VPC Endpoint and Peering

VPC Endpoints

  • A VPC endpoint provides access to public AWS services for resources that have no public IP or sit in a VPC where no NAT gateway is deployed.
  • There are two types: gateway endpoints (S3, DynamoDB) and interface endpoints (most other AWS services).

Gateway Endpoints

  • Work via routing.
  • They appear in the route table as prefix lists, which represent the CIDR ranges of the service; AWS keeps the prefix lists updated.
  • They can have an endpoint policy attached that defines who can access the service through the endpoint.
  • They are highly available across all AZs in a Region.

Interface Endpoints

  • Provisions a network object, an ENI (elastic network interface).
  • The provisioned ENI is your interface endpoint for connecting to the service.
  • The ENI has a private IP/DNS name pair and security groups; NACLs still apply at the subnet level.
  • You can provision the ENI in multiple subnets, one per AZ; applications reach it through DNS resolution, which makes the endpoint highly available.
  • Enable Private DNS to override the service's default public name. You can also give AWS services different names, because you get a private Route 53 zone.

VPC Peering - Layer 3

  • VPC peering is a way to link or connect two VPCs together without using any additional non-AWS services.
  • You connect services via private IPs; a peering can span AWS accounts and regions, with some limitations.
  • Data is encrypted and transits the AWS global backbone, with lower latency.
  • It is a scalable and highly performant way to connect VPCs.
  • Use cases:
    - Sharing a database with another VPC and giving it access to the database.
    - Security auditors can connect to your VPC and perform tests.
    - A vendor-provided service, which should be a web API.
    - An application split up to limit blast radius.
  • A peering connection is a gateway, like a NAT gateway or an IGW.
  • Overlapping VPC CIDRs are the limitation: the two VPCs must not overlap. There is a requester and an accepter.
  • Adjust the route tables on both VPC sides, adding a route to the remote CIDR.
  • NACLs and SGs can be used to control access, because you will have an ENI in your VPC. If the VPCs are in the same region, you can reference the SG ID.
  • IPv6 support is available for cross-region peering.
  • DNS resolution to private IPs can be enabled. It is a setting that must be adjusted on both sides. It keeps the traffic from leaving AWS.
  • Transitive routing isn't supported. If A-B and B-C are peered, that doesn't mean you can reach C from A; you must create another peering between A and C.
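The peering rules above (no CIDR overlap, routes on both sides, no transitive routing) as an offline validator. This is an added example, not part of the original notes; the VPC names, CIDRs, `pcx-*` ids and route tables are constructed sample data.

```python
import ipaddress

# Constructed sample topology: three VPCs, peerings A-B and B-C, none for A-C.
VPCS = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
# Peering connection id (constructed) -> (requester, accepter)
PEERINGS = {"pcx-ab": ("A", "B"), "pcx-bc": ("B", "C")}
# Route table per VPC: destination CIDR -> target. C is missing its return route.
ROUTES = {
    "A": {"10.1.0.0/16": "pcx-ab"},
    "B": {"10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
    "C": {},
}

def can_peer(cidr_a, cidr_b):
    """Peering is only possible when the two VPC CIDRs do not overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def peering_between(a, b):
    """Return the peering id directly linking a and b, or None."""
    for pcx, ends in PEERINGS.items():
        if set(ends) == {a, b}:
            return pcx
    return None

def missing_routes(a, b, pcx):
    """Both route tables need a route to the remote CIDR via the peering."""
    issues = []
    for src, dst in ((a, b), (b, a)):
        if ROUTES[src].get(VPCS[dst]) != pcx:
            issues.append(f"{src} lacks route {VPCS[dst]} -> {pcx}")
    return issues

def reachable(a, b):
    """Traffic flows only over a direct peering routed on both sides;
    a third VPC never forwards it (no transitive routing)."""
    pcx = peering_between(a, b)
    return pcx is not None and not missing_routes(a, b, pcx)

def audit():
    """List overlapping CIDRs and one-sided routes across all peerings."""
    issues = []
    for pcx, (a, b) in PEERINGS.items():
        if not can_peer(VPCS[a], VPCS[b]):
            issues.append(f"{pcx}: CIDRs of {a} and {b} overlap")
        issues.extend(missing_routes(a, b, pcx))
    return issues
```

Running `audit()` on the sample reports only C's missing return route, and `reachable("A", "C")` stays False even though A-B and B-C are both peered.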