Task Statement 3.1: Maintain routing and connectivity on AWS and hybrid networks.
📘AWS Certified Advanced Networking – Specialty
In AWS, many organizations need to keep services private—that is, accessible only from within their own AWS network and not exposed to the public Internet. This is critical for security, compliance, and performance. AWS provides two main ways to achieve this:
- AWS PrivateLink
- VPC Peering
Let’s go through each in detail.
1. AWS PrivateLink
What it is:
AWS PrivateLink is a service that connects your VPC (Virtual Private Cloud) to another AWS service or a custom service in another VPC privately, without using the Internet or NAT devices. Essentially, it provides a secure, private endpoint in your VPC.
Key Components:
- Service Provider: The VPC that hosts the service (e.g., a custom API running on EC2 or a managed service).
- Service Consumer: The VPC that wants to access the service.
- VPC Endpoint (Interface Endpoint): An elastic network interface (ENI) with a private IP address in the consumer VPC; the consumer reaches the service by sending traffic to that address.
How it works:
- The service provider creates a PrivateLink endpoint service in its VPC.
- The consumer creates a VPC Endpoint pointing to that service.
- Traffic flows entirely over AWS’s private network, never touching the public Internet.
Benefits:
- High security: No public IPs or Internet exposure.
- Simplified routing: The service is accessed via its private IP.
- Cross-account access: You can allow other AWS accounts to access your service privately.
Exam Tips:
- PrivateLink is best for connecting services across VPCs or accounts.
- It uses Elastic Network Interfaces (ENIs) in the consumer VPC.
- Each endpoint is region-specific.
Example in IT environment:
- A company runs a private logging service in one VPC. Another VPC in the same AWS region can access the logging service via PrivateLink, using a private IP, without exposing logs to the Internet.
2. VPC Peering
What it is:
VPC Peering connects two VPCs directly so that resources in one VPC can communicate with resources in the other using private IP addresses.
Key Points:
- Works within a region or across regions.
- Communication is private and secure; no public Internet is needed.
- You cannot create transitive connections (e.g., VPC A → VPC B → VPC C). Each pair needs its own peering connection.
How it works:
- VPC A sends a peering request to VPC B.
- VPC B accepts the request.
- Both VPCs update their route tables to allow traffic to flow over the peering connection.
Benefits:
- Simple and cost-effective: No additional endpoints required.
- Full private connectivity: Works for EC2, RDS, and other AWS resources with private IPs.
Limitations:
- No transitive peering: You cannot route through one VPC to another via peering.
- Security group rules: Must explicitly allow traffic between VPCs.
Exam Tips:
- VPC Peering is ideal for same-account or trusted cross-account VPCs.
- Make sure route tables and security groups are correctly configured.
- Understand CIDR block overlap: you cannot peer VPCs that have overlapping IP ranges.
Example in IT environment:
- Two teams manage separate VPCs for their applications. They need to share a database privately. A VPC Peering connection allows them to access the database via private IPs.
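The peering steps and exam tips above boil down to two checks a practitioner makes before creating a connection: the CIDR blocks must not overlap, and because peering is not transitive, every pair that needs to talk gets its own connection plus a route on both sides. The script below is an added example (not from the original notes or from AWS); the VPC names, CIDR blocks and the pcx- identifiers it produces are constructed placeholders.

```python
"""Plan VPC peering connections for a set of VPCs (added example, not AWS code).

Checks the two constraints the notes call out: peered VPCs must not have
overlapping CIDR blocks, and peering is not transitive, so every pair that
needs to talk requires its own peering connection plus a route on both sides.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample inventory: VPC name -> CIDR blocks (primary plus any secondary).
VPCS = {
    "vpc-team-a": ["10.0.0.0/16"],
    "vpc-team-b": ["10.1.0.0/16", "100.64.0.0/22"],
    "vpc-shared-db": ["10.2.0.0/16"],
}

def overlapping_cidrs(cidrs_a, cidrs_b):
    """Return every (a, b) pair of blocks that overlap; an empty list means peering is allowed."""
    return [(a, b) for a in cidrs_a for b in cidrs_b
            if ip_network(a).overlaps(ip_network(b))]

def plan_peering(vpcs, pairs):
    """For each (requester, accepter) pair, reject overlapping CIDRs and list the
    routes each side must add: one route per remote CIDR, target = the peering
    connection. Returns {pair: {"requester_routes": [...], "accepter_routes": [...]}}."""
    plan = {}
    for req, acc in pairs:
        clash = overlapping_cidrs(vpcs[req], vpcs[acc])
        if clash:
            raise ValueError(f"cannot peer {req} and {acc}: overlapping CIDRs {clash}")
        pcx = f"pcx-{req}-{acc}"  # placeholder; AWS assigns the real pcx- id on creation
        plan[(req, acc)] = {
            "requester_routes": [(cidr, pcx) for cidr in vpcs[acc]],
            "accepter_routes": [(cidr, pcx) for cidr in vpcs[req]],
        }
    return plan

def full_mesh_pairs(vpcs):
    """No transitive peering: N VPCs that must all talk need N*(N-1)/2 connections."""
    return list(combinations(sorted(vpcs), 2))

if __name__ == "__main__":
    for pair, routes in plan_peering(VPCS, full_mesh_pairs(VPCS)).items():
        print(pair, routes)
    # An overlapping block is rejected before any connection is requested.
    try:
        plan_peering({"x": ["10.0.0.0/16"], "y": ["10.0.128.0/17"]}, [("x", "y")])
    except ValueError as err:
        print("rejected:", err)
```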
PrivateLink vs VPC Peering – Key Differences
| Feature | AWS PrivateLink | VPC Peering |
|---|---|---|
| IP Address | Uses ENI private IP in consumer VPC | Uses existing private IPs |
| Use Case | Private access to services | Full VPC-to-VPC connectivity |
| Cross-account Support | Yes | Yes (the other account must accept the peering request) |
| Transitive Routing | No | No |
| Managed Service Support | Yes | No |
| Security | Very high, limited exposure | High, but all resources accessible if allowed |
Exam Tip: AWS may ask when to use PrivateLink vs VPC Peering. Remember:
- PrivateLink → service-specific, controlled access
- VPC Peering → full network access between VPCs
Best Practices for Maintaining Private Access
- Use PrivateLink for service sharing: Especially if you want to expose only specific services to other VPCs.
- Use VPC Peering for broader connectivity: When multiple resources across VPCs need to communicate.
- Monitor access: Use VPC Flow Logs to track traffic.
- Secure endpoints: Apply security groups and NACLs to control who can access services.
- Avoid CIDR conflicts: Ensure no overlapping IP ranges for VPC Peering.
Summary for the Exam
- Private access = access without going over the Internet.
- Two main ways:
  - AWS PrivateLink: For accessing services privately via endpoints.
  - VPC Peering: For full VPC-to-VPC private network connectivity.
- Key considerations: Security, route tables, cross-account access, and region limitations.
Memory tip:
“If you want access to a service, use PrivateLink. If you want access to a whole network, use VPC Peering.”
