Depending on the application there is a way to do this using Site-to-Site VPN and PrivateLink. For this example where there is something on a remote network that you need to connect to you could do this:
EC2 (VPC A) -> PrivateLink Endpoint (VPC A) -> NLB (VPC B) -> VPN -> Remote network -> Remote application
This only allows connections from VPC A to the remote network/application and not the other way. Traffic is still bidirectional, but the initiation of each flow/session has to come from VPC A. VPCs A and B, the NLB and the VPN can still be owned by you, with the remote VPN end controlled by the partner.
This works well if you're calling an API endpoint or basically anything that is TCP-based and uses a single TCP session for transport and where the remote application has a stable IP address. If the IP address changes then you need to update the NLB target group. So it's good for databases, web servers, that sort of thing.
This is not suitable for UDP-based applications (as PrivateLink doesn't support UDP), nor for what I would call "complex" applications where there are many TCP ports. It can be made to work in some circumstances but not all.
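For readers who want to see the chain above as infrastructure code, here is an added Terraform sketch. It is not part of the original answer. It assumes the Site-to-Site VPN already terminates in VPC B with routes to the partner network, and the variable names (vpc_a_id, vpc_b_id, partner_app_ip and so on) and the example address 10.200.5.20 are placeholders, not values from the thread.

```hcl
# Assumed inputs: two VPCs you own plus the partner application's address
# reached across the VPN. All names and the example IP are placeholders.
variable "vpc_a_id"                 { type = string }
variable "vpc_a_cidr"               { type = string }
variable "vpc_a_private_subnet_ids" { type = list(string) }
variable "vpc_b_id"                 { type = string }
variable "vpc_b_private_subnet_ids" { type = list(string) }
variable "partner_app_ip"           { type = string }   # e.g. "10.200.5.20", partner side of the VPN (assumed)

# VPC B: internal NLB whose only target is the partner application.
# The partner sees connections sourced from the NLB nodes' private IPs,
# never from VPC A, so their routing and firewall rules only need VPC B's
# NLB subnets.
resource "aws_lb" "partner_nlb" {
  name               = "partner-app-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.vpc_b_private_subnet_ids
}

# target_type = "ip" is what lets the NLB point at an address outside AWS.
resource "aws_lb_target_group" "partner_app" {
  name        = "partner-app-tg"
  port        = 443
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_b_id

  health_check {
    protocol = "TCP"
  }
}

# A target outside the VPC CIDR (across VPN/Direct Connect) must be
# registered with availability_zone = "all". If the partner's IP changes,
# this is the single attribute to update and re-apply.
resource "aws_lb_target_group_attachment" "partner_app" {
  target_group_arn  = aws_lb_target_group.partner_app.arn
  target_id         = var.partner_app_ip
  port              = 443
  availability_zone = "all"
}

resource "aws_lb_listener" "partner_app" {
  load_balancer_arn = aws_lb.partner_nlb.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.partner_app.arn
  }
}

# Publish the NLB as a PrivateLink endpoint service. Both VPCs are yours,
# so no manual acceptance is needed; a consumer in another account would
# have to be listed in allowed_principals.
resource "aws_vpc_endpoint_service" "partner_app" {
  acceptance_required        = false
  network_load_balancer_arns = [aws_lb.partner_nlb.arn]
}

# VPC A: the interface endpoint is the only thing your EC2 instances talk
# to. Sessions can only be initiated from this side; the security group
# restricts which VPC A sources may open them.
resource "aws_security_group" "endpoint" {
  name   = "partner-app-endpoint"
  vpc_id = var.vpc_a_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_a_cidr]
  }
}

resource "aws_vpc_endpoint" "partner_app" {
  vpc_id             = var.vpc_a_id
  service_name       = aws_vpc_endpoint_service.partner_app.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.vpc_a_private_subnet_ids
  security_group_ids = [aws_security_group.endpoint.id]
}

# Clients in VPC A connect to this hostname on 443.
output "partner_app_endpoint_dns" {
  value = aws_vpc_endpoint.partner_app.dns_entry[0].dns_name
}
```

Two things to check before relying on it: the VPN's static routes or BGP advertisement must carry the CIDRs of the NLB subnets in VPC B, because both the health checks and the proxied client traffic are sourced from the NLB nodes; and the endpoint only carries the ports you add listeners for, which is the "single TCP port" constraint the answer describes.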
AWS Site-to-Site VPN is generally meant for situations where you control both ends of the VPN tunnel, such as connecting your own on-premises network to your AWS VPC. It typically establishes bidirectional communication, so it’s not well-suited for scenarios where you only want one-way access—where you can connect to a partner’s application but they can’t access your network.
For your situation, where you need to securely connect to a partner's network while preventing them from accessing yours, AWS PrivateLink might be a better fit. It allows you to access services in another VPC privately without exposing your network. Alternatively, if the partner’s network is also on AWS, VPC Peering could work, but it requires careful setup to manage traffic flow. Another option is using API Gateway for application-level access if that fits your needs.
Other AWS services aren't typically an option because the partners are not in AWS, unfortunately. If they were, we'd most likely end up using PrivateLink.

Can you elaborate a little bit so I can understand. Are you saying that because the VPN terminates on our side in VPC B and the rest of our infrastructure is in VPC A, and since the only connection between VPC A and VPC B is via the NLB, which is unidirectional, then we do not need to worry about the lack of unidirectional support on the VPN?

Bear in mind that it is NLB in VPC A and a PrivateLink endpoint between the two VPCs. PrivateLink only allows for connections to be established in one direction (in this case from VPC B to the NLB in VPC A). The traffic flow is bidirectional because it has to be (otherwise you'd never get data back to the client that initiated the session). Where the VPN is terminated is not relevant; you could have EC2 instances in VPC B and it would work the same, but it also happens to work with clients at the "far end" of the VPN from VPC B. The other trick here is that PrivateLink deals with overlapping IP addresses too, so you don't have to worry if VPC A is the same IP range as VPC B, the VPN or anything connected to the VPN.