AWS Private Link vs VPC Endpoint

What is the difference between Private Link and VPC endpoint? As per the documentation, it seems like a VPC endpoint is a gateway to access AWS services without exposing the data to the internet. But the definition of AWS Private Link also looks similar.

Reference Link: https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html

Is Private Link a superset of VPC endpoint?

It would be really helpful if anyone provides the difference between these two with examples!

Thanks in Advance!

mohangraj asked Mar 20 '21 20:03


People also ask

What is the difference between VPC endpoint and VPC endpoint service?

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

What is AWS private link endpoint?

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.

What is the difference between private link and direct connect?

It's similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except Direct Connect links users' on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from users' VPC environments, which are already in AWS.

Does gateway endpoint use private link?

Gateway endpoints do not use PrivateLink.



4 Answers

AWS defines them as:

VPC endpoint — The entry point in your VPC that enables you to connect privately to a service.

AWS PrivateLink — A technology that provides private connectivity between VPCs and services.

So PrivateLink is a technology allowing you to privately (without Internet) access services in VPCs. These services can be your own, or provided by AWS.

Let's say that you've developed some application and you are hosting it in your VPC. You would like to enable access to this application to services in other VPCs and other AWS users/accounts. But you don't want to set up any VPC peering nor use the Internet for that. This is where PrivateLink can be used. Using PrivateLink you can create your own VPC endpoint services which will enable other services to use your application.

In the above scenario, a VPC interface endpoint is a resource that users of your application would have to create in their VPCs to connect to your application. This is the same as when you create a VPC interface endpoint to access AWS-provided services privately (no Internet), such as Lambda, KMS or SMS.

There are also Gateway VPC endpoints, which are an older technology, replaced by PrivateLink. Gateways can only be used to access S3 and DynamoDB, nothing else.

To sum up, PrivateLink is a general technology which can be used by you or AWS to allow private access to internal services. A VPC interface endpoint is a resource that the users of such VPC services create in their own VPCs to interact with them.

Marcin answered Oct 17 '22 07:10


A useful way of understanding the differences is in how they technically connect private resources to public services.

Gateway Endpoints route traffic by adding prefix lists within a VPC route table which target the Gateway endpoint. It is a logical gateway object similar to an Internet Gateway.

In contrast, an Interface Endpoint uses PrivateLink to inject into a VPC at the subnet level, via an Elastic Network Interface (ENI), giving network interface functionality, and therefore DNS and private IP addressing as a means to connect to AWS public services, rather than simply being routed to it.

The differences in connections offer differing advantages and disadvantages (availability, resiliency, access, scalability, etc.), which then dictate how best to connect private resources to public services.

PrivateLink is simply a very much abstracted technology to allow a more simplified connection by using DNS. The following AWS re:Invent talk offers a great overview of PrivateLink: https://www.youtube.com/watch?v=abOFqytVqBU

Roger England answered Oct 17 '22 08:10

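As an added illustration of the two endpoint types described in the answers above (this is not code from either answer), the following Terraform configuration for the AWS provider creates both in one VPC: a gateway endpoint for S3 that the private route tables point at, and an interface endpoint for KMS that appears as an ENI in each listed subnet and is guarded by a security group. The VPC, subnet, route-table and bucket identifiers and the region are placeholders. The endpoint policy and the security-group rule are the two checks a defender would add: the policy keeps a compromised instance from using the endpoint to reach arbitrary buckets, and the rule keeps the ENI reachable only from inside the VPC.

```hcl
# Added example, not from the original answers. Written against the
# Terraform AWS provider; all IDs below are placeholders.

provider "aws" {
  region = "us-east-1" # assumption: everything lives in one region
}

locals {
  vpc_id          = "vpc-0123456789abcdef0"                                   # placeholder
  vpc_cidr        = "10.0.0.0/16"                                              # placeholder
  private_subnets = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]  # placeholders, two AZs
  private_rt_ids  = ["rtb-0ccccccccccccccccc"]                                 # placeholder
}

# 1) Gateway endpoint: no ENI. The route tables listed here get a route whose
#    destination is the S3 prefix list and whose target is this endpoint.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = local.private_rt_ids

  # Endpoint policy: only one bucket is reachable through this endpoint.
  # Without it, any bucket in any account can be reached via the gateway.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-app-data",   # placeholder bucket name
        "arn:aws:s3:::example-app-data/*",
      ]
    }]
  })
}

# 2) Interface endpoint: an ENI with a private IP in each subnet, so access
#    is controlled by a security group rather than by routing.
resource "aws_security_group" "kms_endpoint" {
  name   = "kms-endpoint"
  vpc_id = local.vpc_id

  ingress {
    description = "HTTPS from inside this VPC only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "kms" {
  vpc_id              = local.vpc_id
  service_name        = "com.amazonaws.us-east-1.kms"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = local.private_subnets
  security_group_ids  = [aws_security_group.kms_endpoint.id]
  # Private DNS makes kms.us-east-1.amazonaws.com resolve to the ENI's private
  # IPs inside the VPC, so an unmodified SDK never leaves the VPC.
  private_dns_enabled = true
}

output "s3_prefix_list_id" {
  description = "Prefix list that now appears as a route destination in the private route tables"
  value       = aws_vpc_endpoint.s3.prefix_list_id
}

output "kms_endpoint_dns" {
  description = "Private hostnames and IPs of the KMS interface endpoint"
  value       = aws_vpc_endpoint.kms.dns_entry
}
```

After `terraform apply`, the two outputs show the difference in the answers directly: the S3 endpoint is visible only as a prefix-list route, while the KMS endpoint has hostnames and private addresses of its own.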

Suppose there is a website xyz.com that I am hosting in a bunch of EC2 instances, exposed to the outside world through a Network Load Balancer. Now, a client who has his/her own AWS account wants to access this xyz.com from an EC2 instance running in their AWS account.

One approach is to go through the Internet. However, the client wants to avoid the internet route. He/she wants to use the AWS backbone to reach xyz.com. The technology that enables that is AWS Private Link. (Note that if you search for Private Link in the AWS services, there will be none. You will get "End point services" as the closest hit.)

So, this is how to route traffic through the AWS backbone:

  1. I, the owner of xyz.com, will create a VPC End Point Service (NOTE the keyword Service here). The VPC End Point Service will point to my Network Load Balancer. I will then give my VPC End Point Service name to the client.
  2. The client will create a VPC End Point (NOTE: this is different from #1). While creating it, the client will specify the VPC End Point Service name (from #1) that he got from me.
  3. I can choose to be prompted to accept the connection from the client to my VPC End Point Service. As soon as I accept it, the client can reach xyz.com from his/her EC2 instance. There is no Internet, no Direct Connect or VPN; this simply works, and it's secure. And which technology enabled it? AWS Private Link!

PRIVATE LINK IS THE ONLY TECHNOLOGY THAT ALLOWS 2 VPCS TO CONNECT THAT HAVE OVERLAPPING CIDR RANGES.


VenVig answered Oct 17 '22 09:10


As you correctly mentioned in the question, both VPC endpoint and AWS private link do not expose traffic to the internet. On the AWS console under VPC, there is a clear option available to create an endpoint. But there is no option/label to create an AWS private link. Actually, there is one more option/label called endpoint service. Creating an endpoint service is one way to establish an AWS private link. At one side of this AWS private link is your endpoint service and at the other side is your endpoint itself. And interestingly, we create both these sides in two different VPCs. In other words, you are connecting two VPCs with this private link (instead of using the internet or VPC peering).

Understand it like: VPC1 got endpoint service ----> private link -----> VPC2 got endpoint

Here the endpoint service side is the service provider while the endpoint is the service consumer. So when you have some service (maybe some application or s/w) that you think other VPC endpoints can consume, you create an endpoint service at your end and consumers will create endpoints at their end. When consumers create endpoints at their end they have to give/select your service name and thus the private link will be established with your service.

Ultimately you can have multiple consumers of your service just like one to many relationship.

Chetan Patil answered Oct 17 '22 09:10
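The three steps in VenVig's answer and the provider/consumer split in Chetan Patil's answer, as one added Terraform example for the AWS provider (this is not code from either answer). Two provider aliases stand in for the two AWS accounts; every ARN, account number, VPC and subnet ID is a placeholder. The example also shows the two controls the service owner keeps over who can connect: `acceptance_required`, which is the manual-accept step 3, and an allowed-principal entry, which rejects connection requests from any other account before acceptance is even offered.

```hcl
# Added example, not from the original answers. Terraform AWS provider;
# all ARNs, account numbers and resource IDs are placeholders.

provider "aws" {
  alias  = "owner"  # account hosting xyz.com behind the NLB
  region = "us-east-1"
}

provider "aws" {
  alias  = "client" # account whose EC2 instance wants to reach xyz.com privately
  region = "us-east-1"
}

# --- Step 1 (owner): endpoint service in front of the existing NLB ---
resource "aws_vpc_endpoint_service" "xyz" {
  provider                   = aws.owner
  network_load_balancer_arns = ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/net/xyz-nlb/0123456789abcdef"] # placeholder
  # Manual acceptance: every consumer endpoint waits in pendingAcceptance
  # until the owner approves it (step 3 below).
  acceptance_required = true
}

# Only the named consumer account may request a connection at all.
resource "aws_vpc_endpoint_service_allowed_principal" "client_account" {
  provider                = aws.owner
  vpc_endpoint_service_id = aws_vpc_endpoint_service.xyz.id
  principal_arn           = "arn:aws:iam::222222222222:root" # placeholder consumer account
}

# --- Step 2 (client): interface endpoint that names the owner's service ---
# The client VPC's CIDR may overlap the owner's; PrivateLink does not route
# between the VPCs, it only places an ENI in the client subnet.
resource "aws_security_group" "xyz_endpoint" {
  provider = aws.client
  name     = "xyz-endpoint"
  vpc_id   = "vpc-0c11e1700000000000" # placeholder client VPC

  ingress {
    description = "HTTPS from inside the client VPC only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"] # placeholder: the client VPC's own CIDR
  }
}

resource "aws_vpc_endpoint" "xyz" {
  provider           = aws.client
  vpc_id             = "vpc-0c11e1700000000000"              # placeholder client VPC
  service_name       = aws_vpc_endpoint_service.xyz.service_name # the name handed over in step 1
  vpc_endpoint_type  = "Interface"
  subnet_ids         = ["subnet-0c11e17000000000"]           # placeholder client subnet
  security_group_ids = [aws_security_group.xyz_endpoint.id]
  # Private DNS for a custom hostname needs the owner to verify the domain on
  # the service first; left off, clients use the vpce-*.amazonaws.com name.
  private_dns_enabled = false
}

# --- Step 3 (owner): accept the client's pending connection ---
resource "aws_vpc_endpoint_connection_accepter" "xyz" {
  provider                = aws.owner
  vpc_endpoint_service_id = aws_vpc_endpoint_service.xyz.id
  vpc_endpoint_id         = aws_vpc_endpoint.xyz.id
}

output "client_facing_dns" {
  description = "Hostnames the client's EC2 instances use; they resolve to private IPs in the client VPC"
  value       = aws_vpc_endpoint.xyz.dns_entry
}
```

Applying this with credentials for both aliases runs the steps in order: the service is created, the client endpoint is created and sits in pendingAcceptance, and the accepter moves it to available. Removing the allowed-principal resource or setting `acceptance_required = false` widens who can connect, which is the setting to review when auditing an exposed endpoint service.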