AWS VPC endpoint services for NLB powered by AWS PrivateLink

Recently in my organization, there was a requirement to connect to a private endpoint in Account A from Account B. When such a requirement comes up, VPC peering is the first solution that comes to mind. However, if the endpoint is hosted behind an NLB, it can simply be connected through a VPC endpoint service, which is powered by AWS PrivateLink, without peering the two VPCs.

In Account A, create an NLB and a VPC endpoint service that fronts it, then allow Account B to connect.

resource "aws_vpc_endpoint_service" "this" {
  # The ARN of the NLB
  network_load_balancer_arns = [module.nlb.arn]

  # DNS of the private endpoint
  private_dns_name    = var.private_dns_name

  # Require Account A to accept each connection request from another account
  acceptance_required = true

  tags = {
    Name = "${terraform.workspace}-nlb"
  }
}

resource "aws_vpc_endpoint_service_allowed_principal" "this" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id

  # Allow principal to create endpoint connection
  principal_arn = "arn:aws:iam::${var.account_b_id}:root"
}

</gre_replace>
<gr_replace lines="35" cat="clarify" orig="The Service name">
The service name (of the form com.amazonaws.vpce.<region>.vpce-svc-...) is shown after the service is created; it is required when we configure the VPC endpoint in Account B.

The Service name is required when we configure the VPC endpoint in Account B.

[Image: vpc endpoint service]

For private DNS, AWS issues a TXT record (name and value) that proves you own the domain. Add that TXT record to your domain's public DNS zone. After a successful validation, the domain verification status is shown as Verified.
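The TXT record does not have to be added by hand. As an added example (not code from the original post), the following Terraform publishes the verification record into a Route 53 public hosted zone using the `private_dns_name_configuration` attribute that `aws_vpc_endpoint_service` exports once `private_dns_name` is set. It assumes the `aws_vpc_endpoint_service.this` resource above, the `var.private_dns_name` variable, and a hypothetical `var.public_zone_id` variable holding the hosted zone ID.

```hcl
# Added example, not part of the original post.
# Assumes aws_vpc_endpoint_service.this (above), var.private_dns_name and a
# hypothetical var.public_zone_id pointing at the public hosted zone for the domain.

data "aws_route53_zone" "public" {
  zone_id = var.public_zone_id
}

# private_dns_name_configuration is a list with one object carrying the
# record's name (a subdomain label), type ("TXT") and value.
locals {
  dns_verification = one(aws_vpc_endpoint_service.this.private_dns_name_configuration)
}

# The verification record lives under the private DNS name itself, e.g.
# _<label>.nlb.petproject.my, in the public zone so AWS can resolve it.
resource "aws_route53_record" "private_dns_verification" {
  zone_id = data.aws_route53_zone.public.zone_id
  name    = "${local.dns_verification.name}.${var.private_dns_name}"
  type    = local.dns_verification.type
  ttl     = 300
  records = [local.dns_verification.value]
}
```

The record must be publicly resolvable for the check to pass, which is why a public hosted zone is used even though the name will only ever be reached through the endpoint. Verification is asynchronous: after the record propagates, the status in the console moves from pending to Verified.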

[Image: private dns]

In Account B, create a VPC endpoint for the VPC endpoint service created above.

module "vpc_endpoints" {
  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  ...
  endpoints = {
    "nlb" = {
      service_name        = "com.amazonaws.vpce.eu-north-1.vpce-svc-0f61ad0e435a4680c"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      service_type        = "Interface"
      tags                = { Name = "${terraform.workspace}-nlb" }
    }
  }
}

[Image: vpc endpoint]

Go back to Account A and accept the endpoint connection request that comes from Account B, under the Endpoint connections tab in Endpoint services. Until it is accepted, the connection stays in the pendingAcceptance state and the endpoint in Account B cannot reach the NLB.
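The accept step can also be automated, and the endpoint in Account B should be restricted to the callers that actually need it. As an added example (not code from the original post or the vpc-endpoints module it uses), the following Terraform creates the endpoint in Account B with a security group that only admits traffic from inside that VPC on the NLB's listener port, and accepts the connection in Account A with `aws_vpc_endpoint_connection_accepter`. It assumes two provider aliases, `aws.account_a` and `aws.account_b`, a `module.vpc` in Account B exposing `vpc_id`, `vpc_cidr_block` and `private_subnets`, and the `aws_vpc_endpoint_service.this` resource above; the alias and module names are hypothetical, and port 80 is assumed to be the NLB listener port.

```hcl
# Added example, not part of the original post.
# Assumes provider aliases aws.account_a / aws.account_b, module.vpc in
# Account B, and aws_vpc_endpoint_service.this from Account A (names hypothetical).

# Only hosts inside Account B's VPC may reach the endpoint ENIs, and only on
# the port the NLB listener exposes (80 assumed here).
resource "aws_security_group" "nlb_endpoint" {
  provider = aws.account_b
  name     = "${terraform.workspace}-nlb-endpoint"
  vpc_id   = module.vpc.vpc_id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [module.vpc.vpc_cidr_block]
  }
}

resource "aws_vpc_endpoint" "nlb" {
  provider            = aws.account_b
  vpc_id              = module.vpc.vpc_id
  service_name        = aws_vpc_endpoint_service.this.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.nlb_endpoint.id]
  # If AWS refuses to enable private DNS before the connection is accepted,
  # apply once with this set to false, then flip it to true.
  private_dns_enabled = true

  tags = { Name = "${terraform.workspace}-nlb" }
}

# Account A accepts the pending connection; because acceptance_required = true
# on the service, the endpoint stays in pendingAcceptance until this is applied.
resource "aws_vpc_endpoint_connection_accepter" "nlb" {
  provider                = aws.account_a
  vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id
  vpc_endpoint_id         = aws_vpc_endpoint.nlb.id
}
```

Two things to keep in mind from a defensive point of view: the allowed principal `arn:aws:iam::<account_b_id>:root` permits any IAM principal in Account B to request a connection, so `acceptance_required = true` is what keeps the final decision in Account A; and the security group on the endpoint is the only network control on Account B's side, since the NLB's own security posture is not visible across the PrivateLink boundary.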

Now try to access the private endpoint hosted in Account A from Account B.

$ curl nlb.petproject.my
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Thank you for reading!
