Mukul

Reputation: 731

What is the difference between AWS PrivateLink and VPC Peering?

Is VPC Peering secure? Do VPC Peering and PrivateLink not use an internet gateway or any other gateway?

Upvotes: 42

Views: 57658

Answers (5)

Rahul Seth

Reputation: 455

Although there are multiple scenarios for choosing VPC peering over AWS PrivateLink or vice versa, here are a few use cases.

When to use a VPC peering connection over AWS PrivateLink:

  1. Peering two or more VPCs to provide full access to resources
  2. Peering to one VPC to access centralized resources
  3. Peering with Classic Link

When to use AWS PrivateLink over a VPC peering connection:

  1. The accepter VPC has a CIDR block that overlaps with the CIDR block of the requester VPC. In this case you can try PrivateLink.

Upvotes: 1
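The overlap rule in the answer above is the one hard stop for peering: AWS will not create a peering connection when any CIDR block of one VPC overlaps any CIDR block of the other, whereas a PrivateLink endpoint only needs an ENI in the consumer's own subnet and never imports the provider's address space. The following pre-flight check is an added example written for this page, not code from the answer or from AWS; the CIDR blocks and the `pcx-PLACEHOLDER` connection id are constructed values.

```python
import ipaddress

# Constructed sample VPC CIDR blocks (a VPC may carry several). Not real deployments.
REQUESTER_VPC = ["10.0.0.0/16", "172.31.0.0/20"]
ACCEPTER_OK = ["10.1.0.0/16"]                            # disjoint: peering works
ACCEPTER_OVERLAP = ["10.0.128.0/17", "192.168.0.0/24"]  # 10.0.128.0/17 sits inside 10.0.0.0/16


def overlapping_cidrs(requester, accepter):
    """Return every (requester_cidr, accepter_cidr) pair whose ranges overlap.

    AWS rejects a peering request when any CIDR block of one VPC overlaps
    any CIDR block of the other, so a non-empty result means peering is
    not an option and a PrivateLink endpoint is the usual fallback.
    """
    pairs = []
    for r in requester:
        r_net = ipaddress.ip_network(r, strict=True)
        for a in accepter:
            a_net = ipaddress.ip_network(a, strict=True)
            if r_net.version == a_net.version and r_net.overlaps(a_net):
                pairs.append((r, a))
    return pairs


def peering_routes(requester, accepter, pcx_id="pcx-PLACEHOLDER"):
    """Build the route entries each side must add once the peering is active.

    Each VPC's route table needs one route per remote CIDR pointing at the
    peering connection; without these routes the connection exists but no
    packets flow. pcx_id is a placeholder, not a real connection id.
    """
    if overlapping_cidrs(requester, accepter):
        raise ValueError("overlapping CIDRs: VPC peering cannot be created")
    return {
        "requester": [{"destination": a, "target": pcx_id} for a in accepter],
        "accepter": [{"destination": r, "target": pcx_id} for r in requester],
    }


def choose_connectivity(requester, accepter):
    """Pick the option the thread describes: peering when the CIDRs are disjoint,
    PrivateLink when they collide (the endpoint lives on an ENI inside the
    consumer's own subnet, so the provider's CIDR never enters routing)."""
    return "PrivateLink" if overlapping_cidrs(requester, accepter) else "VPC peering"


if __name__ == "__main__":
    print(choose_connectivity(REQUESTER_VPC, ACCEPTER_OK))
    print(peering_routes(REQUESTER_VPC, ACCEPTER_OK))
    print(choose_connectivity(REQUESTER_VPC, ACCEPTER_OVERLAP))
    print(overlapping_cidrs(REQUESTER_VPC, ACCEPTER_OVERLAP))
```

Running the check before you submit the peering request saves a rejected request, and the generated route list is a reminder that peering is plain routing: both sides must add routes, and security groups on each instance still decide which peer traffic is actually accepted.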

AADProgramming

Reputation: 6345

Let's understand this with a real-life use case.

  1. Suppose you have your own VPC (created by you using your own AWS account) in which you have a few EC2 instances that want to communicate with instances running in your client's VPC - obviously this VPC is created by your client using his/her AWS account. Use VPC Peering to achieve this communication requirement.

  2. Now consider you have your own VPC (created by you using your own AWS account) with an EC2 instance running inside it, and using the same AWS account you uploaded some files to S3. Now your EC2 instance wants to read the content of a file in S3.

In this case you will configure a VPC Endpoint, which uses PrivateLink technology. AWS PrivateLink allows you to privately access services hosted on the AWS network in a highly available and scalable manner, without using public IPs and without requiring the traffic to traverse the internet.

Hope this helps!

Upvotes: 17

poshjosh

Reputation: 331

VPC Peering vs PrivateLink

These two were developed separately, but have more recently become intertwined.

  • VPC Peering - applies to VPC

  • PrivateLink - applies to Application/Service

With VPC Peering you connect your VPC to another VPC. Both VPC owners are involved in setting up this connection. When one VPC (the visiting) wants to access a resource on the other (the visited), the connection need not go through the internet.

PrivateLink provides a convenient way to connect to applications/services by name with added security. You configure your application/service in your VPC as an AWS PrivateLink-powered service (referred to as an endpoint service). AWS generates a specific DNS hostname for the service. Other AWS principals can create a connection to your endpoint service after you grant them permission.

VPC Peering + PrivateLink

As of March 7, 2019, applications in a VPC can now securely access AWS PrivateLink endpoints across VPC peering connections. AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering connections. More on this

Notes on VPC Peering

VPC peering allows VPC resources including ... to communicate with each other using private IP addresses, without requiring gateways, VPN connections, or separate network appliances. ...Traffic always stays on the global AWS backbone, and never traverses the public internet

Inter-Region VPC Peering provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.

AWS - What is VPC Peering

Notes on Endpoint Services

When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that you can use to communicate with the service. These names include the VPC endpoint ID, the Availability Zone name and Region name, for example, vpce-1234-abcdev-us-east-1.vpce-svc-123345.us-east-1.vpce.amazonaws.com. By default, your consumers access the service with that DNS name.

When you create an endpoint, you can attach an endpoint policy to it that controls access to the related service.

An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.

Upvotes: 28
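The last note in the answer above is the point most often misread: an endpoint policy is an additional gate on traffic passing through the endpoint, not a substitute for the caller's IAM policy or the bucket policy. The following simplified evaluator is an added example written for this page (not AWS code and not a complete model of IAM evaluation): it treats a request arriving through an endpoint as allowed only when the caller's own policy and the endpoint policy both allow it, with an explicit deny in either layer being final. The policies and ARNs are constructed, the `Principal` element is ignored, and the real interplay between identity-based and resource-based policies (such as bucket policies) has further rules not modelled here.

```python
import re

# Constructed policies (not real account data). The identity-based policy is
# deliberately broad; the endpoint policy narrows what can pass through the endpoint.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",  # principals are not evaluated in this simplified model
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::approved-bucket",
                "arn:aws:s3:::approved-bucket/*",
            ],
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    result = None
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_matches(p, action, ignore_case=True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result


def decide(action, resource, identity_policy=IDENTITY_POLICY, endpoint_policy=ENDPOINT_POLICY):
    """Simplified model of a request arriving through a VPC endpoint.

    The endpoint policy is an extra gate, not a replacement: the request must
    be allowed by the caller's own policy AND by the endpoint policy, and an
    explicit deny in either layer is final. Anything else is an implicit deny.
    """
    verdicts = [
        evaluate_policy(identity_policy, action, resource),
        evaluate_policy(endpoint_policy, action, resource),
    ]
    if "Deny" in verdicts:
        return "Deny"
    return "Allow" if all(v == "Allow" for v in verdicts) else "Deny"


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::approved-bucket/report.csv"),   # both layers allow
        ("s3:PutObject", "arn:aws:s3:::approved-bucket/report.csv"),   # endpoint policy silent
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),      # wrong bucket
        ("s3:DeleteObject", "arn:aws:s3:::approved-bucket/report.csv"),  # explicit deny
    ]:
        print(f"{act:16} {res:45} -> {decide(act, res)}")
```

The useful property to notice is the asymmetry: a broad identity policy cannot widen what the endpoint lets through, and a broad endpoint policy cannot grant anything the caller's own policy does not, which is why locking an endpoint policy to a known set of buckets is a worthwhile exfiltration control even for principals whose IAM permissions are generous.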

Ravi

Reputation: 190

VPC peering is a service by AWS to facilitate communication between two VPCs in the same or different regions. I would prefer to set up VPC peering between two private subnets, so the EC2 instances in the private subnets can connect to each other as if they were part of the same network.

VPC PrivateLink is a way of making your service available to a set of consumers. You can expose a service, and the consumers can consume your service by creating an endpoint for it.

A VPC, as a service provided by AWS, can be accessed over the internet. That does not mean it is unsecured. In the AWS console you can customize the configuration to meet your network-security requirements and make your network more secure.

There are many features provided by AWS using which you can make your VPC secure.

More details are shared in the article below:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html

Upvotes: -6

John Rotenstein

Reputation: 269911

VPC Peering allows connectivity between two VPCs. It's just like normal routing between network segments.

VPC PrivateLink allows you to publish an "endpoint" that others can connect with from their own VPC. It's similar to a normal VPC Endpoint, but instead of connecting to an AWS service, people can connect to your endpoint. Think of it as a way to publish a private API endpoint without having to go via the Internet.

In both cases, no traffic goes across the Internet. Connectivity is directly between the VPCs.

Upvotes: 86
