Amazon Web Services is expanding its private cloud options with the launch of AWS PrivateLink, a new endpoint service designed for customers who want to access the cloud in a highly available and scalable manner yet keep all the traffic within AWS only.
As of the launch Nov. 9, the Kinesis, Service Catalog, Amazon EC2, EC2 Systems Manager and Elastic Load Balancing APIs are now available to use inside an AWS virtual private cloud. The company also said support for more services will be coming soon, including Key Management Service and Amazon Cloudwatch.
Since VPC Endpoints launched in 2015, creating Endpoints has been a popular way among users to securely access S3 and DynamoDB from an Amazon virtual private cloud without the need for an internet gateway, a NAT (network address translation) gateway, or firewall proxies. With VPC Endpoints, the routing between the VPC and the AWS service is handled by the AWS network, and IAM (identity and access management) policies can be used to control access to service resources.
‘Like Connecting a Virtual Cable’
“With traditional endpoints, it’s very much like connecting a virtual cable between your VPC and the AWS service,” AWS’s Colm MacCárthaigh, Senior Engineer for Amazon Virtual Private Cloud, wrote in a blogpost. “Connectivity to the AWS service does not require an Internet or NAT gateway, but the endpoint remains outside of your VPC.
“With PrivateLink, endpoints are instead created directly inside of your VPC, using Elastic Network Interfaces (ENIs) and IP addresses in your VPC’s subnets. The service is now in your VPC, enabling connectivity to AWS services via private IP addresses. That means that VPC Security Groups can be used to manage access to the endpoints and that PrivateLink endpoints can also be accessed from your premises via AWS Direct Connect.”
Using the services powered by PrivateLink, customers can now manage fleets of instances, create and manage catalogs of IT services and store and process data without requiring the traffic to traverse the public internet, MacCárthaigh said.
To support testing and advanced configurations, every endpoint also gets a set of DNS names that are unique and dedicated to the endpoint. There’s a primary name for the endpoint and zonal names.
The primary name is particularly useful for accessing your endpoint via Direct Connect, without having to use any DNS over-rides on-premises. Naturally, the primary name can also be used inside of your VPC.
“By default, with the Private DNS Name enabled, using a PrivateLink endpoint is as straight-forward as using the SDK, AWS CLI or other software that accesses the service API from within your VPC. There’s no need to change any code or configurations,” MacCárthaigh said.
Pricing and Availability
AWS PrivateLink is available as of Nov. 9 in all AWS commercial regions except China (Beijing). For the region availability of individual services, please check AWS’s documentation.
Pricing starts at $0.01 / hour plus a data processing charge at $0.01 / GB. Data transferred between availability zones, or between your Endpoint and your premises via Direct Connect will also incur the usual EC2 Regional and Direct Connect data transfer charges. For more information, see VPC Pricing.