What are the benefits of using Redshift Managed VPC Endpoints vs. VPC Peering?

1

Hi,

If I want to connect a QuickSight instance in Account A, to a private Redshift cluster (i.e. located in a private VPC subnet) in Account B, what reasons would I have to use a (more expensive from the looks of it) Redshift Managed VPC Endpoint to provide this cross-account, cross-VPC connectivity, over using VPC peering? Is this simply a case of "less management overhead", or is there a technical reason why VPC peering would not be suitable in this case?

1 Answer
0

VPC peering connects two networks together and allows arbitrary routing between them. Once peered, you can configure routes, security groups, and ACLs to let nodes on either network communicate over the peering connection.

Redshift VPC Endpoints use PrivateLink to allow one VPC to access resources in another VPC as if they are local to the same VPC. It is different than the peering concept of connecting two networks together. Instead, the services on the caller side can access resources (in this case, Redshift) on the endpoint side, but not vice versa; nothing in the endpoint network can connect to the caller.

Endpoints are a fundamentally stronger security model because you don't need to use routes, security groups, and ACLs to configure access. Endpoints also involve less configuration.

From a cost standpoint, VPC peering is cheaper. You're charged $0.01/GB in both directions when the traffic is cross-AZ. Traffic over a peering connection within the same AZ is free. With endpoints, you're charged an hourly rate for each VPC endpoint, plus $0.01/GB in both directions plus the same cross-AZ data transfer rates.

Expert
bwhaley
answered a year ago
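The setup each option involves for the QuickSight-to-Redshift case above, as an added example that is not part of the original answer: the script prints the AWS CLI calls for both paths (dry run by default) so the number of network-level changes can be compared. All account IDs, resource IDs, CIDR ranges and names are constructed placeholders, and port 5439 is assumed because it is Redshift's default.

```shell
#!/usr/bin/env bash
# Added example. Every ID, CIDR and name below is a constructed placeholder.
ACCT_A=111111111111                    # consumer account (QuickSight)
ACCT_B=222222222222                    # owner account (Redshift cluster)
VPC_A=vpc-aaaa1111 CIDR_A=10.0.0.0/16
VPC_B=vpc-bbbb2222 CIDR_B=10.1.0.0/16
PCX=pcx-EXAMPLE RTB_A=rtb-aaaa1111 RTB_B=rtb-bbbb2222
SG_REDSHIFT=sg-bbbb2222 CLUSTER=example-cluster
SUBNET_GROUP_A=example-subnet-group    # Redshift subnet group in account A

# Print the command unless DRY_RUN=0, in which case execute it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

peering_plan() {
  # Network-level link: each VPC's address range becomes routable from the other.
  run aws ec2 create-vpc-peering-connection --vpc-id "$VPC_A" \
      --peer-vpc-id "$VPC_B" --peer-owner-id "$ACCT_B"
  run aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id "$PCX"
  # A route is required in both accounts.
  run aws ec2 create-route --route-table-id "$RTB_A" \
      --destination-cidr-block "$CIDR_B" --vpc-peering-connection-id "$PCX"
  run aws ec2 create-route --route-table-id "$RTB_B" \
      --destination-cidr-block "$CIDR_A" --vpc-peering-connection-id "$PCX"
  # Exposure is then narrowed by hand to the Redshift port.
  run aws ec2 authorize-security-group-ingress --group-id "$SG_REDSHIFT" \
      --protocol tcp --port 5439 --cidr "$CIDR_A"
}

endpoint_plan() {
  # Account B grants account A access to this one cluster.
  run aws redshift authorize-endpoint-access \
      --cluster-identifier "$CLUSTER" --account "$ACCT_A"
  # Account A creates the endpoint in its own subnets; no route to VPC B is added.
  run aws redshift create-endpoint-access --endpoint-name example-qs-endpoint \
      --subnet-group-name "$SUBNET_GROUP_A" \
      --cluster-identifier "$CLUSTER" --resource-owner "$ACCT_B"
}

# Number of planned calls that add a route between the two VPCs.
route_count() { "$1" | grep -c 'create-route' || true; }

peering_plan
endpoint_plan
```

Run as-is, the script only prints the commands; each half has to be executed with credentials for the account named in its comments.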
