AWS VPC endpoint services for NLB powered by Private Link.

Recently in my organization, there was a requirement to connect to a private endpoint in Account A from Account B. When such a requirement comes up, VPC peering is the first solution that comes to mind. However, if the endpoint is hosted behind an NLB, it can simply be connected through a VPC endpoint service, which is powered by AWS PrivateLink; no route tables or overlapping CIDR concerns are involved, and Account A keeps control over which principals may connect.

In Account A, create an NLB and a VPC endpoint service that fronts it.

resource "aws_vpc_endpoint_service" "this" {
  # The ARN of the NLB
  network_load_balancer_arns = [module.nlb.arn]

  # DNS of the private endpoint
  private_dns_name    = var.private_dns_name

  # Accept or Reject endpoint connections from other AWS accounts
  acceptance_required = true

  tags = {
    Name = "${terraform.workspace}-nlb"
  }
}

resource "aws_vpc_endpoint_service_allowed_principal" "this" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id

  # Allow principal to create endpoint connection
  principal_arn = "arn:aws:iam::${var.account_b_id}:root"
}


The service name shown for the endpoint service is what Account B references when it configures its VPC endpoint.

[Screenshot: VPC endpoint service]

To use the private DNS name, add the TXT record AWS provides to your domain. After successful validation, the domain verification status is shown as Verified.

[Screenshot: private DNS]

In Account B, create a VPC endpoint for the VPC endpoint service created above.

module "vpc_endpoints" {
  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  ...
  endpoints = {
    "nlb" = {
      service_name        = "com.amazonaws.vpce.eu-north-1.vpce-svc-0f61ad0e435a4680c"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      service_type        = "Interface"
      tags                = { Name = "${terraform.workspace}-nlb" }
    }
  }
}

[Screenshot: VPC endpoint]

Go back to Account A and accept the endpoint connection request coming from Account B, under the Endpoint connections tab in Endpoint services.

Now try to access the private endpoint hosted in Account A from Account B.

$ curl nlb.petproject.my
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
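As an added check that is not part of the original post, the script below audits the Account A side of this setup and the Account B side of the DNS behaviour. It takes the JSON shapes returned by `aws ec2 describe-vpc-endpoint-service-configurations` and `aws ec2 describe-vpc-endpoint-service-permissions` (or the equivalent boto3 calls) and reports settings that widen exposure beyond the single consumer account the Terraform above allows: `acceptance_required` turned off, an allowed principal of `*`, an unexpected account, or an unverified private DNS name. The second function confirms that the private DNS name resolves into the consumer VPC, which is what shows the `curl` above went through the interface endpoint rather than a public host. The sample documents, account ids, service id, CIDR and addresses are constructed placeholders.

```python
"""Audit a PrivateLink endpoint service and the consumer-side DNS resolution.

Added example, not code from the original post. Input shapes follow the EC2 API
responses for DescribeVpcEndpointServiceConfigurations and
DescribeVpcEndpointServicePermissions; all values here are constructed.
"""
import ipaddress
import re

# Constructed sample: one service configuration (only the fields the audit needs).
SAMPLE_SERVICE = {
    "ServiceId": "vpce-svc-0123456789abcdef0",  # placeholder id
    "ServiceName": "com.amazonaws.vpce.eu-north-1.vpce-svc-0123456789abcdef0",
    "AcceptanceRequired": True,
    "NetworkLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:eu-north-1:111111111111:loadbalancer/net/nlb/abc"
    ],
    "PrivateDnsName": "nlb.example.internal",
    "PrivateDnsNameConfiguration": {"State": "verified", "Type": "TXT"},
}

# Constructed sample: AllowedPrincipals as returned by the permissions call,
# matching the single account-root principal the Terraform config allows.
SAMPLE_PRINCIPALS = [
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::222222222222:root"},
]

ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def audit_endpoint_service(service, allowed_principals, expected_accounts):
    """Return a list of findings; an empty list means the service matches the design."""
    findings = []

    # Without acceptance, any allowed principal's endpoint connects with no review step.
    if not service.get("AcceptanceRequired", False):
        findings.append("AcceptanceRequired is false: allowed principals connect without review")

    # A private DNS name that is not verified will not be honoured by consumers.
    dns_state = service.get("PrivateDnsNameConfiguration", {}).get("State")
    if service.get("PrivateDnsName") and dns_state != "verified":
        findings.append(
            f"private DNS name {service['PrivateDnsName']} is not verified (state={dns_state})"
        )

    if not allowed_principals:
        findings.append("no allowed principals: no other account can request a connection")

    for entry in allowed_principals:
        principal = entry.get("Principal", "")
        if principal == "*":
            findings.append("allowed principal '*' exposes the service to every AWS account")
            continue
        match = ACCOUNT_RE.match(principal)
        if not match:
            findings.append(f"unrecognised principal format: {principal}")
        elif match.group(1) not in expected_accounts:
            findings.append(f"unexpected account {match.group(1)} is allowed to connect")
    return findings


def dns_stays_private(resolved_addresses, consumer_vpc_cidr):
    """True when every address the private DNS name resolves to lies inside the consumer VPC.

    In Account B the addresses would come from socket.getaddrinfo(private_dns_name, 443);
    interface endpoint ENIs live in the consumer's subnets, so a public address here means
    the request is leaving the VPC instead of using PrivateLink.
    """
    network = ipaddress.ip_network(consumer_vpc_cidr)
    return all(ipaddress.ip_address(addr) in network for addr in resolved_addresses)


if __name__ == "__main__":
    expected = {"222222222222"}  # placeholder: Account B
    print("findings:", audit_endpoint_service(SAMPLE_SERVICE, SAMPLE_PRINCIPALS, expected))

    # Constructed "loosened" variant: acceptance disabled and service opened to everyone.
    loose_service = dict(SAMPLE_SERVICE, AcceptanceRequired=False)
    loose_principals = [{"PrincipalType": "All", "Principal": "*"}]
    print("findings:", audit_endpoint_service(loose_service, loose_principals, expected))

    # Constructed resolution results for the consumer VPC 10.1.0.0/16.
    print("private:", dns_stays_private(["10.1.10.5", "10.1.11.7"], "10.1.0.0/16"))
    print("private:", dns_stays_private(["203.0.113.10"], "10.1.0.0/16"))
```

Run it against real output by piping the two `describe-*` calls through `json.load` and passing the `ServiceConfigurations[0]` and `AllowedPrincipals` members; the audit is deliberately read-only so it can live in a scheduled compliance job.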

Thank you for reading!
