What is AWS PrivateLink interface VPC endpoint?


A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC. The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company’s VPC. All permissions must conform to the principles of least privilege.

Which solution meets these requirements?

A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.

B. Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.

C. Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.

D. Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider

Correct Answer is A.

Kindly help me understand why B is not a viable option here.

5 Answers

This Private Link concepts guide explains why Option A is the answer: https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html

Summary: Use AWS PrivateLink to allow the resources in your VPC to connect to services in other VPCs using private IP addresses, as if those services were hosted directly in your VPC.

AWS
answered 10 months ago
reviewed 10 months ago by iBehr (AWS EXPERT)
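As an added illustration of option A (not part of the original question or of any answer above), here is a Terraform configuration for the consumer side: an interface VPC endpoint connected to the provider's endpoint service, with a security group that only lets the consuming application reach it. The endpoint service name, VPC ID, subnet IDs and application security group ID are assumed inputs (the service name comes from the SaaS provider); the resource and variable names are placeholders.

```hcl
# Added example, not from the original page. Assumed inputs are declared as variables.
variable "vpc_id"            { type = string }       # company VPC
variable "subnet_ids"        { type = list(string) } # private subnets, one per AZ
variable "consumer_sg_id"    { type = string }       # security group of the app that calls the SaaS API
variable "saas_service_name" { type = string }       # endpoint service name supplied by the provider

# Security group attached to the endpoint network interfaces.
# Terraform strips the default allow-all egress rule and none is re-added:
# security groups are stateful, so replies to the app's requests still flow,
# and the endpoint never needs to initiate traffic.
resource "aws_security_group" "saas_endpoint" {
  name        = "saas-privatelink-endpoint"
  description = "Only the consuming application may reach the SaaS endpoint"
  vpc_id      = var.vpc_id
}

# Least privilege: HTTPS only, and only from the application's security group,
# not from the whole VPC CIDR.
resource "aws_vpc_security_group_ingress_rule" "from_app" {
  security_group_id            = aws_security_group.saas_endpoint.id
  referenced_security_group_id = var.consumer_sg_id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# The interface endpoint itself. Traffic to the provider's service stays on
# the AWS network; no internet gateway, NAT or VPN is involved.
resource "aws_vpc_endpoint" "saas" {
  vpc_id             = var.vpc_id
  service_name       = var.saas_service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.subnet_ids
  security_group_ids = [aws_security_group.saas_endpoint.id]

  # Only set to true if the provider has verified a private DNS name for
  # the service; otherwise the endpoint-specific DNS names below are used.
  private_dns_enabled = false
}

# DNS names the application uses to call the SaaS API over PrivateLink.
output "saas_endpoint_dns" {
  value = aws_vpc_endpoint.saas.dns_entry[*].dns_name
}
```

After `terraform apply` the endpoint sits in the `pendingAcceptance` state until the provider accepts the connection request (unless they configured the service to accept automatically); `aws ec2 describe-vpc-endpoints` shows it as `available` once accepted. A PrivateLink connection can only be initiated from the consumer side, so the provider cannot reach anything in the company VPC through it, which is what satisfies the "no access from outside the VPC" requirement that peering or a VPN would not.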

Sometimes there can be a 2nd viable answer but one is still clearly better. In this case you want to connect with a 3rd party so linking your networks is not a good idea even if it's technically possible and you can limit access to a certain degree with ACLs. Also "does not traverse the internet" excludes option B.

EXPERT
answered 10 months ago
reviewed 10 months ago

The 3rd party SaaS runs within a VPC. A site-to-site VPN is exactly that. It's to encrypt traffic between 2 sites.

To keep all traffic within a VPC and not traverse the internet via an IGW, PrivateLink is the only option. This ensures AWS servers are accessible via a private address space/network.

EXPERT
answered 10 months ago

Because a VPN, though encrypted, goes over the internet and encounters many hops, which causes higher latency.

PrivateLink is an internal backbone which never traverses the internet, has far fewer hops, and is secure.

EXPERT
answered 10 months ago

I would say for two reasons:

  • option B doesn't comply with the requirement that traffic not traverse the internet.
  • on top of that, a VPN lacks the possibility to specify an endpoint policy, so I see no way to apply the principles of least privilege with option B.
answered 10 months ago
