Share Internal APIs with several AWS accounts with PrivateLink

When we create an internal API within our VPC not exposed to the internet and want to share it with other Aws accounts, we have two options.

Option one, VPC Peering. Peer our VPC with each VPC, same or different account, which needs access. However, this process has some disadvantages.

  • It gets complicated once we have too many vpc to peer with, managing route tables, limiting access with security groups or nacl, etc.
  • Can peer only with a max of 125 VPCs.
  • Allows access to entire vpc (or subnets) to talk to each other.
  • Need a non-overlapping CIDR.

Second option PrivateLink, which solves all the problems mentioned above. In a few words

  • No vpc peering needed.
  • Private connectivity between APIs. No need for IGW, traffic flow through Aws backbone network. Just like vpc peering but with higher throughput.
  • Interface endpoints that provide a way to privately access all public AWS services like SNS, KMS, Cloudwatch, etc. is also powered by PrivateLink.

Here is how to setup privatelink for our use case.

Image for post

In-Service Provider VPC, i.e where service is running.

  • Create an API behind an NLB(Network Load Balancer) in private subnets(no IGW).
  • Create an Endpoint Service for this NLB.
  • Add all the principals which need access to this service, same or different AWS accounts.

In Consumer VPC i.e where service will be used.

  • Create an Endpoint pointing to EndPoint Gateway service name. Must choose a vpc with subnets in the same AZ as the service provider.
  • Point ALB to ip addresses of the Endpoint ENI.

This is extremely simple to set up and maintain across 100s or 1000s of Aws accounts. Lets me quickly go through this process step by step. All we need is two VPCs in the same or different Aws account.

Step 1: Set up a private API

We need an API running behind NLB, I decided to run a docker container in ECS Fargate.

  • Sign up for a free Kafka cloud account with Confluent or CloudKarafka.
  • Spin up the ECS Task by pulling docker image Kafka-UI and passing necessary environment variables to connect to a Kafka account. This image exposes a web UI for Kafka on port 5000.
  • Create a TargetGroup pointing to ECS service task private ip.

Image for post

  • Create an NLB in private subnet point to that NLB. Since they are private, can’t be tested from the browser. I quickly moved subnets to custom route table with IGW just to test and moved them back to route table with no internet.

Image for post

Step 2: Setup Vpc Endpoint Service

  • Head over to ‘EndPoint Services’ in vpc service and create one, select nlb created above. Choose Acceptance Required as ‘Yes’, this will allow accepting when a new consumer is added to this service.
  • Note the service name, we need it to share this with consumers.

Image for post

  • Add consumer aws account(s) in Principals.

Image for post

Step 3: Setup Vpc Endpoint in Consumer account

  • In the ‘Gateway’ section of Consumer Aws account vpc, create an endpoint. we need to give service name captured from service provider vpc gateway service and choose a vpc with subnets from the same AZ of the service provider NLB.
  • We need to accept this connection in the service provider vpc endpoint service console. This will show the status ‘available’.
  • Capture IP address of the endpoints.

Image for post

Step 4: Create an ALB to test the endpoint

  • Create a Target and choose target as IP and point to IP addresses of endpoint ENI.

Image for post

  • Then create a public facing ALB to point to the target.

Image for post

This is it. We have successfully deployed a private API within our vpc and let other services in totally different vpc and account access it without vpc peering and public internet. Use cases of private link are countless Here is an excellent re-invent video covering them in great detail.

This Post Has 10 Comments

  1. porno

    Grea post. I am going through a few of thdse issues as well.. Deb Arni Raymund

  2. erotik

    Wonderful, what a web site it is! This web site provides valuable data to us, keep it up. Kirstin Steffen Fortunato

  3. erotik izle

    Very good article! We will be linking to this great post on our site. Keep up the good writing. Timothea Alix Flanna

  4. erotik izle

    It is in point of fact a great and helpful piece of info. Linnet Rouvin Verna

  5. erotik izle

    You completed certain good points there. I did a search on the matter and found most folks will have the same opinion with your blog. Leodora Conant Bonnes

  6. erotik izle

    Excellent post. I will be experiencing some of these issues as well.. Avivah Marion Campagna

  7. film

    Excellent article! We are linking to this particularly great content on our website. Keep up the great writing. Lona Randi Hadwin

  8. film

    I always emailed this weblog post page to all my associates, as if like to read it next my friends will too. Mignon Enrico Strohbehn

  9. film

    Your means of telling everything in this post is in fact nice, all be capable of without difficulty know it, Thanks a lot. Stormie Valentine Mercorr

  10. film

    I like this internet site because so much useful material on here :D. Noella Pacorro Tomkin

Leave a Reply