How to implement an end-to-end VPC Endpoint service

Lab Details

  1. This lab walks you through the steps to set up an end-to-end connection between two VPCs (service provider and customer) using an Endpoint service.

  2. You will practice the lab using VPC, ELB and EC2.

  3. Duration: 120 minutes

  4. AWS Region: US East (N. Virginia) us-east-1

Introduction

What is an AWS VPC Endpoint service?

  • A VPC endpoint enables you to privately connect your VPC to supported AWS services and to VPC endpoint services powered by AWS PrivateLink, without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

  • Instances in your VPC do not require public IP addresses to communicate with resources in the service.

  • Traffic between your VPC and the other service does not leave the Amazon network.

What is a VPC Endpoint?

  • A VPC Endpoint lets you securely connect your VPC to supported AWS services powered by AWS PrivateLink. AWS PrivateLink is a service that allows you to access AWS services by using private IP addresses, so the traffic does not leave Amazon’s network.

  • A VPC endpoint does not require a NAT gateway, NAT instance, internet gateway, or any VPN service to access AWS services.

  • There are two types of VPC endpoints: Gateway and Interface.

Network Load Balancer

  1. The network load balancer (NLB) distributes the traffic based on network variables, such as IP address and destination ports.

  2. NLB is capable of processing traffic and scaling at a much higher rate than the application load balancer.

  3. Some features of the Application Load Balancer, such as SSL offloading, host-based routing, cross-zone load balancing, and a few others, are not available with NLB.

  4. A complete comparison of the load balancer types can be found in the link Load balancer differences.

  5. NLB is not designed to take anything at the application layer into consideration, such as content type, cookie data, custom headers, user location, or application behavior.

  6. For TCP traffic, NLB selects a target using a flow hash algorithm based on the protocol, source IP address, source port, destination IP address, and destination port.

  7. Different TCP connections from the same client have different source ports and sequence numbers, so they can be routed to different targets.

  8. Each individual TCP connection is routed to a single target for the life of the connection.

  9. A UDP flow has the same source and destination, so it is consistently routed to a single target throughout its lifetime.

  10. Different UDP flows have different source IP addresses and ports, so they can be routed to different targets.

  11. An advantage of NLB is that it can direct traffic to different ports on the same instance.

  12. Requests can be split by port to different services using the Network Load Balancer, so NLB lets you route traffic among multiple applications running on the same server.

Architecture Diagram

Case study

We will create a service provider VPC (VPC 1) with a public subnet containing a Network Load Balancer in front of one EC2 instance that serves a sample web page, and then create a VPC Endpoint service for the Network Load Balancer.

On the customer side, we will create a customer VPC (VPC 2) with a public subnet, create a VPC Endpoint, and test the connectivity from an EC2 instance.

Case study Diagram

Task Details

  1. Launching Lab Environment.

  2. Create a service provider VPC.

  3. Create and attach an Internet Gateway.

  4. Create a Public subnet.

  5. Create a Public Route Table and associate it with the subnet.

  6. Add the public Route in the Route table.

  7. Create an EC2 Instance.

  8. Create a Network Load Balancer.

  9. Create an Endpoint service.

  10. Create a customer VPC.

  11. Create and attach an Internet Gateway.

  12. Create a Public subnet.

  13. Create a Public Route Table and associate it with the subnet.

  14. Add the public Route in the Route table.

  15. Create an EC2 Instance.

  16. Create a VPC Endpoint.

  17. Test the connectivity.

  18. Validation of the lab.

  19. Deleting AWS resources.
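As an added example (not part of the lab), the following Python check reads the two settings of the endpoint service created in step 9 that decide who can attach a customer endpoint like the one in step 16: whether connection requests need the provider's acceptance, and which AWS principals may request one. The JSON shapes follow the output of `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-service-permissions`; the service ID, NLB ARN and account numbers are constructed so the script runs offline.

```python
# Added example for this lab guide (not part of the lab): flags the two settings of
# a PrivateLink endpoint service that decide who can attach an interface endpoint
# to the provider's NLB. Field names follow the EC2 DescribeVpcEndpointService*
# API output; the service ID, NLB ARN and account numbers below are constructed.
import json

# Constructed sample of `aws ec2 describe-vpc-endpoint-service-configurations`.
SERVICE_CONFIG = json.loads("""
{"ServiceConfigurations": [{
  "ServiceId": "vpce-svc-0123456789abcdef0",
  "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
  "AcceptanceRequired": false,
  "NetworkLoadBalancerArns": [
    "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/net/lab-nlb/0123456789abcdef"]
}]}
""")

# Constructed sample of `aws ec2 describe-vpc-endpoint-service-permissions`.
SERVICE_PERMISSIONS = json.loads("""
{"AllowedPrincipals": [
  {"PrincipalType": "Account", "Principal": "arn:aws:iam::222222222222:root"},
  {"PrincipalType": "All", "Principal": "*"}
]}
""")

def audit_endpoint_service(config: dict, permissions: dict) -> list:
    """Return findings for the first service in config; an empty list means clean.

    AcceptanceRequired=false lets an allowed principal connect without the provider
    reviewing the request; an allowed principal of "*" lets any AWS account request
    a connection. Both together expose the NLB to anyone who learns the service name.
    """
    svc = config["ServiceConfigurations"][0]
    principals = {p["Principal"] for p in permissions.get("AllowedPrincipals", [])}
    open_to_all = "*" in principals
    auto_accept = not svc["AcceptanceRequired"]
    findings = []
    if open_to_all:
        findings.append(f"{svc['ServiceId']}: allowed principal '*' (any AWS account)")
    if auto_accept:
        findings.append(f"{svc['ServiceId']}: AcceptanceRequired is false")
    if open_to_all and auto_accept:
        findings.append(f"{svc['ServiceId']}: any account connects without review")
    return findings


if __name__ == "__main__":
    for finding in audit_endpoint_service(SERVICE_CONFIG, SERVICE_PERMISSIONS):
        print("FINDING:", finding)
```

For the lab, the clean state is AcceptanceRequired set to true with only the customer account's principal allowed, which yields no findings.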