Available private and public access methods for custom services (for example, PrivateLink, VPC peering)

Task Statement 3.1: Maintain routing and connectivity on AWS and hybrid networks.

📘AWS Certified Advanced Networking – Specialty


1. Overview of Access Methods for Custom Services

When you run a custom service in AWS (your own application, database or API), other workloads need a way to reach it. There are two broad options:

  1. Private access – traffic stays on the AWS network and is never exposed to the public internet.
  2. Public access – the service is reached over the internet through a public IP address.

Choosing the right method matters for security (attack surface), performance (latency, throughput), and cost (endpoint hours and data transfer).


2. Private Access Methods

Private access keeps all communication inside the AWS network, so the service has no internet-facing attack surface. The two main options are:

A. AWS PrivateLink

  • What it is: PrivateLink lets consumers in other VPCs or accounts reach your service over private IPs, without public IPs, an internet gateway, a NAT gateway or a VPN.
  • How it works:
    • You host the service in your VPC (the service provider VPC) behind a Network Load Balancer (or a Gateway Load Balancer for appliances) and publish it as an endpoint service.
    • You control who may connect: the provider allow-lists consumer principals (accounts, IAM roles or users) and can require manual acceptance of each connection request.
    • The consumer creates an interface VPC endpoint in its own VPC. This is an ENI with a private IP in the consumer's subnet; the consumer's security group on that ENI controls who in the consumer VPC may use it.
    • Traffic flows consumer → provider only, entirely within the AWS network. The provider cannot initiate connections back to the consumer.
  • Key features:
    • Works across AWS accounts and VPCs, including customers you do not trust with your network.
    • Works for custom services and for AWS services.
    • Overlapping CIDRs between consumer and provider VPCs are not a problem, because no routes are exchanged.
    • Endpoint policies restrict which actions or principals may use the endpoint; create one endpoint ENI per AZ for resilience.
    • No exposure to the internet.
  • Use case example (IT environment):
    • You have a database service in one VPC and want a web application in another VPC (possibly another account) to access it securely without going through the public internet, and without giving that VPC any route into your network.
  • Pros:
    • Secure and private; the consumer only sees the one service, not the provider VPC.
    • No need for VPN or public IPs.
    • Simple to scale across many accounts: each consumer just creates an endpoint.
  • Cons:
    • Extra cost: interface endpoints are billed per hour per AZ plus per GB processed.
    • Limited to TCP protocols.
    • One-directional; if the provider also needs to initiate connections, you need another method.

B. VPC Peering

  • What it is: VPC Peering is a direct, private network connection between two VPCs, which may be in different AWS accounts or regions.
  • How it works:
    • The requester VPC creates a peering connection; the owner of the accepter VPC must accept it.
    • Update the route tables in both VPCs so each has a route to the other's CIDR via the peering connection (pcx-…). A route on only one side means traffic is dropped.
    • Each VPC keeps its own IP range; the two ranges must not overlap.
  • Key features:
    • Fully private, no internet gateway or NAT required.
    • Works within a region or across regions (inter-region peering).
    • Traffic flows as if the VPCs were one network; security groups and NACLs still apply, and within a region a security group can reference a security group in the peer VPC.
  • Use case example:
    • A frontend VPC needs to connect to a backend service in another VPC securely.
  • Pros:
    • High performance, low latency, no bandwidth bottleneck from an endpoint.
    • No hourly endpoint cost; you pay only for data transfer.
  • Cons:
    • CIDR ranges must not overlap.
    • Full network-level reachability in both directions, so you rely on security groups and NACLs to limit what the peer can reach.
    • Managing many peering connections gets complicated in large architectures (full mesh grows quadratically; Transit Gateway is the usual answer at scale).
    • No transitive routing: if A peers with B and B peers with C, A cannot reach C through B.

3. Public Access Methods

Public access exposes your service to the whole internet. Anyone can reach the listening port, so every control (authentication, security groups, WAF) is doing real work; this is sometimes necessary, for example for external customers.

A. Public IP / Elastic IP Access

  • Assign a public IP or Elastic IP to the service (for example, an EC2 instance or an internet-facing load balancer) in a subnet with a route to an internet gateway.
  • Clients reach the service over ordinary internet routes.
  • Pros:
    • Easy setup.
    • Reachable from anywhere in the world.
  • Cons:
    • Exposed to scanning and attack unless protected (security groups, NACLs, WAF, Shield) and hardened at the application layer.
    • Internet latency and path variability may affect performance.

B. API Gateway Public Endpoints

  • If your service is API-based, you can expose it through an API Gateway public (edge-optimized or regional) endpoint instead of exposing the backend directly.
  • Authenticate callers with IAM authorization, Cognito user pools, Lambda authorizers or API keys, and add usage plans and throttling so the backend is not exposed unauthenticated.
  • Useful for external customers or multi-tenant SaaS solutions.

4. Choosing Between Private and Public Access

Feature                   PrivateLink                VPC Peering           Public Access
Internet required         ❌ No                      ❌ No                 ✅ Yes
Secure                    ✅ High                    ✅ High               ⚠️ Depends on config
Multi-account             ✅ Yes                     ✅ Yes                ✅ Yes
Overlapping CIDRs OK      ✅ Yes                     ❌ No                 ✅ Yes
Direction                 Consumer → provider only   Both directions       Inbound from anywhere
Easy to scale             ⚠️ Medium                  ⚠️ Low                ✅ High
Transitive routing        ❌ No                      ❌ No                 ✅ Yes
Cost                      Medium                     Low                   Low
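The rules behind this table are easy to get wrong on paper, so here is a small connectivity model you can run before building anything. It is an added example, not code from the page or from AWS; the VPC names, CIDRs and account IDs are made up. It encodes exactly the constraints stated above: peering needs non-overlapping CIDRs and a route on both sides, is bidirectional and never transitive; PrivateLink is consumer → provider only, requires the provider to allow the consumer's account, and ignores CIDR overlap; public access needs an internet gateway on the client side and a public IP on the target.

```python
"""Connectivity model for PrivateLink, VPC peering and public access.

Added example (not from the page or from AWS). VPC names, CIDRs and
account IDs are made-up assumptions. Security groups and NACLs still
apply on top of everything modelled here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Vpc:
    name: str
    cidr: str
    account: str               # AWS account ID (made-up)
    has_igw: bool = False      # internet gateway attached, default route to it
    public_ip: bool = False    # service fronted by a public or Elastic IP
    routes: dict = field(default_factory=dict)   # destination CIDR -> target


class Topology:
    def __init__(self):
        self.vpcs = {}
        self.peerings = set()         # frozenset({a, b}) per accepted peering
        self.endpoint_services = {}   # provider VPC -> allowed consumer accounts
        self.endpoints = set()        # (consumer VPC, provider VPC) interface endpoints

    def add_vpc(self, vpc):
        self.vpcs[vpc.name] = vpc

    def peer(self, a, b):
        """Create a peering plus the route on each side; reject overlapping CIDRs."""
        va, vb = self.vpcs[a], self.vpcs[b]
        if ip_network(va.cidr).overlaps(ip_network(vb.cidr)):
            raise ValueError(f"peering {a}<->{b} rejected: CIDRs overlap")
        pcx = f"pcx-{a}-{b}"
        # An accepted peering carries nothing until BOTH route tables point at it.
        va.routes[vb.cidr] = pcx
        vb.routes[va.cidr] = pcx
        self.peerings.add(frozenset((a, b)))

    def create_endpoint_service(self, provider, allowed_accounts):
        """Provider side: service behind an NLB, published to listed accounts only."""
        self.endpoint_services[provider] = set(allowed_accounts)

    def create_interface_endpoint(self, consumer, provider):
        """Consumer side: an interface endpoint (ENI with a private IP) in the consumer VPC."""
        allowed = self.endpoint_services.get(provider, set())
        if self.vpcs[consumer].account not in allowed:
            raise PermissionError(f"{consumer} (account {self.vpcs[consumer].account}) "
                                  f"is not an allowed principal of {provider}")
        self.endpoints.add((consumer, provider))

    def reachable(self, src, dst):
        """How can a client in src initiate a connection to the service in dst?

        Returns 'privatelink', 'peering', 'public' or None. Only direct
        peerings count: src -> X -> dst over two peerings is never valid.
        """
        s, d = self.vpcs[src], self.vpcs[dst]
        if (src, dst) in self.endpoints:
            return "privatelink"     # one-way: (dst, src) is NOT implied
        if frozenset((src, dst)) in self.peerings and d.cidr in s.routes:
            return "peering"
        if s.has_igw and d.public_ip:
            return "public"
        return None


def demo():
    """Build the topology from the notes and return the reachability results."""
    t = Topology()
    t.add_vpc(Vpc("web", "10.0.0.0/16", "111111111111", has_igw=True))
    t.add_vpc(Vpc("db", "10.1.0.0/16", "222222222222"))
    t.add_vpc(Vpc("analytics", "10.2.0.0/16", "333333333333"))
    # A SaaS provider whose CIDR collides with the web VPC: peering is
    # impossible, PrivateLink is unaffected.
    t.add_vpc(Vpc("saas", "10.0.0.0/16", "444444444444", public_ip=True))

    t.peer("web", "db")
    t.peer("db", "analytics")
    try:
        t.peer("web", "saas")
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True

    t.create_endpoint_service("saas", allowed_accounts=["111111111111"])
    t.create_interface_endpoint("web", "saas")
    try:
        t.create_interface_endpoint("analytics", "saas")
        unlisted_rejected = False
    except PermissionError:
        unlisted_rejected = True

    return {
        "web->db": t.reachable("web", "db"),
        "db->web": t.reachable("db", "web"),                # peering is bidirectional
        "web->analytics": t.reachable("web", "analytics"),  # no transitive routing
        "web->saas": t.reachable("web", "saas"),            # PrivateLink despite overlap
        "saas->web": t.reachable("saas", "web"),            # PrivateLink is one-way
        "overlap_rejected": overlap_rejected,
        "unlisted_rejected": unlisted_rejected,
    }


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path}: {result}")
```

Running it prints `web->db: peering`, `db->web: peering`, `web->analytics: None`, `web->saas: privatelink`, `saas->web: None`, and both rejections as `True`. The `web->saas` case is the one worth noticing: the web VPC could also reach the SaaS public IP through its internet gateway, but once the interface endpoint exists the private path is preferred, which is the whole reason to add one.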

Key exam tip: AWS favors PrivateLink for private, multi-account access to a single service (especially when CIDRs overlap or the consumer is untrusted) and VPC Peering for simple, direct connectivity between two VPCs that need full network reachability. Public access is usually a last resort, reserved for external clients.


5. Exam Points to Remember

  1. PrivateLink uses interface VPC endpoints (an ENI with a private IP in the consumer VPC) in front of an NLB in the provider VPC, keeps traffic inside the AWS network, and is one-way from consumer to provider.
  2. VPC Peering is fully private, but requires non-overlapping CIDRs, acceptance by the peer VPC owner, and route table entries on both sides.
  3. Public access requires a public IP and an internet gateway and is exposed to the whole internet; always protect it with security groups, NACLs, and WAF.
  4. PrivateLink is better for multi-account, many-to-one architectures and tolerates overlapping CIDRs; VPC Peering is simpler for 1:1 VPC connectivity and is non-transitive.
  5. Private vs Public is mostly a question of attack surface, latency, and network design.

6. Quick IT Example Summary

  • Database service in one VPC → Web app in another VPC: PrivateLink
  • Backend and frontend VPC in same AWS account → Direct traffic: VPC Peering
  • External client accesses API → Public internet endpoint: Public IP / API Gateway