AWS PrivateLink: Private Connectivity Guide
Interface endpoints and private connectivity.
AWS PrivateLink lets resources in your VPC reach AWS services and third-party applications over private IP addresses, without traversing the public internet. Instances no longer need a NAT gateway, internet gateway, or VPN route just to call AWS APIs, which cuts NAT data-processing cost and shrinks the egress surface: a subnet with no default route at all can still pull images, fetch secrets, and ship logs. PrivateLink is a network-path control, not an authorization boundary; IAM and endpoint policies still decide who may do what through the endpoint.
How PrivateLink Works
An interface endpoint places an Elastic Network Interface (ENI) with a private IP address in each subnet you select (one per Availability Zone for resilience). Traffic to the service is sent to those ENIs and carried over the AWS network, never touching the internet. Gateway endpoints (S3 and DynamoDB) work differently: they have no ENI and are instead a prefix-list route in the route tables you attach.
Interface VPC Endpoints
Access AWS services privately:

```bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-xxx \
  --service-name com.amazonaws.us-east-1.secretsmanager \
  --vpc-endpoint-type Interface \
  --subnet-ids subnet-xxx subnet-yyy \
  --security-group-ids sg-xxx \
  --private-dns-enabled
```

With `--private-dns-enabled`, the service's regional public hostname (here `secretsmanager.us-east-1.amazonaws.com`) resolves inside the VPC to the endpoint ENI addresses, so application code and SDK configuration need no changes. Two preconditions: the VPC must have `enableDnsSupport` and `enableDnsHostnames` turned on, and the security group on the endpoint must allow inbound TCP 443 from the client subnets or security groups. Otherwise the endpoint exists but clients either keep resolving the public address (and go out through NAT) or time out. Verify from an instance in the VPC by resolving the hostname and confirming every answer is an address in the VPC CIDR.
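The resolution check described above, as an added example (not code from the original page): it resolves each service hostname and reports whether all A records fall inside the VPC CIDRs. The live resolver uses `socket`; the constructed answers, the `10.20.0.0/16` VPC CIDR and the `203.0.113.10` address (a documentation range standing in for "some public address") are assumptions so the script runs offline.

```python
"""Check that private DNS is actually steering traffic to interface endpoints.

Run from an instance inside the VPC: every A record for a service hostname
should be an endpoint ENI address inside the VPC CIDR. A public answer means
the endpoint exists but clients are still going out via NAT or the internet
(private DNS disabled, or the VPC lacks enableDnsHostnames/enableDnsSupport).
"""
import ipaddress
import socket

# Regional service hostnames whose resolution we want to verify.
SERVICE_HOSTNAMES = [
    "secretsmanager.us-east-1.amazonaws.com",
    "sts.us-east-1.amazonaws.com",
    "api.ecr.us-east-1.amazonaws.com",
]


def resolve_a_records(hostname):
    """Live resolver: all IPv4 addresses the VPC resolver returns for hostname."""
    return socket.gethostbyname_ex(hostname)[2]


def classify(hostname, vpc_cidrs, resolver=resolve_a_records):
    """Return {"status": "private"|"public"|"unresolved", "addresses": [...], "outside": [...]}."""
    networks = [ipaddress.ip_network(cidr) for cidr in vpc_cidrs]
    try:
        addresses = resolver(hostname)
    except socket.gaierror:
        return {"status": "unresolved", "addresses": [], "outside": []}
    if not addresses:
        return {"status": "unresolved", "addresses": [], "outside": []}
    outside = [a for a in addresses
               if not any(ipaddress.ip_address(a) in net for net in networks)]
    # A single public answer is enough to leak: clients round-robin across all records.
    status = "public" if outside else "private"
    return {"status": status, "addresses": addresses, "outside": outside}


def check_private_dns(vpc_cidrs, hostnames=SERVICE_HOSTNAMES, resolver=resolve_a_records):
    """Classify every hostname; pass a custom resolver to test without network access."""
    return {h: classify(h, vpc_cidrs, resolver) for h in hostnames}


# Constructed answers standing in for the VPC resolver so the script runs offline.
# 203.0.113.0/24 is a documentation range, used here as "some public address".
CONSTRUCTED_ANSWERS = {
    "secretsmanager.us-east-1.amazonaws.com": ["10.20.1.15", "10.20.2.27"],
    "sts.us-east-1.amazonaws.com": ["203.0.113.10"],
}


def constructed_resolver(hostname):
    """Offline stand-in for resolve_a_records; unknown names fail like a real NXDOMAIN."""
    if hostname not in CONSTRUCTED_ANSWERS:
        raise socket.gaierror(f"constructed: no answer for {hostname}")
    return CONSTRUCTED_ANSWERS[hostname]


if __name__ == "__main__":
    # On a real instance drop the resolver= argument to query the VPC resolver.
    results = check_private_dns(["10.20.0.0/16"], resolver=constructed_resolver)
    for host, r in results.items():
        print(f"{r['status']:10} {host} {r['addresses']} outside={r['outside']}")
```

A "public" result for a service you believe is covered usually means private DNS was not enabled on the endpoint, the VPC DNS attributes are off, or the client is pinned to a non-regional hostname such as the global STS name.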
Gateway Endpoints (S3 and DynamoDB)
Gateway endpoints are free and are implemented as route table entries rather than ENIs: the endpoint appears as a prefix-list route in each route table you attach, so there is no security group to manage and no hourly charge:

```bash
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-xxx \
  --service-name com.amazonaws.us-east-1.s3 \
  --vpc-endpoint-type Gateway \
  --route-table-ids rtb-xxx rtb-yyy
```

Attach every route table that private subnets use; a subnet whose route table is missing keeps sending S3 traffic through NAT. Gateway endpoints are reachable only from within the VPC itself, not from peered VPCs, Transit Gateway attachments, or on-premises networks over VPN or Direct Connect; for those paths you need an S3 interface endpoint instead.

Cost savings: gateway endpoints eliminate NAT Gateway data processing charges ($0.045/GB in us-east-1) for S3 and DynamoDB traffic. For a workload pushing 10 TB/month through NAT, that is roughly $450/month. Interface endpoints are not free (an hourly charge per endpoint per AZ plus a per-GB charge), but their per-GB rate is still well below NAT processing.
Common Endpoints to Deploy
| Service | Type | Why |
|---|---|---|
| S3 | Gateway | Free; eliminates NAT costs for S3 traffic; also needed for ECR, whose image layers are served from S3 |
| DynamoDB | Gateway | Free; eliminates NAT costs |
| ECR (`ecr.api` + `ecr.dkr`) | Interface | Pull container images without NAT (both endpoints plus the S3 gateway endpoint are required) |
| CloudWatch Logs (`logs`) | Interface | Send logs without internet access |
| Secrets Manager | Interface | Retrieve secrets privately |
| STS | Interface | IAM role assumption without internet; clients must use the regional endpoint (`sts.us-east-1.amazonaws.com`, e.g. `AWS_STS_REGIONAL_ENDPOINTS=regional`), since the global `sts.amazonaws.com` name is not served by the endpoint |
| SSM (`ssm`, `ssmmessages`, `ec2messages`) | Interface | Systems Manager and Session Manager access for private instances; all three are needed for Session Manager |
Exposing Your Own Services
Create a PrivateLink endpoint service backed by a Network Load Balancer in your VPC:

```bash
# Create endpoint service
aws ec2 create-vpc-endpoint-service-configuration \
  --network-load-balancer-arns arn:aws:elasticloadbalancing:...:loadbalancer/net/my-nlb/xxx \
  --acceptance-required
```

The call returns a service name of the form `com.amazonaws.vpce.<region>.vpce-svc-...`. Consumers in other AWS accounts create an interface endpoint against that name, which gives them private connectivity without VPC peering or Transit Gateway and without the NLB being reachable from the internet. Two controls gate who can connect: the service's allowed-principals list (`aws ec2 modify-vpc-endpoint-service-permissions --add-allowed-principals`) decides which accounts or roles may even request a connection, and `--acceptance-required` keeps each request pending until you accept it (`aws ec2 accept-vpc-endpoint-connections`). One operational caveat: the NLB targets see the endpoint ENI addresses, not the consumer's client IP; enable Proxy Protocol v2 on the NLB if the backend needs the original source address.
Security
- Security Groups — apply a security group to each interface endpoint and allow inbound 443 only from the subnets or security groups that should use the service. Gateway endpoints have no security group; their reach is set by which route tables you attach.
- Endpoint Policies — an IAM-style policy attached to the endpoint that restricts what can be done through it (e.g., limit an S3 endpoint to specific buckets). The default policy is full access. Because `"Principal": "*"` covers any credentials used from inside the VPC, an S3 endpoint with the default policy is a ready-made exfiltration path to buckets in any account; scope it with `aws:PrincipalOrgID` or `aws:ResourceOrgID` conditions, and pair it with bucket policies that require `aws:SourceVpce`.
- No public exposure — an interface endpoint has only private addresses, and an endpoint service is reachable only from VPCs that hold an accepted endpoint, so nothing is added to the internet-facing surface. The AWS service still enforces IAM; PrivateLink narrows the network path, not the permissions.
Endpoint policy limiting S3 access to a specific bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::my-bucket",
      "arn:aws:s3:::my-bucket/*"
    ]
  }]
}
```

Apply it with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id vpce-xxx --policy-document file://policy.json`. If the same VPC pulls images from ECR, the S3 gateway endpoint policy must also allow the ECR layer bucket for the region (`arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*`), or image pulls fail with access denied.

Eazy SaaS Tip: We deploy S3 and DynamoDB gateway endpoints in every VPC as standard practice; they're free and immediately reduce NAT Gateway costs. For EKS clusters, we add ECR (`ecr.api` and `ecr.dkr`), CloudWatch Logs, and STS interface endpoints so worker nodes have no internet dependency at all.
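To turn the endpoint checklist and the policy guidance above into something you can run against an account, here is an added audit script (my example, not Eazy SaaS code). It consumes the `VpcEndpoints` list from `aws ec2 describe-vpc-endpoints` and reports three things: required endpoints that are missing, interface endpoints with private DNS turned off, and policy statements that allow any principal on any resource without an org or account condition (the S3 exfiltration case). The sample endpoint records, the org ID `o-example12345` and account `123456789012` are constructed so it runs offline.

```python
"""Audit a VPC's endpoints: required coverage, private DNS, and over-broad policies.

Input is the "VpcEndpoints" list returned by
`aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=vpc-xxx`;
a constructed sample is embedded so the script runs offline.
"""
import json

# Endpoints every VPC gets, plus what EKS nodes need to pull images, ship logs
# and assume roles without NAT (ECR also depends on the S3 gateway endpoint).
BASELINE = {"s3": "Gateway", "dynamodb": "Gateway"}
EKS_EXTRA = {"ecr.api": "Interface", "ecr.dkr": "Interface",
             "logs": "Interface", "sts": "Interface"}

# Condition keys that tie an Allow to our own org or account; a wildcard
# principal without one of these lets any credentials in the VPC use the endpoint.
SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:ResourceOrgID",
                "aws:PrincipalAccount", "aws:ResourceAccount"}


def short_name(service_name, region):
    """com.amazonaws.us-east-1.ecr.api -> ecr.api"""
    prefix = f"com.amazonaws.{region}."
    return service_name[len(prefix):] if service_name.startswith(prefix) else service_name


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_is_open(stmt):
    """Allow + any principal + any resource + no org/account condition."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    if "*" not in _as_list(principal):
        return False
    if "*" not in _as_list(stmt.get("Resource", [])):
        return False
    keys = {k for operator in stmt.get("Condition", {}).values() for k in operator}
    return not (keys & SCOPING_KEYS)


def audit(endpoints, region, required):
    """Return findings as (service, issue) tuples; an empty list means clean."""
    findings, present = [], {}
    for ep in endpoints:
        svc = short_name(ep["ServiceName"], region)
        present[svc] = ep["VpcEndpointType"]
        if ep["VpcEndpointType"] == "Interface" and not ep.get("PrivateDnsEnabled", False):
            findings.append((svc, "private-dns-disabled"))
        policy = ep.get("PolicyDocument", "{}")
        if isinstance(policy, str):            # describe-vpc-endpoints returns a JSON string
            policy = json.loads(policy)
        for stmt in _as_list(policy.get("Statement", [])):
            if statement_is_open(stmt):
                findings.append((svc, "open-policy"))
    for svc, kind in required.items():
        if svc not in present:
            findings.append((svc, f"missing-{kind.lower()}-endpoint"))
    return findings


def _doc(statement):
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed describe-vpc-endpoints records for a hypothetical EKS VPC.
SAMPLE_ENDPOINTS = [
    # AWS default (full access) policy on the S3 gateway endpoint: flagged.
    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
     "PolicyDocument": _doc({"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"})},
    # Scoped to our organization: passes.
    {"ServiceName": "com.amazonaws.us-east-1.dynamodb", "VpcEndpointType": "Gateway",
     "PolicyDocument": _doc({"Effect": "Allow", "Principal": "*", "Action": "dynamodb:*", "Resource": "*",
                             "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example12345"}}})},
    # Private DNS off and default policy: two findings.
    {"ServiceName": "com.amazonaws.us-east-1.ecr.api", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": False,
     "PolicyDocument": _doc({"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"})},
    # Resource-scoped like the bucket policy above: passes.
    {"ServiceName": "com.amazonaws.us-east-1.secretsmanager", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": True,
     "PolicyDocument": _doc({"Effect": "Allow", "Principal": "*", "Action": "secretsmanager:GetSecretValue",
                             "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:*"})},
]

if __name__ == "__main__":
    for svc, issue in audit(SAMPLE_ENDPOINTS, "us-east-1", {**BASELINE, **EKS_EXTRA}):
        print(f"{svc}: {issue}")
```

Against the sample this reports the open S3 policy, both `ecr.api` problems, and the missing `ecr.dkr`, `logs` and `sts` endpoints. To run it for real, replace `SAMPLE_ENDPOINTS` with `json.load(...)["VpcEndpoints"]` from the CLI output; route-table coverage for gateway endpoints is a separate check because it needs `describe-route-tables`.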