SlideShare a Scribd company logo

AWS PrivateLink - Deep Dive

Download as PPTX, PDF
E
Enri Peters

AWS PrivateLink allows services running within AWS to connect to other services privately without an internet gateway, VPC peering, or EIPs. It creates private connectivity using interface or gateway endpoints within VPCs. Interface endpoints function like a network interface and support security groups, while gateway endpoints add routes to route tables. PrivateLink eliminates public access and simplifies networking management compared to traditional architectures using internet gateways or VPC peering.

Related slideshows

The Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - BusinessThe Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
The Fundamentals of Networking in AWS: VPC and Connectivity Options - Business
 
Deep dive ECS & Fargate Deep Dive
Deep dive ECS & Fargate Deep DiveDeep dive ECS & Fargate Deep Dive
Deep dive ECS & Fargate Deep Dive
 
Deep Dive Amazon EC2
Deep Dive Amazon EC2Deep Dive Amazon EC2
Deep Dive Amazon EC2
 
1 of 36
AWS PrivateLink Deep Dive
aws sts get-caller-identity • Enri Peters • Zutphen • 30 • 3 girls • 1 dog (a boy 🎉) • Study • Horror • Gaming (lately Zelda botw) • Working for SBP since 2019 • Jumbo -> PostNL team
What is AWS PrivateLink? • Tech stack (8 nov. 2017) • Kinesis/EC2/SSM + • AWS PrivateLink makes it easy to connect services across different AWS accounts • W/O exposing data to the public internet
Prior to PrivateLink, services in an Amazon VPC were Connected through public IP addresses using an internet gateway or by private IP addresses using VPC peering
With AWS PrivateLink Service connectivity can be established from the service provider’s VPC to the service consumer’s VPCs
AWS PrivateLink does this • VPC peering connections • Transit VPC
What is AWS PrivateLink? • Customers can securely access services on AWS while staying on Amazon’s private network • Exist of mainly 2 things • Endpoint services • Your own application/service in your VPC • VPC endpoints • Interface endpoints • Gateway endpoints • GWLB endpoints Service provider Service consumer
Powered by • AWS Hyperplane (internal AWS service) • Amazon EFS • AWS Managed NAT • AWS Network Load Balancer • AWS PrivateLink • Mapping service for ENI’s • State tracking • Routing • Runs on EC2 (in-memory) • Keeps state for months/years (EFS)
PrivateLink main benefits Private • IP addresses • Security groups • Does not traverse the internet Simplify • Network management • Removes need for • IP whitelisting • IGW/NAT • Firewalls Facilitate • Your Cloud Migration • On-premises -> Direct Connect -> AWS services
PrivateLink use cases Securely • Access SAAS applications • You are the connection initiator Maintain • Regulatory compliance • Restrict/No internet access Migrate • To hybrid cloud • Direct Connect Shared • Services • W/O Peering
What are VPC Endpoints? • Virtual devices • Service provider • AWS • Marketplace • Your own service associated with NLB • Service consumer • Interface endpoints • Gateway endpoints • GWLB endpoints
Endpoint services • Existing AWS endpoints • Custom endpoints • Your own application • Marketplace • Can be connected to through an interface endpoint • (Auto) Allow/Deny
VPC Interface endpoints • Enable connectivity to services over AWS PrivateLink • Supports • IPv4 / TCP only • Direct Connect • Site-to-Site VPN • VPC Peering • Include • AWS managed services • Marketplace services • Endpoint services (Your own App) • (Hyperplane) ENI’s in subnet (Not HA by default)
VPC Interface endpoints • Security group • inbound 443 (for AWS) • outbound empty (Hyperplane magic) • Private DNS (optionally) • The owner of a service is a service provider • The principal creating the interface endpoint and using that service is a service consumer
VPC Interface endpoints • Endpoint policy (default allow) • Running cost = $8,- p/m • Data transfer cost (GB/month) • First 1PB = $0.01 • Next 4PB = $0.006 • Anything over 5 PB = $0.004 • S3 support • Can use in shared subnet (RAM) • But..
W/O Interface endpoints
With Interface endpoints & PrivateDNS
Interface endpoint policies
Availabilty Zone IDs AWS maps the physical Availability Zones randomly to the available zone names for each AWS account.
Availabilty Zone IDs AWS maps the physical Availability Zones randomly to the available zone names for each AWS account.
VPC Gateway endpoints • Adds specific IP routes (prefix-list) in a route table • Traffic flows via GW endpoint • S3 / DynamoDB • Free • HA in region • Regional • Can’t access other regions buckets
VPC Gateway endpoints • Prevent leaky buckets by using endpoint policies • AWS managed prefix list • Route tables • Security groups • No need for public IP addressing (IGW) • Gateway endpoints do not enable AWS PrivateLink
W/O Gateway endpoints
With Gateway endpoints
Gateway endpoint policies
VPC Gateway Load Balancer endpoints • Helps run and scale 3rd party appliances • GWLB Endpoints • Like a interface endpoint but can be added to a (ingress) route table as next hop • GWLB • Balances across backend appliances • Geneve (tunnelling protocol) • Unaltered packets
VPC Gateway Load Balancer endpoints • For things like… • Firewall • Intrusion detection • Prevention systems • Horizontal scaling • Security groups are not supported. • Endpoint policies are not supported.
Gateway endpoints vs. Interface endpoints • Gateway endpoints • S3 • DynamoDB • Interface endpoints • Most common services • Around 160 services • https://docs.aws.amazon.com/vpc /latest/privatelink/integrated- services-vpce-list.html
Gateway endpoint vs Interface endpoint • Prefix list (logical representation) added to route table • Does not sit inside a subnet • Magic happens at VPC router level • No security groups, because no ENI’s
Gateway endpoint vs Interface endpoint • Sits inside subnet (put 1 in each AZ for HA) • Attached to a security group • Endpoint specific DNS name • Regional • Zonal • Resolves to private IP address of the endpoint ENI • PrivateDNS = associate a private R53 hosted zone with your VPC • Overwrites the default DNS for the service • Can be used outside of VPC (Direct Connect etc.) vpce-0fe5b17a0707d6abc-29p5708s.ec2.us-east-1.vpce.amazonaws.com vpce-0fe5b17a0707d6abc-29p5708s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com
Cost overview
VPC Interface endpoint costs example • 1 VPC endpoints x 3 ENIs per VPC endpoint x 730 hours in a month x 0.011 USD = 24.09 USD (Hourly cost for endpoint ENI) • Tiered price for: 10000 GB • 10000 GB x 0.0100000000 USD = 100.00 USD • Total tier cost = 100.0000 USD (PrivateLink data processing cost) • 24.09 USD + 100 USD = 124.09 USD (Total PrivateLink Cost) • Total PrivateLink endpoints and data processing cost (monthly): 124.09 USD
NAT Gateway costs example • 730 hours in a month x 0.048 USD = 35.04 USD (Gateway usage hourly cost) • 10,000 GB per month x 0.048 USD = 480.00 USD (NAT Gateway data processing cost) • 35.04 USD + 480.00 USD = 515.04 USD (NAT Gateway processing and month hours) • 3 NAT Gateways x 515.04 USD = 1,545.12 USD (Total NAT Gateway usage and data processing cost) • Total NAT Gateway usage and data processing cost (monthly): 1,545.12 USD
Limitations • You cannot create an endpoint between a VPC and a service in a different Region • API Gateway interface endpoint with PrivateDNS enabled • Breakes public API gateways access • ECR pull through cache • First time pull • AZ mapping • Supports only IPV4 TCP traffic • Check service specific PrivateLink docs
Limitations • Downtimes while creating them • +- 5 seconds for Gateway endpoint (also creation) • For CloudWatch Logs the average time was approximately 54 seconds with a minimum of 15 seconds and a maximum of 169 seconds (2m 49s). • For SNS the average was around 44 seconds with a minimum of 14 seconds and a maximum of 172 seconds (2m 51s). • For SQS the average was around 30 seconds with a minimum of 13 seconds and a maximum of 56 seconds. • Trick DNS to prevent this downtime
End Thank you!

More Related Content

AWS PrivateLink - Deep Dive

  • 2. aws sts get-caller-identity • Enri Peters • Zutphen • 30 • 3 girls • 1 dog (a boy 🎉) • Study • Horror • Gaming (lately Zelda botw) • Working for SBP since 2019 • Jumbo -> PostNL team
  • 3. What is AWS PrivateLink? • Tech stack (8 nov. 2017) • Kinesis/EC2/SSM + • AWS PrivateLink makes it easy to connect services across different AWS accounts • W/O exposing data to the public internet
  • 4. Prior to PrivateLink, services in an Amazon VPC were Connected through public IP addresses using an internet gateway or by private IP addresses using VPC peering
  • 5. With AWS PrivateLink Service connectivity can be established from the service provider’s VPC to the service consumer’s VPCs
  • 6. AWS PrivateLink does this • VPC peering connections • Transit VPC
  • 7. What is AWS PrivateLink? • Customers can securely access services on AWS while staying on Amazon’s private network • Exist of mainly 2 things • Endpoint services • Your own application/service in your VPC • VPC endpoints • Interface endpoints • Gateway endpoints • GWLB endpoints Service provider Service consumer
  • 8. Powered by • AWS Hyperplane (internal AWS service) • Amazon EFS • AWS Managed NAT • AWS Network Load Balancer • AWS PrivateLink • Mapping service for ENI’s • State tracking • Routing • Runs on EC2 (in-memory) • Keeps state for months/years (EFS)
  • 9. PrivateLink main benefits Private • IP addresses • Security groups • Does not traverse the internet Simplify • Network management • Removes need for • IP whitelisting • IGW/NAT • Firewalls Facilitate • Your Cloud Migration • On-premises -> Direct Connect -> AWS services
  • 10. PrivateLink use cases Securely • Access SAAS applications • You are the connection initiator Maintain • Regulatory compliance • Restrict/No internet access Migrate • To hybrid cloud • Direct Connect Shared • Services • W/O Peering
  • 11. What are VPC Endpoints? • Virtual devices • Service provider • AWS • Marketplace • Your own service associated with NLB • Service consumer • Interface endpoints • Gateway endpoints • GWLB endpoints
  • 12. Endpoint services • Existing AWS endpoints • Custom endpoints • Your own application • Marketplace • Can be connected to through an interface endpoint • (Auto) Allow/Deny
  • 13. VPC Interface endpoints • Enable connectivity to services over AWS PrivateLink • Supports • IPv4 / TCP only • Direct Connect • Site-to-Site VPN • VPC Peering • Include • AWS managed services • Marketplace services • Endpoint services (Your own App) • (Hyperplane) ENI’s in subnet (Not HA by default)
  • 14. VPC Interface endpoints • Security group • inbound 443 (for AWS) • outbound empty (Hyperplane magic) • Private DNS (optionally) • The owner of a service is a service provider • The principal creating the interface endpoint and using that service is a service consumer
  • 15. VPC Interface endpoints • Endpoint policy (default allow) • Running cost = $8,- p/m • Data transfer cost (GB/month) • First 1PB = $0.01 • Next 4PB = $0.006 • Anything over 5 PB = $0.004 • S3 support • Can use in shared subnet (RAM) • But..
  • 17. With Interface endpoints & PrivateDNS
  • 19. Availabilty Zone IDs AWS maps the physical Availability Zones randomly to the available zone names for each AWS account.
  • 20. Availabilty Zone IDs AWS maps the physical Availability Zones randomly to the available zone names for each AWS account.
  • 21. VPC Gateway endpoints • Adds specific IP routes (prefix-list) in a route table • Traffic flows via GW endpoint • S3 / DynamoDB • Free • HA in region • Regional • Can’t access other regions buckets
  • 22. VPC Gateway endpoints • Prevent leaky buckets by using endpoint policies • AWS managed prefix list • Route tables • Security groups • No need for public IP addressing (IGW) • Gateway endpoints do not enable AWS PrivateLink
  • 26. VPC Gateway Load Balancer endpoints • Helps run and scale 3rd party appliances • GWLB Endpoints • Like a interface endpoint but can be added to a (ingress) route table as next hop • GWLB • Balances across backend appliances • Geneve (tunnelling protocol) • Unaltered packets
  • 27. VPC Gateway Load Balancer endpoints • For things like… • Firewall • Intrusion detection • Prevention systems • Horizontal scaling • Security groups are not supported. • Endpoint policies are not supported.
  • 28. Gateway endpoints vs. Interface endpoints • Gateway endpoints • S3 • DynamoDB • Interface endpoints • Most common services • Around 160 services • https://docs.aws.amazon.com/vpc /latest/privatelink/integrated- services-vpce-list.html
  • 29. Gateway endpoint vs Interface endpoint • Prefix list (logical representation) added to route table • Does not sit inside a subnet • Magic happens at VPC router level • No security groups, because no ENI’s
  • 30. Gateway endpoint vs Interface endpoint • Sits inside subnet (put 1 in each AZ for HA) • Attached to a security group • Endpoint specific DNS name • Regional • Zonal • Resolves to private IP address of the endpoint ENI • PrivateDNS = associate a private R53 hosted zone with your VPC • Overwrites the default DNS for the service • Can be used outside of VPC (Direct Connect etc.) vpce-0fe5b17a0707d6abc-29p5708s.ec2.us-east-1.vpce.amazonaws.com vpce-0fe5b17a0707d6abc-29p5708s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com
  • 32. VPC Interface endpoint costs example • 1 VPC endpoints x 3 ENIs per VPC endpoint x 730 hours in a month x 0.011 USD = 24.09 USD (Hourly cost for endpoint ENI) • Tiered price for: 10000 GB • 10000 GB x 0.0100000000 USD = 100.00 USD • Total tier cost = 100.0000 USD (PrivateLink data processing cost) • 24.09 USD + 100 USD = 124.09 USD (Total PrivateLink Cost) • Total PrivateLink endpoints and data processing cost (monthly): 124.09 USD
  • 33. NAT Gateway costs example • 730 hours in a month x 0.048 USD = 35.04 USD (Gateway usage hourly cost) • 10,000 GB per month x 0.048 USD = 480.00 USD (NAT Gateway data processing cost) • 35.04 USD + 480.00 USD = 515.04 USD (NAT Gateway processing and month hours) • 3 NAT Gateways x 515.04 USD = 1,545.12 USD (Total NAT Gateway usage and data processing cost) • Total NAT Gateway usage and data processing cost (monthly): 1,545.12 USD
  • 34. Limitations • You cannot create an endpoint between a VPC and a service in a different Region • API Gateway interface endpoint with PrivateDNS enabled • Breakes public API gateways access • ECR pull through cache • First time pull • AZ mapping • Supports only IPV4 TCP traffic • Check service specific PrivateLink docs
  • 35. Limitations • Downtimes while creating them • +- 5 seconds for Gateway endpoint (also creation) • For CloudWatch Logs the average time was approximately 54 seconds with a minimum of 15 seconds and a maximum of 169 seconds (2m 49s). • For SNS the average was around 44 seconds with a minimum of 14 seconds and a maximum of 172 seconds (2m 51s). • For SQS the average was around 30 seconds with a minimum of 13 seconds and a maximum of 56 seconds. • Trick DNS to prevent this downtime

Editor's Notes

  1. Build / Access private services w/o internet exposure Share with other VPC’s You can do that without sharing network IP’s, whitelisting IP’s, configuring firewalls or even allowing any internet access at all. Easy
  2. Enable connectivity to services over AWS PrivateLink
  3. Enable connectivity to services over AWS PrivateLink
  4. Gateway Load Balancers enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. It combines a transparent network gateway (that is, a single entry and exit point for all traffic) and distributes traffic while scaling your virtual appliances with the demand.
  5. Gateway Load Balancers enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. It combines a transparent network gateway (that is, a single entry and exit point for all traffic) and distributes traffic while scaling your virtual appliances with the demand.