PrivateLink vs Public Endpoints: When Each Wins
Public endpoints are simple; PrivateLink is private. The decision rule and the cost difference.
When public wins
AWS PrivateLink and public endpoints are two ways services expose themselves to consumers. Public endpoints are reachable over the internet; PrivateLink endpoints are reachable only from explicitly connected VPCs over AWS's private network. The choice between them is a security, cost, and operational trade-off, not a one-size-fits-all decision.
What public endpoints are good for:
- Public APIs: APIs that customers consume from anywhere on the internet are public by definition. The customer's network might not be on AWS; PrivateLink would not be reachable. Public is the only viable model for genuinely public consumption.
- CDN-fronted content: Content delivered through a CDN reaches users from edge locations on the internet. The CDN's job is to be public; using PrivateLink for the origin and exposing the CDN publicly is the standard pattern.
- Cost: zero. Public endpoints have no per-endpoint cost. Standard data transfer rates apply for outbound traffic; there is no premium for the public exposure itself.
- Simplicity: high. Public endpoints are the default exposure model. There is no per-VPC configuration, no peering, no endpoint approval workflow. The simplicity matches the use case.
- Authentication is the perimeter: Public endpoints depend entirely on authentication for access control. The authentication discipline must be strong because the network exposure is unbounded; anyone with valid credentials can reach the API.
Public endpoints are the right choice when the consumer set is genuinely public or where authentication provides adequate protection.
When PrivateLink wins
PrivateLink is the right choice when network-level isolation is the priority. The traffic stays on the AWS backbone; it never traverses the public internet. The isolation produces both security and compliance benefits.
- Customer data flows: Internal flows that carry customer data benefit from network-level isolation. Even if the application has good authentication, network isolation reduces the attack surface. PrivateLink prevents internet-based attackers from probing the endpoint at all.
- Internal services accessed via VPC: Services consumed only by internal customers (other VPCs in the same organization, partner organizations with explicit connections) have a defined consumer set. PrivateLink lets the team explicitly approve each consumer.
- Compliance: PrivateLink keeps traffic on the AWS backbone. Compliance regimes that prefer or require traffic isolation (HIPAA, PCI in some configurations, regulated financial workloads) benefit from PrivateLink. The auditor sees a clear network boundary; the conversation is shorter.
- Per-consumer authorization: Each PrivateLink endpoint service can be configured with an explicit list of allowed principals. The authorization is enforced at the network layer; rejected consumers cannot even establish a connection. The defense-in-depth value is real.
- Service-side IP control: The service provider sees consumer traffic from a known set of IPs (the endpoint IPs). IP allowlisting becomes manageable in a way that public endpoints, with millions of possible source IPs, do not allow.
PrivateLink is the right choice when the network exposure matters and the consumer set is defined.
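The per-consumer authorization above is only as strong as the allowed-principal list on each endpoint service. The following is an added audit example, not code from the article or from Nova AI Ops: it walks a constructed inventory of endpoint services and their allowed principals and flags a wildcard principal (which, combined with acceptance not being required, makes the service effectively public) and any approved principal that is not on the team's own consumer list. The record shapes are assumed to mirror what boto3's `describe_vpc_endpoint_service_configurations` and `describe_vpc_endpoint_service_permissions` return; the account ids and service ids are constructed.

```python
"""Audit PrivateLink endpoint-service permissions for consumers that were not
explicitly approved.

Added example. The dict shapes below are an assumption modelled on boto3's
describe_vpc_endpoint_service_configurations (ServiceConfigurations) and
describe_vpc_endpoint_service_permissions (AllowedPrincipals); all values are
constructed sample data, not pulled from a real account.
"""
from dataclasses import dataclass

# Constructed sample: one endpoint service configuration per internal service.
SERVICE_CONFIGS = [
    {"ServiceId": "vpce-svc-0aaa", "ServiceName": "billing-api", "AcceptanceRequired": True},
    {"ServiceId": "vpce-svc-0bbb", "ServiceName": "telemetry-ingest", "AcceptanceRequired": False},
    {"ServiceId": "vpce-svc-0ccc", "ServiceName": "partner-feed", "AcceptanceRequired": True},
]

# Constructed sample: allowed principals per service.
ALLOWED_PRINCIPALS = {
    "vpce-svc-0aaa": [{"Principal": "arn:aws:iam::111111111111:root", "PrincipalType": "Account"}],
    "vpce-svc-0bbb": [{"Principal": "*", "PrincipalType": "All"}],
    "vpce-svc-0ccc": [
        {"Principal": "arn:aws:iam::111111111111:root", "PrincipalType": "Account"},
        {"Principal": "arn:aws:iam::999999999999:root", "PrincipalType": "Account"},
    ],
}

# Accounts the team has approved as consumers (constructed).
APPROVED_ACCOUNTS = {"111111111111", "222222222222"}


@dataclass
class Finding:
    service_id: str
    service_name: str
    severity: str
    reason: str


def account_of(principal_arn):
    """Return the account id from an ARN such as arn:aws:iam::111111111111:root."""
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 5 else None


def audit_service(config, allowed, approved_accounts):
    """Return findings for one endpoint service and its allowed-principal list."""
    findings = []
    sid, name = config["ServiceId"], config["ServiceName"]
    wildcard = any(p["Principal"] == "*" for p in allowed)
    if wildcard and not config["AcceptanceRequired"]:
        findings.append(Finding(sid, name, "high",
            "any AWS account can connect without approval; the service is effectively public"))
    elif wildcard:
        findings.append(Finding(sid, name, "medium",
            "wildcard principal; only manual acceptance stands between the service and any account"))
    for p in allowed:
        if p["Principal"] == "*":
            continue
        if account_of(p["Principal"]) not in approved_accounts:
            findings.append(Finding(sid, name, "medium",
                f"principal {p['Principal']} is allowed but not in the approved consumer list"))
    return findings


def audit_all(configs, permissions, approved_accounts):
    """Audit every service configuration against its permissions."""
    findings = []
    for cfg in configs:
        findings.extend(audit_service(cfg, permissions.get(cfg["ServiceId"], []), approved_accounts))
    return findings


if __name__ == "__main__":
    for f in audit_all(SERVICE_CONFIGS, ALLOWED_PRINCIPALS, APPROVED_ACCOUNTS):
        print(f"[{f.severity}] {f.service_name} ({f.service_id}): {f.reason}")
```

On the constructed data this reports `telemetry-ingest` as high (wildcard principal with no acceptance step) and `partner-feed` as medium (an account outside the approved list); `billing-api` is clean. Replacing the constructed dicts with the real API responses turns this into a periodic check that the "defined consumer set" the article relies on actually stays defined.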
Cost
PrivateLink has explicit costs that public endpoints do not. The decision must factor in both the security benefit and the cost; not all flows justify the cost.
- PrivateLink: per-endpoint hourly plus per-GB processing. Each PrivateLink endpoint costs roughly $0.01 per hour and $0.01 per GB processed. The hourly cost is small per endpoint; it scales with endpoint count. The per-GB cost scales with traffic volume.
- Public: free. Public endpoint exposure has no per-endpoint cost. Outbound data transfer is at standard rates regardless of endpoint type. The cost difference between the two models is the PrivateLink premium.
- PrivateLink for sensitive flows: Apply PrivateLink where the security benefit justifies the cost: customer-data flows, regulated workloads, internal services with sensitive data. The cost is small relative to the value.
- Public for everything else: Default to public endpoints unless there is a specific reason to choose PrivateLink. The default minimizes cost; the exception is justified per case.
- Watch endpoint proliferation: PrivateLink endpoints can multiply quickly; every cross-VPC connection adds endpoints. Watch the endpoint count, consolidate where possible, and remove unused endpoints. The cost adds up across many endpoints even when each is small.
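The decision rule and the cost figures above can be applied mechanically to a flow inventory. The following is an added example, not code from the article or from Nova AI Ops: it encodes the rule (public consumers must be public; a defined consumer set carrying customer data or a regulated workload goes on PrivateLink; everything else defaults to public) and estimates the monthly PrivateLink premium for the flows that earn it, using the approximate rates the article quotes ($0.01 per endpoint-hour, $0.01 per GB). The flow inventory and the 730-hour month are constructed assumptions; check current AWS pricing before using the output for budgeting.

```python
"""Classify service flows as public or PrivateLink and estimate the monthly
PrivateLink premium.

Added example. Rates are the approximate figures quoted in the article;
HOURS_PER_MONTH and the FLOWS inventory are constructed assumptions.
"""
from dataclasses import dataclass

HOURS_PER_MONTH = 730     # assumption: average month
HOURLY_RATE_USD = 0.01    # per endpoint-hour, as quoted in the text
PER_GB_RATE_USD = 0.01    # per GB processed, as quoted in the text


@dataclass(frozen=True)
class Flow:
    name: str
    consumers: str          # "internet" | "cdn" | "internal" | "partner"
    customer_data: bool     # the flow carries customer data
    regulated: bool         # HIPAA / PCI / regulated financial workload
    gb_per_month: float
    endpoints: int = 1      # interface endpoints needed to serve the consumers


def decide(flow):
    """Return (model, reason) following the article's decision rule."""
    if flow.consumers in ("internet", "cdn"):
        return "public", "consumer set is the public internet (or a CDN edge)"
    if flow.regulated:
        return "privatelink", "regulated workload: keep traffic on the AWS backbone"
    if flow.customer_data:
        return "privatelink", "customer data with a defined consumer set"
    return "public", "defined consumer set but no sensitive data; default to public"


def monthly_premium_usd(flow):
    """PrivateLink cost over and above a public endpoint for one flow."""
    hourly = flow.endpoints * HOURS_PER_MONTH * HOURLY_RATE_USD
    processing = flow.gb_per_month * PER_GB_RATE_USD
    return round(hourly + processing, 2)


def plan(flows):
    """Return per-flow decisions and the total monthly PrivateLink premium."""
    rows, total = [], 0.0
    for f in flows:
        model, why = decide(f)
        premium = monthly_premium_usd(f) if model == "privatelink" else 0.0
        total += premium
        rows.append({"flow": f.name, "model": model, "reason": why, "premium_usd": premium})
    return rows, round(total, 2)


# Constructed inventory.
FLOWS = [
    Flow("customer-rest-api", "internet", customer_data=True, regulated=False, gb_per_month=5000),
    Flow("static-assets", "cdn", customer_data=False, regulated=False, gb_per_month=20000),
    Flow("payments-ledger", "internal", customer_data=True, regulated=True, gb_per_month=800, endpoints=3),
    Flow("metrics-scraper", "internal", customer_data=False, regulated=False, gb_per_month=1500),
    Flow("partner-feed", "partner", customer_data=True, regulated=False, gb_per_month=200, endpoints=2),
]

if __name__ == "__main__":
    rows, total = plan(FLOWS)
    for r in rows:
        print(f"{r['flow']:<18} {r['model']:<11} ${r['premium_usd']:>8.2f}  {r['reason']}")
    print(f"monthly PrivateLink premium: ${total:.2f}")
```

Note that `customer-rest-api` carries customer data yet lands on public, because its consumers are on the internet and PrivateLink would not reach them; authentication is the perimeter there. The `endpoints` field is what makes proliferation visible: `payments-ledger` at three endpoints costs more in hourly charges than in processing, which is the pattern to watch as cross-VPC connections multiply.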
PrivateLink versus public endpoint is a per-flow decision. Nova AI Ops integrates with VPC and endpoint inventory data, surfaces traffic patterns through both endpoint types, and helps teams identify which flows belong on which exposure model.