How to create cross account VPC Endpoint Services ?
From security standpoint, It’s best practice to use VPC endpoint services rather than VPC peering.
What is VPC Endpoint Service:
You can access Network/Gateway Load balancer from one account to another over Privatlink (without peering) in same region.
Why not VPC peering:
- Advantage of creating multiple VPC’s and segregating them is to reduce the blast radius in case of security event. If VPC peering is enabled then all traffic is allowed and only restriction is at Security Group and NACL levels.
- Compromised resources in one VPC can hamper services in another account if Security groups/NACL’s are not restricted and specially if ingress Security group is wide open.
- NACL’s are hard to manage at scale and stateless. Ephemeral port range needs to be allowed at NACL and a lot of AWS services uses wide port range i.e.1024–65535. Security Groups can be configured/managed via AWS Firewall Manager at scale.
- You have to request/accept VPC peering and manage all route tables that point to pcx-xxxx connection. Not a good solution at scale (Transit Gateway is better option).
Why VPC Peering:
- VPC endpoint services do not work cross region. E.g:- Service in Oregon region cannot talk to service in N.Virginia over Privatelink. If you can’t deploy service in each region then you need VPC peering i.e.cross region access.
- If service can’t use NLB/GLB due to application limitation then Peering is only option.
** Other option is also that you can make service public and whitelist source account NAT Gateway IP addresses in destination account’s security groups. In general, we should avoid creating public resources.
How to create VPC Endpoint service :
In Account A (which needs to expose this service via privatelink)
- VPC -> Endpoint Services -> Create endpoint service -> Select available Network/Gateway load balancer and click Create.
- Click “Allow Principals” here : Example-> “arn:aws:iam::<Account-ID>:root”
- Login to Account B which needs to reach above Endpoint Service. We have to create VPC Endpoint in that account :
- You can search for that endpoint name we created in Account A. Click “Create Endpoint”. Afterwards, you should be able to reach NLB/GLB endpoint services from Account B.
- Afterwards, you can list under “Endpoint connections” that can reach your endpoint service :
- You can also set Notifications for any new endpoint requests (Create/Delete requests):
** You can set Acceptance required and if it’s enabled then you have to accept endpoint requests in Account A.
**Please make sure that you allow CIDR range and required ports in Security groups or check NACL’s. NLB’s don’t have Security groups. Check Security groups associated with target groups/backend nodes associated with NLB.
VPC Endpoint per AZ/hour : $0.01