services. Amazon VPC offers two different types of endpoints: gateway type endpoints and interface type endpoints.
Interface type endpoints provide private connectivity to services powered by PrivateLink. These services may be AWS services, your own services or SaaS solutions. Interface type endpoints also support connectivity over Direct Connect. Please refer to VPC Pricing for the price of interface type endpoints.
Gateway type endpoints are available only for AWS services including S3 and DynamoDB, and cannot enable PrivateLink. These endpoints will add an entry to the route table you select and route the traffic to the supported services through Amazon’s private network.
VPC endpoints provide secure access to a specific service, with several benefits to the end user:
Yes. Applications in your on-premises environment can connect to the service endpoints in Amazon VPC over AWS Direct Connect. The service endpoints will automatically direct the traffic to AWS services powered by AWS PrivateLink.
You can search for available services using the VPC console or the AWS CLI/SDK. Then you can request access to a service by creating a VPC endpoint and begin using it.
The pricing schedule for PrivateLink has information about charges and billing: https://aws.amazon.com/privatelink/pricing/. If you choose to create an interface type VPC endpoint in your VPC, you are charged for each hour that your VPC endpoint is provisioned in each Availability Zone. Data processing charges apply for each gigabyte processed through the VPC endpoint regardless of the traffic’s source or destination. Each partial VPC endpoint-hour consumed is billed as a full hour. If you no longer wish to be charged for a VPC endpoint, delete your VPC endpoints using the AWS Management Console, command line interface (CLI), or API.
Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including VAT and applicable sales tax. For customers with a Japanese billing address, use of AWS services is subject to Japanese Consumption Tax.
While VPC peering is limited to 125 VPC connections, AWS PrivateLink has virtually unlimited scale. Each VPC endpoint connects an EC2 instance to a specific AWS or AWS-based service. You can add as many endpoints as you need, depending on the number of VPCs and services that you need to connect to. There is no charge tied to the number of endpoints you deploy for PrivateLink.
You can create up to 100 VPC endpoints per VPC. If you need more than this, contact us and we will work on a solution with you.
You can create a VPC endpoint in your VPC and specify the service you want to use. The VPC endpoint has a DNS name that resolves to local IP addresses in your VPC. When you route traffic to this DNS name, the traffic is routed through the VPC endpoint and to the service.
Each VPC endpoint can support 10 Gbps of continuous bandwidth per Availability Zone by default, after which additional capacity is added automatically based on your usage. Endpoint scaling is fully managed to ensure that traffic to your endpoint is not affected.
No. A VPC endpoint connects directly to a single service. You can, however, create additional VPC endpoints to connect the EC2 instance to other services, and the number of VPC endpoints you can create is not limited. There is no cost to creating additional VPC endpoints.
If you are using the latest version of the AWS CLI/SDK, you do not need to update your code. The CLI/SDK will automatically discover your VPC endpoints and use them by default. If you are using an older version of the CLI/SDK, you will need to specify the DNS name as the endpoint parameter in the CLI/SDK. If you need to specify the endpoint, you can discover the DNS name by querying the EC2 metadata service.
No. We may support this in future updates, but currently only private endpoint names are supported.
Yes, you can access VPC endpoints over Direct Connect. A VPC endpoint's DNS records are publicly resolvable, but will return the private IP address within the associated VPC.
The security of AWS PrivateLink relies on three factors: the path, the policies, and the mode of communication.
The path between a VPC endpoint and an AWS or AWS-based service stays within AWS and does not traverse the Internet. It is therefore not reachable from the Internet and out of reach of Internet-based attacks.
When you are using VPC endpoints with AWS services, you can also create endpoint policies, which restrict access to requests that come from the VPC or the VPC endpoint.
PrivateLink does not provide any encryption by default for data in transit. The service consumer always initiates the connection (communication is one-way), and the service provider only serves allowlisted customers.
Yes. You can associate security groups with VPC endpoints.
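The endpoint policy and security group mentioned above, combined in one added example that is not part of the original FAQ: a shell script that writes a restrictive endpoint policy and creates an interface endpoint with that policy and a security group attached. The VPC, subnet, security group and account id values are placeholders, and Amazon SQS in us-east-1 is an assumed service.

```shell
# Placeholder values (assumed, not from the FAQ): replace with your own.
VPC_ID="vpc-PLACEHOLDER"
SUBNET_IDS="subnet-PLACEHOLDER-a subnet-PLACEHOLDER-b"   # one per AZ for availability
ENDPOINT_SG="sg-PLACEHOLDER"                              # should allow only app subnets on TCP 443
SERVICE_NAME="com.amazonaws.us-east-1.sqs"                # assumed service
ACCOUNT_ID="111122223333"                                 # placeholder account id

# Writes the endpoint policy to the file named in $1.
# Without a policy, the endpoint gets the default full-access policy
# (Principal "*", Action "*", Resource "*"): any principal that can reach the
# endpoint's ENI may call any SQS API through it. The policy below confines the
# endpoint to two actions on one queue, and only for this account's principals.
# The endpoint policy does not replace IAM policies; both must allow a request.
write_endpoint_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyThisAccountOnOneQueue",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
      "Action": [ "sqs:SendMessage", "sqs:ReceiveMessage" ],
      "Resource": "arn:aws:sqs:us-east-1:${ACCOUNT_ID}:example-queue"
    }
  ]
}
EOF
}

# Creates the interface endpoint with the policy and the security group.
# Needs AWS credentials; not invoked automatically.
create_restricted_endpoint() {
  policy_file=$1
  aws ec2 create-vpc-endpoint \
    --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Interface \
    --service-name "$SERVICE_NAME" \
    --subnet-ids $SUBNET_IDS \
    --security-group-ids "$ENDPOINT_SG" \
    --policy-document "file://$policy_file"
}
```

Run `write_endpoint_policy policy.json` and then `create_restricted_endpoint policy.json`; the same policy document can later be tightened or replaced with `aws ec2 modify-vpc-endpoint --policy-document`.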
Yes. You can use the AWS Management Console to manage Amazon VPC objects such as VPC endpoints and AWS PrivateLink connections.
Yes. See AWS Support for more information.
Currently, no Amazon CloudWatch metrics are available for interface type VPC endpoints.