AWS PrivateLink enables you to securely access services hosted on AWS. Come to this session and learn the fundamentals of AWS PrivateLink, including VPC design, VPC endpoint, Network Load Balancer, and more. Discover the benefits and use cases for connecting your VPC with services based on AWS over AWS PrivateLink, and hear about the AWS services that are related to AWS PrivateLink, including AWS Direct Connect, Amazon Route 53, and others. This mid-level architecture discussion is aimed at architects, network administrators, and technology decision makers who want to understand how to connect their Amazon VPCs to SaaS services in a secure and scalable manner.

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Carl Johnson - Solutions Architect
SRV211
AWS PrivateLink: Fundamentals
Securely Accessing Services Hosted on AWS

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect from this session
• Benefits of AWS PrivateLink
• Recap of VPC concepts
• How to use AWS PrivateLink
• With AWS services
• With AWS Marketplace services
• With your own applications
• Use cases

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits of using AWS PrivateLink

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits of AWS PrivateLink
Secure your traffic Simplify network
management
Accelerate hybrid
cloud migration

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure your traffic
• Use private IP connectivity
• Authorize traffic with security groups
• Traffic doesn’t traverse the Internet

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Simplify network management
• Connect services across VPCs
• Share services between different accounts
• Don’t need internet gateway, NAT device, public
IP address, VPC peering, or VPN connection

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Accelerate hybrid cloud migration
• Works over AWS Direct Connect
• Maintain regulatory compliance
• Securely use cloud services

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC fundamentals for AWS PrivateLink

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC fundamentals for AWS PrivateLink
Subnets and
Availability Zones
Routing in your VPC Authorizing traffic Elastic network
interfaces
VPC subnet

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Subnets and Availability Zones
VPC Subnet

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c
Region
eu-west-1 (Ireland)

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routing in your VPCIGW

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routing in your VPC
• Route tables contain rules for which packets go where
• Your VPC has a default route table
• But, you can assign different route tables to different
subnets

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Traffic destined for my VPC
stays in my VPC

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Everything that isn’t destined for the VPC:
send to the internet gateway (i.e., the internet)

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Routing by subnet
VPC subnet - webservers
VPC subnet - backends
Has route to internet
Has no route to internet

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network security in your VPC:
Security groups

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
“MyWebServers” Security Group
“MyBackends” Security Group
Allow only “MyWebServers”
Security groups follow application structure

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups example: Web servers
Allow all HTTP traffic

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security groups example: Backends
Allow application traffic from
web servers only

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Elastic network interfaces

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Elastic network interfaces
• Virtual networking card
• Has a private IP in the address range of your subnet
• Can be owned by you or managed by an AWS service
• Apply security groups to an elastic network interface

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Accessing AWS services from VPC

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Accessing AWS services from VPC
Gateway VPC endpoints for
AWS
Interface VPC endpoints for
AWS

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gateway VPC endpoints

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon S3 and your VPC
S3 bucket
Your applications
Your data

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Gateway VPC endpoints

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC endpoints: Amazon S3 and Amazon DynamoDB
S3 bucket
Route S3-bound traffic
to the VPC endpoint

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Interface VPC endpoints

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Interface VPC endpoints

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS PrivateLink for AWS services
Private IP:
10.10.1.6
Private IP:
10.10.2.10
vpce-….ec2.eu-west-1.vpce.amazonaws.com
vpce-…eu-west-1a.ec2.eu-west-1.vpce.amazonaws.com
vpce-…eu-west-1b.ec2.eu-west-1.vpce.amazonaws.com
ec2.eu-west-1.amazonaws.com
EC2 APIs

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Providing and using shared services over
AWS PrivateLink

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Providing and using shared services
Providing shared
services
Using shared services Using third-party
services

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Walkthrough: Sharing a service

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sharing a service without AWS PrivateLink
Load Balancer

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: Network Load Balancer
Use multiple Availability Zones

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: VPC endpoint service
Review requests from service
consumers

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: VPC endpoint service
This is what you share with
your service users

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: VPC endpoint service

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: VPC endpoint service

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: VPC endpoint service

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: VPC endpoint service

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setting up your service: AWS Marketplace

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enhancement for AWS Marketplace services:
Vanity DNS names
vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
Service’s base DNS name
service ID region sub-domain
vpce-12345.vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
Endpoints’ DNS name on client side
VPC endpoint ID
vpce-67890.vpce-svc-1a2b3c4d.us-east-1.vpce.amazonaws.com
base DNS name

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Enhancement for AWS Marketplace services:
Vanity DNS names
us-east-1.vpce.myexample.com
Service’s vanity DNS name
region sub-domain
vpce-12345.us-east-1.vpce.myexample.com
Endpoints’ DNS name on client side
VPC endpoint ID
vpce-67890.us-east-1.vpce.myexample.com
vanity base DNS name
✓ Easier recognition of
service endpoints
✓ Straightforward TLS
termination

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Walkthrough: Using shared services

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using shared services

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using shared services

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using shared services
Service user Service provider
These point to the endpoint
from inside your VPC

50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sharing services over AWS PrivateLink
Network Load
Balancer (NLB)
Endpoint Service vpce-svc-0d8d
Private IP:
10.10.1.6
endpoint
vpce-1234
vpce-1234-ktfdt2an.vpce-svc-0d8d.us-east-
1.vpce.amazonaws.com
Cool Shared
Service

51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Walkthrough: Using third-party services

52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using third-party services
2.
3.
1.

53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use cases

54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use cases
• Securely access SaaS applications
• Maintain regulatory compliance
• Migrate to hybrid cloud

55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Recap

56. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Recap
• Secure your traffic
• Simplify network management
• Accelerate hybrid cloud migration

57. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Submit session feedback
1. Tap the Schedule icon.
2. Select the session you
attended.
3. Tap Session Evaluation to
submit your feedback.

58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!