AWS Private Internet Access¶

Overview¶

Amazon PrivateLink is a highly available and scalable technology that enables you to connect your VPC privately to services as if these services were within your own VPC. You do not need to use an internet gateway, NAT device, public IP addresses, Amazon Direct Connect connection, or Amazon Site-to-Site VPN connection to allow communication with services in private subnets. Therefore, you can control specific API endpoints, sites, and services accessible from the VPC. Amazon PrivateLink can help you save on some traffic costs.

Benefits of establishing a private network connection:

• Higher Bandwidth: Does not consume public bandwidth of business systems, achieving higher bandwidth through endpoint services.
• More Secure: Data does not pass through the public internet, ensuring data remains within the private network for enhanced security.
• Lower Costs: Compared to high fees for public bandwidth, the cost of virtual internet access is lower.

Currently available regions are cn-northwest-1, us-west-2, ap-southeast-1. Other regions will be available soon. The architecture is as follows:

Prerequisites¶

1. First, select the subscription region, which must match the region where your cloud resources for Guance are deployed.
2. Choose the same VPC network where your cloud resources are deployed. If multiple VPCs need to connect to the endpoint service, subscribe multiple times, once for each VPC.

Subscribe to Service¶

Service Deployment Links¶

Default Endpoint for Private Network Gateway in Different Regions¶

Configure Service Subscription¶

Step One: Authorize Account ID¶

Open the Amazon console via the following links:

• China Region
• Overseas Region

Obtain the account ID in the top-right corner, copy this "Account ID," and inform our customer manager at Guance to add it to our whitelist.

Step Two: Create Endpoint¶

1. Open the Amazon VPC console via the following links:
2. China Region
3. Overseas Region
4. In the navigation pane, select Endpoint (Endpoint Service).
5. Create an endpoint.
6. Service Settings: Input the service name and verify. Select VPC, availability zone, and enable port 443 in the security group.
7. Wait for creation to complete and obtain the endpoint service address.

Step Three: Route 53 Resolve Endpoint¶

1. Open the Amazon Route 53 console via the following links:
2. China Region
3. Overseas Region
4. Create a hosted zone.
5. Domain: guance.com, Type: Private Hosted Zone, Region: DK's region, VPC ID: Customer’s VPC ID.
6. Create a record.
7. Record Name: Refer to Endpoint address, Record Type: CNAME, Value: Create Endpoint service address.

Verification¶

Run the following command on EC2:

dig aws-openway.guance.com

Result:

; <<>> DiG 9.16.38-RH <<>> aws-openway.guance.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22545
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aws-openway.guance.com.      IN    A

;; ANSWER SECTION:
aws-openway.guance.com. 296 IN  CNAME    vpce-0d431e354cf9ad4f1-h1y2auf6.vpce-svc-070f9283a2c0d1f0c.cn-northwest-1.vpce.amazonaws.com.cn.
vpce-0d431e354cf9ad4f1-h1y2auf6.vpce-svc-070f9283a2c0d1f0c.cn-northwest-1.vpce.amazonaws.com.cn. 56 IN A 172.31.38.12

;; Query time: 0 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Thu May 18 11:23:04 UTC 2023
;; MSG SIZE  rcvd: 176

Cost Details¶

Taking Oregon as an example:

The main cost components are:

1. Interface VPC endpoint service charges
2. Traffic charges for the endpoint

Comparison:

Assuming the client transmits 200GB of outbound traffic and 10GB of inbound traffic daily: