VPC endpoint and VPC endpoint services


The Consumer VPC is the one that needs to access the services provided by the Provider VPC. This VPC "consumes" the services.

VPC Endpoint: This endpoint connects to the VPC Endpoint Service in the Provider VPC, facilitating private communication between the VPCs.

The Provider VPC hosts the service or application that you want to make accessible to other VPCs. This VPC effectively "provides" the services.

VPC Endpoint Service: This resource uses AWS PrivateLink to expose an internal service, fronted by a Network Load Balancer (NLB), so that other VPCs can connect to it privately without the service ever being reachable from the internet.

A VPC Endpoint Service is the provider-side resource, built on AWS PrivateLink, that lets you expose an application running in your VPC to other VPCs, in your own AWS account or in other accounts, without exposing it to the public internet. PrivateLink is the underlying technology; the endpoint service is what you create on top of it.

A VPC Endpoint enables you to privately connect your VPC to supported AWS services and VPC Endpoint Services powered by AWS PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Provider VPC

  • VPC Endpoint Service:

    • You create a VPC Endpoint Service to expose your application securely.

    • This service uses AWS PrivateLink.

    • AWS PrivateLink uses a Network Load Balancer (NLB), or a Gateway Load Balancer for inline network appliances, to route traffic to your application instances. This article covers the NLB case.

Consumer VPC

  • VPC Endpoint:

    • In another VPC (the consumer VPC), you create a VPC Endpoint.

    • This VPC Endpoint connects to the VPC Endpoint Service in the Provider VPC.

Detailed Explanation

  1. Provider VPC Setup:

    • Network Load Balancer (NLB):

      • You set up an NLB in the Provider VPC.

      • The NLB routes incoming traffic to your application instances (usually in a private subnet).

    • VPC Endpoint Service:

      • You create a VPC Endpoint Service that points to the NLB.

      • The service can be configured to require manual acceptance of each connection request, and to restrict which AWS principals (accounts, IAM users or roles) are allowed to create endpoints to it. Keep acceptance required and keep the allowed-principals list explicit: a service that does not require acceptance and lists * as an allowed principal can be consumed by any AWS account that learns its service name.

  2. Consumer VPC Setup:

    • VPC Endpoint:

      • You create a VPC Endpoint in the Consumer VPC.

      • This endpoint connects to the VPC Endpoint Service in the Provider VPC using the service name the provider shares with you, which has the form com.amazonaws.vpce.<region>.vpce-svc-<id>.

Traffic Flow

  1. From Consumer VPC to Provider VPC:

    • Traffic originates from an EC2 instance in the Consumer VPC.

    • The traffic is sent to the VPC Endpoint created in the Consumer VPC, which is a set of elastic network interfaces with private IP addresses in the consumer's own subnets; the instance connects to one of those addresses (or to a DNS name that resolves to them).

    • The VPC Endpoint uses AWS PrivateLink to connect securely to the VPC Endpoint Service in the Provider VPC.

    • AWS PrivateLink hands the traffic to the NLB in the Provider VPC, which routes it to the appropriate application instances. Note that the consumer's source IP is not preserved across PrivateLink: the targets see the NLB's own private addresses as the source. If the application needs to know which endpoint the connection came from, enable Proxy Protocol v2 on the NLB target group; its header carries the endpoint's private IP and endpoint ID.

Diagram Revisited

In the provided diagram:

  • The Provider VPC (on the right side):

    • Hosts the application instances in the private subnet.

    • Uses an NLB to distribute traffic.

    • Provides a VPC Endpoint Service (using AWS PrivateLink).

  • The Consumer VPC (on the left side):

    • Contains an EC2 instance that needs to access the application in the Provider VPC.

    • Uses a VPC Endpoint to connect to the VPC Endpoint Service in the Provider VPC.

Let's clarify the concepts of VPC Endpoint Service and AWS PrivateLink, and how they interact with each other.

### VPC Endpoint Service

A VPC Endpoint Service is a service that you create within your VPC to expose your application or service to other VPCs via AWS PrivateLink. Here’s how it works:

1. Create Your Service: Run your application or service on EC2 instances within your VPC.

2. Network Load Balancer (NLB): Use a Network Load Balancer to front your service.

3. VPC Endpoint Service: Create a VPC Endpoint Service, associating it with your NLB. This service will have an endpoint service name that other VPCs can use to connect to your service.

### AWS PrivateLink

AWS PrivateLink is the underlying technology that facilitates secure, private connectivity between VPCs and AWS services or between VPCs and your own services. It ensures that traffic does not traverse the public internet.

### VPC Endpoint

A VPC Endpoint (specifically an Interface Endpoint) is the resource you create in your VPC to connect to an AWS service or a VPC Endpoint Service in another VPC using AWS PrivateLink. (Gateway endpoints for S3 and DynamoDB work through route-table entries instead and do not use PrivateLink.)

### How They Connect

When setting up private communication between VPCs, the VPC Endpoint in one VPC (the consumer) connects to the VPC Endpoint Service in another VPC (the provider) using AWS PrivateLink.

### Steps to Connect

1. Service Provider VPC:

- Service: Deploy your service on EC2 instances.

- NLB: Create a Network Load Balancer to front your service.

- VPC Endpoint Service: Create a VPC Endpoint Service associated with the NLB. This service gets an endpoint service name.

2. Service Consumer VPC:

- VPC Endpoint: Create an Interface Endpoint in your VPC. Specify the endpoint service name of the VPC Endpoint Service you want to connect to.

- Private DNS: Optionally, enable private DNS so that the provider's private DNS name (which the provider must first verify by publishing a TXT record that AWS issues for the service) resolves inside the Consumer VPC to the private IP addresses of the endpoint's network interfaces, not to the NLB's addresses. Without it, clients use the endpoint-specific DNS names that AWS generates for the endpoint.
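The provider and consumer steps above (the same procedure the Detailed Explanation section walks through) as one Terraform configuration. This is an added example, not code from the original article. It assumes both VPCs live in one AWS account, the variable names shown, an application port of 8443, a hypothetical consumer account ID 111122223333, and the illustrative DNS name api.internal.example.com.

```hcl
# Added example: provider and consumer side of a PrivateLink service in one
# AWS account. Variable values, the consumer account ID and the DNS name are
# assumptions for illustration.

variable "provider_vpc_id" {}
variable "provider_subnet_ids" { type = list(string) }
variable "consumer_vpc_id" {}
variable "consumer_subnet_ids" { type = list(string) }
variable "consumer_client_cidr" {}               # subnet of the consumer EC2 clients
variable "private_dns_verified" { default = false }

# --- Provider VPC -----------------------------------------------------------

# Internal NLB in front of the application; it is never exposed to the internet.
resource "aws_lb" "app" {
  name               = "app-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.provider_subnet_ids
}

resource "aws_lb_target_group" "app" {
  name     = "app-tg"
  port     = 8443
  protocol = "TCP"
  vpc_id   = var.provider_vpc_id
  # Over PrivateLink the targets see the NLB's own private IPs as the source.
  # Proxy Protocol v2 prepends a header carrying the consumer endpoint's
  # private IP and endpoint ID; the application must be able to parse it.
  proxy_protocol_v2 = true
}

resource "aws_lb_listener" "app" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

resource "aws_vpc_endpoint_service" "app" {
  network_load_balancer_arns = [aws_lb.app.arn]
  # Weak setting: acceptance_required = false with allowed_principals = ["*"]
  # lets any AWS account that learns the service name connect. Instead,
  # require acceptance AND restrict to the consumer account.
  acceptance_required = true
  allowed_principals  = ["arn:aws:iam::111122223333:root"] # assumed consumer account
  # Optional private DNS name for consumers. AWS returns a TXT record in
  # private_dns_name_configuration that must be published and verified first.
  private_dns_name = "api.internal.example.com"
}

# --- Consumer VPC -----------------------------------------------------------

# Security group on the endpoint network interfaces: only the client subnet
# may reach the service port.
resource "aws_security_group" "endpoint" {
  name   = "app-endpoint-sg"
  vpc_id = var.consumer_vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.consumer_client_cidr]
  }
}

resource "aws_vpc_endpoint" "app" {
  vpc_id             = var.consumer_vpc_id
  service_name       = aws_vpc_endpoint_service.app.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.consumer_subnet_ids
  security_group_ids = [aws_security_group.endpoint.id]
  # Resolves the provider's private DNS name to this endpoint's ENI addresses.
  # Switch the variable to true only after the provider's domain verification
  # has completed; otherwise endpoint creation fails.
  private_dns_enabled = var.private_dns_verified
}

# The provider explicitly accepts the pending connection request.
resource "aws_vpc_endpoint_connection_accepter" "app" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.app.id
  vpc_endpoint_id         = aws_vpc_endpoint.app.id
}

output "service_name" {
  value = aws_vpc_endpoint_service.app.service_name
}

output "endpoint_dns_names" {
  value = aws_vpc_endpoint.app.dns_entry[*].dns_name
}
```

The order of operations matters when the consumer is a different account: the provider creates the service and adds the consumer's account to allowed_principals, the consumer creates the endpoint (which sits in pendingAcceptance), and the provider then accepts it. The endpoint_dns_names output lists the AWS-generated names clients can use before private DNS is enabled.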

### Diagram Description

1. Service Provider VPC:

- EC2 Instances: Running the application.

- NLB: Network Load Balancer fronting the service.

- VPC Endpoint Service: Associated with the NLB.

2. Service Consumer VPC:

- VPC Endpoint (Interface Endpoint): Connects to the VPC Endpoint Service in the provider VPC.

- Private DNS: Resolves the provider's verified private DNS name to the private IPs of the endpoint network interfaces in the consumer VPC.