AWS Private Internet Access¶

Overview¶

Amazon PrivateLink is a highly available and scalable technology that enables you to connect your VPC privately to services as if these services were within your own VPC. You do not need to use an internet gateway, NAT device, public IP addresses, Amazon Direct Connect connection, or Amazon Site-to-Site VPN connection to allow communication with services in private subnets. Therefore, you can control specific API endpoints, sites, and services accessible from the VPC. Amazon PrivateLink can help you save on some traffic costs.

Benefits of establishing a private network connection:

• Higher Bandwidth: Does not consume public bandwidth of business systems, achieving higher bandwidth through endpoint services.
• More Secure: Data does not pass through the public internet, ensuring data remains within the private network for enhanced security.
• Lower Costs: Compared to high fees for public bandwidth, the cost of virtual internet access is lower.

The architecture is as follows:

flowchart LR
  subgraph Customer_VPC
    dk_a[Availability Zone A - dk]
    dk_b[Availability Zone B - dk]
    dk_c[Availability Zone C - dk]
    plc[Endpoints]

    dk_a --> plc
    dk_b --> plc
    dk_c --> plc
  end

  subgraph guance_VPC
    pls[Endpoints Service]
    nlb[NLB]
    dw[DW - Availability Zone C]
    pls --> nlb --> dw
  end
  plc --> pls

Prerequisites¶

1. First, select the subscription region, which must match the region where your cloud resources for Guance are deployed.
2. Choose the same VPC network where your cloud resources are deployed. If multiple VPCs need to connect to the endpoint service, subscribe multiple times, once for each VPC.

Subscribe to Service¶

Service Deployment Links¶

Default Endpoint for Private Network Gateway¶

Configure Service Subscription¶

Step One: Authorize Account ID¶

Open the Amazon console via the following links:

• China Region
• Overseas Region

Obtain the account ID in the upper right corner of the console, copy this "Account ID," and inform our customer manager at Guance to add it to our whitelist.

Step Two: Create Endpoint¶

1. Open the Amazon VPC console via the following links:

2. China Region

3. Overseas Region

1. Create Security Group:
   • Security group name: private-link
   • Inbound Rules Type: HTTPS
   • Source: 0.0.0.0/0
2. In the navigation pane, select Endpoint (Endpoint Service).
3. Create Endpoint
   • Endpoint settings
     • Type: Endpoint services that use NLBs and GWLBs
   • Service settings
     • Service name: The current AZ Service Deployment Links
     • Verify service
   • Network settings
     • VPC: VPC for business services
     • Subnets: Select the business Subnets
     • Security Group: private-link

1. Notify the account manager of Guance for review
2. Wait for the creation to be successful, click on "Operations" of the terminal node - "Modify Private DNS Name", and set 'Enable DNS name'

Verification¶

Run the following command on EC2:

dig us1-openway.guance.com

Result:

; <<>> DiG 9.16.38-RH <<>> us1-openway.guance.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22545
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;us1-openway.guance.com.      IN    A

;; ANSWER SECTION:
us1-openway.guance.com. 296 IN  CNAME     172.31.16.128 

;; Query time: 0 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Thu May 18 11:23:04 UTC 2023
;; MSG SIZE  rcvd: 176

Cost Details¶

Taking Oregon as an example:

The main cost components are:

1. Interface VPC endpoint service charges
2. Traffic charges for the endpoint

Comparison:

Assuming the client transmits 200GB of outbound traffic and 10GB of inbound traffic daily: