Understanding AWS VPCs and Subnets - amazon-web-services

Go easy on me as I'm new to software development, but I've been tasked with creating an application that is hosted in an S3 bucket and is authenticated using Cognito. When a user signs in they should be redirected to a homepage which contains the user's previous login times; these times are stored in a DynamoDB database.
What I do understand about VPCs is that they give you a private piece of the AWS cloud for your resources, and subnets divide that piece into public subnets (accessible by the internet) and private subnets (not accessible by the internet).
Now what's not clear to me is which AWS resources fall under a VPC, and which resources you should put in a private subnet and which in a public subnet. I've attached an image of an architectural solution for my application and would like some feedback on it if possible.

You might want to start with a few AWS tutorials such as:
Serverless Web Application with Cognito, API Gateway, S3, and Lambda
Build a Serverless Web Application with Amplify
In your situation, there's no need to deploy into VPC. You're not currently using any private resources (such as a MySQL database) that would need to be in VPC.
S3, API Gateway, Cognito, and DynamoDB are all AWS services. They don't run in your VPC (if you had a VPC). A VPC-hosted application could create private VPC endpoints to these services (except Cognito) but that's a relatively sophisticated use case that's not needed here, given the information available in your question.

Related

How to communicate EC2 backend with my ReactJS web app hosted in Firebase? (Using API calls)

I can't figure out how to make them talk using API calls. Previously I used API Gateways which would trigger Lambdas, and those Lambdas would interact with DynamoDB and other services and send me back a JSON response. Now I want to shift to EC2 instances and totally skip API Gateway usage, and let a server I run in EC2 do the computation for me. Do I need to deploy a web service (Django RESTful) in the EC2 instance and then call it from my frontend? If yes, I need a little guidance on how.
And suppose I want to access S3 storage from my Django RESTful service in EC2. Can I do it without having to enter the access key and ID, and use roles instead, just like how I would access S3 from the EC2 instance without an access key and ID? Traditionally with the SDK we have to use access keys and secret keys to even get authorized to use services in the SDK, so I was wondering if there was a way to get around this since the program will be running in the EC2 instance itself. One really inefficient way would be to run a batch command that makes the EC2 interact with the services I need without the SDK and with roles instead, but it is really inefficient and too much work as far as I can see.
As you are familiar with API Gateway, you can use the same to connect to your EC2 instance; it's private integration, with the use of VPC Links.
You can create an API Gateway API with private integration to provide your customers access to HTTP/HTTPS resources within your Amazon Virtual Private Cloud (Amazon VPC). Such VPC resources are HTTP/HTTPS endpoints on an EC2 instance behind a Network Load Balancer in the VPC.
You can go through this document for step-by-step integration.
If you do not want to use API Gateway anymore, then you can simply use Route 53 to route traffic to the EC2 instance; all you need is the IP address of the EC2 instance and a hosted zone created using Route 53.
Here is a tutorial for your reference.
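An added Terraform example (not from the answer or from AWS's documentation) of the private integration described: an internal NLB in front of the EC2-hosted Django service, a VPC Link to that NLB, and an API Gateway proxy route that goes through the link. The private subnet, the NLB listener/target group, the backend port 8000 and all resource names are assumptions.

```hcl
# Internal NLB in front of the EC2 instance(s) running the Django service.
# Assumed to exist elsewhere: private subnet aws_subnet.private_a and an
# NLB listener/target group forwarding TCP 8000 to the instance(s).
resource "aws_lb" "backend" {
  name               = "backend-nlb"
  internal           = true                # never exposed to the internet
  load_balancer_type = "network"
  subnets            = [aws_subnet.private_a.id]
}

# The VPC Link is what lets API Gateway reach the NLB privately.
resource "aws_api_gateway_vpc_link" "backend" {
  name        = "backend-vpc-link"
  target_arns = [aws_lb.backend.arn]
}

resource "aws_api_gateway_rest_api" "api" {
  name = "react-backend-api"
}

# Catch-all path /{proxy+} forwarded to the Django REST service.
resource "aws_api_gateway_resource" "proxy" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "{proxy+}"
}

resource "aws_api_gateway_method" "proxy" {
  rest_api_id        = aws_api_gateway_rest_api.api.id
  resource_id        = aws_api_gateway_resource.proxy.id
  http_method        = "ANY"
  authorization      = "NONE"              # put a Cognito/IAM authorizer here in production
  request_parameters = { "method.request.path.proxy" = true }
}

# Private integration: API Gateway -> VPC Link -> NLB -> EC2.
resource "aws_api_gateway_integration" "proxy" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.proxy.id
  http_method             = aws_api_gateway_method.proxy.http_method
  type                    = "HTTP_PROXY"
  integration_http_method = "ANY"
  connection_type         = "VPC_LINK"
  connection_id           = aws_api_gateway_vpc_link.backend.id
  uri                     = "http://${aws_lb.backend.dns_name}:8000/{proxy}"
  request_parameters      = { "integration.request.path.proxy" = "method.request.path.proxy" }
}
```

The frontend calls the API Gateway stage URL as before; the EC2 instance needs no public IP or security-group rule open to the internet.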

AWS Private Link vs VPC Endpoint

What is the difference between PrivateLink and VPC endpoint? As per the documentation it seems like a VPC endpoint is a gateway to access AWS services without exposing the data to the internet. But the definition of AWS PrivateLink also looks similar.
Reference Link:
https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html
Is PrivateLink a superset of VPC endpoint?
It would be really helpful if anyone provides the difference between these two with examples!
Thanks in Advance!
AWS defines them as:
VPC endpoint — The entry point in your VPC that enables you to connect privately to a service.
AWS PrivateLink — A technology that provides private connectivity between VPCs and services.
So PrivateLink is a technology allowing you to privately (without Internet) access services in VPCs. These services can be your own, or provided by AWS.
Let's say that you've developed some application and you are hosting it in your VPC. You would like to enable access to this application to services in other VPCs and other AWS users/accounts. But you don't want to set up any VPC peering nor use the Internet for that. This is where PrivateLink can be used. Using PrivateLink you can create your own VPC endpoint services which will enable other services to use your application.
In the above scenario, a VPC interface endpoint is a resource that users of your application would have to create in their VPCs to connect to your application. This is the same as when you create a VPC interface endpoint to access AWS-provided services privately (no Internet), such as Lambda, KMS or SMS.
There are also Gateway VPC endpoints, which are an older technology, replaced by PrivateLink. Gateways can only be used to access S3 and DynamoDB, nothing else.
To sum up, PrivateLink is a general technology which can be used by you or AWS to allow private access to internal services. A VPC interface endpoint is a resource that the users of such VPC services create in their own VPCs to interact with them.
Suppose there is a website xyz.com that I am hosting in a bunch of EC2 instances, exposed to the outside world through a Network Load Balancer.
Now, a client who has his/her own AWS account wants to access this xyz.com from an EC2 running in their AWS account.
One approach is to go through the Internet.
However the client wants to avoid the internet route.
He/she wants to use the AWS backbone to reach xyz.com.
The technology that enables that is AWS PrivateLink.
(Note that if you search for PrivateLink in the AWS services, there will be none.
You will get "End point services" as the closest hit.)
So, this is how to route traffic through the AWS backbone:
I, the owner of xyz.com, will create a VPC Endpoint Service (NOTE the keyword Service here).
The VPC Endpoint Service will point to my Network Load Balancer.
I will then give my VPC Endpoint Service name to the client.
The client will create a VPC Endpoint (NOTE: this is different from #1).
While creating it, the client will specify the VPC Endpoint Service name (from #1) that he got from me.
I can choose to be prompted to accept the connection from the client to my VPC Endpoint Service.
As soon as I accept it, the client can reach xyz.com from his/her EC2 instance.
There is no Internet, no Direct Connect or VPN; this simply works, and it's secure.
And which technology enabled it? AWS PrivateLink!!!
PRIVATE LINK IS THE ONLY TECHNOLOGY THAT ALLOWS 2 VPCS TO CONNECT THAT HAVE OVERLAPPING CIDR RANGES.
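The provider/consumer exchange described in this answer, as an added Terraform example that is not part of the original post. It assumes the provider's NLB `aws_lb.xyz_nlb` and the consumer's security group `aws_security_group.xyz_consumer` exist, uses a second provider alias `aws.client` for the client's account, and uses placeholder account, VPC and subnet IDs.

```hcl
# --- Provider side (owner of xyz.com) ---
# Publish the NLB as an endpoint service. Assumed: aws_lb.xyz_nlb exists.
resource "aws_vpc_endpoint_service" "xyz" {
  acceptance_required        = true        # I get prompted to accept each consumer
  network_load_balancer_arns = [aws_lb.xyz_nlb.arn]
  # Only the named client account may even request a connection (placeholder id).
  allowed_principals = ["arn:aws:iam::111111111111:root"]
}

# The service name is what I hand to the client.
output "xyz_service_name" {
  value = aws_vpc_endpoint_service.xyz.service_name
}

# --- Consumer side (client's account, provider alias aws.client) ---
provider "aws" {
  alias   = "client"
  region  = "us-east-1"                    # placeholder
  profile = "client-account"               # placeholder credentials profile
}

# The client's VPC Endpoint, created against my service name.
resource "aws_vpc_endpoint" "xyz_consumer" {
  provider           = aws.client
  vpc_id             = "vpc-0123456789abcdef0"        # placeholder client VPC
  service_name       = aws_vpc_endpoint_service.xyz.service_name
  vpc_endpoint_type  = "Interface"                    # an ENI in the client's subnet
  subnet_ids         = ["subnet-0123456789abcdef0"]   # placeholder client subnet
  security_group_ids = [aws_security_group.xyz_consumer.id]  # allow 443 from client EC2
}

# --- Provider accepts; the client's EC2 can now reach xyz.com over the AWS backbone ---
resource "aws_vpc_endpoint_connection_accepter" "xyz" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.xyz.id
  vpc_endpoint_id         = aws_vpc_endpoint.xyz_consumer.id
}
```

Because the provider and consumer each see only the NLB or the endpoint ENI, overlapping CIDR ranges between the two VPCs do not matter here.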
A useful way of understanding the differences is in how they technically connect private resources to public services.
Gateway Endpoints route traffic by adding prefix lists within a VPC route table which target the Gateway endpoint. It is a logical gateway object similar to an Internet Gateway.
In contrast, an Interface Endpoint uses PrivateLink to inject into a VPC at the subnet level, via an Elastic Network Interface (ENI), giving network interface functionality, and therefore DNS and private IP addressing, as a means to connect to AWS public services, rather than simply being routed to them.
The differences in connections offer differing advantages and disadvantages (availability, resiliency, access, scalability, etc.), which then dictate how best to connect private resources to public services.
PrivateLink is simply a very much abstracted technology to allow a more simplified connection by using DNS. The following AWS re:Invent talk offers a great overview of PrivateLink: https://www.youtube.com/watch?v=abOFqytVqBU
As you correctly mentioned in the question, neither VPC endpoints nor AWS PrivateLink are exposed to the internet. On the AWS console under VPC, there is a clear option available to create an endpoint. But there is no option/label to create an AWS PrivateLink. Actually, there is one more option/label called endpoint service. Creating an endpoint service is one way to establish an AWS PrivateLink. At one side of this AWS PrivateLink is your endpoint service and at the other side is your endpoint itself. And interestingly, we create both these sides in two different VPCs. In other words, you are connecting two VPCs with this private link (instead of using the internet or VPC peering).
Understand it like this:
VPC1 got endpoint service ----> private link -----> VPC2 got endpoint
Here the endpoint service side is the service provider while the endpoint is the service consumer. So when you have some service (maybe some application or s/w) that you think other VPC endpoints can consume, you create an endpoint service at your end and consumers will create endpoints at their end. When consumers create endpoints at their end they have to give/select your service name, and thus the private link will be established with your service.
Ultimately you can have multiple consumers of your service, just like a one-to-many relationship.

Why do VPC endpoints not support Amazon RDS?

I want to execute AWS CLI commands for RDS not via the internet but via a VPC network, mainly for creating manual snapshots of RDS.
However, VPC endpoints support only the RDS Data API according to the following document:
VPC endpoints - Amazon Virtual Private Cloud
Why? I need to execute the command within a closed network because of security rules.
Just to reiterate, you can still connect to your RDS database through the normal private network using whichever library you choose to perform any DDL, DML, DCL and TCL commands. Although in your case you want to create a snapshot, which is via the service endpoint.
VPC endpoints are to connect to the service APIs that power AWS (think of the interactions you perform in the console, SDK or CLI). At the moment this means that for RDS, to create, modify or delete resources you need to use the API over the public internet (using HTTPS for encrypted traffic).
VPC endpoints are added over time; just because a specific API is not there now does not mean it will never be there. There is an integration that has to be carried out by the team of that AWS service to allow VPC endpoints to work.

AWS S3 static site only for a group of people

There is a static website on AWS S3 bucket.
This site has to be available only for one team. It could be an authentication system, or access via an AWS Client VPN endpoint (only this team uses AWS VPN).
I have read about S3 Access Points, VPC Endpoints, Bucket Policy with VPC and IP restriction, and made some experiments. There was an idea to restrict access only for the VPC with VPN. But I cannot forward bucket traffic to the VPN tunnel, because my bucket IP address changes all the time.
And this way doesn't look straightforward.
What service or service combination can I use to implement the restriction with minimum effort?
One approach I have taken in the past is using an API Gateway as a proxy to static UI content hosted in a private S3 bucket. You can either use a public or private APIGW. With public you will need an APIGW resource policy to restrict access to the VPC endpoint. You can also use a private APIGW; the only downside is AWS doesn't support custom DNS for private API Gateways (you will be accessing your site using a URL similar to https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}; see the documentation). AWS also offers good documentation on creating an APIGW as an S3 proxy.
In this example the flow of traffic would go: client -> VPN -> VPC endpoint -> APIGW -> S3
Hopefully this helps!
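An added Terraform example (not from the answer) of the private-APIGW variant: an execute-api interface endpoint in the VPC the Client VPN lands in, and a private REST API whose resource policy only admits requests arriving through that endpoint. The VPC, subnet and security group names are assumptions; the S3 proxy methods themselves follow the AWS documentation the answer links to and are omitted here.

```hcl
# Interface endpoint for execute-api in the VPC that the Client VPN attaches to.
# Assumed to exist: aws_vpc.team, aws_subnet.team_a, aws_security_group.vpce_https.
data "aws_region" "current" {}

resource "aws_vpc_endpoint" "execute_api" {
  vpc_id              = aws_vpc.team.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.team_a.id]
  security_group_ids  = [aws_security_group.vpce_https.id]   # 443 from the VPN client CIDR
  private_dns_enabled = true
}

# Private REST API that fronts the bucket. The resource policy is the real
# access control: the explicit Deny wins over the Allow for any request that
# did not enter through the team's endpoint, so knowing the API id alone
# gives no access from the internet.
resource "aws_api_gateway_rest_api" "site" {
  name = "team-static-site"

  endpoint_configuration {
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [aws_vpc_endpoint.execute_api.id]
  }

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Deny"
        Principal = "*"
        Action    = "execute-api:Invoke"
        Resource  = "execute-api:/*"
        Condition = {
          StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.execute_api.id }
        }
      },
      {
        Effect    = "Allow"
        Principal = "*"
        Action    = "execute-api:Invoke"
        Resource  = "execute-api:/*"
      }
    ]
  })
}
```

The bucket itself should still block public access and grant `s3:GetObject` only to the IAM role the APIGW integration uses, so the endpoint policy and the bucket policy fail closed independently.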

Do I need to create a endpoint to use Elastic Load Balancer on my VPC?

I'm creating a VPC to host a web app at AWS, and I want to use load balancers. Do I need to create an endpoint for ELB like I have to for S3?
Confusingly, AWS uses 'endpoint' to refer to a couple of different things. Judging by your question, are you referring to this: https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/
Essentially, before VPC endpoints were introduced the only way to access certain AWS services was using a public URL. This is fine unless you are working in a locked-down VPC where an instance might not have access to the public internet. With the introduction of VPC endpoints a few days ago, you can now access AWS service(s) directly from a private instance.
As of right now S3 is the only one supported, but no doubt it will be rolled out to similar services, e.g. DynamoDB, SQS, SNS, etc. in the near future.
The exception to this is services that are able to live inside a VPC that you create, i.e. when creating them you tell them which VPC, and often which subnet as well, they should be created in. Examples of this are ELB, RDS, EC2, Redshift, etc. For these there is no need to create an endpoint; they already exist in your VPC and can be accessed directly.
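An added Terraform example (not from the answer) showing both cases side by side, and also the route-table behaviour of Gateway endpoints described in the PrivateLink answer earlier on this page: a load balancer that is simply created inside the VPC's subnets, and an S3 Gateway endpoint whose prefix-list route is added to the private route table. The VPC, subnets, route table, security group and bucket names are assumptions.

```hcl
# Assumed to exist: aws_vpc.app, public subnets aws_subnet.public_a/b,
# a private route table aws_route_table.private, security group
# aws_security_group.web_alb (443 from clients) and bucket aws_s3_bucket.app.
data "aws_region" "current" {}

# The load balancer is created *inside* the VPC (you name its subnets), so
# nothing extra is needed for resources in the VPC to reach it.
resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = [aws_subnet.public_a.id, aws_subnet.public_b.id]
  security_groups    = [aws_security_group.web_alb.id]
}

# S3 is a public AWS service, so a locked-down private subnet needs a
# Gateway endpoint. AWS adds the regional S3 prefix list as a route in the
# listed route tables, targeting the endpoint (no ENI, no private IP).
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.app.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]

  # Endpoint policy: instances can only reach the app's own bucket through
  # this endpoint, so a compromised instance cannot copy data to any other
  # bucket via the private path.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        aws_s3_bucket.app.arn,
        "${aws_s3_bucket.app.arn}/*"
      ]
    }]
  })
}
```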