Can one customer's AppStream or Workspaces make connections to another customer's account via PrivateLink?
Customer makes a data streaming service available via PrivateLink. Another customer wants to deploy their application on AppStream and utilize that data feed. While I know it is "trivial" to connect to the data stream via PrivateLink on an EC2 instance, I'm not sure if this can be done in AppStream or Workspaces given the shared pool of these services. Can one customer's AppStream or Workspaces make connections to another customer's account via PrivateLink?
How to setup interface VPC endpoints in a multi tier architecture?
Customer wants to use an interface VPC endpoint (for CloudWatch Logs specifically). Their main driver is that they want to reduce NAT gateway usage charges. Now they have a VPC with 4 tiers of subnets (Public, Web, App, Database). Each tier can access/route to the lower tier only. What is the best practice to set this up from a cost/security perspective? They currently don't use Transit Gateway or a multi-VPC/account architecture.
1. 4 interface endpoints, one per network tier?
2. Create a new tier (let's say a VPC endpoint tier) and centralize the VPC endpoints there?
3. Something else?
Creating AWS PrivateLink connections using AWS CloudFormation
I'm setting up infrastructure with CloudFormation including a VPC with subnets and an interface VPC endpoint. The endpoint is meant to be deployed using the subnets created as part of the stack, but when I start the deployment I get the following error: The VPC endpoint service X does not support the availability zone of the subnet: subnet-Y. The endpoint service is deployed in subnets in the following AZs:
- us-east-1a (use1-az1)
- us-east-1b (use1-az2)
- us-east-1c (use1-az4)
And the VPC in which I'm testing the CloudFormation stack has its subnets in the following AZs:
- us-east-1a (use1-az2)
- us-east-1b (use1-az4)
- us-east-1c (use1-az6)
The only matching ones are use1-az2 and use1-az4. I would like to know if there's a way to automatically look up the AZs supported by the service and match them with my subnets' AZs. The idea is to create 4 different environments with the same setup (VPC, subnets, endpoint) so as to avoid hard-coding the values.
Best way to manage access to a VPC Endpoint
A customer has a need for CloudWatch Logs in a private VPC, but they want to restrict access to this endpoint to authorized hosts only, to prevent confidential information from accidentally leaking out of the VPC. What's the best way to accomplish this?
a. Instance role: Control access to the VPCe via an instance role IAM policy
b. VPC endpoint policy: Can we add EC2-based restrictions to a VPCe policy?
c. VPC endpoint security group: Selectively allow only authorized IP addresses
I would have a preference for an instance role solution, because then we can manage access at the logical EC2 level, regardless of the assigned IP address. Are there best practices or better ways to accomplish this goal?
Disabling access to non AWS services via VPC endpoints
Is there a way we can prevent creation of VPC endpoints in AWS PrivateLink for non-AWS services? The customer is looking to whitelist PrivateLink and wants to make sure that no one can connect to non-AWS services using PrivateLink. The condition key in the IAM policy [ec2:VpceServiceName](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-iam.html) should work, but wouldn't that prevent even the Admin from creating any endpoint for non-AWS services?
How do I confirm interface VPC endpoint usage?
How can we validate or confirm that AWS PrivateLink is actually being used? I have an AWS Lambda function that sends logs to a third party using AWS PrivateLink and the logs aren't being received. Therefore, I'm not sure if PrivateLink is being used. There's no helpful logging with the function, and the setup is exactly the same across environments. Nothing in CloudTrail shows up, and the VPC Flow Logs show status on the ENIs as "NODATA".
How do I join a MS AD domain and still use SSM in a Private Subnet?
I am trying to set up SSM on Windows. I have an ASG in a private subnet (absolutely 0 internet access). I can not use NAT, only VPC endpoints. In the instance launch configuration, I have a PowerShell script that uses Set-DnsClientServerAddress so that the instance can find and join an AWS Managed MS AD service. I would also like to set up the instance so it can be fully managed with SSM. The problem comes with the DNS client server address. When I set it to match the address of the AD service, SSM will not work. When I leave the DNS client server address at the default, SSM works but I can not join the AD. I tried forcing the SSM Agent to use the endpoints by creating an amazon-ssm-agent.json file and setting all three endpoints in there. This allowed the instance to show on the Managed Instance list, but its status never changed from pending and requests from within the instance still timed out. I also tried adding a forwarder as described in this thread, however I'm either missing something or it is not working for my case: https://forums.aws.amazon.com/thread.jspa?messageID=919331 Does anyone know the magic sauce to get these things all working at the same time? Edited by: justinfueltravel on Jul 28, 2020 5:20 AM Fixed incorrect hyperlink
Accessing resources in another VPC using Amazon Route 53 and AWS PrivateLink
I'm trying to access resources (such as an LDAP server) in a VPC in another AWS account. In the second account, an AWS PrivateLink endpoint service is being used to expose the LDAP server. I need to connect to this LDAP server using TLS and I want to create the correct DNS entry. What's the best way to do this?
PrivateLink Matching AZ on Consumer/Provider
In a scenario where the provider application, extended via PrivateLink, is hosted in az1 and az2 in a particular region and the consumer only has subnets provisioned in az2 and az3, they have only az2 in common and the endpoint is placed in it. What can the provider/consumer do to avoid any issues in case of an az2 failure?