Connect your VPC to services using Amazon PrivateLink - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connect your VPC to services using Amazon PrivateLink

Amazon PrivateLink establishes private connectivity between virtual private clouds (VPC) and supported Amazon Web Services, services hosted by other Amazon Web Services accounts, and supported Amazon Web Services Marketplace services. You do not need to use an internet gateway, NAT device, Amazon Direct Connect connection, or Amazon Site-to-Site VPN connection to communicate with the service.

To use Amazon PrivateLink, create a VPC endpoint in your VPC, specifying the name of the service and a subnet. This creates an elastic network interface in the subnet that serves as an entry point for traffic destined to the service.
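As an added example that is not part of the Amazon documentation, the following Python assembles the interface-endpoint request described above, attaching an endpoint policy scoped to the owning account and enabling private DNS, and refuses to create an endpoint whose policy is wide open. The VPC, subnet, security-group and account IDs are constructed placeholders, and the `ec2` argument is assumed to be a boto3 EC2 client.

```python
import json

# Constructed placeholder identifiers; replace with your own resources.
VPC_ID = "vpc-0123456789abcdef0"
SUBNET_IDS = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]
SG_ID = "sg-0123456789abcdef0"          # should allow only TCP/443 from the VPC CIDR
ACCOUNT_ID = "111122223333"


def endpoint_policy(account_id, actions, resources):
    """Endpoint policy limiting who may use the endpoint.

    An interface endpoint created without a policy gets a default policy that
    allows full access; the aws:PrincipalAccount condition keeps it to one account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def audit_endpoint_policy(policy):
    """Return the reasons a policy is too open (an empty list means it passes)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") == "*" and not stmt.get("Condition"):
            findings.append("Allow with Principal * and no Condition")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "*" in actions:
            findings.append("Allow grants Action *")
    return findings


def build_interface_endpoint_request(vpc_id, service_name, subnet_ids, sg_id, policy):
    """Keyword arguments for boto3's EC2.Client.create_vpc_endpoint."""
    return {
        "VpcId": vpc_id,
        "ServiceName": service_name,              # e.g. com.amazonaws.<region>.sqs
        "VpcEndpointType": "Interface",
        "SubnetIds": list(subnet_ids),            # one network interface per subnet
        "SecurityGroupIds": [sg_id],
        "PrivateDnsEnabled": True,                # service DNS name resolves to the ENIs
        "PolicyDocument": json.dumps(policy),
    }


def create_interface_endpoint(ec2, service_name, policy):
    """Create the endpoint via an assumed boto3 EC2 client; refuses open policies."""
    problems = audit_endpoint_policy(policy)
    if problems:
        raise ValueError("refusing to create endpoint: " + "; ".join(problems))
    req = build_interface_endpoint_request(VPC_ID, service_name, SUBNET_IDS, SG_ID, policy)
    return ec2.create_vpc_endpoint(**req)["VpcEndpoint"]["VpcEndpointId"]
```

Private DNS additionally requires the VPC's DNS hostnames and DNS support attributes to be enabled.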

You can also create your own VPC endpoint service, powered by Amazon PrivateLink, and enable other Amazon customers to access your service. PrivateLink enables the creation of private API endpoints, allowing organizations to expose their own services securely to other Amazon customers. This lets businesses monetize their internal capabilities, foster collaborative ecosystems, and maintain control over how their services are accessed and consumed.

One of the key benefits of using Amazon PrivateLink is the ability to establish secure, private connectivity without the need for traditional networking constructs like internet gateways, NAT devices, or VPN connections. This helps simplify the network architecture, reduce the attack surface, and improve overall security by keeping the data traffic confined within the Amazon network.

The following diagram shows common use cases for Amazon PrivateLink. The VPC has several EC2 instances in a private subnet and three interface VPC endpoints: one connecting to an Amazon service, another to a service hosted by another Amazon account (a VPC endpoint service), and the third to an Amazon Web Services Marketplace partner service.

Diagram of VPC endpoints, endpoint services in other accounts, and partner services

For more information, see Amazon PrivateLink.