Support sharing services through AWS PrivateLink #4005

Open
efekarakus opened this issue Sep 16, 2022 · 5 comments
Labels
area/override Issues related to overrides. type/feature Issues that are new feature requests.

Comments

@efekarakus (Contributor)

Ask

We'd like to expose Backend Services that are built in a separate account and VPC to other AWS accounts. One way of achieving a private connection from a different AWS account is through AWS PrivateLink.

One of the prerequisites for PrivateLink is creating a Network Load Balancer in front of the Backend Service so that it can be referred to from the VPC endpoint service.

The desired architecture should look like:
[image: privatelink architecture diagram]

Proposal

In Backend Service Manifest, copilot can expose a way of placing a network load balancer in front of the shared ALB that is created for Backend Services.

name: api
type: Backend Service

http:
  path: '/'

nlb:
  port: 80/tcp
  target: http

This feature would add the nlb field just like for Load Balanced Web Services. However, in addition, by specifying target: http we can have an ALB-type target group.

Request For Feedback

Would the feature description above be enough for Copilot to support AWS PrivateLink? It essentially only sets the prerequisites but doesn't help with creating an endpoint service or interface endpoint.

  • How would you manage the endpoint service?
  • How would you manage the interface endpoint?
  • How about the custom DNS name for the endpoint service?
@efekarakus efekarakus added the type/feature Issues that are new feature requests. label Sep 16, 2022
@Lou1415926 Lou1415926 added the area/override Issues related to overrides. label May 23, 2023
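The proposal above stops at the NLB; the three questions that follow it are about the endpoint service. As an added example (not a Copilot-generated template and not part of the issue), here is the CloudFormation that covers both halves on the provider side: an NLB with an ALB-type target group pointing at the shared Backend Service ALB, the endpoint service that consumers reference, and the permission that scopes who may connect. The parameter names, the logical resource names and the single consumer account are assumptions; Copilot's real generator would wire the ALB ARN, VPC and subnets from the environment stack instead.

```yaml
# Added example: provider-side PrivateLink prerequisites and endpoint service.
# Not Copilot's own template; parameter and resource names are assumed.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  SharedAlbArn:
    Type: String            # ARN of the internal ALB Copilot created for Backend Services
  ConsumerAccountId:
    Type: String            # the one account allowed to create interface endpoints to this service

Resources:
  # TargetType alb makes the NLB forward TCP to the existing ALB rather than to tasks.
  # ALB-type targets require an HTTP or HTTPS health check, not a TCP one.
  AlbTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: alb
      Protocol: TCP
      Port: 80
      VpcId: !Ref VpcId
      HealthCheckProtocol: HTTP
      HealthCheckPath: /
      Targets:
        - Id: !Ref SharedAlbArn
          Port: 80

  # Internal scheme: nothing but the endpoint service ever reaches this NLB.
  PrivateLinkNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds

  NlbListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref PrivateLinkNlb
      Protocol: TCP
      Port: 80
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AlbTargetGroup

  # AcceptanceRequired keeps every consumer connection an explicit approval
  # instead of auto-accepting anything an allowed principal creates.
  EndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns:
        - !Ref PrivateLinkNlb
      AcceptanceRequired: true

  # Without an entry here no other account can even discover the service.
  EndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref EndpointService
      AllowedPrincipals:
        - !Sub arn:aws:iam::${ConsumerAccountId}:root

Outputs:
  ServiceName:
    # Consumers pass this value as ServiceName when creating their interface endpoint.
    Value: !Sub com.amazonaws.vpce.${AWS::Region}.${EndpointService}
```

Two caveats a practitioner hits with this layout. First, PrivateLink does not preserve the consumer's source address: the ALB sees connections coming from the NLB's private addresses, so the ALB's security group must allow port 80 from the NLB subnets, and any allow-listing by client IP at the ALB no longer identifies the caller. Second, the custom DNS name the issue asks about is not set in this template; it is configured on the service afterwards (for example with aws ec2 modify-vpc-endpoint-service-configuration --private-dns-name) and AWS only honours it once the domain has been proven with the DNS TXT record it issues for verification.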
@afgallo commented May 25, 2023

Hi @efekarakus and @Lou1415926, I've come across this issue when researching AWS PrivateLink connections to SQS and SNS. This is probably not related to this proposal but I was wondering if there is a way to achieve this with AWS Copilot: Can pub/sub architectures leverage PrivateLink so that my services communication never leaves my VPC?

@Lou1415926 (Contributor)

Hey @afgallo ! Are you using worker service for your pub/sub architecture, or did you build your own pub/sub?

Can pub/sub architectures leverage PrivateLink so that my services communication never leaves my VPC?

Could you elaborate on what part of the communication is leaving your VPC? Is the VPC managed by Copilot?

@afgallo commented May 30, 2023

Hi @Lou1415926 my environments are fully managed by AWS Copilot. We haven't built a pub/sub service yet, I was reviewing the documentation and came across examples with a public http endpoint, so this gave me the impression that SNS and SQS do not have a local endpoint. Is that correct?

@Lou1415926 (Contributor)

Ah, I see now! Yes, the worker service will have to call a public endpoint to pull messages from the queue, and you were right: you'd need a VPC endpoint using AWS PrivateLink to do that. The traffic goes like ECS -> internet gateway -> SQS.

I think you should be able to create an interface endpoint as an environment addon. Once that's done, you will be able to make the API calls via the private endpoint. The traffic would go like ECS --(private link)--> SQS

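The environment addon suggested in the reply above, written out as an added example (not from the issue and not from Copilot's documentation). It creates interface endpoints for SQS and SNS, the two services a Copilot worker service and its publishers talk to, and locks them down in the two places that matter: a security group so only the environment's tasks can reach the endpoint network interfaces, and an endpoint policy so the private path can only be used for queues and topics in this same account. The Parameters App and Env are the ones Copilot passes to addons; the Fn::ImportValue export names (VpcId, PrivateSubnets, EnvironmentSecurityGroup) are assumed to match what the environment stack exports.

```yaml
# Added example: Copilot environment addon for SQS and SNS interface endpoints.
# Not from the issue or Copilot's docs; the ImportValue export names are assumed.
Parameters:
  App:
    Type: String
  Env:
    Type: String

Resources:
  # Only tasks in the environment security group may open HTTPS to the endpoint ENIs.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub HTTPS to VPC interface endpoints for ${App}-${Env}
      VpcId:
        Fn::ImportValue: !Sub ${App}-${Env}-VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub ${App}-${Env}-EnvironmentSecurityGroup

  SqsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sqs
      VpcId:
        Fn::ImportValue: !Sub ${App}-${Env}-VpcId
      SubnetIds:
        Fn::Split:
          - ','
          - Fn::ImportValue: !Sub ${App}-${Env}-PrivateSubnets
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      # With private DNS on, sqs.<region>.amazonaws.com resolves to the endpoint ENIs,
      # so the SDK in the worker needs no configuration change.
      PrivateDnsEnabled: true
      # Endpoint policy: only queues in this account, only from this account's principals.
      # Without it a compromised task could exfiltrate to any account's queue over the private path.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - sqs:ReceiveMessage
              - sqs:DeleteMessage
              - sqs:ChangeMessageVisibility
              - sqs:SendMessage
              - sqs:GetQueueAttributes
              - sqs:GetQueueUrl
            Resource: !Sub arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:*
            Condition:
              StringEquals:
                aws:PrincipalAccount: !Ref AWS::AccountId

  # Publishers (services with a publish section) talk to SNS, so it gets the same treatment.
  SnsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sns
      VpcId:
        Fn::ImportValue: !Sub ${App}-${Env}-VpcId
      SubnetIds:
        Fn::Split:
          - ','
          - Fn::ImportValue: !Sub ${App}-${Env}-PrivateSubnets
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - sns:Publish
            Resource: !Sub arn:aws:sns:${AWS::Region}:${AWS::AccountId}:*
            Condition:
              StringEquals:
                aws:PrincipalAccount: !Ref AWS::AccountId
```

To check that traffic really takes the private path after the environment is redeployed, resolve sqs.<region>.amazonaws.com from inside a task (for example with copilot svc exec): it should answer with private addresses from the environment's subnets rather than public ones. The endpoint policy is an allow-list for the path, not a replacement for the task role; IAM on the task role still decides which specific queue the worker may read.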
@afgallo commented May 31, 2023

That's excellent, thank you @Lou1415926 👍🏻
