Skip to main content

Amazon PrivateLink

  • Home
  • Amazon PrivateLink

Amazon PrivateLink

Access services hosted on Amazon Web Services easily and securely by keeping your network traffic within the Amazon Web Services network

Get started with Amazon PrivateLink

Overview

Amazon PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. Amazon PrivateLink provides private connectivity between VPCs, Amazon Web Services’ services, and on-premises applications, securely on the Amazon Web Services service network. Amazon PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.

Interface VPC endpoints, powered by Amazon PrivateLink, connect you to services hosted by APN Partners and supported solutions available in Marketplace. By powering Gateway Load Balancer endpoints, Amazon PrivateLink brings the same level of security and performance to your virtual network appliances or custom traffic inspection logic.

Benefits

Secure your traffic

Connect your VPCs to services in Amazon Web Services in a secure and scalable manner with Amazon PrivateLink. Amazon PrivateLink traffic doesn't traverse the Internet, reducing the exposure to threat vectors such as brute force and distributed denial-of-service attacks. Use private IP connectivity and security groups so that your services function as though they were hosted directly on your private network.

Simplify network management

Significantly simplify your internal network architecture with Amazon PrivateLink. Connect services across different accounts, and VPCs within your own organization, with no need for firewall rules, path definitions, or route tables. There is no longer a need to configure an Internet gateway or a VPC peering connection.

Accelerate your cloud migration

More easily migrate traditional on-premises applications to SaaS offerings hosted in the cloud with Amazon PrivateLink. Since your data does not get exposed to the Internet where it can be compromised, you can migrate and use more cloud services with the confidence that your traffic remains secure and compliant with regulations. You no longer have to choose between using a service and exposing your critical data to the Internet.

Use cases

Securely access SaaS applications

SaaS providers are collecting data from their enterprise customers and using the data for log analysis, security scans, or performance management. SaaS providers will install agents or clients in their customers' VPCs to generate and send data back to the provider. When using SaaS applications, customers have to choose between allowing Internet access from their VPC, which puts the VPC resources at risk, and not using these applications at all. With Amazon PrivateLink, you can connect your VPCs to Amazon Web Services services and SaaS applications in a secure and scalable manner.

Maintain regulatory compliance

Preventing personally identifiable information (PII) from traversing the Internet helps maintain compliance with applicable regulations. With Amazon PrivateLink you can confidentially share PII by connecting your Amazon Web Services resources with Amazon Web Services services or VPCs from third-party organizations. PII traffic between VPCs and Amazon Web Services services doesn’t traverse the Internet where it could become compromised. You can share your data offline over Amazon PrivateLink and continue to enforce your regulatory compliance.

Migrate to hybrid cloud

Easily migrate services from on-premises locations to the Amazon Web Services cloud. On-premises applications can connect to service endpoints in Amazon VPC over Amazon Direct Connect. Service endpoints will direct the traffic to Amazon Web Services services over Amazon PrivateLink, while keeping the network traffic within the Amazon Web Services network. Amazon PrivateLink enables SaaS providers to offer services that will look and feel like they are hosted directly on a private network. These services are securely accessible both from the cloud and from premises via Amazon Direct Connect, in a highly available and scalable manner.

How it works

Amazon PrivateLink enables you to securely connect your VPCs to supported Amazon Web Services services: to your own services on Amazon Web Services, to services hosted by other Amazon Web Services accounts, and to third-party services. Since traffic between your VPC and any one of these services does not leave the Amazon Web Services service network, an Internet gateway, NAT device, public IP address, or VPN connection is no longer needed to communicate with the service.

To use Amazon PrivateLink, create an interface VPC endpoint for a service in your VPC. This creates an Elastic Network Interface (ENI) in your subnet with a private IP address that serves as an entry point for traffic destined to the service. Service endpoints available over Amazon PrivateLink will appear as ENIs with private IPs in your VPCs.

To learn more about how PrivateLink works, read the PrivateLink documentation.