{
  "content": "# AWS PrivateLink: What It Is and When to Use It\n\n## Definition\n\nAWS PrivateLink is a networking service that provides secure, private connectivity between your Virtual Private Clouds (VPCs), supported AWS services, and your on-premises networks. It solves the problem of exposing services to the public internet by ensuring that all network traffic remains on the private AWS global network.\n\n## How It Works\n\nAWS PrivateLink operates on a provider/consumer model, enabling service-level connectivity rather than full network-level access.\n\n1.  **Service Provider**: The owner of an application or service (the \"provider\") first places their application instances—such as [Amazon EC2](/terms/ec2) instances or containers—behind a [Network Load Balancer (NLB)](/terms/nlb) within their VPC. They then create a **[VPC Endpoint](/terms/vpc-endpoint) Service**, which registers the NLB and makes the service available for connection.\n\n2.  **Service Consumer**: A consumer who wants to access the service creates an **Interface VPC Endpoint** in their own VPC. This action provisions an [Elastic Network Interface (ENI)](/terms/eni) with a private IP address from the consumer's own subnet. This ENI acts as the secure entry point for all traffic destined for the provider's service.\n\n3.  **Data Flow**: When an application in the consumer's VPC sends a request to the service, it resolves to the private IP of the endpoint ENI. The traffic is then securely routed over the AWS backbone to the provider's NLB and onward to the service, never traversing the public internet. This connection is unidirectional, meaning only the consumer can initiate requests to the provider.\n\nThis architecture simplifies network management by eliminating the need for Internet Gateways, [NAT Gateway](/terms/nat-gateway)s, public IP addresses, or complex [VPC Peering](/terms/vpc-peering) route table configurations. 
PrivateLink also inherently supports overlapping IP address ranges between the provider and consumer VPCs, a common obstacle for other connectivity methods such as VPC Peering, because the consumer only ever addresses its own endpoint ENI.\n\n## Key Features and Limits\n\n*   **Secure & Private**: Traffic never touches the public internet, and the service is reachable only through the endpoint ENI, which shrinks the attack surface. The endpoint is still a network path, though: its policy defaults to allowing every principal and every resource, so lock it down (see Granular Access Control below) or it can carry data to resources outside your accounts.\n*   **Simplified Networking**: Avoids the need for Internet Gateways, NAT Gateways, public IPs, and complex routing rules. It also works with overlapping CIDR blocks.\n*   **Cross-Account & Cross-Region**: Securely connect to services in other AWS accounts. AWS PrivateLink also supports native cross-region connectivity, allowing you to access services in other [AWS Region](/terms/region)s without setting up inter-region VPC peering.\n*   **Scalability**: A single endpoint service can be accessed by thousands of consumer VPCs, making it ideal for SaaS providers. Each endpoint network interface supports up to 10 Gbps per Availability Zone by default and scales automatically up to 100 Gbps.\n*   **Service Quotas (Limits)**: As of 2026, default quotas include, but are not limited to:\n    *   **Interface and Gateway Load Balancer endpoints per VPC**: 50 (adjustable)\n    *   **Gateway VPC endpoints per Region**: 20 (adjustable)\n    *   **VPC endpoint policy size**: 20,480 characters (not adjustable)\n\n## Common Use Cases\n\n1.  **Private Access to AWS Services**: Connect to services like [Amazon S3](/terms/s3), [Amazon Kinesis](/terms/kinesis), [AWS Lambda](/terms/lambda), and the Amazon EC2 API from within a private subnet without requiring a NAT Gateway or Internet Gateway. API calls stay off the internet, and that traffic no longer pays the NAT Gateway's per-GB processing charge.\n\n2.  **Building Multi-Tenant SaaS Applications**: SaaS providers can offer their services to customers securely and privately. Each customer connects from their own VPC to the provider's service via PrivateLink; the provider's allow list and connection acceptance decide which customer accounts get in, and the NLB's Proxy Protocol v2 header tells the service which customer endpoint each connection came from.\n\n3.  
**Secure Microservice Communication**: In a microservices architecture, different services deployed across multiple VPCs can communicate securely and efficiently without full network peering. Each service exposes only its own listener, not its whole VPC, and the arrangement works even when the VPCs have overlapping IP addresses.\n\n4.  **Hybrid Cloud Connectivity**: On-premises applications can connect to AWS services over [AWS Direct Connect](/terms/direct-connect) or a VPN through an interface endpoint. This keeps all traffic, from the data center to the AWS service, off the public internet. Only interface endpoints can be reached this way: Gateway endpoints for S3 and DynamoDB are route-table targets inside the VPC and are not reachable from on-premises networks or peered VPCs.\n\n5.  **Centralized Shared Services**: Organizations with many VPCs can create a central \"shared services\" VPC to host common applications (e.g., logging, authentication). Other VPCs can then consume these services via PrivateLink, which is more scalable than managing a large mesh of VPC Peering connections.\n\n## Pricing Model\n\nAWS PrivateLink pricing is based on its primary component, the Interface VPC Endpoint. The cost structure has two main parts:\n\n*   **Hourly Charge**: You are billed for each hour that an Interface VPC Endpoint is provisioned in each Availability Zone. A highly available endpoint in three AZs will incur three times the hourly charge of a single-AZ endpoint.\n*   **Data Processing Charge**: There is a per-Gigabyte charge for all data processed through the Interface Endpoint. This rate is typically a fraction of the data processing charge for a NAT Gateway.\n\nCross-region traffic will also incur standard inter-region data transfer fees in addition to the PrivateLink charges. 
It is important to note that **Gateway VPC Endpoints**, which are used exclusively for Amazon S3 and DynamoDB, are free and do not use PrivateLink technology.\n\nFor detailed, up-to-date pricing, always consult the official [AWS PrivateLink Pricing](https://aws.amazon.com/privatelink/pricing/) page.\n\n## Pros and Cons\n\n**Pros:**\n*   **Enhanced Security**: The primary benefit is eliminating public internet exposure for service traffic.\n*   **Simplified Network Architecture**: No need for NAT/Internet Gateways, public IPs, or complex route tables. It also resolves the overlapping CIDR block issue.\n*   **Scalable for Service Providers**: A one-to-many model allows SaaS providers and internal teams to securely offer services to thousands of consumers without complex network configurations.\n*   **Granular Access Control**: Access is controlled at three layers: the provider's endpoint service allow list and connection acceptance (which accounts may connect at all), [Security Group](/terms/security-group)s on the endpoint ENI (which consumer workloads may reach it), and VPC Endpoint Policies (which principals may call which resources through it). The endpoint policy defaults to full access for every principal and resource; for endpoints to AWS services, restrict it with the `aws:PrincipalOrgID` and `aws:ResourceOrgID` condition keys so the endpoint cannot be used to move data to accounts outside your organization.\n\n**Cons:**\n*   **Cost**: Interface Endpoints have an hourly and data processing cost, making them more expensive than Gateway Endpoints (which are free) or VPC Peering (which only charges for data transfer).\n*   **Service-Specific, Not Network-Wide**: PrivateLink provides access to a specific service, not general network connectivity between VPCs. 
For full L3 connectivity, VPC Peering or Transit Gateway is required.\n*   **Configuration Overhead**: Setting up an Endpoint Service requires a Network Load Balancer and proper configuration, and the provider must manage the allow list and connection acceptance for each consumer, which adds a layer of complexity for the service provider.\n\n## Comparison with Alternatives\n\n| Feature | AWS PrivateLink | VPC Peering | [AWS Transit Gateway](/terms/transit-gateway) |\n| :--- | :--- | :--- | :--- |\n| **Connectivity Model** | Unidirectional, service-level access (Consumer -> Provider) | Bidirectional, full network (VPC <-> VPC) | Bidirectional, hub-and-spoke model (VPC <-> Hub <-> VPC) |\n| **Transitive Routing** | No | No (requires full mesh for multi-VPC) | Yes (simplifies routing at scale) |\n| **Overlapping CIDRs** | Supported | Not Supported | Not Supported |\n| **Primary Use Case** | Securely exposing/consuming a specific service. | Simple, one-to-one VPC connections. | Centralized routing for many VPCs and on-premises networks. |\n| **Scalability** | High (thousands of consumer VPCs to one service) | Low (default quota of 50 active peering connections per VPC, adjustable up to 125) | High (thousands of attachments) |\n\n## Exam Relevance\n\nAWS PrivateLink is a critical topic for several AWS certifications, particularly those focused on networking and architecture.\n\n*   **AWS Certified Solutions Architect - Associate (SAA-C03)**: Expect questions that test your ability to choose the correct connectivity method. You'll need to know when to use PrivateLink for security over a NAT Gateway, or when to use it instead of VPC Peering to handle overlapping CIDRs.\n*   **AWS Certified Solutions Architect - Professional (SAP-C02)**: Questions will delve deeper into complex, multi-account, and hybrid architectures. You should understand how PrivateLink fits into a shared services VPC model and its advantages for SaaS providers.\n*   **AWS Certified Advanced Networking - Specialty (ANS-C01)**: This exam requires expert-level knowledge. 
You must understand the detailed mechanics of endpoint services, NLB integration, endpoint policies, DNS resolution, and how PrivateLink compares to Transit Gateway and Direct Connect for various scenarios.\n\n## Frequently Asked Questions\n\n### Q: What is the difference between an Interface Endpoint and a Gateway Endpoint?\nA: **Interface Endpoints** are powered by AWS PrivateLink and create a network interface (ENI) with a private IP in your subnet. They support most AWS services, have an hourly and data processing cost, can be secured with security groups, and can be reached from on-premises networks over Direct Connect or VPN. **Gateway Endpoints** are a different technology used only for Amazon S3 and DynamoDB. They act as a target in your VPC's route table, do not use PrivateLink, are free of charge, do not support security groups, and can only be used from within the VPC they are attached to (not from on-premises networks or peered VPCs).\n\n### Q: Can I use AWS PrivateLink to connect to a service in another AWS Region?\nA: Yes. AWS PrivateLink natively supports cross-region connectivity for both AWS services and custom NLB-based endpoint services. This allows a consumer in one region to create an interface endpoint that connects to a service provider in a different region, without needing to set up Inter-Region VPC Peering or other complex networking.\n\n### Q: Does AWS PrivateLink support overlapping IP address ranges (CIDRs)?\nA: Yes. Because the connection is established through a network interface in the consumer's VPC that maps to the provider's service, the underlying IP ranges of the two VPCs are abstracted away. This is a major advantage over VPC Peering, which does not allow connections between VPCs with overlapping CIDRs.\n\n---\n*This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the [official AWS documentation](https://docs.aws.amazon.com/) before making production decisions.*",
  "contentPlain": "# AWS PrivateLink: What It Is and When to Use It\n\n## Definition\n\nAWS PrivateLink is a networking service that provides secure, private connectivity between your Virtual Private Clouds (VPCs), supported AWS services, and your on-premises networks. It solves the problem of exposing services to the public internet by ensuring that all network traffic remains on the private AWS global network.\n\n## How It Works\n\nAWS PrivateLink operates on a provider/consumer model, enabling service-level connectivity rather than full network-level access.\n\n1.  **Service Provider**: The owner of an application or service (the \"provider\") first places their application instances—such as Amazon EC2 instances or containers—behind a Network Load Balancer (NLB) within their VPC. They then create a **VPC Endpoint Service**, which registers the NLB and makes the service available for connection.\n\n2.  **Service Consumer**: A consumer who wants to access the service creates an **Interface VPC Endpoint** in their own VPC. This action provisions an Elastic Network Interface (ENI) with a private IP address from the consumer's own subnet. This ENI acts as the secure entry point for all traffic destined for the provider's service.\n\n3.  **Data Flow**: When an application in the consumer's VPC sends a request to the service, it resolves to the private IP of the endpoint ENI. The traffic is then securely routed over the AWS backbone to the provider's NLB and onward to the service, never traversing the public internet. This connection is unidirectional, meaning only the consumer can initiate requests to the provider.\n\nThis architecture simplifies network management by eliminating the need for Internet Gateways, NAT Gateways, public IP addresses, or complex VPC Peering route table configurations. 
It also inherently supports overlapping IP address ranges between the provider and consumer VPCs, a common challenge with other connectivity methods like VPC Peering.\n\n## Key Features and Limits\n\n*   **Secure & Private**: Traffic is isolated from the public internet, significantly reducing the attack surface.\n*   **Simplified Networking**: Avoids the need for Internet Gateways, NAT Gateways, public IPs, and complex routing rules. It also works seamlessly with overlapping CIDR blocks.\n*   **Cross-Account & Cross-Region**: Securely connect to services in other AWS accounts. As of late 2025, AWS PrivateLink now supports native cross-region connectivity, allowing you to access services in other AWS Regions without setting up inter-region VPC peering.\n*   **Scalability**: A single endpoint service can be accessed by thousands of consumer VPCs, making it ideal for SaaS providers. Each endpoint can scale automatically from a default of 10 Gbps up to 100 Gbps of bandwidth per Availability Zone.\n*   **Service Quotas (Limits)**: As of 2026, default quotas include, but are not limited to:\n    *   **Interface and Gateway Load Balancer endpoints per VPC**: 50 (adjustable)\n    *   **Gateway VPC endpoints per Region**: 20 (adjustable)\n    *   **VPC endpoint policy size**: 20,480 characters (not adjustable)\n\n## Common Use Cases\n\n1.  **Private Access to AWS Services**: Connect to services like Amazon S3, Amazon Kinesis, AWS Lambda, and Amazon EC2 APIs from within a private subnet without requiring a NAT Gateway or Internet Gateway. This enhances security and can reduce data transfer costs.\n\n2.  **Building Multi-Tenant SaaS Applications**: SaaS providers can offer their services to customers securely and privately. Each customer connects from their own VPC to the provider's service via PrivateLink, ensuring data isolation and simplifying the network architecture for both parties.\n\n3.  
**Secure Microservice Communication**: In a microservices architecture, different services deployed across multiple VPCs can communicate securely and efficiently without full network peering. This is especially useful when VPCs have overlapping IP addresses.\n\n4.  **Hybrid Cloud Connectivity**: On-premises applications can connect to AWS services over AWS Direct Connect or a VPN through a VPC endpoint. This keeps all traffic, from the data center to the AWS service, off the public internet.\n\n5.  **Centralized Shared Services**: Organizations with many VPCs can create a central \"shared services\" VPC to host common applications (e.g., logging, authentication). Other VPCs can then consume these services via PrivateLink, which is more scalable than managing a large mesh of VPC Peering connections.\n\n## Pricing Model\n\nAWS PrivateLink pricing is based on its primary component, the Interface VPC Endpoint. The cost structure has two main parts:\n\n*   **Hourly Charge**: You are billed for each hour that an Interface VPC Endpoint is provisioned in each Availability Zone. A highly available endpoint in three AZs will incur three times the hourly charge of a single-AZ endpoint.\n*   **Data Processing Charge**: There is a per-Gigabyte charge for all data processed through the Interface Endpoint. This rate is often significantly lower than the data processing charge for a NAT Gateway.\n\nCross-region traffic will also incur standard inter-region data transfer fees in addition to the PrivateLink charges. 
It is important to note that **Gateway VPC Endpoints**, which are used exclusively for Amazon S3 and DynamoDB, are free and do not use PrivateLink technology.\n\nFor detailed, up-to-date pricing, always consult the official [AWS PrivateLink Pricing](https://aws.amazon.com/privatelink/pricing/) page.\n\n## Pros and Cons\n\n**Pros:**\n*   **Enhanced Security**: The primary benefit is eliminating public internet exposure for service traffic.\n*   **Simplified Network Architecture**: No need for NAT/Internet Gateways, public IPs, or complex route tables. It also resolves the overlapping CIDR block issue.\n*   **Scalable for Service Providers**: A one-to-many model allows SaaS providers and internal teams to securely offer services to thousands of consumers without complex network configurations.\n*   **Granular Access Control**: Access can be controlled using both Security Groups on the endpoint ENI and VPC Endpoint Policies.\n\n**Cons:**\n*   **Cost**: Interface Endpoints have an hourly and data processing cost, making them more expensive than Gateway Endpoints (which are free) or VPC Peering (which only charges for data transfer).\n*   **Service-Specific, Not Network-Wide**: PrivateLink provides access to a specific service, not general network connectivity between VPCs. 
For full L3 connectivity, VPC Peering or Transit Gateway is required.\n*   **Configuration Overhead**: Setting up an Endpoint Service requires a Network Load Balancer and proper configuration, which adds a layer of complexity for the service provider.\n\n## Comparison with Alternatives\n\n| Feature | AWS PrivateLink | VPC Peering | AWS Transit Gateway |\n| :--- | :--- | :--- | :--- |\n| **Connectivity Model** | Unidirectional, service-level access (Consumer -> Provider) | Bidirectional, full network (VPC <-> VPC) | Bidirectional, hub-and-spoke model (VPC <-> Hub <-> VPC) |\n| **Transitive Routing** | No | No (requires full mesh for multi-VPC) | Yes (simplifies routing at scale) |\n| **Overlapping CIDRs** | Supported | Not Supported | Not Supported |\n| **Primary Use Case** | Securely exposing/consuming a specific service. | Simple, one-to-one VPC connections. | Centralized routing for many VPCs and on-premises networks. |\n| **Scalability** | High (thousands of consumer VPCs to one service) | Low (limit of 125 peers per VPC) | High (thousands of attachments) |\n\n## Exam Relevance\n\nAWS PrivateLink is a critical topic for several AWS certifications, particularly those focused on networking and architecture.\n\n*   **AWS Certified Solutions Architect - Associate (SAA-C03)**: Expect questions that test your ability to choose the correct connectivity method. You'll need to know when to use PrivateLink for security over a NAT Gateway, or when to use it instead of VPC Peering to handle overlapping CIDRs.\n*   **AWS Certified Solutions Architect - Professional (SAP-C02)**: Questions will delve deeper into complex, multi-account, and hybrid architectures. You should understand how PrivateLink fits into a shared services VPC model and its advantages for SaaS providers.\n*   **AWS Certified Advanced Networking - Specialty (ANS-C01)**: This exam requires expert-level knowledge. 
You must understand the detailed mechanics of endpoint services, NLB integration, endpoint policies, DNS resolution, and how PrivateLink compares to Transit Gateway and Direct Connect for various scenarios.\n\n## Frequently Asked Questions\n\n### Q: What is the difference between an Interface Endpoint and a Gateway Endpoint?\nA: **Interface Endpoints** are powered by AWS PrivateLink and create a network interface (ENI) with a private IP in your subnet. They support most AWS services, have an hourly and data processing cost, and can be secured with security groups. **Gateway Endpoints** are a different technology used only for Amazon S3 and DynamoDB. They act as a target in your VPC's route table, do not use PrivateLink, are free of charge, and do not support security groups.\n\n### Q: Can I use AWS PrivateLink to connect to a service in another AWS Region?\nA: Yes. As of late 2025, AWS PrivateLink natively supports cross-region connectivity for both AWS services and custom NLB-based endpoint services. This allows a consumer in one region to create an interface endpoint that connects to a service provider in a different region, without needing to set up Inter-Region VPC Peering or other complex networking.\n\n### Q: Does AWS PrivateLink support overlapping IP address ranges (CIDRs)?\nA: Yes, absolutely. Because the connection is established through a network interface in the consumer's VPC that maps to the provider's service, the underlying IP ranges of the two VPCs are abstracted away. This is a major advantage over VPC Peering, which does not allow connections between VPCs with overlapping CIDRs.\n\n---\n*This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the [official AWS documentation](https://docs.aws.amazon.com/) before making production decisions.*",
  "faq": [
    {
      "question": "What is the difference between an Interface Endpoint and a Gateway Endpoint?",
      "answer": "Interface Endpoints are powered by AWS PrivateLink and create a network interface (ENI) with a private IP in your subnet. They support most AWS services, have an hourly and data processing cost, and can be secured with security groups. Gateway Endpoints are a different technology used only for Amazon S3 and DynamoDB. They act as a target in your VPC's route table, do not use PrivateLink, are free of charge, and do not support security groups."
    },
    {
      "question": "Can I use AWS PrivateLink to connect to a service in another AWS Region?",
      "answer": "Yes. As of late 2025, AWS PrivateLink natively supports cross-region connectivity for both AWS services and custom NLB-based endpoint services. This allows a consumer in one region to create an interface endpoint that connects to a service provider in a different region, without needing to set up Inter-Region VPC Peering or other complex networking."
    },
    {
      "question": "Does AWS PrivateLink support overlapping IP address ranges (CIDRs)?",
      "answer": "Yes, absolutely. Because the connection is established through a network interface in the consumer's VPC that maps to the provider's service, the underlying IP ranges of the two VPCs are abstracted away. This is a major advantage over VPC Peering, which does not allow connections between VPCs with overlapping CIDRs."
    }
  ]
}

Published: 5/11/2026 / Updated: 5/13/2026
