AWS PrivateLink enables private connectivity between Virtual Private Clouds (VPCs) and AWS services, third-party SaaS applications, or on-premises environments without exposing traffic to the public internet.
AWS provides the following types of VPC endpoints under PrivateLink:
1. Interface Endpoint
An Interface Endpoint allows you to send TCP or UDP traffic to an endpoint service using private IPs within your VPC. It resolves traffic using DNS and does not require an internet gateway, NAT gateway, or VPN connection.
Use Cases:
- Private access to AWS services (e.g., S3, DynamoDB, Secrets Manager).
- Secure communication with third-party SaaS applications.
- Connecting to internal applications across AWS accounts and VPCs.
2. Gateway Load Balancer Endpoint
A Gateway Load Balancer Endpoint forwards traffic to a fleet of virtual appliances using private IP addresses. It is used for security and network inspection services. Traffic is routed through the endpoint using VPC route tables, and the Gateway Load Balancer distributes the traffic across virtual appliances.
Use Cases:
- Deploying firewalls, intrusion detection systems (IDS), or security appliances.
- Load balancing traffic to security appliances.
- Scaling security services with demand.
3. Resource Endpoint
A Resource Endpoint provides private access to a resource shared from another VPC. This allows secure communication with services such as databases, EC2 instances, application endpoints, or private IP addresses in another VPC or an on-premises environment.
Use Cases:
- Securely accessing a database or application in another VPC.
- Private communication between on-premises environments and AWS.
- Direct connectivity to private resources without requiring a load balancer.
4. Service Network Endpoint
A Service Network Endpoint provides access to a service network that was either created by you or shared with you. It allows private access to multiple resources and services associated with a service network using a single endpoint.
Use Cases:
- Private and secure access to multiple services via a single endpoint.
- Consolidated access to applications, databases, and microservices in a shared network.
- Secure multi-account and multi-VPC service access.
Summary of AWS PrivateLink VPC Endpoint Types
| Endpoint Type | Purpose | How It Works | Key Use Cases |
|---|---|---|---|
| Interface Endpoint | Private access to AWS services & third-party applications | Uses private IPs and DNS resolution | Access AWS services like S3, DynamoDB, and SaaS applications |
| Gateway Load Balancer Endpoint | Load balancing & security traffic inspection | Routes traffic to security appliances via VPC route tables | Deploy firewalls, intrusion detection systems, and network monitoring |
| Resource Endpoint | Private access to shared VPC resources | Directly connects to shared resources across VPCs or on-premises | Access databases, EC2 instances, and applications in another VPC |
| Service Network Endpoint | Centralized access to a service network | Single endpoint for multiple resources | Secure, consolidated access to shared applications and services |