A VPC Endpoint lets your VPC privately access AWS services without using the Internet, NAT Gateway, or IGW.
There are two types:
- 🧩 Interface Endpoint
- 🚪 Gateway Endpoint
👉 AWS PrivateLink is the technology behind Interface Endpoints.
🧩 Interface Endpoint
🔹 What it is
- Creates Elastic Network Interfaces (ENIs) in your subnet
- You access services using private IPs
- Uses AWS PrivateLink
🔹 Supported services
- Most AWS services: SSM, EC2 API, CloudWatch, ECR, Secrets Manager
- Your own services (via NLB)
- SaaS / third-party services
🔹 Key points
- Works across VPCs and accounts
- Uses Security Groups
- Charged per hour + per GB
🧠 When to use
✅ Private access to AWS services
✅ Expose your service to other VPCs safely
✅ No CIDR overlap issues
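Because an Interface Endpoint is just an ENI with a private IP, its Security Group is the control that decides who inside the VPC can reach the service. The following is an added example (not code from the original post) that audits the Security Groups attached to an endpoint: it expects only TCP/443 ingress, and only from the VPC's own CIDR, and reports anything wider. The input is constructed in the shape of the `ec2.describe_security_groups()` response; the group IDs and CIDRs are made up, and only IPv4 ranges are checked.

```python
import ipaddress

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
# IDs, names and CIDRs are invented for this example.
VPC_CIDR = "10.20.0.0/16"
ENDPOINT_SGS = [
    {
        "GroupId": "sg-0example1",
        "GroupName": "vpce-ssm-good",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0example2",
        "GroupName": "vpce-ssm-open",
        "IpPermissions": [
            # 443 is fine, but open to the world instead of the VPC
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []},
            # "-1" means every protocol and port
            {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
             "IpRanges": [{"CidrIp": "10.20.1.0/24"}],
             "UserIdGroupPairs": []},
        ],
    },
]


def audit_endpoint_sg(sg, vpc_cidr):
    """Return findings for one security group attached to an interface endpoint.

    Expected shape: only TCP/443 ingress, and only from inside the VPC CIDR
    (ingress that references another security group is left alone).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto == "-1":
            findings.append(f"{sg['GroupId']}: allows all protocols")
        elif not (proto == "tcp" and perm.get("FromPort") == 443
                  and perm.get("ToPort") == 443):
            findings.append(f"{sg['GroupId']}: non-443 ingress "
                            f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}")
        for r in perm.get("IpRanges", []):
            src = ipaddress.ip_network(r["CidrIp"])
            if not src.subnet_of(vpc):
                findings.append(f"{sg['GroupId']}: ingress from outside the VPC ({src})")
    return findings


def audit_all(sgs, vpc_cidr):
    """Map each group ID to its findings; an empty list means the group is clean."""
    return {sg["GroupId"]: audit_endpoint_sg(sg, vpc_cidr) for sg in sgs}


if __name__ == "__main__":
    for group_id, findings in audit_all(ENDPOINT_SGS, VPC_CIDR).items():
        print(group_id, "OK" if not findings else findings)
```

To run this against a real account, replace `ENDPOINT_SGS` with the `Groups` listed by `describe_vpc_endpoints` for the endpoint and fetch them with `describe_security_groups`; the audit logic does not change.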
🚪 Gateway Endpoint
🔹 What it is
- Adds routes in your route table
- No ENIs, no Security Groups
🔹 Supported services
Only supports:
- 🪣 S3
- 📦 DynamoDB
🔹 Key points
- Free
- Scales automatically
- Traffic stays inside AWS network
🧠 When to use
✅ Access S3/DynamoDB privately
✅ Cheapest & simplest option
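A Gateway Endpoint on its own only changes routing; by itself it neither restricts which buckets the VPC can reach nor stops the bucket from being reached from elsewhere. The added example below (not code from the original post) shows the two policies that close that gap: an endpoint policy that limits the endpoint to named buckets, and a bucket policy that denies any request not arriving through the endpoint via the `aws:sourceVpce` condition key. It also includes a check that a route table carries the prefix-list route the endpoint adds. The bucket name, endpoint ID and route table are constructed for the example.

```python
import json

# Constructed sample in the shape of ec2.describe_route_tables()["RouteTables"][0].
# A gateway endpoint shows up as a route whose target is the vpce-... ID and whose
# destination is a prefix list for the service. IDs are invented for this example.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
        {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example"},
    ],
}


def build_endpoint_policy(bucket_arns):
    """Gateway endpoint policy: only the listed buckets are reachable through this endpoint.

    Without a policy the endpoint allows full access to every S3 bucket, including
    buckets in other accounts.
    """
    resources = []
    for arn in bucket_arns:
        resources += [arn, f"{arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyTheseBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def build_bucket_policy(bucket_arn, vpce_id):
    """Bucket policy: deny every request that did not arrive through the given endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def route_table_has_endpoint_route(route_table, vpce_id):
    """True if the route table already carries the prefix-list route for this endpoint."""
    return any(r.get("GatewayId") == vpce_id and "DestinationPrefixListId" in r
               for r in route_table.get("Routes", []))


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"      # constructed
    vpce = "vpce-0example"                      # constructed
    print(json.dumps(build_endpoint_policy([bucket]), indent=2))
    print(json.dumps(build_bucket_policy(bucket, vpce), indent=2))
    print("route present:", route_table_has_endpoint_route(SAMPLE_ROUTE_TABLE, vpce))
```

The Deny statement applies to every principal, so once it is attached the bucket is no longer reachable from the console or from outside the VPC either; the usual practice is to add an exception for an administrative role before applying it.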
🔒 PrivateLink
🔹 What it really is
PrivateLink = Secure service exposure using Interface Endpoints
Think of it as:
“I want to expose my service privately without opening my VPC.”
🧠 When to use
✅ SaaS-like architecture
✅ Cross-account secure access
✅ No VPC peering / no CIDR worries
🔗 VPC Peering
🔹 What it is
- 1-to-1 private connection between two VPCs
- Uses private IPs
- No transitive routing
🔹 Key points
- Simple, but doesn’t scale well
- CIDR must not overlap
- No Security Group referencing across VPCs
🧠 When to use
✅ Small number of VPCs
✅ Full network-level access
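The two practical limits on peering are that CIDRs must not overlap and that routing is not transitive, so every pair of VPCs that needs to talk needs its own connection. The added example below (not code from the original post) checks a planned set of VPCs for overlapping address space before any peering is created, handling VPCs with more than one CIDR block, and counts the connections a full mesh would need. The VPC names and CIDRs are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Constructed sample: VPC names and CIDR blocks are invented for this example.
# A VPC can have several CIDR blocks, so each entry is a list.
VPCS = {
    "vpc-app":    ["10.0.0.0/16"],
    "vpc-data":   ["10.1.0.0/16", "100.64.0.0/22"],
    "vpc-legacy": ["10.0.128.0/17"],   # sits inside vpc-app's range
}


def overlapping_pairs(vpcs):
    """Return (vpc_a, vpc_b, cidr_a, cidr_b) for every pair whose address space overlaps.

    A peering connection between such a pair is rejected by AWS, and even if it
    were possible the overlapping addresses could not be routed unambiguously.
    """
    conflicts = []
    for (a, a_cidrs), (b, b_cidrs) in combinations(vpcs.items(), 2):
        for ca in a_cidrs:
            for cb in b_cidrs:
                if ipaddress.ip_network(ca).overlaps(ipaddress.ip_network(cb)):
                    conflicts.append((a, b, ca, cb))
    return conflicts


def can_peer(vpcs, a, b):
    """True if VPCs a and b share no address space."""
    return not any({x, y} == {a, b} for x, y, _, _ in overlapping_pairs(vpcs))


def full_mesh_links(n):
    """Peering is not transitive, so n VPCs that all need to reach each other
    require n(n-1)/2 separate peering connections."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    for a, b, ca, cb in overlapping_pairs(VPCS):
        print(f"cannot peer {a} ({ca}) with {b} ({cb}): overlap")
    print("connections for a full mesh of", len(VPCS), "VPCs:", full_mesh_links(len(VPCS)))
```

The mesh count is what makes peering stop scaling: ten VPCs already need 45 connections and 45 sets of route-table entries to maintain.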
⚡ Direct Connect
🔹 What it is
- Dedicated physical connection
- From on-premises → AWS
- Bypasses public internet
🔹 Key points
- Very low latency
- High bandwidth (1–100 Gbps)
- Costly but stable
🧠 When to use
✅ Hybrid cloud
✅ Predictable latency & bandwidth
✅ Enterprise workloads
| Feature | Interface Endpoint | Gateway Endpoint | PrivateLink | VPC Peering | Direct Connect |
|---|---|---|---|---|---|
| Internet needed | ❌ | ❌ | ❌ | ❌ | ❌ |
| ENI used | ✅ | ❌ | ✅ | ❌ | ❌ |
| Route table change | ❌ | ✅ | ❌ | ✅ | ❌ |
| Security Groups | ✅ | ❌ | ✅ | ❌ | ❌ |
| Cross-account | ✅ | ❌ | ✅ | ⚠️ | ✅ |
| CIDR overlap OK | ✅ | ✅ | ✅ | ❌ | ✅ |
| Typical use | AWS services | S3/DDB | SaaS / APIs | VPC-to-VPC | On-prem |
- 🧩 Interface Endpoint → “ENI + Private IP”
- 🚪 Gateway Endpoint → “Route table only”
- 🔒 PrivateLink → “Secure service publishing”
- 🔗 VPC Peering → “Flat VPC connection”
- ⚡ Direct Connect → “Private fiber to AWS”