AWS has launched a new feature, PrivateLink (「New – AWS PrivateLink for AWS Services: Kinesis, Service Catalog, EC2 Systems Manager, Amazon EC2 APIs, and ELB APIs in your VPC」). AWS describes PrivateLink as the next generation of VPC endpoint: like the existing endpoint, its job is to let a purely private environment with no NAT Gateway and no Internet Gateway reach AWS services.
PrivateLink is positioned to replace the existing (gateway) VPC endpoint. The differences are:
- PrivateLink places an ENI in your VPC, and that ENI connects you directly to the service you need (e.g. Kinesis); a gateway VPC endpoint instead routes traffic out through a route-table entry pointing at the gateway.
- Because PrivateLink uses ENIs, availability is per AZ: an ENI lives in one subnet in one AZ, so create the endpoint in subnets spanning at least two AZs.
- Because PrivateLink uses ENIs, each ENI consumes one IP address from its subnet.
- Because PrivateLink uses ENIs, the endpoint carries a security group, and that group must allow the inbound traffic (ports 443 and 80). Restrict the source to the client subnets or the VPC CIDR rather than opening it to 0.0.0.0/0.
- PrivateLink relies on Amazon DNS (with the endpoint's private DNS option enabled) to resolve the service hostname to the ENI's IP. The resolvers that return the private answer are the Amazon-provided DNS at the VPC CIDR base + 2 (the .2 address is reserved for it in every subnet) and 169.254.169.253. Any other resolver (e.g. 8.8.8.8) returns the service's public Internet IP, and traffic then bypasses the endpoint entirely.
For now the gateway VPC endpoint and PrivateLink coexist:
- APIs supported by PrivateLink (service names are per region; ap-northeast-1 shown):
- Kinesis (com.amazonaws.ap-northeast-1.kinesis-streams)
- Service Catalog (com.amazonaws.ap-northeast-1.servicecatalog)
- Amazon EC2 (com.amazonaws.ap-northeast-1.ec2, com.amazonaws.ap-northeast-1.ec2messages)
- EC2 Systems Manager (com.amazonaws.ap-northeast-1.ssm)
- Elastic Load Balancing (com.amazonaws.ap-northeast-1.elasticloadbalancing)
- APIs supported by the gateway VPC endpoint:
- DynamoDB (com.amazonaws.ap-northeast-1.dynamodb)
- S3 (com.amazonaws.ap-northeast-1.s3)
Available in every region except China (Beijing):
AWS PrivateLink is available today in all AWS commercial regions except China (Beijing). For the region availability of individual services
Pricing:
- $0.01 USD per hour per endpoint, per AZ it is provisioned in
- $0.01 USD per GB of data processed
- EC2 data transfer (cross-AZ, Direct Connect) is billed separately
Pricing starts at $0.01 / hour plus a data processing charge at $0.01 / GB. Data transferred between availability zones, or between your Endpoint and your premises via Direct Connect will also incur the usual EC2 Regional and Direct Connect data transfer charges
If you run your own DNS server (hybrid-cloud setup), add a conditional forwarder so that queries for amazonaws.com go to 169.254.169.253. Note that 169.254.169.253 is a link-local address reachable only from inside the VPC, so the forwarding resolver itself must run on an instance in the VPC; on-premises clients then point at that resolver, not at 169.254.169.253 directly.
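The following example, added here and not taken from AWS or the original post, pulls the points above together: it builds the parameters for an interface endpoint while enforcing the two-AZ and one-IP-per-subnet considerations, generates a security-group rule set limited to the client range, and then checks resolver answers the way you would after cutting over (the same check applies to the hybrid-DNS forwarder described above: an on-prem resolver that forwards amazonaws.com into the VPC should classify as "endpoint", not "public"). The VPC CIDR, subnet-to-AZ map and resolver answers are constructed sample data, and the create-vpc-endpoint parameters are only built, never sent to the EC2 API.

```python
"""Plan a PrivateLink interface endpoint and verify that clients actually use it.

Added example for this post; it is not AWS's own code. The VPC CIDR, the
subnet-to-AZ map and the resolver answers are constructed sample data, and the
create-vpc-endpoint parameters are only built here, not sent to the EC2 API.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample VPC and subnet layout (two subnets in 1a, one in 1c).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNET_AZ = {
    "subnet-a1": "ap-northeast-1a",
    "subnet-a2": "ap-northeast-1a",
    "subnet-c1": "ap-northeast-1c",
}
# Ports the post says the endpoint's security group must allow.
ENDPOINT_PORTS = (443, 80)


def amazon_dns_for(vpc: ipaddress.IPv4Network) -> str:
    """The Amazon-provided resolver lives at the VPC CIDR base + 2."""
    return str(vpc.network_address + 2)


def azs_covered(subnet_ids: List[str]) -> Set[str]:
    """Distinct AZs spanned by the given subnets (each endpoint ENI lives in one AZ)."""
    return {SUBNET_AZ[s] for s in subnet_ids}


def plan_interface_endpoint(vpc_id: str, service: str,
                            subnet_ids: List[str], sg_id: str) -> dict:
    """Build the parameters for `aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface`.

    Refuses subnet sets that cover fewer than two AZs, and keeps only one subnet
    per AZ: one ENI per AZ gives the availability, and every extra ENI burns
    another subnet IP for no benefit.
    """
    if len(azs_covered(subnet_ids)) < 2:
        raise ValueError("interface endpoint needs subnets in at least two AZs")
    one_per_az: Dict[str, str] = {}
    for sid in subnet_ids:
        one_per_az.setdefault(SUBNET_AZ[sid], sid)
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": service,
        "SubnetIds": sorted(one_per_az.values()),
        "SecurityGroupIds": [sg_id],
        "PrivateDnsEnabled": True,   # so the service hostname resolves to the ENI
    }


def sg_ingress_rules(client_cidr: str) -> List[dict]:
    """Ingress rules for the endpoint's security group, limited to the client range.

    Only clients inside the VPC need to reach the ENI, so the source is the VPC
    (or client subnet) CIDR, never 0.0.0.0/0.
    """
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": client_cidr}]} for p in ENDPOINT_PORTS]


def classify_answers(answers: Dict[str, List[str]],
                     vpc: ipaddress.IPv4Network) -> Dict[str, str]:
    """For each resolver, say whether its answer for the service hostname lands
    on the endpoint ENIs (inside the VPC CIDR) or on the public service IPs."""
    return {
        resolver: "endpoint" if all(ipaddress.ip_address(ip) in vpc for ip in ips) else "public"
        for resolver, ips in answers.items()
    }


def resolvers_that_leak(answers: Dict[str, List[str]],
                        vpc: ipaddress.IPv4Network) -> List[str]:
    """Resolvers whose answer would send traffic past the endpoint to the Internet."""
    return sorted(r for r, v in classify_answers(answers, vpc).items() if v == "public")


# Constructed answers for the Kinesis hostname from three resolvers: the VPC
# resolver and 169.254.169.253 hand back the ENI addresses, 8.8.8.8 the public ones.
SAMPLE_ANSWERS = {
    amazon_dns_for(VPC_CIDR): ["10.0.1.17", "10.0.2.45"],
    "169.254.169.253":        ["10.0.1.17", "10.0.2.45"],
    "8.8.8.8":                ["52.0.0.10", "52.0.0.11"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_interface_endpoint(
        "vpc-0123", "com.amazonaws.ap-northeast-1.kinesis-streams",
        list(SUBNET_AZ), "sg-0123"), indent=2))
    print(classify_answers(SAMPLE_ANSWERS, VPC_CIDR))
    print("leaking resolvers:", resolvers_that_leak(SAMPLE_ANSWERS, VPC_CIDR))
```

In a real deployment you would feed the planned parameters to `aws ec2 create-vpc-endpoint` (or boto3's `create_vpc_endpoint`) and replace the constructed answers with what `dig @<resolver> kinesis.ap-northeast-1.amazonaws.com` returns from an instance in the VPC; any resolver that comes back as "public" is one your clients must not be using.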