VPC Endpoint
- Access AWS services (e.g. S3) without going via the public Internet, so there is no need for:
  - Internet Gateway
  - NAT Gateway
  - VPN Connection
  - Direct Connect
- Traffic does not leave the Amazon network
- Endpoint is a virtual device - horizontally scalable
- Increased security and reliability
VPC Endpoint Type: Interface (PrivateLink)
- Ability to connect to AWS PrivateLink services
- Visible as an Elastic Network Interface (ENI) in a subnet
- Can be accessed from on-premises (via Direct Connect, but not via VPN or VPC Peering)
- Steps
  - Create the interface endpoint (choose the "target" service)
  - Specify subnets
    - Each subnet gets an ENI
  - Specify a Security Group
- DNS name
  - Allows seamless migration (the name stays the same)
- Service Providers
  - AWS Services
    - EC2
    - ELB
    - SSM
    - Kinesis Data Streams
    - KMS
    - CloudWatch
  - Endpoint Service
  - Marketplace
- Use case
  - Build a service
  - Put it behind an NLB
  - Sell your service to other AWS customers
- Use case
  - AWS Services
VPC Endpoint Type: Gateway
- It's like "connecting a virtual cable between the VPC and AWS"
- Endpoint is created "outside" of the VPC (unlike the Interface type)
- Target in the route table
  - Service is identified by a prefix list pl-xxxxxxxx
  - AWS automatically keeps the actual IP addresses behind the prefix list up to date (i.e. it works like an alias)
  - Added to the route table, e.g.
    - pl-1a2dfc3d -> vpce-11bdfd3df
- S3 sees the private IP address of the requester
- VPC Endpoint and resource must be in the same region
- Supported services
  - S3
    - A bucket policy conditioned on the source IP does not work, because the private IP is what S3 sees
    - Instead, use a bucket policy that grants access to the specific VPC (or VPC endpoint)
  - DynamoDB
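Added example, not part of the original notes: a small Python simulation of the gateway-endpoint data path. It expands the prefix-list route (pl-1a2dfc3d -> vpce-11bdfd3df from the notes) into concrete routes and does a longest-prefix lookup, then evaluates two constructed S3 bucket policies against the request context S3 sees: a weak one keyed on aws:SourceIp (which never matches the private IP that arrives via the endpoint) and a hardened one keyed on aws:SourceVpce. The CIDRs, the igw-/vpc-/bucket identifiers, the request contexts and the two-operator policy evaluator are all constructed for illustration; the evaluator is not a model of the full IAM engine (no Deny handling, no policy variables).

```python
"""Added example (not from the original notes): simulate a gateway endpoint
route and show why a bucket policy keyed on aws:SourceIp fails for requests
arriving through the endpoint while one keyed on aws:SourceVpce works.
All IDs, CIDRs and the tiny policy evaluator are constructed; the evaluator
knows only two condition operators and does not replace the real IAM engine."""
import fnmatch
import ipaddress

# Constructed: CIDRs AWS keeps current behind the S3 prefix list. The route
# table only names the prefix list, so routes follow the alias automatically.
PREFIX_LISTS = {"pl-1a2dfc3d": ["52.216.0.0/15", "54.231.0.0/16"]}

ROUTE_TABLE = [  # constructed, with the pl -> vpce entry from the notes
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "igw-0abc1234"},
    {"destination": "pl-1a2dfc3d", "target": "vpce-11bdfd3df"},
]


def expand_routes(routes):
    """Yield (network, target), resolving prefix-list destinations to CIDRs."""
    for route in routes:
        dest = route["destination"]
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        for cidr in cidrs:
            yield ipaddress.ip_network(cidr), route["target"]


def route_lookup(dst_ip, routes=ROUTE_TABLE):
    """Longest-prefix match over the expanded route table, as the VPC router does."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(routes):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def bucket_policy(condition):
    """Minimal read-only bucket policy with a single condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",  # constructed bucket
            "Condition": condition,
        }],
    }


# Weak: trusts the corporate NAT's public range; requests via the gateway
# endpoint carry the instance's private IP, so this never matches them.
WEAK_POLICY = bucket_policy({"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})
# Hardened: pin the bucket to the VPC endpoint itself.
HARDENED_POLICY = bucket_policy({"StringEquals": {"aws:SourceVpce": "vpce-11bdfd3df"}})


def condition_matches(condition, ctx):
    """Evaluate IpAddress / StringEquals conditions against a request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False  # a missing context key never satisfies a condition
            if operator == "IpAddress":
                if ipaddress.ip_address(ctx[key]) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "StringEquals":
                if ctx[key] != expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def is_allowed(policy, action, resource, ctx):
    """Simplified evaluation: any matching Allow statement grants (no Deny handling)."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and stmt["Action"] == action
                and fnmatch.fnmatchcase(resource, stmt["Resource"])
                and condition_matches(stmt.get("Condition", {}), ctx)):
            return True
    return False


# Constructed request contexts as S3 would see them.
VIA_ENDPOINT = {"aws:SourceIp": "10.0.1.25", "aws:SourceVpce": "vpce-11bdfd3df"}
VIA_NAT = {"aws:SourceIp": "203.0.113.7"}
OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"

if __name__ == "__main__":
    print("52.216.10.5 ->", route_lookup("52.216.10.5"))    # vpce-11bdfd3df
    print("198.51.100.9 ->", route_lookup("198.51.100.9"))  # igw-0abc1234
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "via endpoint:", is_allowed(policy, "s3:GetObject", OBJECT, VIA_ENDPOINT))
        print(name, "via NAT:", is_allowed(policy, "s3:GetObject", OBJECT, VIA_NAT))
```

The point the simulation makes is the one in the notes: once the endpoint route exists, S3-bound traffic is steered to vpce-11bdfd3df and S3 sees a private source address, so the only policy that admits those requests is the one conditioned on the endpoint (or VPC) rather than on a public IP range. The hardened policy also rejects the NAT path, which is usually what you want once all S3 access is meant to go through the endpoint.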
VPC Endpoint Services
- Custom service that can be consumed by others
- Requires an NLB in front of the service and supports TCP traffic
- Can be offered on the Marketplace (as a listing)
- Acceptance
  - Optional
  - Service consumer requests access
  - Service provider accepts