Why AWS recommends to avoid the use of public/internet gateways in favor of AWS PrivateLink and VPC endpoints?


A VPC endpoint enables connections between a virtual private cloud (VPC) and supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Therefore, your VPC is not exposed to the public internet.

AWS PrivateLink is a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not need to use an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to communicate with the service. Therefore, your VPC is not exposed to the public internet.

What's so insecure about using the public internet if all my incoming (to AWS)/outgoing (from AWS) connections use HTTPS? Could this still be decrypted?

I'm not very knowledgeable in networking/security, that's why I'm asking.

1

There is 1 answer

0
Marcin

I think you are confusing two architectures.

  1. Public applications - available over the internet. They require direct or proxied internet access. One way to secure them is through HTTPS, as you do. For them to work, your VPC needs an internet gateway and/or NAT as well.
  2. Private applications - those applications are meant to be accessible only from within AWS. Thus internet access to these applications is not required, and is bad practice. This is where AWS PrivateLink can be used. It allows you to expose your application to other AWS users without them needing internet access or even access to your VPC. They can access your private applications from their own accounts and VPCs.
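As an added illustration of the two architectures in the answer (this is not code from the question, the answer, or any AWS tool): a Python check over route-table and endpoint records in the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` output, with constructed sample data and hypothetical IDs. It separates subnets whose default route goes to an internet gateway or NAT (public architecture) from subnets that reach AWS services only through VPC endpoints (private architecture), which is the property the accepted practice asks you to verify.

```python
# Constructed sample in the shape of `aws ec2 describe-route-tables` and
# `aws ec2 describe-vpc-endpoints` output; all IDs are hypothetical.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-nat", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-0s3"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0s3", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "RouteTableIds": ["rtb-private"]},
    {"VpcEndpointId": "vpce-0sm", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.secretsmanager", "SubnetIds": ["subnet-db"]},
]

def egress_path(route_table):
    """'igw', 'nat' or None depending on where the 0.0.0.0/0 route points."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            if str(route.get("GatewayId", "")).startswith("igw-"):
                return "igw"
            if route.get("NatGatewayId"):
                return "nat"
    return None

def classify_subnets(route_tables, endpoints):
    """Per subnet: internet egress path (if any) plus the services reachable through
    endpoints. Gateway endpoints attach to route tables, interface ones to subnets."""
    rtb_subnets = {rt["RouteTableId"]: [a["SubnetId"] for a in rt["Associations"]
                                        if "SubnetId" in a] for rt in route_tables}
    result = {}
    for rt in route_tables:
        for subnet in rtb_subnets[rt["RouteTableId"]]:
            result[subnet] = {"egress": egress_path(rt), "services": set()}
    for ep in endpoints:
        if ep["VpcEndpointType"] == "Gateway":
            subnets = [s for rtb in ep["RouteTableIds"] for s in rtb_subnets.get(rtb, [])]
        else:
            subnets = ep["SubnetIds"]
        for subnet in subnets:
            if subnet in result:
                result[subnet]["services"].add(ep["ServiceName"])
    return result

def internet_exposed(route_tables, endpoints):
    """Subnets with an internet path; empty for a purely private application."""
    classified = classify_subnets(route_tables, endpoints)
    return sorted(s for s, info in classified.items() if info["egress"])
```

For a real account, feed the functions the parsed JSON of the two CLI commands; any subnet that hosts a private application and still appears in `internet_exposed` is the case the answer calls bad practice.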