PrivateLink Patterns
Service-to-service.
What PrivateLink solves
PrivateLink removes the public internet from service-to-service traffic. Lower latency, no egress fees, cleaner audit story for compliance-sensitive workloads. The provider exposes a service endpoint, consumers create endpoint connections in their VPC; traffic stays on the AWS backbone.
- Private connectivity. AWS-backbone path per service; lower latency than internet routing, no NAT egress fees, compliance-friendly.
- Replaces NAT and peering. Endpoint connection per service; provider exposes a service endpoint, consumers create endpoint connections in their VPC.
- Default for compliance-sensitive workloads. Healthcare, finance and other regulated industries choose it per tenant; the audit story is cleaner than for public internet routes.
- Endpoint inventory per tenant. Documented endpoint list per tenant supports auditor reviews and access tracking.
Interface endpoints (PrivateLink)
Interface endpoints are the most common form. ENIs per AZ in your VPC, DNS resolves the AWS service name to the local ENI; the application sees a normal AWS API call without realising it never crosses the public internet.
- Per-AZ ENIs. Endpoint network interface per AZ in your VPC; DNS resolves the AWS service to the local ENI.
- Cost. Hourly plus per-GB processed per endpoint; at meaningful scale, replacing NAT egress with endpoints saves money.
- Common services. S3 and DynamoDB (gateway), KMS, SSM, Secrets Manager and ECR in each account; most heavily used AWS services support PrivateLink.
- Security group per endpoint. SG attached per endpoint supports least-privilege access at the network layer.
Gateway endpoints (S3, DynamoDB)
Gateway endpoints are the cheap special case. Free, route-table-based, S3 and DynamoDB only. Always deploy them; the cost is zero and they remove NAT egress for the heaviest AWS services.
- Different from interface endpoints. Route-table-based, free, S3-and-DynamoDB-only path per VPC.
- Always deploy for S3 and DynamoDB. Free gateway endpoint per VPC; removes NAT egress for these services with no operational cost.
- Limitation. Access is local to the VPC; cross-region or cross-account use requires interface endpoints, with their associated cost.
- Policy per endpoint. IAM policy per endpoint catches accidental write paths and supports compliance posture.
Custom services via PrivateLink
Custom services via PrivateLink are how SaaS vendors increasingly ship. The provider runs an NLB exposed as a service; the consumer creates an endpoint in their VPC; the consumer experience is identical regardless of vendor.
- Provider NLB. A Network Load Balancer per service, registered as a PrivateLink endpoint service.
- SaaS vendor support. Snowflake, Databricks, Datadog, and others offer PrivateLink per vendor; increasingly common in regulated industries.
- Operational benefit. Identical endpoint pattern per consumer regardless of provider; standardised pattern with reusable runbooks.
- Auth model per vendor. Endpoint allowlist or auth-token integration per vendor supports access reviews.
Operating PrivateLink at scale
Operating PrivateLink at scale is a discipline. Track endpoint usage to retire idle ones, attach IAM policies for defence in depth, monitor endpoint health, audit the inventory quarterly.
- Track endpoint usage. Traffic gauge per endpoint; endpoints with no traffic should be retired since they cost money for nothing.
- Per-VPC endpoint policy. IAM-principal allowlist per endpoint; defence in depth on top of IAM policies.
- Monitor endpoint health. NLB-target health alert per endpoint; failing health checks indicate provider-side issues worth escalating.
- Quarterly endpoint audit. Endpoint inventory review per quarter catches drift between what is provisioned and what is in use.
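The endpoint-policy bullets above (the gateway-endpoint policy that catches accidental write paths, and the per-VPC principal allowlist) can be checked mechanically during the quarterly audit. The linter below is an added example, not code from the original page; the two sample policies, the bucket name and the account id are constructed placeholders, and its read-verb list is an assumption that covers S3 actions only.

```python
"""Lint a VPC endpoint policy for write paths and missing principal guards."""
import json

# Constructed samples: the permissive default, then the read-only single-bucket,
# single-account form. Bucket name and account id are placeholders.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
})
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-tenant-data", "arn:aws:s3:::example-tenant-data/*"],
        "Condition": {"StringEquals": {"aws:PrincipalAccount": "111111111111"}},
    }],
})

# Conservative rule (assumption, S3 verbs only): any action not starting with a read
# verb is a write path, so "s3:*" and "*" are flagged while "s3:Get*" is not.
READ_PREFIXES = ("s3:get", "s3:list", "s3:head")
ACCOUNT_KEYS = {"aws:PrincipalAccount", "aws:PrincipalOrgID"}

def _as_list(value):
    """IAM accepts a bare string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_write_path(action: str) -> bool:
    return not action.lower().startswith(READ_PREFIXES)

def lint_endpoint_policy(doc: str) -> list[str]:
    """Return one finding per problem in each Allow statement; an empty list means clean."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(doc)["Statement"])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        writes = [a for a in _as_list(st.get("Action", [])) if is_write_path(a)]
        if writes:
            findings.append(f"statement {i}: write path allowed via {writes}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' reaches any bucket, including foreign ones")
        guards = st.get("Condition", {}).get("StringEquals", {})
        if not guards.keys() & ACCOUNT_KEYS:
            findings.append(f"statement {i}: no aws:PrincipalAccount or aws:PrincipalOrgID guard")
    return findings
```

Run `lint_endpoint_policy` over each endpoint's policy document pulled from the inventory; the open sample yields three findings, the locked one none.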