Private Link cross region cross account support


Hi, we are trying to implement a PrivateLink solution that is cross-region and cross-account; however, we are not able to find out whether it is supported by AWS or not.

Could you please confirm the same. Thanks

asked 2 years ago · 2906 views
2 Answers

Hello,

Endpoint services are available in the AWS Region in which they are created and can be accessed in remote AWS Regions using Inter-Region VPC Peering.

The flow would look like this:

Consumer VPC (Region A) ---PrivateLink---> NLB in Provider VPC (Region A) <---Inter-Region VPC Peering---> Endpoints in Provider VPC (Region B)

See the 'Inter-Region Endpoint Services' pattern - https://d1.awsstatic.com/whitepapers/aws-privatelink.pdf

Also see this: https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/

AWS EXPERT
answered 2 years ago
  • So if I have an Account A (region A) and an Account B (region B), then this will not work?

    I was able to create Account A (region A) and Account B (region A), and PrivateLink works fine.

  • Hi, that should also work (see this: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/peer-with-vpc-in-another-account.html). If you found the answer useful, please accept it. Thank you.

  • Tushar_J, can you elaborate a bit more? I have a similar use case, where I have (eu-central-1) API Gateway w/ mTLS --> NLB --> ALB --> ECS

    I want to have something like: (ap-south-1) API Gateway w/ mTLS --> NLB --> PrivateLink --> (eu-central-1) ALB --> ECS

    This is for the same account, but different regions. I have been struggling with this for a while, and I tried different combinations that don't work. I tried VPC peering and VPC endpoints, but I am missing something. I either cannot connect to a service, or cannot create the target. Ideally it would be (ap-south-1) API Gateway w/ mTLS --> PrivateLink --> (eu-central-1) NLB --> ALB --> ECS and continue the flow there, but that's not working. Either the VPC Link cannot be created, or the target does not exist in the region.


Hello, it is possible via what we might call a shared VPC, where the VPC endpoint (for an AWS service or a PrivateLink service) is deployed.

Let's presume you have a bucket in region A to share with region B and region C. All three VPCs (regions A, B and C) are connected via TGW.

In a nutshell, you need to create a VPC endpoint in the VPC in region A and make your VPCs in the other regions able to resolve this endpoint to its private IP address in the region A VPC, so that your TGW routes requests from the other VPCs to this endpoint in region A.

To do it:

  1. Create a VPC endpoint in the VPC in region A and disable private DNS for it.
  2. Create a Route 53 PHZ in the same VPC in region A and create an alias record that points to the VPC endpoint (for example s3.us-east-1.amazonaws.com -> vpc-endpoint.name).
  3. Associate this Route 53 PHZ with the VPCs in region B and region C.

Described here: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html

https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-aws-transit-gateway-with-aws-privatelink-and-amazon-route-53-resolver/

answered a year ago
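The three steps of this answer as one Terraform configuration (an added example, not code from the answer or from AWS). Region A is us-east-1 and the shared service is S3, as in the answer; `var.hub_vpc_id`, `var.hub_subnet_ids`, `var.endpoint_sg_ids` and `var.spoke_vpcs` are assumed inputs, and the TGW routing between the VPCs is assumed to already exist.

```hcl
# Step 1: interface endpoint in the hub VPC (region A). Private DNS stays disabled so the
# public service name is answered by the private hosted zone below, not by the endpoint itself.
resource "aws_vpc_endpoint" "s3" {
  vpc_id              = var.hub_vpc_id           # assumed input
  service_name        = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.hub_subnet_ids       # assumed input
  security_group_ids  = var.endpoint_sg_ids      # assumed input: allow 443 only from the spoke CIDRs
  private_dns_enabled = false
}

# Step 2: private hosted zone for the public service name, homed in the hub VPC.
resource "aws_route53_zone" "s3" {
  name = "s3.us-east-1.amazonaws.com"
  vpc {
    vpc_id = var.hub_vpc_id
  }
  lifecycle {
    ignore_changes = [vpc]   # spoke associations are managed by the resource below
  }
}

# Alias records for path-style (apex) and virtual-hosted-style (wildcard) bucket names.
# The endpoint's regional name is returned as "*.vpce-<id>.s3.us-east-1.vpce.amazonaws.com";
# the leading wildcard label is stripped before it is used as the alias target.
resource "aws_route53_record" "s3" {
  for_each = toset(["s3.us-east-1.amazonaws.com", "*.s3.us-east-1.amazonaws.com"])
  zone_id  = aws_route53_zone.s3.zone_id
  name     = each.value
  type     = "A"
  alias {
    name                   = trimprefix(aws_vpc_endpoint.s3.dns_entry[0].dns_name, "*.")
    zone_id                = aws_vpc_endpoint.s3.dns_entry[0].hosted_zone_id
    evaluate_target_health = true
  }
}

# Step 3: associate the zone with each spoke VPC in the other regions (same account).
# For a spoke in another account, the zone owner must first create an
# aws_route53_vpc_association_authorization and the spoke account then creates this association.
resource "aws_route53_zone_association" "spoke" {
  for_each   = var.spoke_vpcs   # assumed input: { "eu-west-1" = "vpc-0b…", "ap-south-1" = "vpc-0c…" }
  zone_id    = aws_route53_zone.s3.zone_id
  vpc_id     = each.value
  vpc_region = each.key
}
```

After applying, resolving s3.us-east-1.amazonaws.com from an instance in a spoke VPC should return the endpoint's private IPs in the hub VPC. If it still returns public addresses, check the zone association and that the spoke VPC has enableDnsSupport and enableDnsHostnames enabled, which private hosted zones require.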
