@jialin.huang

© 2024 jialin00.com


Private Channels in AWS Networking

TL;DR

| Service | Connection Type | Use Case | Bypass internet | Fit for on-premise | Cross Region |
|---|---|---|---|---|---|
| Direct Connect | Physical dedicated line | Large-scale, stable data transfer; suitable for on-premise data centers connecting to AWS | | | Yes |
| PrivateLink | Private network | Secure private connection to AWS services or VPC services | ✅ | If combined with Direct Connect or VPN | NO WAY |
| VPN | Encrypted tunnel | Economic, secure network connection (internet-based) | | | NO WAY |
| VPC Peering | Private network | Between VPCs | | | Yes, when using Inter-Region VPC Peering |
| Transit Gateway | Private network | Multiple VPCs and on-premise networks | ❌ if an on-premise connection is needed | | Yes |
| Global Accelerator | Edge network | Network acceleration for global applications | ✅ (❌ before reaching the edge location) | | Of course |
| Elastic Network Interface | Private network | Flexible network connection between EC2 instances | | | NO WAY |
| VPC Endpoint | Private network | Access AWS services from within the VPC | | | NO WAY |

AWS Direct Connect

Non-encrypted high-speed dedicated channel that directly interfaces with AWS services. The key difference lies in the VIF (Virtual Interface) endpoint:

  • Public VIF: reaches public services such as S3 and DynamoDB
  • Private VIF: goes into your VPC

Since the line itself is not encrypted, you can run a VPN over it when you need encryption.

AWS PrivateLink

A flexible connection solution between two points, unrestricted by VPC or AWS Account limitations. Remember this as a broad functionality:

  • VPC Endpoints overlap with PrivateLink functionality
  • ENIs are integrated with PrivateLink

Use cases:

  • VPC A ---> PrivateLink ---> service in VPC B
  • On-premise ---> Direct Connect/VPN ---> VPC ---> PrivateLink ---> AWS service

AWS VPN

A feature under AWS VPC with two types:

AWS Site-to-Site VPN (IPsec protocol)

  • Path: some network → VPN → VPC
  • Two components:
    • Customer Gateway (CG)
    • Virtual Private Gateway (VPG)

AWS Client VPN (OpenVPN protocol)

  • Path: users → VPN → some network

VPC Peering

Direct connection between two VPCs

Transit Gateway

For connecting to on-premise, works with:

  1. Direct Connect
  2. VPN

Global Accelerator

Think of it as a highway for your network traffic.

Elastic Network Interface (ENI)

Allows multiple network interfaces for EC2 instances within a VPC. The connection type is private network, meaning no internet transit.

Think of an ENI as a tag - other services use this tag to find instances. Each instance can have multiple tags, each with different MAC addresses. When you move a tag to another instance, services follow the tag, not the instance itself.

VPC Endpoint

A way to connect to AWS services from within a VPC without using the Internet.

Interface Endpoint

Connects to AWS services via PrivateLink (except for S3 and DynamoDB); essentially an implementation of PrivateLink.

Gateway Endpoint

Direct connection to AWS services, supporting only S3 and DynamoDB for basic communication.

Scenario: Private subnets without Internet Gateway access can still reach S3/DynamoDB through Gateway Endpoint.
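As an added example (not code from the original post), a small audit script that tells the two kinds of "external" apart per subnet: a default route through an Internet Gateway versus an S3 prefix-list route through a Gateway Endpoint. The input dicts mirror the shape of boto3's describe_route_tables / describe_vpc_endpoints output; every id below is constructed, not real.

```python
# Constructed sample data in the shape of boto3 ec2.describe_route_tables()["RouteTables"]
# and ec2.describe_vpc_endpoints()["VpcEndpoints"]; ids are placeholders, not real resources.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-0s3example", "State": "active"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0s3example", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-app"]},
]

PUBLIC = "public: default route via IGW"
PUBLIC_WITH_ENDPOINT = "public, but S3 via gateway endpoint (prefix-list route is more specific)"
PRIVATE_WITH_ENDPOINT = "private: S3 via gateway endpoint"
PRIVATE_NO_PATH = "private: no path to S3"

def classify_subnets(route_tables, endpoints):
    """Map each explicitly associated subnet to how (or whether) it reaches S3."""
    # Gateway endpoints for S3 show up in route tables as GatewayId == "vpce-..."
    s3_gateways = {e["VpcEndpointId"] for e in endpoints
                   if e["VpcEndpointType"] == "Gateway" and e["ServiceName"].endswith(".s3")}
    result = {}
    for rt in route_tables:
        active = [r for r in rt["Routes"] if r.get("State") == "active"]
        has_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                      and str(r.get("GatewayId", "")).startswith("igw-") for r in active)
        has_s3_gw = any(r.get("GatewayId") in s3_gateways for r in active)
        if has_igw and has_s3_gw:
            label = PUBLIC_WITH_ENDPOINT   # longest-prefix match wins, so S3 stays off the internet
        elif has_igw:
            label = PUBLIC
        elif has_s3_gw:
            label = PRIVATE_WITH_ENDPOINT  # the scenario above: no IGW, S3 still reachable
        else:
            label = PRIVATE_NO_PATH
        # Only explicit associations; subnets that fall back to the main route table are not handled.
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId"):
                result[assoc["SubnetId"]] = label
    return result
```

Feed it real describe_route_tables / describe_vpc_endpoints output and any subnet reported as "private: no path to S3" is one that still needs a Gateway Endpoint route added to its table.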

Confusions

VPC Endpoint vs. Internet Gateway

Both allow VPC resources to access external resources, but:

  • IGW's "external": Internet
  • VPC Endpoint's "external": Specific AWS services
  • VPC Endpoint uses AWS internal network, not internet

AWS PrivateLink vs. VPC Endpoint

They sound like the same kind of connection?

PrivateLink is the broader concept, VPC Endpoint is an implementation.

VPC Peering vs. Transit Gateway

  • VPC Peering = two VPCs
  • TG = many VPCs + on-premise

VPN vs. Direct Connect

One for privacy, one for low latency - can be used together.

Direct Connect is a physical dedicated line not using internet, while VPN is internet-based but encrypted.

VPN vs. Proxy

Proxies focus on forwarding traffic: they are just there to relay it, and make no real effort to hide themselves.

While VPNs are commonly used to appear from different regions, their primary purpose is encryption and privacy.

HTTPS proxy vs. VPN

An HTTPS proxy focuses on encryption for HTTPS traffic only, while a VPN encrypts all traffic types.

So, if you're just looking to browse the web securely, an HTTPS proxy will do just fine.

But if you want protection for ALL your network activities (not just web stuff), and those activities use all sorts of protocols (not just HTTP/HTTPS), then you'll want to go with a VPN.
