Networking Practical By Samson Tanimawo, PhD Published Sep 14, 2025 4 min read

PrivateLink Patterns

Service-to-service.

What PrivateLink solves

Private connectivity to AWS services and SaaS without the public internet. Traffic stays on the AWS backbone. Lower latency, no egress fees, compliance friendly.

Replaces NAT gateways and VPC peering for service consumption. The provider exposes a service endpoint; consumers create endpoint connections in their VPC.

Default for compliance-sensitive workloads. Healthcare, finance, regulated industries. The audit story is cleaner than public internet routes.

Interface endpoints (PrivateLink)

Per-AZ endpoint network interfaces (ENIs) in your VPC. DNS resolves the AWS service to the local ENI. Traffic stays in-region.

Cost: hourly per endpoint plus per-GB processed. At meaningful scale, replacing NAT egress with endpoints saves money.

Common services: S3, DynamoDB (gateway), KMS, SSM, Secrets Manager, ECR. Most heavily-used AWS services support PrivateLink.

Gateway endpoints (S3, DynamoDB)

Different from interface endpoints. Free; route-table-based. Specifically for S3 and DynamoDB.

Should always be deployed for S3 and DynamoDB. Free, removes NAT egress for these services, no operational cost.

Limitation: only works within the VPC. Cross-region or cross-account requires interface endpoints.
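Checking that every route table in a VPC actually has the gateway endpoints for both S3 and DynamoDB is a quick audit. The following is an added example, not code from the post; it runs offline on constructed data shaped like the boto3 ec2 describe_vpc_endpoints and describe_route_tables responses, with made-up endpoint, route table and VPC IDs.

```python
"""Audit: does every route table in a VPC reach S3 and DynamoDB through a
gateway endpoint? Any table missing one is still sending that traffic via
NAT or an internet gateway. Data below is constructed, not from a real account."""

# The two services gateway endpoints exist for.
GATEWAY_SERVICES = ("s3", "dynamodb")

# Constructed sample: two private route tables, one gateway endpoint (S3 only)
# attached to the first, plus an interface endpoint that is irrelevant here.
SAMPLE_ENDPOINTS = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-0aaa111", "VpcEndpointType": "Gateway", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.s3", "VpcId": "vpc-0123",
     "RouteTableIds": ["rtb-private-a"]},
    {"VpcEndpointId": "vpce-0bbb222", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.us-east-1.kms", "VpcId": "vpc-0123",
     "RouteTableIds": []},
]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private-a", "VpcId": "vpc-0123"},
    {"RouteTableId": "rtb-private-b", "VpcId": "vpc-0123"},
]}


def service_short_name(service_name):
    """'com.amazonaws.us-east-1.s3' -> 's3'."""
    return service_name.rsplit(".", 1)[-1]


def gateway_coverage(endpoints, route_tables, vpc_id):
    """Return {route_table_id: set of gateway services it is missing} for one VPC.
    Route tables with full coverage are omitted, so an empty dict means clean."""
    covered = {rt["RouteTableId"]: set()
               for rt in route_tables["RouteTables"] if rt["VpcId"] == vpc_id}
    for ep in endpoints["VpcEndpoints"]:
        # Only available gateway endpoints in this VPC count; interface endpoints
        # are a different mechanism and do not touch route tables.
        if (ep["VpcId"] != vpc_id or ep["VpcEndpointType"] != "Gateway"
                or ep["State"] != "available"):
            continue
        svc = service_short_name(ep["ServiceName"])
        for rtb in ep["RouteTableIds"]:
            if rtb in covered:
                covered[rtb].add(svc)
    wanted = set(GATEWAY_SERVICES)
    return {rtb: wanted - have for rtb, have in covered.items() if wanted - have}


if __name__ == "__main__":
    for rtb, missing in gateway_coverage(SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES, "vpc-0123").items():
        print(f"{rtb}: missing gateway endpoint for {', '.join(sorted(missing))}")
```

In a real account, feed the function the paginated describe_vpc_endpoints and describe_route_tables output per VPC; a non-empty result is a finding worth a ticket, since the fix costs nothing.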

Custom services via PrivateLink

Provider creates a Network Load Balancer; exposes it as a service. Consumer creates an endpoint that connects to it.

SaaS vendors increasingly offer PrivateLink connectivity. Snowflake, Databricks, Datadog support it.

Operational benefit: the consumer side is the same regardless of provider. Standardised pattern; reusable runbooks.

Operating PrivateLink at scale

Track endpoint usage. Endpoints with no traffic should be retired; they cost money for nothing.
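Interface endpoints have no per-endpoint CloudWatch metric, but each one owns ENIs, and VPC flow logs record traffic per ENI. Summing accepted bytes per endpoint over a window is enough to spot the idle ones. This is an added example, not the post's own tooling; the endpoint records mimic the NetworkInterfaceIds field of describe_vpc_endpoints, and the flow-log lines are constructed in the default flow-log field order.

```python
"""Flag interface endpoints with no accepted traffic in a flow-log window.
Endpoint list and flow-log lines are constructed sample data."""
from collections import defaultdict

# Constructed: two interface endpoints with one ENI per AZ, plus a gateway
# endpoint that has no ENIs and is therefore out of scope for this check.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-kms", "VpcEndpointType": "Interface",
     "NetworkInterfaceIds": ["eni-kms-a", "eni-kms-b"]},
    {"VpcEndpointId": "vpce-ecr", "VpcEndpointType": "Interface",
     "NetworkInterfaceIds": ["eni-ecr-a", "eni-ecr-b"]},
    {"VpcEndpointId": "vpce-s3gw", "VpcEndpointType": "Gateway",
     "NetworkInterfaceIds": []},
]

# Constructed flow-log records in the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-kms-a 10.0.1.5 10.0.1.200 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-kms-b 10.0.2.7 10.0.2.200 49153 443 6 4 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-ecr-a - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-ecr-b - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-kms-a 10.0.1.5 10.0.1.200 49154 443 6 3 900 1700000060 1700000120 REJECT OK
"""


def bytes_per_eni(flow_log_text):
    """Accepted bytes per interface-id. NODATA/SKIPDATA records carry no
    counters and are skipped; REJECTs are not usage, so they are skipped too."""
    totals = defaultdict(int)
    for line in flow_log_text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue
        if fields[12] != "ACCEPT":
            continue
        totals[fields[2]] += int(fields[9])
    return totals


def endpoint_traffic(endpoints, flow_log_text):
    """{endpoint_id: accepted bytes across all of its ENIs} for interface endpoints."""
    per_eni = bytes_per_eni(flow_log_text)
    result = {}
    for ep in endpoints:
        if ep["VpcEndpointType"] != "Interface":
            continue
        result[ep["VpcEndpointId"]] = sum(per_eni.get(eni, 0) for eni in ep["NetworkInterfaceIds"])
    return result


def idle_endpoints(endpoints, flow_log_text):
    """Endpoints whose ENIs saw zero accepted bytes in the window: retirement candidates."""
    return sorted(ep for ep, b in endpoint_traffic(endpoints, flow_log_text).items() if b == 0)


if __name__ == "__main__":
    print(endpoint_traffic(SAMPLE_ENDPOINTS, SAMPLE_FLOW_LOGS))
    print("idle:", idle_endpoints(SAMPLE_ENDPOINTS, SAMPLE_FLOW_LOGS))
```

Run it over a window long enough to cover monthly batch jobs before retiring anything; a single quiet day proves nothing.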

Per-VPC endpoint policy. Limit which IAM principals can use the endpoint. Defence in depth on top of IAM policies.
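The default endpoint policy allows any principal any action; the usual tightening keeps Principal "*" (the endpoint still sits behind IAM) but adds an aws:PrincipalOrgID condition and a narrow action list. The block below is an added example, not from the post: a scoped policy next to the default one, and a small audit that flags Allow statements with an unconditioned wildcard principal or a wildcard action. The organisation ID is a placeholder.

```python
"""Endpoint policy: the open default beside a scoped version, plus an audit
that flags the patterns the scoped version fixes. Policies are constructed."""
import json

# What you get if you never set an endpoint policy.
DEFAULT_OPEN_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ]
}

# Scoped: only principals from this organisation (placeholder ID), only the
# actions the workload needs. IAM policies still apply on top of this.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-PLACEHOLDER"}},
        }
    ],
}

# Condition keys that pin down who may use the endpoint.
RESTRICTING_KEYS = ("aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def has_principal_condition(statement):
    """True if any condition block restricts the calling principal."""
    for keys in statement.get("Condition", {}).values():
        if any(k in RESTRICTING_KEYS for k in keys):
            return True
    return False


def audit_endpoint_policy(policy):
    """Return [(statement_index, finding)] for Allow statements that are too broad."""
    findings = []
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(st.get("Principal")) and not has_principal_condition(st):
            findings.append((i, "open-principal"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            findings.append((i, "wildcard-action"))
    return findings


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_endpoint_policy(pol) or "ok")
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Point the audit at the PolicyDocument string from describe_vpc_endpoints (json.loads first) and it doubles as a drift check across every VPC.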

Monitor endpoint health. NLB targets failing health checks indicate provider-side issues. Alert on it.