Summary
AWS PrivateLink is a highly available, scalable technology that you can use to privately connect your VPC to services and resources as if they were in your VPC. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to allow communication with the service or resource from your private subnets. Therefore, you control the specific API endpoints, sites, services, and resources that are reachable from your VPC.

You can use Amazon VPC to define a virtual private cloud (VPC), which is a logically isolated virtual network. You can allow the clients in your VPC to connect to destinations outside that VPC. For example, add an internet gateway to the VPC to allow access to the internet, or add a VPN connection to allow access to your on-premises network. Alternatively, use AWS PrivateLink to allow the clients in your VPC to connect to services and resources in other VPCs using private IP addresses, as if those services and resources were hosted directly in your VPC.

Service provider
The owner of a service is the service provider. Service providers include AWS, AWS Partners, and other AWS accounts. Service providers can host their services using AWS resources, such as EC2 instances, or using on-premises servers.
Resource provider
The owner of a resource, for example a database or an Amazon EC2 instance, is the resource provider. Resource providers include AWS services, AWS Partners, and other AWS accounts. Resource providers can host their resources in VPCs or on-premises.
Endpoint services
A service provider creates an endpoint service to make their service available in a Region. A service provider must specify a load balancer when creating an endpoint service. The load balancer receives requests from service consumers and routes them to the service.
By default, your endpoint service is not available to service consumers. You must add permissions that allow specific AWS principals to connect to your endpoint service.
Service names
Each endpoint service is identified by a service name. A service consumer must specify the name of the service when creating a VPC endpoint. Service consumers can query the service names for AWS services. Service providers must share the names of their services with service consumers.
Service states
The following are the possible states for an endpoint service:
Pending
– The endpoint service is being created.
Available
– The endpoint service is available.
Failed
– The endpoint service could not be created.
Deleting
– The service provider deleted the endpoint service and deletion is in progress.
Deleted
– The endpoint service is deleted.
Resource gateway
A resource gateway is a point of ingress into the VPC from which a resource is shared. The provider creates a resource gateway to share resources from that VPC.
Service or resource consumers
The user of a service or resource is a consumer. Consumers can access endpoint services and resources from their VPCs or from on-premises.
VPC endpoints
A consumer creates a VPC endpoint to connect their VPC to an endpoint service or resource. A consumer must specify the endpoint service, resource, or service network when creating a VPC endpoint. There are multiple types of VPC endpoints. You must create the type of VPC endpoint that you require.
Interface
– Create an interface endpoint to send TCP or UDP traffic to an endpoint service. Traffic destined for the endpoint service is resolved using DNS.
GatewayLoadBalancer
– Create a Gateway Load Balancer endpoint to send traffic to a fleet of virtual appliances using private IP addresses. You route traffic from your VPC to the Gateway Load Balancer endpoint using route tables. The Gateway Load Balancer distributes traffic to the virtual appliances and can scale with demand.
Resource
– Create a resource endpoint to access a resource that was shared with you and resides in another VPC. A resource endpoint lets you privately and securely access resources such as a database, an Amazon EC2 instance, an application endpoint, a domain-name target, or an IP address that may be in a private subnet in another VPC or in an on-premises environment. Resource endpoints don't require a load balancer, and they let you access the resource directly.
Service network
– Create a service-network endpoint to access a service network that you created or that was shared with you. You can use a single service-network endpoint to privately and securely access multiple resources and services that are associated with a service network.
There is another type of VPC endpoint, Gateway. You create a gateway endpoint to send traffic to Amazon S3 or DynamoDB. Unlike the other types of VPC endpoints, gateway endpoints do not use AWS PrivateLink.
Endpoint network interfaces
An endpoint network interface is a requester-managed network interface that serves as an entry point for traffic destined to an endpoint service, resource, or service network. For each subnet that you specify when you create a VPC endpoint, we create an endpoint network interface in the subnet.
If a VPC endpoint supports IPv4, its endpoint network interfaces have IPv4 addresses. If a VPC endpoint supports IPv6, its endpoint network interfaces have IPv6 addresses. The IPv6 address for an endpoint network interface is unreachable from the internet. When you describe an endpoint network interface with an IPv6 address, notice that denyAllIgwTraffic is enabled.
Endpoint policies
A VPC endpoint policy is an IAM resource policy that you attach to a VPC endpoint. It determines which principals can use the VPC endpoint to access the endpoint service. The default VPC endpoint policy allows all actions by all principals on all resources over the VPC endpoint.
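As an added example (not from the AWS documentation), the following Python audits an endpoint policy document for the default full-access statement described above and shows, beside it, a constructed scoped policy that limits the endpoint to two CloudWatch actions for principals in one AWS Organization. The organization ID and Sid are placeholders.

```python
import json
from typing import Any, Dict, List

# The default policy the page describes: all actions, all principals, all resources.
DEFAULT_FULL_ACCESS: Dict[str, Any] = {
    "Statement": [{"Action": "*", "Effect": "Allow", "Principal": "*", "Resource": "*"}]
}

# Constructed example of a scoped replacement (identifiers are placeholders): only
# principals in one AWS Organization may call two CloudWatch actions over the endpoint.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgPrincipalsCloudWatchOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["cloudwatch:PutMetricData", "cloudwatch:GetMetricData"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-EXAMPLEORGID"}},
    }],
}

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal: Any) -> bool:
    # "Principal": "*" and "Principal": {"AWS": "*"} both grant to every principal.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for vals in principal.values() for p in _as_list(vals))
    return False

def find_full_access_statements(policy: Dict[str, Any]) -> List[str]:
    """Return the Sid (or '<no Sid>') of every Allow statement that grants all actions on
    all resources to all principals with no Condition, i.e. the default endpoint policy.
    Conditioned statements are skipped and need manual review."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if ("*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))
                and _wildcard_principal(stmt.get("Principal"))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def audit_endpoint_policy(document: str) -> List[str]:
    """Audit a policy given as a JSON string, as the PolicyDocument field of describe-vpc-endpoints returns it."""
    return find_full_access_statements(json.loads(document))
```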
Endpoint states
When you create an interface VPC endpoint, the endpoint service receives a connection request. The service provider can accept or reject the request. If the service provider accepts the request, the service consumer can use the VPC endpoint after it enters the Available state.
The following are the possible states for a VPC endpoint:
PendingAcceptance
– The connection request is pending. This is the initial state if requests are manually accepted.
Pending
– The service provider accepted the connection request. This is the initial state if requests are automatically accepted. The VPC endpoint returns to this state if the service consumer modifies the VPC endpoint.
Available
– The VPC endpoint is available for use.
Rejected
– The service provider rejected the connection request. The service provider can also reject a connection after it is available for use.
Expired
– The connection request expired.
Failed
– The VPC endpoint could not be made available.
Deleting
– The service consumer deleted the VPC endpoint and deletion is in progress.
Deleted
– The VPC endpoint is deleted.
Overview
You can access AWS services through their public service endpoints or connect to supported AWS services using AWS PrivateLink. This overview compares these methods.
Access through public service endpoints
Traffic to an AWS service from an instance in a public subnet is routed to the internet gateway for the VPC and then to the AWS service. Traffic to an AWS service from an instance in a private subnet is routed to a NAT gateway, then to the internet gateway for the VPC, and then to the AWS service. While this traffic traverses the internet gateway, it does not leave the AWS network.

Connect through AWS PrivateLink
First, you create an interface VPC endpoint, which establishes connections between the subnets in your VPC and an AWS service using network interfaces. Traffic destined for the AWS service is resolved to the private IP addresses of the endpoint network interfaces using DNS, and then sent to the AWS service using the connection between the VPC endpoint and the AWS service.

AWS services accept connection requests automatically. The service can’t initiate requests to resources through the VPC endpoint.
DNS hostnames
Most AWS services offer public Regional endpoints, which have the following syntax.
protocol://service_code.region_code.amazonaws.com
For example, the public endpoint for Amazon CloudWatch in us-east-2 is as follows.
https://monitoring.us-east-2.amazonaws.com
With AWS PrivateLink, you send traffic to the service using private endpoints. When you create an interface VPC endpoint, we create Regional and zonal DNS names that you can use to communicate with the AWS service from your VPC.
The Regional DNS name for your interface VPC endpoint has the following syntax:
endpoint_id.service_id.region.vpce.amazonaws.com
The zonal DNS names have the following syntax:
endpoint_id-az_name.service_id.region.vpce.amazonaws.com
When you create an interface VPC endpoint for an AWS service, you can enable private DNS. With private DNS, you can continue to make requests to a service using the DNS name for its public endpoint, while leveraging private connectivity through the interface VPC endpoint.
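As an added example (not from the AWS documentation), the following Python parses a hostname against the three syntaxes given in this section and reports whether it is a public Regional service endpoint, a PrivateLink Regional name, or a PrivateLink zonal name, which is useful when reviewing resolver logs to see which names clients actually use. All endpoint, service and zone values in the comments and tests are constructed.

```python
import re
from typing import Dict, Optional

# Hostname forms described on the page:
#   public Regional endpoint : service_code.region_code.amazonaws.com
#   PrivateLink Regional name: endpoint_id.service_id.region.vpce.amazonaws.com
#   PrivateLink zonal name   : endpoint_id-az_name.service_id.region.vpce.amazonaws.com
REGION = r"[a-z]{2}(?:-gov)?-[a-z]+-\d"
PUBLIC_RE = re.compile(rf"^(?P<service>[a-z0-9-]+)\.(?P<region>{REGION})\.amazonaws\.com$")
VPCE_RE = re.compile(
    rf"^(?P<first>[a-z0-9-]+)\.(?P<service>[a-z0-9-]+)\.(?P<region>{REGION})\.vpce\.amazonaws\.com$"
)

def _hostname(target: str) -> str:
    """Strip an optional scheme, port and path so a URL and a bare name both work."""
    host = target.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".").lower()

def classify_endpoint_name(target: str) -> Optional[Dict[str, str]]:
    """Return the parsed components plus 'kind' (public, regional or zonal),
    or None if the name matches neither the public nor the vpce syntax."""
    host = _hostname(target)
    m = PUBLIC_RE.match(host)
    if m:
        return {"kind": "public", **m.groupdict()}
    m = VPCE_RE.match(host)
    if not m:
        return None
    first, service, region = m["first"], m["service"], m["region"]
    # A zonal name appends -az_name to the endpoint ID; an AZ name is the region plus one letter,
    # so match from the right to avoid splitting on hyphens inside the endpoint ID.
    zonal = re.match(rf"^(?P<endpoint>.+)-(?P<az>{re.escape(region)}[a-z])$", first)
    if zonal:
        return {"kind": "zonal", "endpoint_id": zonal["endpoint"], "az_name": zonal["az"],
                "service_id": service, "region": region}
    return {"kind": "regional", "endpoint_id": first, "service_id": service, "region": region}
```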