AWS connectivity
AWS PrivateLink
This setup will allow specific Tray connectors to reach your services hosted on AWS. VPC Endpoints are what facilitate this type of connectivity - using a technology called PrivateLink.
PrivateLink enables private connectivity between VPCs and supported AWS services hosted by other AWS accounts, as well as third-party services on AWS Marketplace.
Key points in using PrivateLink
- Traffic will stay within the AWS backbone and hence won’t be exposed to the public internet
- A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, AWS Direct Connect connection or any other networking component, so the build-out topology is simpler and costs are lower.
- PrivateLink does not encrypt the traffic itself; encryption in transit has to be provided at the application layer, for example with TLS.
AWS PrivateLink required info
Details | Notes |
---|---|
Customer Name | |
Geographic location | The region in which your VPC is located. We will locate the Tray.io VPC in a region that is optimal in terms of latency when connecting. |
Tray OrgID | |
Your AWS Account number | |
VPC Endpoint Service fully qualified name | |
VPC Endpoint Service ports | |
AWS PrivateLink setup process
- We set up a separate Tray VPC network which does not overlap with your network and will not require you to reserve a large chunk of routes
- We deploy the relevant connectors inside that dedicated VPC
- We then create and host a VPC Endpoint
- This endpoint will request connectivity to your network which normally requires manual acceptance by your AWS admins ('auto-accept' is not a recommended security practice)
- Once accepted, our connectors will be able to reach the services hosted in your VPC
AWS PrivateLink technical considerations
- In this scenario:
  - Tray becomes the Service Consumer
  - You become the Service Producer
- As per the above diagram, Tray hosts the VPC Endpoint and points it at the fully qualified service name that you provide to us.
- Your VPC endpoint service, which supports integration with PrivateLink, should be placed behind a Network Load Balancer.
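As an added example (not part of Tray's documentation or tooling), the following Python script audits the producer-side settings from the setup process and the technical considerations above: it reads the JSON returned by `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-service-permissions` and flags auto-accept (`AcceptanceRequired` false), a missing Network Load Balancer, and an allowed-principal list wider than the single consumer account. All account IDs, service IDs and ARNs are constructed placeholders.

```python
"""Audit PrivateLink endpoint-service configuration exported with the AWS CLI."""
import json

# Constructed sample data (placeholder IDs, not real AWS resources) in the shape of
# `aws ec2 describe-vpc-endpoint-service-configurations` ...
SERVICE_CONFIGS = json.loads("""{"ServiceConfigurations": [
  {"ServiceId": "vpce-svc-0example0001", "ServiceState": "Available",
   "AcceptanceRequired": false,
   "NetworkLoadBalancerArns": ["arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/net/svc-a/abc"]},
  {"ServiceId": "vpce-svc-0example0002", "ServiceState": "Available",
   "AcceptanceRequired": true,
   "NetworkLoadBalancerArns": ["arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/net/svc-b/def"]}
]}""")
# ... and of `aws ec2 describe-vpc-endpoint-service-permissions --service-id <id>`, keyed by ServiceId.
PERMISSIONS = {
    "vpce-svc-0example0001": {"AllowedPrincipals": [{"PrincipalType": "All", "Principal": "*"}]},
    "vpce-svc-0example0002": {"AllowedPrincipals": [
        {"PrincipalType": "Account", "Principal": "arn:aws:iam::444455556666:root"}]},
}


def audit_service(cfg, perms, consumer_account):
    """Return a list of findings for one endpoint service; empty means it matches the recommended setup."""
    findings = []
    # Auto-accept means any allowed principal's endpoint connects without an admin approving it.
    if cfg.get("AcceptanceRequired") is not True:
        findings.append("auto-accept enabled: set AcceptanceRequired=true so each request is approved manually")
    # PrivateLink endpoint services front their targets with a Network Load Balancer.
    if not cfg.get("NetworkLoadBalancerArns"):
        findings.append("no Network Load Balancer attached to the endpoint service")
    # Only the consumer's AWS account should be allowed to request a connection.
    for principal in perms.get("AllowedPrincipals", []):
        arn = principal.get("Principal", "")
        if principal.get("PrincipalType") == "All" or arn == "*":
            findings.append("wildcard principal: any AWS account may request a connection")
        elif f":{consumer_account}:" not in arn:
            findings.append(f"unexpected allowed principal {arn}")
    return findings


def audit_all(configs, permissions, consumer_account):
    """Map each ServiceId to its findings."""
    return {c["ServiceId"]: audit_service(c, permissions.get(c["ServiceId"], {}), consumer_account)
            for c in configs["ServiceConfigurations"]}


if __name__ == "__main__":
    # "444455556666" stands in for the consumer (Tray) account ID; constructed placeholder.
    for service_id, found in audit_all(SERVICE_CONFIGS, PERMISSIONS, "444455556666").items():
        print(service_id, "OK" if not found else "; ".join(found))
```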