What's the recommended way to use PrivateLink with a PaaS backend which only provides FQDNs?

Question

I would like to create a connection between a lot of AWS Lambda services and AWS ElastiCache (EC) service using the PrivateLink (PL) approach.

We are working in multi-account environment and EC consumers are isolated into a lot of accounts.
According to the AWS documentation each VPC requires at least one VPC Interface Endpoint at service consumer side and VPC Endpoint Service at service provider side. Also according to the documentation this could only be done using private facing ELB, which Target Group expects the IPs or instances IDs as targets and not the FQDNs that are provided by AWS EC (write and read FQDNs).

The question is -- what is the recommended way to create a multi-account connectivity using the PL within such environment?

NOTE: I've already saw several posts like https://aws.amazon.com/blogs/networking-and-content-delivery/hostname-as-target-for-network-load-balancers/ and don't like an idea of some additional moving part responsible for TargetGroup update. Is that the only solution?

Answer

TL;DR: Contact your local AWS Solutions Architect for an in-depth discussion of alternative solutions.

Tricky question because there's no **easy** way to solve this.

In an ideal world you'd just put a NLB in front of the ElastiCache cluster; point PrivateLink at it and away you go. But it isn't that easy.

One way to solve this would be to deploy Lambda functions to each account; and have them independently call the clusters. Probably raises more problems than it solves: Lambda deployment; cross-account access; sync/async calls; all sorts of things.

In the end, you may find the solution that you've linked to is the way to go; but it also (as you know) has drawbacks.

Definitely an opportunity to chat to your local AWS team and find a "good" way of doing this.

What's the recommended way to use PrivateLink with a PaaS backend which only provides FQDNs?

Relevant content