From a security perspective, what benefit can we get from PrivateLink?

0

When using public IP addresses, all communication between instances and services hosted in AWS uses AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.

So, suppose we are accessing an AWS service, for example CloudWatch: from a security perspective, what benefit can we get from PrivateLink instead of an Internet gateway + NAT gateway?

Asked 5 months ago, 161 views
2 answers
0

Hi,

VPC Endpoints and PrivateLink are two different concepts.

VPC Endpoints you can use to access AWS services without leaving the VPC. Here are some docs.

PrivateLink you can use to provide access to your internal VPC services (your app, for example) to external AWS consumers (a different VPC/account).

From here:

Q: How secure is an AWS PrivateLink connection?

A: The security of AWS PrivateLink relies on three factors: the path, the policies, and mode of communication.

The path between a VPC endpoint and an AWS or AWS-based service stays within AWS and does not traverse the Internet. It therefore remains out of reach of Internet breaches.

When you are using VPC endpoints with AWS services, you can also create endpoint policies, which restrict access to requests that come from the VPC or the VPC endpoint.

PrivateLink does not provide any encryption by default for data in transit. The service consumer always initiates the service (it is a one-way service), and the service provider only provides service to allowlisted customers.

Expert
Answered 5 months ago
  • -- "The path between a VPC endpoint and an AWS or AWS-based service stays within AWS and does not traverse the Internet. It therefore remains out of reach of Internet breaches."

    If no VPC endpoint: with the NAT gateway and Internet gateway, the traffic between the VPC and the AWS service still stays in the AWS network; there is no traffic outside the AWS network.

    -- "When you are using VPC endpoints with AWS services, you can also create endpoint policies, which restrict access to requests that come from the VPC or the VPC endpoint."

    If no VPC endpoint: by creating a separate IAM role associated with the AWS service permissions, we might restrict access to requests to the AWS service as well.

0

I'm going to disagree slightly with the other answer here: PrivateLink is closely related to AWS service VPC Interface endpoints - the difference is that it is AWS offering the endpoint rather than you creating your own endpoint service and offering it to other VPCs and accounts.

There are a few advantages of using a VPC endpoint for an AWS service instead of using an Internet Gateway (and NAT Gateway if required):

  • The service endpoint only allows access to that service. Having an Internet Gateway in your VPC means that workloads could access other publicly hosted endpoints and services - which can be on AWS or on the rest of the internet. So using the endpoint means that you don't have to try and filter that traffic if you need to restrict access.
  • You can apply endpoint policies to the endpoint which gives you greater control over what your workloads can do with that service.
AWS
Expert
Answered 5 months ago
  • This is a good point. For a private subnet without internet access, it might be clearer to use a VPC interface endpoint for AWS service access.
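An example endpoint policy for a CloudWatch Logs interface endpoint, added here as an illustration of the second bullet in the answer above (it is not code from either answer or from AWS documentation). It narrows what any workload reaching the service through this endpoint may do: only log-shipping actions, only against one log group, and only for principals from one account. The Region, account ID and log-group name are placeholders, and the set of allowed actions is an assumption about a workload that only writes logs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyThisAccountOnlyLogShipping",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:REGION_PLACEHOLDER:ACCOUNT_ID_PLACEHOLDER:log-group:app-logs-placeholder:*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "ACCOUNT_ID_PLACEHOLDER"
        }
      }
    }
  ]
}
```

An endpoint policy is evaluated in addition to the caller's own IAM permissions, so the workload's role still needs its own allow; the endpoint policy can only narrow it. A request from a principal in another account, or for an action outside the list such as deleting a log group, is refused at the endpoint even if the caller's IAM policy would permit it. With an Internet gateway and NAT gateway there is no equivalent per-service choke point in the VPC, which is the difference the second answer describes.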
