Cross-VPC Resource Access: Connecting Your VPC Resources Securely
Key Takeaways:
- VPC resources: anything that resides in a VPC, such as EC2 instances, databases, clusters, or on-premises resources connected to the VPC.
- Benefits of Cross-VPC Resource Access:
  - Integrates with AWS Resource Access Manager (RAM) to share resources across accounts.
  - Combines VPC Endpoint and VPC Lattice constructs to enable private access to VPC resources.
  - Supports on-premises connectivity to access VPC resources.
Provider Experience: Sharing VPC Resources
- Create a Resource Gateway: A point of ingress for traffic to access VPC resources.
- Define a Resource Configuration: A logical representation of a resource or group of resources to be shared.
- Share the Resource Configuration: Use AWS RAM to share the resource configuration with other accounts.
Consumer Experience: Accessing Shared VPC Resources
Consumers have three options to access shared VPC resources:
- VPC Endpoint: Create a VPC Endpoint of type "Resource" to directly access the shared resource.
- Service Network Endpoint: Add the shared resource configuration to a Service Network, then connect the Service Network to the consumer's VPC using a Service Network Endpoint.
- Service Network VPC Association: Connect the consumer's VPC to the Service Network containing the shared resource configuration.
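The provider steps above (gateway, resource configuration, RAM share) and the consumer's first option (a VPC Endpoint of type "Resource") as one end-to-end AWS CLI script. This is an added example, not code from the page or from AWS; every account number, VPC, subnet, security-group and resource-configuration identifier is a constructed placeholder, and the flag names follow the VPC Lattice and RAM CLI as I know them (confirm against `aws vpc-lattice help` before relying on them). By default the script runs in dry-run mode and prints each call instead of executing it, so the sequence can be reviewed without credentials; set DRY_RUN=0 to execute.

```shell
#!/bin/sh
# Added example (not AWS code): share one private database across accounts.
# All identifiers below are constructed placeholders.
set -eu

# DRY_RUN=1 (default) prints each AWS CLI call instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# --- Provider account ---------------------------------------------------------
PROVIDER_VPC="vpc-0provider0000001"        # placeholder
PROVIDER_SUBNET="subnet-0provider000001"   # placeholder
GATEWAY_SG="sg-0gateway000000001"          # placeholder: only allow the resource's port
DB_IP="10.0.1.25"                          # placeholder: private IP of the database
CONSUMER_ACCOUNT="111122223333"            # placeholder consumer account id
# In a real run the next two values come from the output of the preceding
# call (for example: --query id --output text); fixed here for the dry run.
GATEWAY_ID="rgw-0123456789abcdef0"
RESOURCE_CONFIG_ARN="arn:aws:vpc-lattice:us-east-1:999999999999:resourceconfiguration/rcfg-0123456789abcdef0"

# Step 1: the Resource Gateway is the ingress point in the provider VPC. Its
# security group is where the provider limits what reaches the resource.
create_resource_gateway() {
  run aws vpc-lattice create-resource-gateway \
    --name "$1" --vpc-identifier "$2" \
    --subnet-ids "$3" --security-group-ids "$4" \
    --ip-address-type IPV4
}

# Step 2: a SINGLE resource configuration addressed by private IP, exposing
# only the port range given (least exposure: one port, one protocol).
create_single_ip_resource_config() {
  run aws vpc-lattice create-resource-configuration \
    --name "$1" --type SINGLE \
    --resource-gateway-identifier "$2" \
    --resource-configuration-definition "ipResource={ipAddress=$3}" \
    --port-ranges "$4" --protocol TCP
}

# Step 3: share the configuration with a named principal via AWS RAM.
# --no-allow-external-principals keeps the share inside your organization;
# drop it only if the consumer account is outside the organization.
share_resource_configuration() {
  run aws ram create-resource-share \
    --name "$1" --resource-arns "$2" --principals "$3" \
    --no-allow-external-principals
}

provider_share() {
  create_resource_gateway "db-ingress" "$PROVIDER_VPC" "$PROVIDER_SUBNET" "$GATEWAY_SG"
  create_single_ip_resource_config "orders-db" "$GATEWAY_ID" "$DB_IP" "5432"
  share_resource_configuration "orders-db-share" "$RESOURCE_CONFIG_ARN" "$CONSUMER_ACCOUNT"
}

# --- Consumer account ---------------------------------------------------------
CONSUMER_VPC="vpc-0consumer0000001"        # placeholder
CONSUMER_SUBNET="subnet-0consumer000001"   # placeholder
ENDPOINT_SG="sg-0endpoint000000001"        # placeholder: restrict which clients may use the endpoint

# Option 1 from the list: a VPC Endpoint of type Resource pointing at the
# shared resource configuration. The endpoint's DNS name is what clients use.
create_resource_endpoint() {
  run aws ec2 create-vpc-endpoint \
    --vpc-id "$1" --vpc-endpoint-type Resource \
    --resource-configuration-arn "$2" \
    --subnet-ids "$3" --security-group-ids "$4"
}

consumer_connect() {
  create_resource_endpoint "$CONSUMER_VPC" "$RESOURCE_CONFIG_ARN" "$CONSUMER_SUBNET" "$ENDPOINT_SG"
}

provider_share
consumer_connect
```

Two security groups do the real access control here: the gateway's group on the provider side bounds what the shared path can reach, and the endpoint's group on the consumer side bounds which clients may use it; neither step grants anything to the consumer beyond the one port range named in the resource configuration.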
Pricing and Availability
- No hourly charges for sharing resources or creating Resource Gateways.
- Charges for VPC Endpoints and Service Network configurations.
- Data processing charges similar to AWS PrivateLink.
- Launch partners include Amazon EventBridge, AWS Step Functions, Grafana, Neo4j, and more.
Technical Deep Dive
- Resource Gateway: Provides a point of ingress for traffic to access VPC resources.
- Resource Configuration: Represents a resource or group of resources to be shared, identified by IP address, domain name, or ARN.
- Supported resource types:
  - Single resource
  - Group resource (for clusters)
  - ARN resource (for RDS databases)
- Data path:
  - The consumer resolves a unique DNS name for the shared resource.
  - Traffic flows through the Resource Gateway, which performs Network Address Translation and port mapping.
  - Supports IPv4-to-IPv6 translation, source port translation, and routing to on-premises or peered VPCs.
Overall, Cross-VPC Resource Access simplifies and secures connectivity between VPC resources across accounts, enabling new use cases and streamlining network architectures.