AWS PrivateLink, Explained

AWS PrivateLink Explained Blog Graphic

Customers implementing AWS connectivity are presented with a range of choices, including PrivateLink. So when is PrivateLink most suitable? We detail the uses and benefits of this private connectivity method.

When it comes to connecting to AWS, there is no shortage of options available to customers with your main options being Transit Gateway, VPC peering, and—a method we haven’t covered much in our blog—AWS PrivateLink. But under what circumstances is PrivateLink the best choice? What are some examples of how it can be implemented, and what are the benefits? We’re here to answer all of your PrivateLink questions.

What is AWS PrivateLink, exactly?

You probably know about AWS Direct Connect, which is the method used to connect private networks, either from customer premises or data center locations, to AWS, notably to the connecting customer’s VPC environment built within the cloud. PrivateLink is similar, but slightly different, to this popular choice. Unlike Direct Connect, PrivateLink is used as a networking construct inside AWS to privately expose a service/application residing in one VPC (that of a service provider) to other consumer VPCs within an AWS Region.


Want to learn more about Direct Connect? Read our Enterprise Guide.



Benefits of AWS PrivateLink

True to its name, PrivateLink can be considered the most private AWS connectivity method. Thanks to this feature, it boasts a number of benefits:

  • Secure traffic: Network traffic using PrivateLink never traverses the public internet to reduce exposure to a range of cybersecurity threats. The ability to use private IP connectivity also ensures your services function as though they were hosted directly on your private network. Plus, you can associate security groups and attach an endpoint policy to interface endpoints to give you precise control over who can access specified services.
  • Simplified network management: You can connect services across different accounts and Amazon VPCs with no need for firewall rules, path definitions, route tables, or configuration of an internet gateway, VPC peering connection, or VPC CIDR management.
  • Accelerated cloud migration: With your data protected from the internet, you can more easily migrate traditional on-prem applications to SaaS offerings hosted in the cloud with PrivateLink, with the confidence that your traffic will remain secure.
  • Automation capability: By using a Terraform Provider supporting SaaS, such as the one from Databricks, you can automate your infrastructure and configuration management to deploy an even more easy-to-manage, intuitive PrivateLink workspace.

AWS PrivateLink diagram
AWS PrivateLink protects your cloud data by operating inside the AWS system. Source: AWS



How to get started with AWS PrivateLink

When a customer looks to connect to either internal AWS services or third-party SaaS offerings, it can sometimes be difficult to understand the connectivity options when the outcome of the offering is the driving factor – kind of like building a house without first considering the foundation. But thankfully, it’s easy to get started looking at the various offerings you may wish to consume over PrivateLink.

There are a number of inbuilt AWS native services that can be integrated into your VPC environment via PrivateLink. You can find a list of such services here – this will help you know whether PrivateLink can serve the types of connections your enterprise needs to make. It’s also possible to interrogate the region-by-region available service offerings via the VPC endpoint section when logged into your AWS console. For example, at the time of publication, there are 115 AWS inbuilt service offerings made available by service name in the ap-southeast-2 (Sydney) region alone; the Amazon S3 (Simple Storage Service) gateway/interface endpoint can be accessed via an AWS Resource Name (ARN) such as com.amazonaws.ap-southeast-2.s3. Interface endpoints and Gateway Load Balancer endpoints are powered by AWS PrivateLink, and use an elastic network interface (ENI) as an entry point for traffic destined to the service.

To get to the PrivateLink setup screen within AWS, you would head to the AWS “VPC” section and select “Create Endpoint.” This will provide three options. The first is “AWS services” which allows you to see a list of all services available within the region that your VPC is located within, while the second allows you to search by name.



The last option is interesting as it allows you to consume Software as a Service (SaaS) offerings published by other software vendors whilst utilizing the inherent global distribution, load balancing, and other AWS services without the need for SaaS traffic to cross the public Internet between your VPC and the provider. This is a great option if your enterprise is also using Direct Connect, as the SaaS-to-VPC connection can further be extended to your on-prem and data center colocated services. This means it can not only completely bypass unreliable and potentially unsecured internet connections, but can also take advantage of Direct Connect egress cost savings in the process.

To see some examples of what SaaS services are available via PrivateLink you can click here. Some popular examples include Databricks, Snowflake, Dynatrace, and Cisco Secure Cloud Analytics. You may also visit the list of offerings supported by AWS Technology partners to see the most up-to-date offerings available via this method. Look for the ‘AWS PrivateLink Ready Product’ offering in each of the respective listings for a click-to-deploy solution that can work with your Megaport enabled AWS Direct Connect service.

There are many reasons SaaS products may need to interact with a customer’s AWS VPCs. Examples of SaaS products that benefit from some level of cross-account interaction often fall into the categories of logging and monitoring, security, compliance, resource optimization, data analytics, and DevOps workflows. In short, using PrivateLink for SaaS workspaces can help fulfil a major requirement of enterprise governance policies.

AWS PrivateLink and Megaport

As a trusted AWS Technology Partner, Megaport’s Software Defined Network can streamline your AWS PrivateLink connection for faster provisioning, tighter security, and reduced latency. These combinations provide assured traffic paths for the highest visibility of your SaaS workloads, without needing to compromise by submitting a segment of your valuable data to untrusted paths over the public Internet.

By using Megaport as your single interconnection point, you can also connect your AWS instances to other cloud providers with our Megaport Cloud Router (MCR), and achieve branch-to-cloud AWS connectivity with one of our SD-WAN integration partners on Megaport Virtual Edge (MVE).

Stay Updated

Keep up to date on Megaport by following us on social media at:

Twitter: @megaportnetwork
LinkedIn: @megaport
Facebook: @megaportnetworks

Jason Bordujenko
Head of Solutions APAC

Filed under: Blog Partners

Get the latest cloud insights delivered.