AWS Private Links Explained

Last Updated : 04-Oct-2020


AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access your services, AWS PrivateLink ensures your traffic is not exposed to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.

Private Link Setup

The following are the general steps to create an endpoint service.

  1. Create a Network Load Balancer for your application in your VPC and configure it for each subnet (Availability Zone) in which the service should be available. The load balancer receives requests from service consumers and routes it to your service. Configure your service in all Availability Zones within the Region.
  2. Create a VPC endpoint service configuration and specify your Network Load Balancer.

The following are the general steps to enable service consumers to connect to your service.

  1. Grant permissions to specific service consumers to create a connection to your endpoint service.
  2. A service consumer that has been granted permissions creates an interface endpoint to your service, optionally in each Availability Zone in which you configured your service.
  3. To activate the connection, accept the interface endpoint connection request. By default, connection requests must be manually accepted. However, you can configure the acceptance settings for your endpoint service so that any connection requests are automatically accepted.

The combination of permissions and acceptance settings can help you control which service consumers (AWS principals) can access your service. For example, you can grant permissions to selected principals that you trust and automatically accept all connection requests, or you can grant permissions to a wider group of principals and manually accept specific connection requests that you trust.

In the following diagram, the account owner of VPC B is a service provider, and has a service running on instances in subnet B. The owner of VPC B has a service endpoint (vpce-svc-1234) with an associated Network Load Balancer that points to the instances in subnet B as targets. Instances in subnet A of VPC A use an interface endpoint to access the services in subnet B.

 Using an interface endpoint to access an endpoint service


  • increased security as network traffic that uses AWS PrivateLink doesn’t traverse the public internet, reducing the exposure to threat vectors such as brute force and distributed denial-of-service attacks.
  • attach an endpoint policy, which allows you to control precisely who has access to a specified service
  • simpler network management as there is no need to configure an Internet gateway, VPC peering connection, or manage VPC Classless Inter-Domain Routing (CIDRs).
  • simpler migration of traditional on-premises applications to SaaS offerings hosted in the cloud since traffic is not exposed on the public internet

Use Cases

  • connect securely to SAS systems
  • preventing your sensitive data, such as customer records, from traversing the Internet helps you maintain compliance with regulations such as HIPAA, EU/US Privacy Shield, and PCI.
  • On-premises applications can connect to service endpoints in Amazon VPC over AWS Direct Connect or AWS VPN

Exam Tips

  • used to access thrird part y services securely
  • common in Finance and Medical application where compliance rules prevent use of public network
  • highly available via multiple endpoints
  • IPv4 and TCP only (IPV6 not supported)
  • Private DNS is supported (point at private link endpoints)
  • Can access services over Direct Connect, Site-to-Site VPN and VPC Peering


Using Template: Template Post
magnifier linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram