100 Days of DevOps — Day 39-Introduction to VPC EndPoint
Welcome to Day 39 of 100 Days of DevOps, Focus for today VPC Endpoint
What is VPC EndPoint?
A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
There are two types of VPC endpoints:
- Interface endpoints(using private links): An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service
# Supported ServicesAmazon API GatewayAWS CloudFormationAmazon CloudWatchAmazon CloudWatch EventsAmazon CloudWatch LogsAWS CodeBuildAWS ConfigAmazon EC2 APIElastic Load Balancing APIAmazon Elastic Container RegistryAmazon Elastic Container ServiceAWS Key Management ServiceAmazon Kinesis Data StreamsAmazon SageMaker and Amazon SageMaker RuntimeAmazon SageMaker Notebook InstanceAWS Secrets ManagerAWS Security Token ServiceAWS Service CatalogAmazon SNSAmazon SQSAWS Systems ManagerEndpoint services hosted by other AWS accountsSupported AWS Marketplace partner services
- Gateway endpoints: A gateway endpoint is a gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service
# Supported Services* Amazon S3
* DynamoDB
Scenario1: I want to push logs from EC2 private instance(running on Private IP)to CloudWatch Logs.
- To setup VPC Endpoint
Go to https://us-west-2.console.aws.amazon.com/vpc --> EndPoints
- Once the endpoint is created you will see an elastic network interface with a private IP address which acts as an entry point for traffic destined to a supported service
Terraform Code
Scenario2: I want to push logs from EC2 private instance(running on Private IP)to AWS S3.
- In the case of gateway endpoint, you will see the entry in the route table, used for traffic destined to a supported AWS service
Terraform Code
GitHub Link
Limitations
- Only Support IPv4
- Support only for the same region
- Interface endpoint cannot only be accessible via VPC Peering or VPN connection only via Direct Connect.
- You cannot use an IAM policy or bucket policy to allow access from a VPC IPv4 CIDR range (the private IPv4 address range). VPC CIDR blocks can be overlapping or identical, which may lead to unexpected results. Therefore, you cannot use the
aws:SourceIpcondition in your IAM policies for requests to Amazon S3 through a VPC endpoint. This applies to IAM policies for users and roles, and any bucket policies.If a statement includes theaws:SourceIpcondition, the value fails to match any provided IP address or range
Restricting Access to a Specific VPC Endpoint
Restricting Access to a Specific VPC
Looking forward from you guys to join this journey and spend a minimum an hour every day for the next 100 days on DevOps work and post your progress using any of the below medium.
- Twitter: @100daysofdevops OR @lakhera2015
- Facebook: https://www.facebook.com/groups/795382630808645/
- Medium: https://medium.com/@devopslearning
- Slack: https://devops-myworld.slack.com/messages/CF41EFG49/
- GitHub Link:https://github.com/100daysofdevops
Reference
