AWS PrivateLink is a networking service that allows you to increase the security, scale, and resiliency of your services. In this session, we review the way AWS PrivateLink works, best practices, and how to increase availability and security. We review how to set up both the consumer and provider sides of PrivateLink, use cases, and interoperability with other AWS services. Whether you want to consume services in a more scalable and private way or you have services you want to share with others, we help you understand best practices for AWS PrivateLink.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best Practices for AWS PrivateLink
N E T 3 0 1
James Devine
Senior Solutions
Architect
Puneet Konghot
Senior Product
Manager, EC2
Paul Revello
Cloud Architect,
HSBC

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect from this session
• 300 level session – you should have at least a basic understanding
of PrivateLink
• Deep dive into data flows, architectures, use cases, and best
practices
• You don’t need to be a networking guru, PrivateLink is actually
pretty simple!

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• Intro
• Use cases for PrivateLink
• Best Practices
• Customer use case: HSBC
• Q&A

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why PrivateLink?
• Customers have many VPCs
• Need private connectivity between VPCs
• Access to AWS services through private IPs
• Desire to limit/remove the need for IGWs

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why PrivateLink? – Brings a service into a VPC
Service ProviderService Consumer
Consumer VPC Provider VPC
VPCE NLB
Region : us-east-1
• Combines two important cloud concepts:
• Virtual private cloud (VPC) – A private network that can be isolated from the Internet
• Software delivered as a service – Owned and operated by the provider, consumed by consumer
• PrivateLink makes it possible to consume a service without traversing the Internet

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is PrivateLink?
• Services specific link between a consumer VPC and a provider VPC
• Interface VPC endpoint in consumer VPC
• One or more ENIs
• DNS names at regional and zonal level
• NLB as service frontend in provider VPC
• Uses hyperplane to link VPCE to NLB
• Eliminates the need for NAT, VPN, proxy devices
• Can operate across VPCs that have overlapping IP spaces
• Three types of services accessible over PrivateLink
• AWS services
• Customer hosted internal services
• 3rd-party services (SaaS)

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How it work for AWS Services
AWS ServiceConsumer VPC
Consumer VPC
AWS Service
VPCE
us-east-1
Internet

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How it work for Consumer and and SaaS Services
Provider/SaaS VPCConsumer VPC
Consumer VPC Provider VPC
VPCE NLB
us-east-1
Internet

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPCE vs. ENI
• A VPC endpoint is a collection of ENIs
spanning subnets
• Within a subnet, a VPCE is represented as
an ENI
• At most one ENI per AZ
• An ENI is used to connect to a PrivateLink
enabled service
Service Consumer VPC
AZ a
VPCE
AZ b
AZ c
AZ d

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Existing applications – NLB
Shared Service VPC (service provider)
AZ a
NLB
AZ b
AZ c
VPC (service consumer)
VPC (service consumer)

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Existing apps - Proxy
Proxy VPC (service provider)
AZ a
NLB
AZ b
AZ c
VPC (service consumer)
VPC (service consumer)
Service VPC
Service VPC
VPC peering
VPC peering

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Microservices
Microservices VPC (service provider)
NLB
VPC (service consumer)
Microservices VPC (service provider)
NLB
VPC (service consumer)

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Accessing services in AWS from On-prem
Shared Services VPC (Service Consumer)corporate data center
On-prem
servers
Direct
Connect
VPN
Service Provider
NLB

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Access to On-prem resources through DX or VPN
Shared Services VPC (service provider)
NLB
corporate data center
On-prem
servers
VPC (service consumer)
VPC (service consumer)
Direct
Connect
VPN

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sharing VPCEs across VPCs
Shared Services VPC (Service Consumer)
VPC
corporate data center
On-prem
servers
Route53
Resolver
Transit
Gateway
VPC
VPC
VPN

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-region connectivity to services
eu-west-1
us-east-1
VPC (service consumer)
VPC (service consumer)
VPC (service consumer)
inter-region
VPC peering
VPC (service provider)
NLB

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Presenting services in another region
us-east-1
VPC (service consumer) VPC (service provider)
NLB
eu-west-1
VPC (service consumer) VPC (service provider)
NLB
inter-region
VPC peering

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
SaaS for service providers

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Carefully consider DNS
• Choose a DNS strategy that works for your architecture
• Options for DNS
• Use “Private DNS name” option to automatically create private DNS names
• Use AWS assigned public DNS names for each interface endpoint
• Create private CNAME/ALIAS to interface endpoint in Amazon Route 53 private hosted
zone
• Use Route 53 Resolver and/or on-premise DNS server

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DNS example: Private DNS name

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DNS example: AWS assigned public DNS names

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shared Service VPC (10.128.14.0/23)
VPC (10.0.16.0/24)
AZ 1a + 1b
10.0.16.[x]
Workload Instance
CloudWatch
AZ 1a
10.128.14.25
AD Node 1
AZ 1b
10.128.15.10
AD Node 2
VPC Peering
DNS example: Route 53 resolver
Route 53
Resolver
logs.us-east-1.amazonaws.com
corp.example.com

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Consider the zonal nature of PrivateLink
• PrivateLink data path operates within a zone
• Interface VPCE ENIs map to NLB ENIs in the same AZ
• Consumer applications should use VPCE regional DNS name
• Resilient to AZ level issues
• Service provider NLB should be deployed in most, if not all, AZs
• Carefully consider whether to enable cross-zone load balancing

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service access using VPCE regional DNS name
Service Consumer Service Provider
NLB
AZ - A
VPCE
AZ - B
AZ - C

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cross-zone load balancing
Service Consumer Service Provider
NLB
AZ - A
VPCE
AZ - B
AZ - C

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service provider – Deploy NLB in every AZ

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service provider – Whitelisting principals
• Whitelist at least at the account level, more granular if required
• For public service * principal can be used

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Service provider – Endpoint acceptance
• Require acceptance for sensitive services
• Leverage SNS notifications to automate approval workflow
• For public services auto-accept can be enabled (or if using whitelisted
principals)

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cost
• Consumer billed on
• Cost per GB processed
• Cost per VPC endpoint ENI
• Cross-zone data transfer
• Service provider billed on
• NLB
• NLB traffic cross-zone
• No charges specifically for PrivateLink
• Choose appropriate number of subnets (AZs) per VPCE

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cost
Service Consumer Service Provider
NLB*
AZ - A
VPCE
AZ - B
AZ - C
$
$
$
$
$$
$ - Consumer
$ - Provider
*standard NLB charges
$
$

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. HSBC - The World’s Leading International Bank
Our organization is large, diverse, and complex

37. AWS - A key component of our strategy
Core system
abstraction
to deliver our
more dynamic
customer
engagement
components
Leveraging
data
to enable
personalised,
real-time
alerts,
notifications,
and
reminders
Increasing agility
& scalability
through strategic
use of AWS
infrastructure
and technology
services
Increasing
security
by building
consistency
and
governance
into our use of
Cloud
technologies

38. Our AWS estate is significant and complex
Ten
major business
units & functions
6
regions
90
AWS services
>200
AWS accounts
1200
HSBC DevOps
Engineers
Why PrivateLink?
Decoupling of infrastructure
in a secure, controllable
manner
Limit blast radius while
enabling usage of shared
patterns
Integrate new services with
on-premise systems quickly
and securely

39. Reality of shared VPCs at scale
- VPC limits
- Large blast radius
- SG and route table sprawl
- Increased complexity
PrivateLink to decouple
VPC App 1 VPC App 2
VPC App 3
VPC App 5 VPC App 4
VPC Shared Service 1
VPC App 6
VPC App 7
VPC App 8
VPC Shared Service 2
Instances Instances Instances
Instances
Instances
Instances
Instances
Instances Instances
Instances

40. Making things better
- No peering
- Routing table stays unchanged
- Blast radius decreased
- Simpler ENI based model
PrivateLink to decouple
VPC App 1 VPC App 2 VPC App 3 VPC App 5VPC App 4
VPC Shared Service 1
VPC App 6 VPC App 7 VPC App 8
VPC Shared Service 2
Instances Instances

41. A CASE STUDY:
How we can design to deliver services at pace while staying loosely coupled
On-
Premise
VPC 1
ENI 1
ENI 2
VPC 3VPC 2
VPC 4
VPC 5Instances
ENI
Instances
ENI
ENI
Instances
Easy on premise integration
- Applications presented in a single VPC
- Simplified DX and routing
- Blast radius decreased
- Loosely coupled services without peering
Instances
Compute
Compute

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where to start?
• Greenfield
• Loose coupling – PrivateLink as glue
• Micro-segmentation/micro-services
• Existing apps
• Determine where you can de-couple connections
• Proxy applications that will support it
• Leverage NLB for services
• On-prem access
• Leverage VPN/Direct Connect to extent to on-prem
• Inter-region
• Leverage inter-region peering to quickly extend to other regions
• Gradually build out infrastructure in additional regions

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

44. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
James Devine, Puneet Konghot,
and Paul Revello

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.