Welcome to PrivateLink for Customer and Partner Services. This new feature was launched to much fanfare at the AWS re:Invent 2017 Global Partner Summit.
AWS PrivateLink is a new service that lets you expose services and products running in your virtual private cloud (VPC) to other AWS accounts without exposing your VPC to the public internet, and without peering the two VPCs or reconciling overlapping address ranges. Customer AWS accounts reach your service over this private network channel, which lets partners build and offer SaaS products to their AWS customers.
AWS PrivateLink at Work
Establishing a PrivateLink connection is straightforward and is done from the VPC console or the current version of the AWS CLI. The partner (service provider) registers an endpoint service backed by a Network Load Balancer, chooses which AWS accounts are allowed to connect, and decides whether each connection request must be accepted manually. The customer (service consumer) then creates an interface VPC endpoint in their own VPC that points at the provider's service name. Once the request is accepted, a private network path exists between the consumer's VPC and the provider's VPC.
Traffic between the two VPCs stays on the AWS private network backbone and never egresses to the internet. The path is also one-directional: connections are initiated from the consumer's endpoint toward the provider's load balancer, so the provider gains no route into the consumer's VPC, and the consumer sees only the load balancer, not the provider's VPC.
As we can see in the graphic above, multiple independent customer AWS accounts can subscribe to the partner's SaaS product. The product is exposed through an AWS Network Load Balancer (NLB), which performs TCP load balancing across its registered targets, and traffic to and from the product is delivered over the AWS internal network. One practical caveat: the NLB's targets see the load balancer's private addresses as the connection source, not the consumer's, so target security groups cannot tell consumers apart by source IP. If the backend needs to know which consumer endpoint a connection came from, enable Proxy Protocol v2 on the NLB listener and read the endpoint ID it prepends to each connection.
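The provider-side controls described above (the account allowlist and the accept-or-reject decision on each connection request) are the part of this setup worth auditing regularly. The following is an added example, not code from the original article or from AWS: it takes the kind of data returned by `aws ec2 describe-vpc-endpoint-service-configurations`, `describe-vpc-endpoint-service-permissions` and `describe-vpc-endpoint-connections` (field names as the author understands those responses, an assumption), flags weak settings, sorts pending requests into accept or reject, and detects endpoints that are still connected although their owner is no longer allowlisted. All account IDs, service IDs and endpoint IDs below are constructed sample data.

```python
"""Audit which AWS accounts can reach a PrivateLink endpoint service.

Added example for this article (not AWS code). Dictionaries mirror the
EC2 API responses named in the lead-in as the author understands them
(an assumption); every value below is constructed sample data.
"""
from typing import Dict, List, Set

SERVICE = {  # describe-vpc-endpoint-service-configurations -> ServiceConfigurations[0]
    "ServiceId": "vpce-svc-0123456789abcdef0",
    "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
    "AcceptanceRequired": True,
}
ALLOWED_PRINCIPALS = [  # describe-vpc-endpoint-service-permissions -> AllowedPrincipals
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::222222222222:root"},
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::333333333333:root"},
]


def _conn(service_id: str, vpce_id: str, owner: str, state: str) -> Dict[str, str]:
    """Build one describe-vpc-endpoint-connections record (constructed data)."""
    return {"ServiceId": service_id, "VpcEndpointId": vpce_id,
            "VpcEndpointOwner": owner, "VpcEndpointState": state}


CONNECTIONS = [
    _conn(SERVICE["ServiceId"], "vpce-0aaa", "222222222222", "available"),
    _conn(SERVICE["ServiceId"], "vpce-0bbb", "333333333333", "pendingAcceptance"),
    _conn(SERVICE["ServiceId"], "vpce-0ccc", "444444444444", "available"),   # owner no longer allowlisted
    _conn(SERVICE["ServiceId"], "vpce-0ddd", "555555555555", "pendingAcceptance"),
    _conn("vpce-svc-0fedcba9876543210", "vpce-0eee", "555555555555", "available"),  # other service
]
# A deliberately weak second configuration: auto-accept plus a wildcard allowlist.
OPEN_SERVICE = {"ServiceId": "vpce-svc-0fedcba9876543210", "AcceptanceRequired": False}
OPEN_PRINCIPALS = [{"PrincipalType": "Account", "Principal": "*"}]


def account_from_principal(principal: str) -> str:
    """'arn:aws:iam::123456789012:root' -> '123456789012'; '*' stays '*'."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"unexpected principal format: {principal}")
    return parts[4]


def allowed_accounts(permissions: List[Dict[str, str]]) -> Set[str]:
    return {account_from_principal(p["Principal"]) for p in permissions}


def config_findings(service: Dict, allowed: Set[str]) -> List[str]:
    """Settings that let an unknown consumer attach without a human decision."""
    findings = []
    if not service.get("AcceptanceRequired", False):
        findings.append(f"{service['ServiceId']}: connection requests are auto-accepted")
    if "*" in allowed:
        findings.append(f"{service['ServiceId']}: allowlist contains '*' (any AWS account)")
    return findings


def triage_connections(service: Dict, allowed: Set[str],
                       connections: List[Dict]) -> Dict[str, List[str]]:
    """Sort this service's connections into accept / reject / drift.

    drift = endpoints already 'available' whose owner is not on the current
    allowlist (typically the allowlist was tightened after they connected;
    the existing connection keeps working until it is rejected).
    """
    result: Dict[str, List[str]] = {"accept": [], "reject": [], "drift": []}
    open_to_all = "*" in allowed
    for conn in connections:
        if conn["ServiceId"] != service["ServiceId"]:
            continue  # belongs to a different endpoint service
        permitted = open_to_all or conn["VpcEndpointOwner"] in allowed
        state = conn["VpcEndpointState"]
        if state == "pendingAcceptance":
            result["accept" if permitted else "reject"].append(conn["VpcEndpointId"])
        elif state == "available" and not permitted:
            result["drift"].append(conn["VpcEndpointId"])
    return result


def remediation_commands(service_id: str, triage: Dict[str, List[str]]) -> List[str]:
    """AWS CLI calls the provider would run after reviewing the triage output."""
    cmds = []
    if triage["accept"]:
        cmds.append("aws ec2 accept-vpc-endpoint-connections --service-id "
                    f"{service_id} --vpc-endpoint-ids {' '.join(triage['accept'])}")
    to_reject = triage["reject"] + triage["drift"]
    if to_reject:
        cmds.append("aws ec2 reject-vpc-endpoint-connections --service-id "
                    f"{service_id} --vpc-endpoint-ids {' '.join(to_reject)}")
    return cmds


if __name__ == "__main__":
    for finding in config_findings(OPEN_SERVICE, allowed_accounts(OPEN_PRINCIPALS)):
        print("FINDING:", finding)
    triage = triage_connections(SERVICE, allowed_accounts(ALLOWED_PRINCIPALS), CONNECTIONS)
    print(triage)
    for cmd in remediation_commands(SERVICE["ServiceId"], triage):
        print(cmd)
```

The drift check is the one most teams miss: removing an account from the allowlist stops it creating new endpoints, but an endpoint it already has stays connected until the provider explicitly rejects it, so an offboarded customer can keep reaching the service unless the audit above (or an equivalent) is run.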
Additionally, if the partner has a Direct Connect connection between their VPC and their on-premises network, the NLB can register on-premises hosts as IP-address targets (provided those addresses are routable from the NLB's subnets), so services hosted in the partner's own data center can be exposed through the same endpoint service. Using Direct Connect in this way gives the partner more flexibility over where the SaaS product is hosted.
Finally, partners have the option to leverage the AWS Marketplace to publish their SaaS product for wider consumption.
So, go ahead and get your PrivateLink on!