- Newest
- Most votes
- Most comments
Hello,
your question is not clear related by the Type of Service, if this endpoint will be publishing AWS Services or for your Own Service.
In general, Since you will allow the third parties to create an Interface Endpoint in their account for your services, it will not be applicable to force them with a Security group on the Implemented interface in their accounts. Although you can still Enforce inbound rules for PrivateLink traffic in NLB settings but consider that there can be CIDR overlap which can make security groups more complex in operation,
Also you can check the below options also available for the provider.
1- You can control who can request your Endpoint Service, So you have to give them approval before they can start. https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests
2- if This Service is using AWS Services, so you can use Service Policy.
3- You can also enable proxy protocol on the load balancer, you can obtain the addresses of the service consumers and the IDs of the interface endpoints from the proxy protocol header, that will gives your application more visibility. your applications here need to have extra configurations to process the data provided by the proxy header to allow or deny the respond.
3- you can Still inspect the Traffic by Intra-VPC Inspection with AWS Network Firewall, that can provide you inspection layer between the NLB and EC2 Instances. (Source IP will always be the Internal IP of the NLB but you can still inspect the Packet Content.) https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/inspection-deployment-models-with-AWS-network-firewall-ra.pdf
Hello.
I'm in the process of enabling third-party access to certain services through PrivateLink. Regarding security considerations:
When you say a specific service, do you mean an AWS service (such as S3)?
Or do you mean an application you created hosted on AWS?
What measures can I implement to safeguard my EC2 instances against incoming traffic from third parties?
I think it can basically be controlled with security groups.
If you publish a custom application with PrivateLink, you can enable Enforce inbound rules for PrivateLink traffic in NLB settings to control IP addresses in third-party VPCs using NLB security group inbound rules.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-security-groups.html#update-security-settings
Is there a way to enforce an Endpoint Policy on the third-party accounts to restrict the traffic to specific source addresses, for instance, to impose limitations based on the source address of incoming requests?“
You cannot set VPC endpoint policies when using PrivateLink to publish custom applications using NLB.
VPC endpoint policies can only be used when using VPC endpoints to access AWS services such as S3 and Systems Manager.
Therefore, I think it is a good idea to restrict IP addresses using security groups.
Relevant content
- asked 3 months ago
- asked 9 months ago
- asked a year ago
AWS OFFICIALUpdated 19 days ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 4 months ago
