Skip to content
/ aws-privatelink-poc Public

This is a POC to demonstrate an issue with AWS PrivateLink. The issue is what CIDR do you lock down the NLB in an VPC Endpoint Service too to allow the consumer to access the private link.

www.jmoney.dev/aws-privatelink-poc

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jmoney/aws-privatelink-poc

BranchesTags

Repository files navigation

private-link-poc

This is a POC to demonstrate an issue with AWS PrivateLink. The issue is that when the security group on the network load balancer for this provider is locked down to the consumer ip addresses there is a gateway timeout through a LB. The security group of the NLB needs to be set further upstream to the source IP addresses, in this case the private IPs of the ALB, rather than the consumer IPs.

Setup

terraform init
terraform apply -var input_provider_ingress="alb"

This will create a public ALB pointed at a VPC endpoint mapped to an NLB via a VPC Endpoint Service. The NLB is pointed at an instance running a simple echo server. The security group on the NLB is locked down to the ALB private IPs.

terraform init
terraform apply -var input_provider_ingress="consumers"

This will create a public ALB pointed at a VPC endpoint mapped to an NLB via a VPC Endpoint Service. The NLB is pointed at an instance running a simple echo server. The security group on the NLB is locked down to the consumer private IPs.

Testing

To test this POC, you can run the following command:

curl -s -v "http://$(terraform output -json | jq -r .public_lb_dns)/http"

To log into the instance you can use session manager:

aws ssm start-session --target $(terraform output -json | jq -r .echo_server_id)

Requirements

Name Version
aws 5.40.0

Providers

Name Version
aws 5.40.0

Modules

Name Source Version
consumer ./modules/consumer n/a
consumer_network ./modules/network_segment n/a
echo_server ./modules/echo_server n/a
provider ./modules/provider n/a
provider_network ./modules/network_segment n/a

Resources

Name Type
aws_lb.public_lb resource
aws_lb_listener.public_lb resource
aws_lb_target_group.public_lb resource
aws_lb_target_group_attachment.consumers resource
aws_security_group.public_lb resource
aws_security_group_rule.private_link_provider_ingress resource
aws_network_interface.alb_eni data source
aws_network_interface.consumer_network_interface data source
aws_network_interfaces.alb_enis data source

Inputs

Name Description Type Default Required
provider_ingress Where to grab the IPs for the NLB provider security group. string "alb" no

Outputs

Name Description
consumer_ips IP addresses of the consumer network interfaces
echo_server_id value of the echo server's instance ID
private_link_vpcs VPC IDs of the provider and consumer networks
provider_service_name value of the provider service name
public_lb_dns value of the public load balancer's DNS name

About

This is a POC to demonstrate an issue with AWS PrivateLink. The issue is what CIDR do you lock down the NLB in an VPC Endpoint Service too to allow the consumer to access the private link.

www.jmoney.dev/aws-privatelink-poc

Topics

aws mkdocs license-management github-site

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages