1개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
1
A VPC Endpoint can't access a service in a different region, so TGW is your best bet to establish cross-region connectivity between VPCs, allowing access to a VPC Endpoint in the same region as the service. VPC Peering is possible too but your plan to use TGW is much better in most cases.
Thanks skinsman. How about same region but different account?
Yes, sharing a VPC endpoint across VPCs in different accounts works well. You just need network connectivity plus sharing of the PHZ to multiple VPCs. This article https://www.linkedin.com/pulse/how-share-interface-vpc-endpoints-across-aws-accounts-steve-kinsman/ goes through the process. It's talking specifically about VPC endpoints used for AWS services but applies equally to PrivateLink services.
Thanks Skinsman. I pressed on with my build and it's working now, with a fair amount of handshaking and multiple CDK stacks in my app. I ended up using CDK (including Cfn bits), CLI and bash. No SDK (custom resources) this time! I stuck with a multi-region, single-account solution for now, using TGWs. When I move to multi-account (and if I'm just sharing within the same region), should I share VPCe's or TGWs (I only have VPCe's in my VPC's)? I need to go lie down now :-). I'll read your article later - thanks!
No problem, glad it helped. When you go multi-account use your existing TGWs to hook up VPCs across accounts. You can put VPCe's in each account or share them via PHZs, it's up to you. The latter saves money but is a bit more fiddly to set up.