5.5 AWS PrivateLink and Endpoint Services
Key Takeaways
- AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
- PrivateLink endpoint services let you expose your own services to other VPCs/accounts — the service provider creates an NLB, consumers create interface endpoints.
- PrivateLink is unidirectional: consumers connect to the provider, but the provider cannot initiate connections to consumers.
- PrivateLink does not require VPC peering, internet gateways, NAT, or VPN — it creates a private connection through the AWS network.
- Use PrivateLink when you need to expose a service to thousands of VPCs without managing VPC peering connections.
Quick Answer: PrivateLink creates private connections between VPCs and services using ENIs in your subnet. It powers Interface VPC Endpoints for AWS services and custom Endpoint Services for your own applications. No VPC peering, IGW, or NAT needed. Unidirectional: consumer → provider only.
How PrivateLink Works
Provider side:
- Deploy a service behind a Network Load Balancer (NLB)
- Create a VPC Endpoint Service pointing to the NLB
- Accept connection requests from consumer VPCs
Consumer side:
- Create an Interface VPC Endpoint pointing to the provider's endpoint service
- An ENI with a private IP is created in the consumer's subnet
- Applications connect to the private IP to access the provider's service
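As an added example that is not part of the original page, the Terraform sketch below wires up both halves of the procedure above; it assumes the Terraform aws provider, placeholder VPC/subnet IDs and account number, and that the consumer copies the provider's generated service name into its own configuration. The two access controls worth noting are on the provider side (explicit acceptance plus an allow-list of principals) and on the consumer side (the security group attached to the endpoint ENI).

```hcl
# Provider side. vpc-PROVIDER, subnet-*, and 111122223333 are placeholders.
resource "aws_lb" "svc" {
  load_balancer_type = "network"
  internal           = true
  subnets            = ["subnet-PROVIDER-a", "subnet-PROVIDER-b"]
}

resource "aws_lb_target_group" "svc" {
  port     = 443
  protocol = "TCP"
  vpc_id   = "vpc-PROVIDER"
}

resource "aws_lb_listener" "svc" {
  load_balancer_arn = aws_lb.svc.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc.arn
  }
}

# Only listed principals may request a connection, and each request must be
# accepted explicitly: together these decide which consumers can reach the NLB.
resource "aws_vpc_endpoint_service" "svc" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.svc.arn]
  allowed_principals         = ["arn:aws:iam::111122223333:root"]
}

# Consumer side (account 111122223333, its own configuration). The endpoint
# ENI's security group controls which consumer hosts may use the service.
resource "aws_security_group" "endpoint" {
  vpc_id = "vpc-CONSUMER"
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.20.1.0/24"] # application subnet only
  }
}

resource "aws_vpc_endpoint" "svc" {
  vpc_id             = "vpc-CONSUMER"
  service_name       = "com.amazonaws.vpce.us-east-1.vpce-svc-PLACEHOLDER"
  vpc_endpoint_type  = "Interface"
  subnet_ids         = ["subnet-CONSUMER-a"]
  security_group_ids = [aws_security_group.endpoint.id]
}
```

Because the connection is unidirectional, the provider never needs a route or security-group rule back into the consumer VPC; the consumer's traffic arrives at the NLB from the PrivateLink service, not from the consumer's CIDR.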
PrivateLink vs. VPC Peering
| Feature | PrivateLink | VPC Peering |
|---|---|---|
| Direction | Unidirectional (consumer → provider) | Bidirectional |
| Scope | Specific services/ports | All traffic between VPCs |
| Scale | Thousands of consumers per service | 1:1 connection per pair |
| CIDR overlap | Supported (no CIDR restrictions) | Not supported (CIDRs cannot overlap) |
| Transitive | No | No |
| Best for | Service exposure (SaaS, shared services) | Full VPC-to-VPC connectivity |
Use Cases
| Scenario | Solution |
|---|---|
| Access AWS services privately | Interface VPC Endpoint (PrivateLink) |
| Expose your API to partner VPCs | VPC Endpoint Service + NLB |
| SaaS integration without internet | PrivateLink to SaaS provider |
| Shared services across accounts | PrivateLink endpoint service |
On the Exam: "Expose a service to multiple customer VPCs without VPC peering" → PrivateLink endpoint service with NLB. "Access SQS from private subnet without internet" → Interface VPC Endpoint (PrivateLink).
A SaaS company needs to expose their service to hundreds of customer VPCs without requiring VPC peering or internet access. Which approach should they use?
What is a key advantage of AWS PrivateLink over VPC peering for service connectivity?