AWS PrivateLink: Securely Connect to Services via Private Network
Understand AWS PrivateLink and VPC Endpoint differences, and learn how to securely connect to AWS services and SaaS through private networks.
Related Exam Domains
- Domain 1: Design Secure Architectures
Key Takeaway
AWS PrivateLink enables private connectivity from VPC to AWS services, SaaS, and services in other accounts without traversing the internet. S3/DynamoDB use free Gateway Endpoints; other services use paid Interface Endpoints (PrivateLink).
Exam Tip
Exam Essential: "S3, DynamoDB = Gateway Endpoint (free)", "Others = Interface Endpoint (PrivateLink, paid)", "Expose private service = Endpoint Service + NLB"
VPC Endpoint Types
Gateway Endpoint vs Interface Endpoint
| Aspect | Gateway Endpoint | Interface Endpoint |
|---|---|---|
| Supported Services | S3, DynamoDB only | Most AWS services + SaaS |
| Mechanism | Adds route to route table | Creates ENI in VPC (private IP) |
| PrivateLink | Not used | PrivateLink-based |
| Cost | Free | Paid ($0.01/hour + data) |
| Access Scope | Same-region VPC only | Also from on-premises, peered VPCs |
| Security Groups | Not supported | Supported |
| DNS | Uses existing DNS | Provides private DNS name |
Mechanism Comparison
Gateway Endpoint (S3):
[EC2] → Route Table (prefix-list route) → [Gateway Endpoint] (VPC-internal route) → [S3]
Interface Endpoint (SQS):
[EC2] → [ENI] (private IP) → [PrivateLink] (AWS network) → [SQS]
Exam Tip
S3 supports both endpoint types: Gateway Endpoint (free, routing-based) and Interface Endpoint (paid, ENI-based). Gateway Endpoint is recommended for cost savings.
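As an added example (not from the original page), the two endpoint types from the table above in Terraform: a Gateway Endpoint for S3 that installs the route and carries a restrictive endpoint policy, and an Interface Endpoint for SQS with a security group and private DNS. The VPC, route table, subnets, application security group, region variable and bucket name are placeholders.

```hcl
# Added example (not from the original page). Placeholders: the VPC, route
# table, subnets, app security group, region variable and bucket name.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id] # installs the prefix-list route

  # Endpoint policy: without one the endpoint permits any bucket and any
  # principal ("*"); this restricts the private path to one application bucket.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowAppBucketOnly"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-app-bucket",   # placeholder bucket
        "arn:aws:s3:::example-app-bucket/*",
      ]
    }]
  })
}

# Only the application's security group may reach the endpoint ENIs (HTTPS).
resource "aws_security_group" "sqs_endpoint" {
  name   = "sqs-endpoint-sg"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id] # placeholder app SG
  }
}

resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private_a.id, aws_subnet.private_b.id] # one ENI per AZ
  security_group_ids  = [aws_security_group.sqs_endpoint.id]
  private_dns_enabled = true # sqs.<region>.amazonaws.com now resolves to the ENI IPs
}
```

`private_dns_enabled` requires DNS support and DNS hostnames to be enabled on the VPC; the Gateway Endpoint needs no DNS change, matching the "Uses existing DNS" row above.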
PrivateLink Use Cases
1. Private Access to AWS Services
EC2 in Private Subnet → SQS Access:
Via NAT Gateway (not recommended):
[EC2] → [NAT GW] → [IGW] → Internet → [SQS]
→ NAT GW cost + data transfer cost
Via PrivateLink (recommended):
[EC2] → [Interface Endpoint] → [SQS]
→ No internet traversal, enhanced security, NAT GW cost savings
2. Access Services in Other Accounts/VPCs
Service Provider (Account A):
[NLB] → [Application], with an Endpoint Service (PrivateLink) created in front of the NLB
Service Consumer (Account B):
[EC2] → [Interface Endpoint] → [Endpoint Service] → [NLB] → [App]
→ Private access to Account A's service
3. Private Access to SaaS Services
[VPC EC2] → [Interface Endpoint] → [Datadog / Snowflake / etc.]
(AWS Marketplace PrivateLink)
→ Monitoring data doesn't traverse internet
Endpoint Service (Service Provider)
Used to expose your own service via PrivateLink to other VPCs/accounts.
Components
Service Provider VPC:
[Endpoint Service] → [NLB] → [Target Group] → [EC2/ECS]
▲
│ PrivateLink
Consumer VPC:
[EC2] → [Interface Endpoint (ENI)]
| Component | Description |
|---|---|
| NLB or GWLB | Required, placed in front of service |
| Endpoint Service | Exposes NLB/GWLB via PrivateLink |
| Allow List | Specifies the AWS principals (accounts, IAM users/roles) permitted to connect |
Exam Tip
Endpoint Service Keyword: "Expose your service privately to other VPCs/accounts" → NLB + Endpoint Service (PrivateLink)
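As an added example (not from the original page), both sides of the pattern above in Terraform: the provider exposes an internal NLB as an Endpoint Service limited to one consumer account, and the consumer connects with an Interface Endpoint. The NLB, consumer account ID, consumer VPC, subnet and application security group are placeholders.

```hcl
# Added example (not from the original page). Placeholders: the internal NLB,
# the consumer account ID, the consumer VPC/subnet and its application SG.

# --- Provider account A: expose the NLB as an Endpoint Service ---
resource "aws_vpc_endpoint_service" "app" {
  acceptance_required        = true                 # approve each consumer connection
  network_load_balancer_arns = [aws_lb.app_nlb.arn] # internal NLB in front of the app
  allowed_principals         = ["arn:aws:iam::111111111111:root"] # placeholder consumer account
}

# --- Consumer account B: connect with an Interface Endpoint ---
# The consumer VPC CIDR may overlap the provider's; PrivateLink does not route between them.
resource "aws_security_group" "app_endpoint" {
  name   = "app-endpoint-sg"
  vpc_id = aws_vpc.consumer.id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.consumer_app.id] # only the consumer app may connect
  }
}

resource "aws_vpc_endpoint" "app" {
  vpc_id = aws_vpc.consumer.id
  # In a real cross-account setup the provider shares this string
  # (com.amazonaws.vpce.<region>.vpce-svc-...); here it is read from the resource above.
  service_name       = aws_vpc_endpoint_service.app.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [aws_subnet.consumer_private.id]
  security_group_ids = [aws_security_group.app_endpoint.id]
}
```

With `acceptance_required = true` the connection stays in a pending state until the provider approves it, so an allow-listed account still cannot connect silently.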
PrivateLink vs Other Connectivity Options
| Comparison | PrivateLink | VPC Peering | Transit Gateway |
|---|---|---|---|
| Connection Scope | Specific service only | Entire VPC | Entire VPC |
| IP Overlap | Allowed | Not allowed | Not allowed |
| Direction | Unidirectional (consumer→provider) | Bidirectional | Bidirectional |
| Scalability | Per-service | Per-VPC | Hub-spoke |
| Use Case | Service exposure | VPC-to-VPC communication | Multiple VPC connections |
When to Choose PrivateLink
- CIDR Overlap: When VPC IP ranges overlap (Peering not possible)
- Minimal Exposure: Expose specific service, not entire VPC
- Multi-Consumer: Hundreds of VPCs accessing one service
- SaaS Provision: Provide private API to customers
Cost Optimization
NAT Gateway vs VPC Endpoint Cost Comparison
1TB S3 traffic per month:
NAT Gateway:
- Hourly: $0.045 × 730 = $32.85
- Data: $0.045/GB × 1024 = $46.08
- Total: $78.93/month
Gateway Endpoint (S3):
- Free
- Total: $0/month
→ Save $947/year with Gateway Endpoint
Interface Endpoint Pricing
Interface Endpoint cost (varies by region):
- Hourly: ~$0.01/AZ
- Data processing: $0.01/GB
Monthly cost (2 AZs):
$0.01 × 730 hours × 2 AZs = $14.60 + data cost
SAA-C03 Exam Focus Points
- ✅ Gateway vs Interface: "S3/DynamoDB = Gateway (free), others = Interface (paid)"
- ✅ Private Access: "No internet + security = VPC Endpoint"
- ✅ Service Exposure: "Expose service privately to other VPCs = NLB + Endpoint Service"
- ✅ Cost Savings: "S3 traffic NAT Gateway cost savings = Gateway Endpoint"
- ✅ IP Overlap: "CIDR overlap connectivity = PrivateLink (Peering not possible)"
Exam Tip
Sample Exam Question: "EC2 in private subnet needs to access S3. Want to avoid internet and minimize costs. What should you use?" → Answer: S3 Gateway Endpoint (free, no internet)
Frequently Asked Questions (FAQ)
Q: Should I use Gateway Endpoint or Interface Endpoint for S3?
Gateway Endpoint (free) is recommended for most cases. Interface Endpoint is needed when accessing S3 privately from on-premises via DX/VPN, or when accessing S3 in other regions.
Q: Does PrivateLink work across regions?
PrivateLink works within the same region by default. For cross-region PrivateLink connectivity, combine it with Inter-Region VPC Peering or Transit Gateway.
Q: Do I need an NLB to create an Endpoint Service?
Yes. Endpoint Service requires NLB (Network Load Balancer) or GWLB (Gateway Load Balancer). ALB cannot be directly connected.
Q: Can I apply security groups to VPC Endpoints?
Interface Endpoints support security groups. Gateway Endpoints use VPC Endpoint policies (IAM-based) instead of security groups for access control.
Q: Can I use PrivateLink and VPC Peering together?
Yes. Both can be used, chosen by purpose: full VPC-to-VPC communication via Peering and exposure of a specific service via PrivateLink is a common pattern.