AWS PrivateLink


AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access services, AWS PrivateLink ensures traffic is not exposed to the public internet.

Lab Schema

Provider's Config #1

1. Prepare Provider service

Deploy three EC2 instances, then install and enable the httpd service on each of them.

2. Deploy LB (#1)

Using the AWS Console, deploy a Network Load Balancer.

3. Deploy LB (#2)

Select internal as the scheme and select the VPC where the Provider EC2 instances have been deployed.

4. Deploy LB (#3)

Create a new Target Group with Instances as the target type.

5. Deploy LB (#4)

Register all EC2 instances deployed in step #1 as targets.

6. Configure LB (#1)

Using the Load Balancer Description tab, enable Cross-Zone Load Balancing.

7. Configure LB (#2)

Using the Load Balancer Integrated services tab, create an Endpoint Service.

8. Create Endpoint Service

Select the NLB created in step #2 as the associated load balancer and check Require acceptance for endpoint, so that each Consumer connection request has to be approved by the Provider account.

9. Endpoint Service Name

Once the Endpoint Service is created, record its service name.

10. Whitelist principals (#1)

Using the Load Balancer Whitelisted principals tab, allow access to the endpoint from the Consumer account.

11. Whitelist principals (#2)

Add the Consumer account ARN to the list.

12. Whitelist principals (#3)

Confirm that the Consumer account ARN has been added correctly.

Consumer's Config #1

13. Create Endpoint (#1)

Using the AWS Console, create a new Endpoint. Use the name recorded in step #9 as the Service Name. The endpoint should be created in the Consumer VPC.

14. Create Endpoint (#2)

The endpoint will remain in the Pending Acceptance state until it is accepted by the Provider account.

Provider's Config #2

15. Accept Endpoint

Using the Endpoint Connections tab, accept the previously created endpoint.

16. Endpoint DNS name

Wait until the endpoint is in the available state, then record the first DNS name.

17. Route 53

Using the AWS Console, go to the Route 53 service, select Hosted Zones and click Create Hosted Zone.

18. Private Hosted Zone

Create a new hosted zone, enter radkowski.viaprivatelink as the domain name, select private as the type and associate the domain with the VPC where the Consumer EC2 instances have been created.

19. Create simple DNS record

Go to the previously created hosted zone and click Define simple record.

20. Create simple DNS record (#2)

Enter www.provider as the name; this will create the www.provider.radkowski.viaprivatelink record. Select Alias to VPC endpoint, then the region and the DNS name recorded in step #16.

Test Area

21. Connect to Provider service

Using the dig command, check that www.provider.radkowski.viaprivatelink resolves correctly. It should return three IP addresses, one per subnet (as configured in step #13).

Use your favourite console browser (for example links) to check that the Consumer can access the Provider resources.
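The same lab, steps 2 through 20, written as Terraform so the configuration can be reviewed and kept under version control instead of being clicked through the console. This is an added example and not the lab author's code: the variable names, resource names, region, CLI profile names and the two provider aliases are assumptions, and the three httpd instances from step #1 are assumed to exist already and are passed in by ID.

```hcl
# Added example (not the lab's own code). Assumed: AWS provider 4.x+, one region, one CLI
# profile per account, and the three httpd instances from step #1 supplied as IDs.
variable "provider_vpc_id" {}
variable "provider_subnet_ids" { type = list(string) }
variable "provider_instance_ids" { type = list(string) } # the httpd hosts from step #1
variable "consumer_account_id" {}
variable "consumer_vpc_id" {}
variable "consumer_subnet_ids" { type = list(string) } # three subnets -> three IPs from dig
variable "consumer_sg_id" {}
provider "aws" {
  alias   = "provider_acct"
  region  = "eu-west-1" # assumption: both accounts use one region
  profile = "provider"  # assumption: CLI profile for the Provider account
}
provider "aws" {
  alias   = "consumer"
  region  = "eu-west-1"
  profile = "consumer"  # assumption: CLI profile for the Consumer account
}

# Provider's Config #1 (steps 2-12)
resource "aws_lb" "provider" {
  provider                         = aws.provider_acct
  name                             = "provider-nlb"
  load_balancer_type               = "network"        # step #2
  internal                         = true             # step #3: never exposed to the internet
  subnets                          = var.provider_subnet_ids
  enable_cross_zone_load_balancing = true             # step #6
}
resource "aws_lb_target_group" "httpd" {
  provider    = aws.provider_acct
  name        = "provider-httpd"
  port        = 80
  protocol    = "TCP"
  target_type = "instance"                            # step #4
  vpc_id      = var.provider_vpc_id
}
resource "aws_lb_target_group_attachment" "httpd" {
  provider         = aws.provider_acct
  for_each         = toset(var.provider_instance_ids) # step #5
  target_group_arn = aws_lb_target_group.httpd.arn
  target_id        = each.value
  port             = 80
}
resource "aws_lb_listener" "http" {
  provider          = aws.provider_acct
  load_balancer_arn = aws_lb.provider.arn
  port              = 80
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.httpd.arn
  }
}
resource "aws_vpc_endpoint_service" "provider" {
  provider                   = aws.provider_acct
  network_load_balancer_arns = [aws_lb.provider.arn] # step #8
  acceptance_required        = true                  # step #8: nobody connects without approval
  allowed_principals         = ["arn:aws:iam::${var.consumer_account_id}:root"] # steps #10-12
}

# Consumer's Config #1 (steps 13-14): stays pendingAcceptance until the accepter below runs
resource "aws_vpc_endpoint" "to_provider" {
  provider           = aws.consumer
  vpc_id             = var.consumer_vpc_id
  service_name       = aws_vpc_endpoint_service.provider.service_name # the step #9 name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.consumer_subnet_ids
  security_group_ids = [var.consumer_sg_id]
}

# Provider's Config #2 (step 15)
resource "aws_vpc_endpoint_connection_accepter" "provider" {
  provider                = aws.provider_acct
  vpc_endpoint_service_id = aws_vpc_endpoint_service.provider.id
  vpc_endpoint_id         = aws_vpc_endpoint.to_provider.id
}

# Step 16: re-read the endpoint after acceptance so dns_entry is populated
data "aws_vpc_endpoint" "accepted" {
  provider   = aws.consumer
  id         = aws_vpc_endpoint.to_provider.id
  depends_on = [aws_vpc_endpoint_connection_accepter.provider]
}

# Steps 17-20: private zone, resolvable only from the Consumer VPC
resource "aws_route53_zone" "private" {
  provider = aws.consumer
  name     = "radkowski.viaprivatelink"
  vpc { vpc_id = var.consumer_vpc_id }
}
resource "aws_route53_record" "www_provider" {
  provider = aws.consumer
  zone_id  = aws_route53_zone.private.zone_id
  name     = "www.provider" # becomes www.provider.radkowski.viaprivatelink
  type     = "A"
  alias {
    name                   = data.aws_vpc_endpoint.accepted.dns_entry[0].dns_name
    zone_id                = data.aws_vpc_endpoint.accepted.dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}
```

Two settings carry the access control here: allowed_principals decides which account may even request a connection, and acceptance_required = true means a request from an allowed account is still held in Pending Acceptance until the Provider approves it, which is what the accepter resource does for step 15. After apply, the dig check from step 21 run from a Consumer instance should return one address per subnet listed in consumer_subnet_ids.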