AWS PrivateLink
PrivateLink connects you to AWS services and to services in other VPCs (your own or third parties') through private endpoints inside your VPC, with traffic never leaving the AWS network. The consumer sees the service as a private IP in its own VPC.

Two parties are involved: consumers create VPC endpoints to reach a service, and providers publish endpoint services behind a Network Load Balancer. The consumer never sees the provider's VPC, subnets, or NLB, only the private IP of their own endpoint. Connections are initiated from the consumer side only; the endpoint gives the provider no path back into the consumer's VPC.

Endpoint Types

Interface endpoints (the PrivateLink mechanism) place an ENI with a private IP in your subnet; DNS resolves the service hostname to it. They work for most AWS services and third-party services, billed per AZ-hour plus per GB. Gateway endpoints are a route-table target available only for S3 and DynamoDB — and free.

Use Gateway endpoints for S3 and DynamoDB whenever possible since they cost nothing; use interface endpoints for everything else.

Endpoint Services and DNS

On the provider side, you run your service behind a Network Load Balancer, create an endpoint service pointing at it, and grant specific AWS accounts or IAM principals permission to connect (by default nobody is allowed). Consumers then create interface endpoints to the resulting service name; if the service requires acceptance, the provider must approve each connection request before traffic flows. This pattern is common for SaaS sold to enterprises and for sharing internal services across accounts without peering.

Private DNS (on by default for AWS services) makes the regular service hostname resolve to the endpoint's private IP from inside the VPC, so existing SDK code hits the private endpoint with no changes. It depends on the VPC having both DNS resolution and DNS hostnames enabled; if either is off, the hostname keeps resolving to the public address and traffic quietly takes whatever internet path exists instead of the endpoint. The endpoint also gets its own endpoint-specific hostnames either way, but nothing needs to use them.
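The consumer and provider steps above, as an added boto3 example that is not code from the original page. It assumes region us-east-1 and placeholder IDs (vpc-0example, rtb-0example, subnet-0a/0b, sg-0example, an internal NLB ARN in account 111122223333, and a consumer account 123456789012); boto3 is imported lazily inside main() so the request builder and the DNS check run without the SDK. The DNS check is the one thing worth running after deployment: from inside the VPC, the plain service hostname must answer with an address in your own CIDR, otherwise private DNS did not take effect.

```python
"""PrivateLink consumer and provider setup with boto3 (added example, placeholder IDs)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Services with a free Gateway endpoint; every other service gets an Interface endpoint.
GATEWAY_SERVICES = {"s3", "dynamodb"}


def endpoint_request(region: str, service: str, vpc_id: str, *,
                     route_table_ids: Iterable[str] = (),
                     subnet_ids: Iterable[str] = (),
                     security_group_ids: Iterable[str] = ()) -> dict:
    """Build create_vpc_endpoint() parameters, choosing the endpoint type by service.

    `service` is a short AWS service name ("s3", "sts") or a full endpoint-service name
    (com.amazonaws.vpce.<region>.vpce-svc-...) for a third-party service.
    """
    full_name = service if "." in service else f"com.amazonaws.{region}.{service}"
    if service in GATEWAY_SERVICES:
        if not route_table_ids:
            raise ValueError("a Gateway endpoint is a route-table target; pass route_table_ids")
        return {"VpcId": vpc_id, "ServiceName": full_name, "VpcEndpointType": "Gateway",
                "RouteTableIds": list(route_table_ids)}
    if not subnet_ids or not security_group_ids:
        raise ValueError("an Interface endpoint needs one subnet per AZ and a security group")
    # One subnet = one AZ = one ENI billed per AZ-hour, so list only the AZs you use.
    return {"VpcId": vpc_id, "ServiceName": full_name, "VpcEndpointType": "Interface",
            "SubnetIds": list(subnet_ids), "SecurityGroupIds": list(security_group_ids),
            # Private DNS is what keeps SDK code unchanged. For a third-party service it
            # only works if the provider verified a private DNS name, so leave it off there.
            "PrivateDnsEnabled": "." not in service}


def resolves_into_vpc(hostname: str, vpc_cidr: str,
                      resolve: Optional[Callable[[str], List[str]]] = None) -> bool:
    """Verify private DNS took effect: every A record for hostname must sit inside vpc_cidr.

    Run from an instance in the VPC. A public AWS address in the answer means the endpoint's
    private DNS is off or the VPC lacks DNS resolution / DNS hostnames.
    `resolve` is injectable so the check can be exercised with constructed answers.
    """
    if resolve is None:
        def resolve(host: str) -> List[str]:
            return sorted({info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)})
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    answers = resolve(hostname)
    return bool(answers) and all(ipaddress.ip_address(a) in net for a in answers)


def publish_endpoint_service(ec2, nlb_arns: Iterable[str], allowed_principals: Iterable[str]) -> str:
    """Expose an NLB-fronted service, require acceptance, and allow only the listed principals.

    Returns the service name consumers pass to create_vpc_endpoint().
    """
    cfg = ec2.create_vpc_endpoint_service_configuration(
        AcceptanceRequired=True,                       # every consumer connection needs approval
        NetworkLoadBalancerArns=list(nlb_arns))["ServiceConfiguration"]
    # No principals are allowed until this call; never add "*" for a production service.
    ec2.modify_vpc_endpoint_service_permissions(
        ServiceId=cfg["ServiceId"], AddAllowedPrincipals=list(allowed_principals))
    return cfg["ServiceName"]


def main() -> None:
    import boto3  # lazy import: only needed when actually calling AWS
    ec2 = boto3.client("ec2", region_name="us-east-1")
    vpc, cidr = "vpc-0example", "10.0.0.0/16"  # assumed placeholder VPC
    # Consumer side: free Gateway endpoints for S3/DynamoDB, an Interface endpoint for STS.
    ec2.create_vpc_endpoint(**endpoint_request("us-east-1", "s3", vpc, route_table_ids=["rtb-0example"]))
    ec2.create_vpc_endpoint(**endpoint_request("us-east-1", "dynamodb", vpc, route_table_ids=["rtb-0example"]))
    ec2.create_vpc_endpoint(**endpoint_request("us-east-1", "sts", vpc,
                                               subnet_ids=["subnet-0a", "subnet-0b"],
                                               security_group_ids=["sg-0example"]))
    # Provider side: publish an internal service to a single consumer account.
    name = publish_endpoint_service(
        ec2, ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/net/internal/0example"],
        ["arn:aws:iam::123456789012:root"])
    print("endpoint service:", name)
    # From inside the VPC, STS must now resolve to the endpoint ENI rather than a public address.
    print("sts resolves privately:", resolves_into_vpc("sts.us-east-1.amazonaws.com", cidr))


if __name__ == "__main__":
    main()
```

The security group passed to the interface endpoint is what actually gates who in the VPC can reach the endpoint ENI; restrict it to port 443 from the workloads that need the service rather than the whole VPC CIDR.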

Cost Optimization

The classic cost play: replace NAT Gateway egress to AWS services with PrivateLink. NAT Gateway charges per GB processed at a higher rate than interface-endpoint data processing, so the hourly endpoint fee is recovered quickly at moderate traffic. The NAT Gateway usually stays for other internet egress, so the saving is the per-GB difference on the redirected traffic, not the NAT Gateway's hourly fee. For S3 and DynamoDB specifically, free Gateway endpoints beat both.
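The break-even behind that claim, worked through as an added example rather than figures from the page. The prices are assumptions set to us-east-1 list prices as the author of this example knew them (NAT Gateway $0.045 per GB processed; interface endpoint $0.01 per AZ-hour plus $0.01 per GB) and must be checked against the current pricing page; the NAT Gateway is assumed to remain for other egress, so only its per-GB charge on the redirected traffic counts.

```python
"""NAT Gateway vs interface endpoint break-even (added example; prices are assumptions)."""
HOURS_PER_MONTH = 730
NAT_PER_GB = 0.045            # assumed: NAT Gateway data processing, per GB
ENDPOINT_PER_AZ_HOUR = 0.01   # assumed: interface endpoint hourly fee, per AZ
ENDPOINT_PER_GB = 0.01        # assumed: interface endpoint data processing, per GB
GATEWAY_SERVICES = {"s3", "dynamodb"}   # free Gateway endpoint available


def nat_monthly_cost(gb: float) -> float:
    """Per-GB charge for pushing gb of AWS-service traffic through the NAT Gateway."""
    return NAT_PER_GB * gb


def endpoint_monthly_cost(gb: float, azs: int) -> float:
    """Hourly fee in each enabled AZ plus per-GB processing for an interface endpoint."""
    return ENDPOINT_PER_AZ_HOUR * HOURS_PER_MONTH * azs + ENDPOINT_PER_GB * gb


def break_even_gb(azs: int) -> float:
    """Monthly GB above which the interface endpoint is cheaper than NAT for this traffic."""
    return ENDPOINT_PER_AZ_HOUR * HOURS_PER_MONTH * azs / (NAT_PER_GB - ENDPOINT_PER_GB)


def cheapest_path(service: str, gb: float, azs: int) -> str:
    """'gateway' (free) for S3/DynamoDB; otherwise whichever of endpoint/nat costs less."""
    if service in GATEWAY_SERVICES:
        return "gateway"
    return "endpoint" if endpoint_monthly_cost(gb, azs) < nat_monthly_cost(gb) else "nat"


if __name__ == "__main__":
    for azs in (1, 2, 3):
        print(f"{azs} AZ(s): endpoint cheaper above {break_even_gb(azs):.0f} GB/month")
    for svc, gb in (("s3", 5000), ("sts", 100), ("sts", 1000)):
        print(f"{svc} at {gb} GB/month in 2 AZs -> {cheapest_path(svc, gb, 2)}")
```

Each extra AZ adds roughly another two hundred GB per month to the break-even at these assumed prices, which is the reason the per-AZ billing note appears in the mistakes list.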

PrivateLink vs Transit Gateway vs VPC Peering

PrivateLink — exposing or consuming one specific service across VPC or account boundaries, scoped to that service alone: the consumer gets an endpoint, not a route into the provider's network.

Transit Gateway — full-network routing between many VPCs and hybrid links through a hub.

VPC Peering — whole-network connectivity between a small number of VPCs.

Common Mistakes
  • Paying for an interface endpoint for S3 or DynamoDB when the free Gateway endpoint does the job.
  • Routing AWS-service traffic through a NAT Gateway when a PrivateLink endpoint would be cheaper at moderate volume.
  • Using PrivateLink to connect whole networks — it exposes one service; use Transit Gateway or peering for network-wide routing.
  • Forgetting that interface endpoints bill per AZ, so enabling many AZs multiplies the hourly cost.
  • Disabling private DNS and then rewriting application code to use endpoint-specific hostnames unnecessarily.
  • Publishing an endpoint service without restricting which accounts may connect.
Best Practices
  • Use free Gateway endpoints for S3 and DynamoDB; interface endpoints for other services.
  • Replace NAT Gateway egress to AWS services with PrivateLink to cut data-transfer cost.
  • Keep private DNS enabled so existing SDK code needs no changes.
  • Restrict endpoint-service access to specific allowed accounts.
  • Enable endpoints only in the AZs you need, since they bill per AZ-hour.
Comparable services: GCP Private Service Connect, Azure Private Link

Knowledge Check

Which VPC endpoint type is free, and for which services?

  • Gateway endpoints — free, but only for S3 and DynamoDB
  • Interface endpoints — free across every AWS service
  • Both endpoint types are free of any charge
  • Neither endpoint type is ever free

How does private DNS make PrivateLink transparent to applications?

  • The standard service hostname resolves to the endpoint's private IP in the VPC, so SDK code is unchanged
  • It rewrites the application's source code at deploy time to point every API call at new endpoint hostnames
  • It disables the public service endpoint everywhere globally so no client can reach it from the internet
  • It requires every call to use a new endpoint-specific URL

What does a PrivateLink consumer see of the provider's environment?

  • Only the private IP of their own interface endpoint, not the provider's VPC or NLB
  • The provider's full VPC, subnet, and route-table layout, including every internal CIDR range
  • The provider's NLB public IP sitting behind the endpoint service for direct access
  • Nothing — the connection is one-way and completely blind

When should you use PrivateLink instead of a Transit Gateway?

  • When you need to expose or consume one specific service with strict scoping
  • When many VPCs need full mesh routing between each other
  • When connecting on-premises networks over a dedicated Direct Connect link
  • When you want the cheapest possible option for all S3 traffic
