Will Cognito support PrivateLink?

6

Hi,

We are currently reaching Cognito from a private subnet. Like everyone in this situation, I think, we have a NAT Gateway to be able to do so.

Is there any chance to have, in the future, a VPC Endpoint for Cognito instead?

Hope this won't get lost.

Thank you.

Dylan.

kdylan
asked 10 months ago, 2488 views
5 Answers
6

I'd like to lend my support to the OP's position - it would be very useful for me if Cognito supported PrivateLink. Here's my response to some of the specific points made here:

  1. You write "All products that follow SAML specifications require the browser client to be able to reach both the IDP and SP." You also write: "As a SaaS (software as a service) product, Cognito requires public access for its endpoints." I think it's worth clarifying that the OP is asking for Cognito to be available via PrivateLink in addition to being available via the public internet. This is the same for all other AWS services that support PrivateLink. For example, S3 is available via both the public internet and via PrivateLink.

  2. "Customers like you would be interested in keeping communication within the AWS network and removing reliance on NAT gateways, NAT instances, or Internet gateways, but this use-case is so narrow that it has not gained traction with Cognito product managers so far." I would recommend that the Cognito product managers do some investigation into this issue. If you Google for "AWS Cognito without NAT gateway" you will find a large number of queries.

My motivation for wanting this (and which is reflected in a lot of the posts I see) is that I have e.g. an ECS task running in a private subnet which is currently able to do everything that it needs to do via VPC endpoints and without incurring the potentially very high costs of a NAT gateway. So the situation is that the only reason I would need to add a NAT gateway is to allow integration with Cognito. With NAT gateways in two availability zones, costing around $35 x 2 = $70 per month minimum, with additional costs for data transfer, this means that Cognito, which presents itself as having a very attractive free tier as well as attractive scale pricing, in fact costs a minimum of $70 per month, which is prohibitive for many startups. I feel sure the Cognito product managers would be interested to know that their customers are aware that, in reality, there is no free tier on Cognito and that the real-world pricing starts at ~$70 per month, even for a small handful of users, even for a small start-up use case.

answered 8 months ago
2

Same opinion as Geoffrey. Please make this happen. For everyone reading this, please write a comment, if you agree. Thanks!

answered 5 months ago
1

Hi Dylan, Cognito, as stated by you, does not support VPC endpoints, similar to CloudFront. All products that follow SAML specifications require the browser client to be able to reach both the IDP and SP, and since it is likely that one of these components will not be located at the same location as the other, some sort of connectivity (normally internet) is required.

As a SaaS (software as a service) product, Cognito requires public access for its endpoints. Customers like you would be interested in keeping communication within the AWS network and removing reliance on NAT gateways, NAT instances, or Internet gateways, but this use-case is so narrow that it has not gained traction with Cognito product managers so far, and I am inclined to believe that it never will. Of course, the latter is my personal opinion as I am not involved with Cognito development.

AWS Expert
answered 10 months ago
0

There are different scenarios where OAuth2 is useful. Eduardo's answer highlights the one using a browser and I believe it's a fair assumption to say most browsers will have internet access. However, OAuth2 has one flow for machine-to-machine using Client Credentials. If my server is in a VPC without a NAT (or equivalent) then it is not possible to generate an access token with the current Cognito design. That's pretty hard to explain to a security officer: that the service which manages authentication requires adding outbound access to the internet.

I believe the request is not to make Cognito private but to be able to reach Cognito from a VPC that doesn't have outbound access to the internet. So +1.

Alex
answered 2 months ago
0

Hello everyone,

We are in the same situation as Geoffrey Ferrari.

Our current infrastructure consists of a public ALB and a private ECS where the backend is deployed. The backend needs to communicate with Cognito to generate tokens for the users. Given that there isn't a VPC endpoint for connecting privately with Cognito we need to deploy a NAT gateway, so that our backend can communicate with it.

We will definitely need a VPC endpoint for Cognito. +1

answered 2 months ago
