AWS Networking & CDN
PrivateLink
Private connectivity to AWS and third-party services without internet exposure
AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications without exposing traffic to the public internet. It uses interface VPC endpoints (powered by ENIs in your VPC) to reach services privately, and enables SaaS providers to offer their services to customers without requiring VPC Peering or internet access.
How PrivateLink Works
PrivateLink uses the concept of an Endpoint Service (provider side) and an Interface VPC Endpoint (consumer side). Traffic flows from the consumer's ENI to the provider's NLB entirely within the AWS network.
| Component | Role | Key Detail |
|---|---|---|
| Interface VPC Endpoint | ENI in your subnet with a private IP pointing to the service | Created in consumer VPC; billed per AZ per hour |
| Endpoint Service | Service that others connect to, fronted by a Network Load Balancer (or a Gateway Load Balancer for inline appliance services) | Created by the service provider, who decides whether connections need manual acceptance and which principals may connect at all |
| NLB (provider side) | Distributes traffic to the service targets | Required for endpoint services; NLB handles health checking; targets see the NLB node's private IP as the source, not the consumer, unless Proxy Protocol v2 is enabled |
| Endpoint Policy | IAM-style resource policy attached to the endpoint | Default policy allows everything; it can only narrow what IAM and resource policies already allow, never grant more, so it is a second gate, not a substitute for IAM |
| Private DNS | Optional; the service's public hostname resolves to the endpoint ENIs inside the VPC | AWS manages a private hosted zone for the service name; requires enableDnsSupport and enableDnsHostnames on the VPC |
For AWS-managed services (S3, DynamoDB, API Gateway, etc.), AWS is the provider and you only need to create the interface endpoint in your VPC. For custom services (SaaS, internal microservices), you create an endpoint service backed by an NLB and share it with consumer VPCs.
PrivateLink needs no VPC Peering, is unaffected by overlapping CIDRs (the consumer only ever addresses the endpoint ENI's private IP in its own subnet, never the provider's address space), and needs no route-table changes beyond the ENI. Connections are also one-directional: only the consumer can initiate them, and the provider cannot reach back into the consumer VPC. That combination makes it the preferred way to expose a single service across accounts where CIDR conflicts rule out peering, or where peering would expose far more of the network than the one service.
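The provider-to-consumer handshake described above, written out as a script. This is an added example, not code from the original page: the AWS CLI commands are real, but every identifier (the NLB ARN, the `vpce-svc-*` service ID, the account IDs, VPC, subnet, security-group and endpoint IDs) is a placeholder. Commands are only printed unless `APPLY=1` is set, so the script can be read and dry-run safely.

```shell
#!/bin/sh
# Added example (not from the original page): the provider -> consumer
# PrivateLink handshake as a script. All IDs below (NLB ARN, vpce-svc-*,
# account IDs, vpc/subnet/sg IDs) are placeholders. Commands are printed
# rather than executed unless APPLY=1 is set in the environment.
set -eu

APPLY="${APPLY:-0}"
REGION="${REGION:-us-east-1}"

# Print a command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else echo "[dry-run] $*"; fi
}

# Consumers never see the NLB; they connect to a service name derived from
# the endpoint service ID.
service_name() {  # service_name REGION SERVICE_ID
  echo "com.amazonaws.vpce.$1.$2"
}

# Allow-list entries are IAM principals: a whole account (root) or one role.
principal_arn() {  # principal_arn ACCOUNT_ID [ROLE_NAME]
  if [ "$#" -ge 2 ]; then echo "arn:aws:iam::$1:role/$2"; else echo "arn:aws:iam::$1:root"; fi
}

# Provider, step 1: publish the NLB as an endpoint service. With
# --acceptance-required every new consumer connection waits in
# pendingAcceptance until the provider approves it (step 3).
provider_create_service() {  # provider_create_service NLB_ARN
  run aws ec2 create-vpc-endpoint-service-configuration \
    --region "$REGION" \
    --network-load-balancer-arns "$1" \
    --acceptance-required
}

# Provider, step 2: allow-list the consumer. Without an entry here the
# consumer's create-vpc-endpoint call fails before any acceptance step.
provider_allow_consumer() {  # provider_allow_consumer SERVICE_ID PRINCIPAL_ARN
  run aws ec2 modify-vpc-endpoint-service-permissions \
    --region "$REGION" \
    --service-id "$1" \
    --add-allowed-principals "$2"
}

# Consumer: create the interface endpoint against the service name. The
# security group on the ENI is the consumer's own access control.
consumer_create_endpoint() {  # consumer_create_endpoint VPC_ID SERVICE_ID SG_ID SUBNET_ID...
  vpc=$1; svc=$2; sg=$3; shift 3
  run aws ec2 create-vpc-endpoint \
    --region "$REGION" \
    --vpc-id "$vpc" \
    --vpc-endpoint-type Interface \
    --service-name "$(service_name "$REGION" "$svc")" \
    --security-group-ids "$sg" \
    --subnet-ids "$@"
}

# Provider, step 3: list what is pending, then accept the endpoint you expect.
provider_accept() {  # provider_accept SERVICE_ID ENDPOINT_ID
  run aws ec2 describe-vpc-endpoint-connections \
    --region "$REGION" \
    --filters "Name=service-id,Values=$1" "Name=vpc-endpoint-state,Values=pendingAcceptance"
  run aws ec2 accept-vpc-endpoint-connections \
    --region "$REGION" \
    --service-id "$1" \
    --vpc-endpoint-ids "$2"
}

# Walk the whole flow with placeholder IDs (dry-run by default).
provider_create_service "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/my-nlb/abc123"
provider_allow_consumer "vpce-svc-0123456789abcdef0" "$(principal_arn 444455556666 AppRole)"
consumer_create_endpoint "vpc-0aaa" "vpce-svc-0123456789abcdef0" "sg-0bbb" "subnet-0ccc" "subnet-0ddd"
provider_accept "vpce-svc-0123456789abcdef0" "vpce-0eeee"
```

Two controls sit on the provider side (the principal allow-list and manual acceptance) and one on the consumer side (the security group on the ENI). Allow-listing a specific role rather than an account root keeps a compromised account from connecting every VPC it owns to your service.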
Interface Endpoints vs Gateway Endpoints
| Feature | Interface Endpoint (PrivateLink) | Gateway Endpoint |
|---|---|---|
| Supported services | Most AWS services + custom services | S3 and DynamoDB only |
| Implementation | ENI in your subnet with private IP | Entry in route table pointing to endpoint |
| Private DNS | Yes; overrides the service's public hostname inside the VPC | Not needed; clients keep using the normal service hostname and the route table's prefix-list route steers that traffic into the endpoint |
| Cost | $0.01/hr per AZ + $0.01/GB processed (us-east-1 list price) | Free |
| Connectivity from on-premises | Yes (via VPN or Direct Connect) | No; also unreachable from peered VPCs or through Transit Gateway, because the route exists only in the VPC's own route tables |
| Cross-region | No (must create per-region) | No |
| Security controls | Security groups + endpoint policy | Endpoint policy + route-table scope; on the bucket side, a bucket policy can require aws:sourceVpce |
| Availability | Requires subnet in AZ | Regional; no subnet needed |
Gateway Endpoints for S3 and DynamoDB are free and you should always enable them. They only serve traffic that originates inside the VPC whose route tables carry the endpoint route: on-premises hosts (via VPN or Direct Connect), peered VPCs and Transit Gateway attachments cannot use them. For on-premises-to-S3 private access you need an Interface Endpoint for S3; on-premises clients then either use the endpoint-specific DNS name or forward queries to a Route 53 Resolver inbound endpoint so that the S3 hostname resolves to the endpoint's private IPs. Whichever endpoint type you use, enforce it from the bucket side with a bucket policy that denies requests whose aws:sourceVpce is not your endpoint; without that, the endpoint is a cost and latency optimisation rather than a control.
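The gateway-endpoint pattern above with both policies in place, as an added example that is not part of the original page: an endpoint policy that limits the endpoint to one bucket (so a compromised instance cannot exfiltrate to an attacker-owned bucket over it), and a bucket policy that denies any request not arriving through that endpoint. The bucket name, VPC, route-table and endpoint IDs are placeholders, and the `aws` calls are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the original page): a free S3 gateway endpoint,
# scoped to one bucket by an endpoint policy, with the bucket policy enforcing
# that the bucket is only reachable through that endpoint. The bucket name,
# VPC, route-table and endpoint IDs are placeholders. Commands are printed
# unless APPLY=1 is set.
set -eu

APPLY="${APPLY:-0}"
REGION="${REGION:-us-east-1}"

run() {
  if [ "$APPLY" = 1 ]; then "$@"; else echo "[dry-run] $*"; fi
}

# Endpoint policy (consumer side): the endpoint may only be used to reach
# this bucket. It cannot exceed what IAM already allows; it only narrows.
gateway_endpoint_policy() {  # gateway_endpoint_policy BUCKET
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OnlyThisBucket",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"]
  }]
}
EOF
}

# Bucket policy (resource side): deny every request that did not arrive via
# the endpoint. Requests from the internet carry no aws:sourceVpce key, so
# StringNotEquals matches them and they are denied. That includes your own
# console and CLI sessions from outside the VPC, so keep a break-glass path.
s3_vpce_only_policy() {  # s3_vpce_only_policy BUCKET VPCE_ID
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyUnlessViaVpcEndpoint",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "$2"}}
  }]
}
EOF
}

# A gateway endpoint is a route-table entry, not an ENI: it is attached to
# route tables rather than subnets and has no security group.
create_s3_gateway_endpoint() {  # create_s3_gateway_endpoint VPC_ID BUCKET ROUTE_TABLE_ID...
  vpc=$1; bucket=$2; shift 2
  policy_file=$(mktemp)
  gateway_endpoint_policy "$bucket" > "$policy_file"
  run aws ec2 create-vpc-endpoint \
    --region "$REGION" \
    --vpc-id "$vpc" \
    --vpc-endpoint-type Gateway \
    --service-name "com.amazonaws.$REGION.s3" \
    --route-table-ids "$@" \
    --policy-document "file://$policy_file"
}

lock_bucket_to_endpoint() {  # lock_bucket_to_endpoint BUCKET VPCE_ID
  policy_file=$(mktemp)
  s3_vpce_only_policy "$1" "$2" > "$policy_file"
  run aws s3api put-bucket-policy --bucket "$1" --policy "file://$policy_file"
}

create_s3_gateway_endpoint "vpc-0aaa" "example-app-data" "rtb-0bbb" "rtb-0ccc"
lock_bucket_to_endpoint "example-app-data" "vpce-0ddd"
```

Apply the bucket policy last, from inside the VPC, and only after the endpoint shows as available: the Deny also blocks AWS services that write to the bucket on your behalf (log delivery, for instance), which need their own exception statement if you rely on them.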
Common PrivateLink Patterns
PrivateLink solves several recurring connectivity problems in enterprise AWS architectures.
| Pattern | Problem Solved | PrivateLink Role |
|---|---|---|
| SaaS access | SaaS provider needs to expose service without VPC Peering | Provider creates Endpoint Service; consumer creates Interface Endpoint |
| Cross-account service sharing | Share an internal service (auth, payments) with other accounts | Create an endpoint service backed by an NLB; allow-list the consumer accounts or roles as principals and accept their connections |
| Private S3 access from on-premises | On-prem servers need S3 without going via internet | Interface endpoint for S3; route via Direct Connect or VPN |
| AWS service access (no NAT) | Private subnet Lambda needs to call SSM/Secrets Manager | Interface endpoints for each service; no NAT Gateway needed |
| Private API Gateway | Internal API reachable only from within a VPC | Private API type; consumers reach it through an execute-api interface endpoint, and the API's resource policy restricts callers to that endpoint (aws:SourceVpce) |
```bash
# Create an interface endpoint for Secrets Manager (consumer side)
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-xxxx \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.secretsmanager \
  --subnet-ids subnet-aaa subnet-bbb \
  --security-group-ids sg-xxxx \
  --private-dns-enabled
```
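A check for the `--private-dns-enabled` step, added here and not part of the original page: once private DNS is on, the regional service hostname should resolve only to the endpoint ENIs' VPC addresses; any public address in the answer means the VPC is still being served by public DNS (typically because `enableDnsSupport` or `enableDnsHostnames` is off). The resolver call assumes a glibc system with `getent`; the addresses in the self-test at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): verify that "Enable Private DNS"
# took effect, i.e. the regional service hostname resolves to private ENI
# addresses inside the VPC rather than to AWS public IPs. The IPs used in the
# self-test at the bottom are constructed.
set -eu

# RFC 1918 test with no external tools. ENIs carry VPC addresses, so a public
# answer means the query was not served by the endpoint's private zone.
is_rfc1918() {  # is_rfc1918 IPV4
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Classify a whitespace-separated list of addresses. Returns 0 only when every
# address is private: one public answer is enough to fail, because a client
# may pick any of them.
all_private() {  # all_private "IP IP ..."
  rc=0
  for ip in $1; do
    if is_rfc1918 "$ip"; then
      echo "  $ip  private (endpoint ENI)"
    else
      echo "  $ip  PUBLIC"
      rc=1
    fi
  done
  return $rc
}

# Resolve a hostname from inside the VPC and classify the answers. Uses getent
# (glibc); on a system without it, substitute: dig +short "$1" A
resolves_to_endpoint() {  # resolves_to_endpoint HOSTNAME
  addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u) || true
  if [ -z "$addrs" ]; then
    echo "$1: no A records"
    return 2
  fi
  echo "$1:"
  all_private "$addrs"
}

# Self-test on constructed answers: the first set is what private DNS should
# return (ENI addresses in two AZs); the second is what you see when the
# option is off or the VPC lacks enableDnsSupport/enableDnsHostnames.
all_private "10.0.1.37 10.0.2.21"
all_private "10.0.1.37 52.46.149.12" || echo "-> public answer present: private DNS not in effect"

# Inside the VPC, run for example:
#   resolves_to_endpoint secretsmanager.us-east-1.amazonaws.com
# If it fails, check the two VPC attributes private DNS depends on:
#   aws ec2 describe-vpc-attribute --vpc-id vpc-xxxx --attribute enableDnsSupport
#   aws ec2 describe-vpc-attribute --vpc-id vpc-xxxx --attribute enableDnsHostnames
```

Run the check from a host in the VPC, not from your laptop: the private hosted zone only answers queries that originate in the associated VPC, so from anywhere else the public answer is expected and tells you nothing.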
```bash
# Create an endpoint service (provider side) backed by an NLB
aws ec2 create-vpc-endpoint-service-configuration \
  --network-load-balancer-arns arn:aws:elasticloadbalancing:us-east-1:123:loadbalancer/net/my-nlb/abc \
  --acceptance-required
```
PrivateLink Pricing
| Component | Cost | Optimization |
|---|---|---|
| Interface endpoint per AZ | $0.01/hr (~$7.20/month) | Create in 2 AZs minimum for HA; 3 AZs ideal |
| Data processed | $0.01/GB | Charged on data processed through the endpoint; the per-GB rate drops only at very high monthly volumes (see the PrivateLink pricing page for the tiers) |
| Gateway endpoint (S3/DynamoDB) | Free | Always use; no reason not to |
| Endpoint service | No separate PrivateLink hourly charge for the provider; the provider pays the NLB's hourly and LCU charges | Consumers pay for their own interface endpoints and data processing |
If a Lambda function in a private subnet needs to call several AWS services (SSM, Secrets Manager, KMS, ECR), an interface endpoint per service adds up, and the per-endpoint figure must be multiplied by the number of AZs you deploy it in: $7.20/month per AZ becomes $14.40 to $21.60 per endpoint at 2 to 3 AZs (ECR alone needs ecr.api and ecr.dkr, plus the S3 gateway endpoint for image layers). Compare that against a NAT Gateway at $0.045/hr (about $32/month) plus $0.045/GB processed, versus $0.01/GB through endpoints: endpoints win on data-heavy workloads and lose on hourly cost once you have three or four of them. Cost is not the only axis, though: a NAT Gateway gives the subnet a path to the whole internet, while endpoints reach only the services you created them for, which is the stronger egress control.
Interview Focus Points
1. What is the difference between PrivateLink, VPC Peering, and Transit Gateway? When do you use each?
2. Explain the difference between an Interface VPC Endpoint and a Gateway VPC Endpoint.
3. How would you allow on-premises servers to access S3 privately without going through the internet?
4. How does an Endpoint Service work? Walk through the setup from provider to consumer.
5. Why might you use PrivateLink instead of VPC Peering even when CIDR blocks don't overlap?
6. How do you secure an Interface VPC Endpoint? What controls are available?
7. Explain how private DNS for VPC Endpoints works and what "Enable Private DNS Name" does.
8. When does creating multiple interface endpoints become more expensive than a NAT Gateway?