Navneet
3 min readOct 31, 2023

Adding a Layer of Security Using AWS PrivateLink

Introduction

Let’s discuss what goes on behind the scenes when we create an interface VPC endpoint (powered by AWS PrivateLink), and how using the endpoint to access public-facing AWS services adds another layer of security by keeping the traffic on the AWS network.

AWS PrivateLink is a highly available, scalable technology that you can use to privately connect your VPC to services as if they were in your VPC. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to allow communication with the service from your private subnets.

Our goal is to connect to the publicly available CloudWatch service (https://monitoring.us-east-1.amazonaws.com) using AWS CLI from a private instance that lacks internet connectivity.

Test Setup

I’ve created two EC2 instances: one resides in the public subnet, which has a route to an internet gateway, while the other is situated in the private subnet and has no access to the internet. From the instance in the public subnet, I used SSH to log in to the instance in the private subnet.

From the instance in the private subnet, I attempted to execute the following command, but I received no response. This is an expected result as I am trying to communicate over the internet and the private instance does not have access to the internet.

aws cloudwatch list-metrics --namespace AWS/EC2 --region us-east-1

Another way to confirm that we are attempting to reach the internet is to resolve the IP address of the CloudWatch service: it resolves to 52.46.131.137, which is a public IP address and is obviously not reachable, as there is no internet connectivity.

Connection timeout while trying to reach CloudWatch service

Now let’s see how we can enable connectivity from the private subnet using a VPC interface endpoint.

Architecture Diagram

When we create a VPC interface endpoint, behind the scenes:

1. AWS creates an elastic network interface (ENI) in the selected private subnet.

ENI and its private IP address

2. AWS creates Route53 hosted zones that resolve the DNS name of the service (CloudWatch in our case) to the private IP address of the ENI.

Route53 hosted zones

3. Now, when I resolve monitoring.us-east-1.amazonaws.com from the private instance, I get the private IP address of the ENI instead of the public IP address. This is where the magic happens. Note that someone outside the VPC will still get the public IP address of the CloudWatch service.

4. My private instance now forwards the packets meant for the CloudWatch service to the ENI, and from there they are routed to the service over the AWS network.

DNS resolution with and without VPC interface endpoints
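The DNS check described in the steps above, as an added example that is not part of the original post: it resolves the CloudWatch service name through the system resolver (the same path the AWS CLI uses), confirms the answer is an RFC 1918 address belonging to the endpoint ENI, and only then runs the post's `list-metrics` call. It assumes `getent` and the AWS CLI are installed on the private instance; the `run` argument and the function names are my own convention.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies from a private instance that the
# CloudWatch service name resolves to the interface endpoint's ENI (an RFC 1918 address)
# before running the same CLI call the post uses. Assumes getent and the AWS CLI exist.
set -eu

SERVICE_HOST="monitoring.us-east-1.amazonaws.com"
REGION="us-east-1"

# Return 0 when a dotted-quad IPv4 address lies in an RFC 1918 range
# (10/8, 172.16/12, 192.168/16), which is where an endpoint ENI in a private subnet lives.
is_rfc1918() {
  case "$1" in
    10.*)                                  return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    192.168.*)                             return 0 ;;
    *)                                     return 1 ;;
  esac
}

# Decide whether a host/IP pair shows the endpoint's private DNS in effect:
# 0 = private address (endpoint ENI in use), 1 = public address (would need internet egress).
judge_resolution() {
  host="$1"; ip="$2"
  if is_rfc1918 "$ip"; then
    echo "$host -> $ip : private address, interface endpoint ENI in use"
    return 0
  fi
  echo "$host -> $ip : public address, endpoint private DNS is not in effect" >&2
  return 1
}

# Resolve a name via the system resolver and print its first IPv4 address.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

check_endpoint_dns() {
  ip="$(resolve_ipv4 "$1")"
  if [ -z "$ip" ]; then
    echo "DNS resolution failed for $1" >&2
    return 2
  fi
  judge_resolution "$1" "$ip"
}

# Usage: sh endpoint_check.sh run   (the argument keeps the check from firing when sourced)
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
  check_endpoint_dns "$SERVICE_HOST"
  aws cloudwatch list-metrics --namespace AWS/EC2 --region "$REGION"
fi
```

A non-zero exit from the check means the CLI would still try to reach the public address, so the endpoint's private DNS option or the subnet's DNS settings are worth revisiting before trusting the path.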

Summary
In this post we saw how to keep the traffic on the AWS network while accessing publicly available AWS services. Because the traffic never leaves the AWS network, this helps protect against denial-of-service and man-in-the-middle attacks.
