
Centralized access to VPC private endpoints using VPC Lattice

6 minute read
Content level: Intermediate

This guide demonstrates how to implement centralized private endpoints using VPC Lattice, helping you reduce operational overhead, improve security governance, and enable seamless service discovery across your AWS organization.

Connectivity to third-party services traditionally requires networking components such as internet gateways, NAT devices, VPN connections, or Direct Connect. Interface VPC endpoints (AWS PrivateLink) simplify this by providing direct private access through elastic network interfaces with private IP addresses inside your VPC. However, deploying a separate interface endpoint for the same service in every VPC multiplies both the endpoint charges and the number of endpoints, security groups, and DNS entries that have to be managed.

This article describes a centralized-endpoint design: a single set of interface endpoints in a central VPC, exposed to multiple spoke VPCs through Amazon VPC Lattice (a resource gateway, a resource configuration, and a service network shared across accounts). The spoke VPCs keep private connectivity to the third-party service without owning any endpoints themselves.

Architecture Overview

Spoke VPCs in multiple accounts reach a third-party endpoint service through interface endpoints that exist only in a central VPC. A VPC Lattice resource gateway in the central VPC fronts those endpoints, a resource configuration exposes the endpoint's DNS name through that gateway, and a service network shared through AWS RAM makes the resource reachable from the spoke VPCs. A centralized Route 53 private hosted zone gives the spoke VPCs a stable name for the resource.

Prerequisites

  • The service provider has configured a VPC endpoint service and granted the consumer account permission to create endpoints to it. Reference guide
  • A centralized (shared) VPC exists in the consumer account, and the interface endpoint to the provider's endpoint service has already been created in that VPC.
  • A private hosted zone (PHZ) has been created in the centralized Route 53 account and associated with the spoke VPCs. Reference guide

Step 1. Copy the endpoint DNS name

  • Navigate to VPC > PrivateLink and Lattice > Endpoints in the AWS Management Console.
  • Select the previously created consumer endpoint and record its default regional DNS name (the name ending in vpce.amazonaws.com). This is the name the resource configuration in Step 3 will point at; the provider's private DNS name from a private hosted zone cannot be used there.

Step 2. Create Resource gateway

A resource gateway is a point of inbound traffic into the VPC where a resource resides. It spans multiple Availability Zones. A VPC must have a resource gateway if you plan on making resources inside the VPC accessible from other VPCs or accounts.

Navigate to VPC > PrivateLink and Lattice > Resource gateways.

  • Gateway configuration
    • Provide a meaningful resource gateway name.
    • Choose the IP address type the clients will use:
      • IPv4
      • IPv6
      • Dual-stack (supports both IPv4 and IPv6)
    • Select the central VPC that contains the interface endpoint.
    • Choose the Availability Zones (AZs); use more than one for high availability.
    • Select one subnet in each chosen AZ.
    • Assign security groups. They filter inbound traffic at the resource gateway, so allow only the port(s) the endpoint serves. The interface endpoint's own security group must in turn allow inbound traffic from the resource gateway's subnets, otherwise forwarded connections are dropped at the endpoint.

Step 3. Create Resource Configuration

Resource configurations define how your VPC resources are exposed to other VPCs and accounts. They enable private, secure, and unidirectional network connectivity, ensuring controlled access to your resources through an associated resource gateway.

In the AWS Management Console, navigate to VPC > PrivateLink and Lattice > Resource configurations

  • Enter a descriptive name for the resource configuration.
  • Select 'Resource' as the type (a single resource).
  • Choose the resource gateway created in Step 2.
  • Set the resource type to 'DNS resource'.
  • Enter the endpoint DNS name recorded in Step 1.
  • Specify the port range clients may connect to, for example 443 for an HTTPS service. Lattice forwards only traffic within this range, so limit it to the ports the endpoint actually serves.

Step 4. Establishing Your Lattice Service Network

Amazon VPC Lattice service networks serve as logical containers that group and manage related services and resources. They act as an organizational boundary for your resources, enabling you to control access, monitor traffic, and manage connectivity across your AWS infrastructure. Service networks simplify the process of connecting and managing communications between various services and resources, whether they're in the same account or across different AWS accounts.

In the AWS Management Console, navigate to VPC > PrivateLink and Lattice > Service Networks.

  • Select 'Create new Service Network'.
  • Provide a meaningful name for the service network.
  • Under 'Resource configuration associations', select the resource configuration created in Step 3.

Step 5: Sharing Your Service Network with Spoke Accounts

After the resource configuration is associated with the service network, share the service network through AWS Resource Access Manager (RAM). Once it is shared, spoke accounts can associate their own VPCs with the service network and reach the resources defined in the resource configuration.

  • Navigate to AWS Resource Access Manager in the AWS Management Console.
  • Select 'Create resource share'.
  • Provide a meaningful name for the resource share; this is the name the spoke accounts will see.
  • Under 'Resources', select your VPC Lattice service network.
  • In the next step, add the principals: the account IDs of the spoke accounts, or an organizational unit or organization if every account in it should receive the share. Complete the creation of the resource share.

Step 6: Accepting Resource Shares in Spoke Accounts

  • In the spoke account, open AWS Resource Access Manager (RAM) in the AWS Management Console.
  • Select 'Shared with me' in the left navigation pane.
  • Choose 'Resource shares' to view pending shares.
  • Select 'Accept resource share' to confirm access. Accounts in the same AWS Organization with RAM sharing enabled receive the share without an invitation, so this step is only needed for accounts outside the organization.

Step 7: Associating Spoke VPCs with Lattice Service Network

In the spoke account AWS Management Console, navigate to VPC > PrivateLink and Lattice > Service Networks.

  • Locate and select the shared service network.
  • Open the 'VPC associations' tab.
  • Select 'Create associations'.
  • Choose the VPC to associate.
  • Select the security groups for the association. They control which clients in the spoke VPC may send traffic to the service network, so this is where you restrict which workloads in the spoke may use the centralized endpoints.
  • Save the configuration.

Step 8: Configuring Private DNS for Lattice Resource configuration

Instead of using the lengthy default Lattice DNS name, create a record for it in the centralized Route 53 private hosted zone. Clients in the spoke VPCs then use a shorter, stable name that does not change if the association is recreated.

  • Navigate to VPC > PrivateLink and Lattice > Service Networks and select the shared service network.
  • Under 'Resource configuration associations', select the association ID to view the Lattice DNS name.
  • Record the DNS name for the next steps.
  • Open the Route 53 console in the centralized account.
  • In the private hosted zone associated with the spoke VPCs, create a CNAME record from your custom name to the Lattice DNS name.
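The console procedure of Steps 2 to 8 as an AWS CLI script. This is an added example, not code from the original article or from AWS: every VPC, subnet, security group, hosted zone, account number and hostname in it is a placeholder (including the partner.internal.example.com record name and the endpoint hostname), and the DRY_RUN switch that prints the commands instead of running them is a convention of this script, not a feature of the CLI. It uses the aws vpc-lattice, ram and route53 subcommands; the first group of functions needs credentials for the central account, the second group credentials for the spoke account.

```shell
#!/bin/sh
# Added example (not from the original article): AWS CLI equivalent of Steps 2-8.
# Every id, name, account number and hostname below is a placeholder.
# DRY_RUN=1 (the default) prints each aws command instead of executing it so the
# whole plan can be reviewed; DRY_RUN=0 executes against the real accounts.
DRY_RUN="${DRY_RUN:-1}"

aws_cmd() {
  if [ "$DRY_RUN" = "1" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# Step 3 payload: the tagged-union definition for a DNS resource.
# $1 = endpoint DNS name from Step 1, $2 = IPV4 | IPV6 | DUALSTACK
dns_resource_definition() {
  printf '{"dnsResource":{"domainName":"%s","ipAddressType":"%s"}}' "$1" "$2"
}

# Step 8 payload: UPSERT a CNAME from the custom name to the Lattice DNS name.
# $1 = record name in the private hosted zone, $2 = Lattice DNS name, $3 = TTL
route53_cname_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$3" "$2"
}

# ---------- central (endpoint-owning) account ----------

# Step 2: resource gateway in the central VPC, one subnet per AZ. Its security
# group is the first filter in front of the endpoint: open only the endpoint's
# port(s). The endpoint's own security group must in turn allow inbound traffic
# from the resource gateway subnets.
create_resource_gateway() { # name vpc-id sg-id subnet-id...
  _name=$1; _vpc=$2; _sg=$3; shift 3
  aws_cmd vpc-lattice create-resource-gateway --name "$_name" \
    --vpc-identifier "$_vpc" --ip-address-type IPV4 \
    --security-group-ids "$_sg" --subnet-ids "$@" --query id --output text
}

# Step 3: a single DNS resource behind the gateway, limited to the port range
# the endpoint serves; Lattice does not forward other ports.
create_resource_configuration() { # name rgw-id endpoint-dns-name port-range
  aws_cmd vpc-lattice create-resource-configuration --name "$1" --type SINGLE \
    --resource-gateway-identifier "$2" --protocol TCP --port-ranges "$4" \
    --resource-configuration-definition "$(dns_resource_definition "$3" IPV4)" \
    --query id --output text
}

# Step 4: service network and the association that exposes the resource in it.
create_service_network() { # name
  aws_cmd vpc-lattice create-service-network --name "$1" --query arn --output text
}
associate_resource() { # service-network-id-or-arn rc-id
  aws_cmd vpc-lattice create-service-network-resource-association \
    --service-network-identifier "$1" --resource-configuration-identifier "$2" \
    --query id --output text
}

# Step 5: share the service network ARN with the spoke accounts. Principals may
# also be an OU or organization ARN; accounts outside the organization need
# --allow-external-principals as well.
share_service_network() { # share-name service-network-arn account-id...
  _name=$1; _arn=$2; shift 2
  aws_cmd ram create-resource-share --name "$_name" --resource-arns "$_arn" \
    --principals "$@"
}

# Step 8: read the Lattice DNS name of the association, then publish the CNAME
# in the centralized private hosted zone.
lattice_dns_name() { # association-id
  aws_cmd vpc-lattice get-service-network-resource-association \
    --service-network-resource-association-identifier "$1" \
    --query dnsEntry.domainName --output text
}
publish_cname() { # hosted-zone-id record-name lattice-dns-name
  aws_cmd route53 change-resource-record-sets --hosted-zone-id "$1" \
    --change-batch "$(route53_cname_batch "$2" "$3" 300)"
}

# ---------- spoke account ----------

# Step 6: only needed for a spoke outside the organization (or with RAM sharing
# for Organizations disabled); member accounts get the share without an invitation.
accept_share() { # invitation-arn
  aws_cmd ram accept-resource-share-invitation --resource-share-invitation-arn "$1"
}

# Step 7: associate the spoke VPC. This security group decides which clients in
# the spoke VPC may send traffic into the service network at all.
associate_spoke_vpc() { # service-network-arn vpc-id sg-id
  aws_cmd vpc-lattice create-service-network-vpc-association \
    --service-network-identifier "$1" --vpc-identifier "$2" --security-group-ids "$3"
}

# Central-account sequence with placeholder values. With DRY_RUN=0, feed the id
# printed by each command into the next one in place of the PLACEHOLDER strings.
central_account_plan() {
  create_resource_gateway central-rgw vpc-PLACEHOLDER sg-PLACEHOLDER \
    subnet-az1-PLACEHOLDER subnet-az2-PLACEHOLDER
  create_resource_configuration partner-endpoint rgw-PLACEHOLDER \
    vpce-PLACEHOLDER.vpce-svc-PLACEHOLDER.us-east-1.vpce.amazonaws.com 443
  create_service_network central-endpoints
  associate_resource sn-PLACEHOLDER rc-PLACEHOLDER
  share_service_network central-endpoints-share \
    arn:aws:vpc-lattice:us-east-1:111111111111:servicenetwork/sn-PLACEHOLDER 222222222222
  lattice_dns_name snra-PLACEHOLDER
  publish_cname Z-PLACEHOLDER partner.internal.example.com lattice-dns-name-PLACEHOLDER
}

if [ "$DRY_RUN" = "1" ]; then central_account_plan; fi
```

Running the file as-is prints the central-account plan; review it, replace the placeholders, and only then run the same functions with DRY_RUN=0, central-account credentials for the first group and spoke credentials for accept_share and associate_spoke_vpc. The two security groups are the enforcement points of the design: the resource gateway's group limits what reaches the endpoint, and the VPC association's group limits which spoke workloads may use the service network at all.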

Important Notes

  • Follow the AWS Route 53 documentation for associating a private hosted zone with VPCs in other accounts: the association must be authorized from the account that owns the hosted zone and then created from each spoke account.
  • Verify DNS resolution from an instance in each spoke VPC; the custom name must resolve via the Lattice DNS name, and it will not if the private hosted zone is not associated with that VPC.
  • If the service is used over TLS, the certificate the client sees is the provider's, because the resource configuration forwards the TCP connection to the endpoint unchanged. Choose a custom name that the provider's certificate covers (typically the provider's own service hostname), or clients will fail hostname validation.
  • Maintain documentation of the DNS configuration.
3 Comments

Ever since re:Invent 6 months ago, I've been wanting to use Resource Gateways to access my ECS services directly from Step Functions, like in this article. My zone is a private hosted zone and it says that support for private hosted zones is not available and is being worked on. Your example here uses a private hosted zone. Could this mean that there is now support for it?

replied 9 months ago

@Mark, a private hosted zone is still not supported for use in the 'Resource Definition' of Step 3. In this example, the endpoint's public DNS name is used.

AWS
EXPERT
replied 9 months ago

Is this a costly solution compared to a traditional endpoint service + centralized endpoint?

replied 9 months ago