A 3rd party service (think banking service, for instance) recommends it's clients to use SSL/TLS certificate for secure communication.
I have a private service hosted in private subnet in AWS VPC. This service initiates a conversation with this 3rd-party service in the internet via NAT Gateway. Where do I place the public SSL/TLS certificate of this 3rd party service if:
I were to host this service in EC2 instance in private subnet?
I were to host this service in private kubernetes/EKS cluster?
In short, the crux of the problem is about the service being in a private cluster and that it is the one initiating the request that needs to be encrypted using the public TLS Certificate given by the 3rd-party service provider.
Adding SSL/TLS for private is bit tricky process. For
I were to host this service in EC2 instance in private subnet?
You can put servers in ALB and then add SSL from ACM in listeners.
More info on the situation will be helpful for better solutions
What is the difference between Private Link and VPC endpoint? As per the documentation it seems like VPC endpoint is a gateway to access AWS services without exposing the data to internet. But the definition about AWS private link also looks similar.
Reference Link:
https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html
Does Private Link is the superset of VPC endpoint?
It would be really helpful if anyone provides the difference between these two with examples!
Thanks in Advance!
AWS defines them as:
VPC endpoint — The entry point in your VPC that enables you to connect privately to a service.
AWS PrivateLink — A technology that provides private connectivity between VPCs and services.
So PrivateLink is technology allowing you to privately (without Internet) access services in VPCs. These services can be your own, or provided by AWS.
Let's say that you've developed some application and you are hosting it in your VPC. You would like to enable access to this application to services in other VPCs and other AWS users/accounts. But you don't want to setup any VPC peering nor use Internet for that. This is where PrivateLink can be used. Using PrivateLink you can create your own VPC endpoint services which will enable other services to use your application.
In the above scenario, VPC interface endpoint is a resource that users of your application would have to create in their VPCs to connect to your application. This is same as when you create VPC interface endpoint to access AWS provided services privately (no Internet), such as Lambda, KMS or SMS.
There are also Gateway VPC endpoints which is older technology, replaced by PrivateLink. Gateways can only be used to access S3 and DynamoDB, nothing else.
To sum up, PrivateLink is general technology which can be used by you or AWS to allow private access to internal services. VPC interface endpoint is a resource that the users of such VPC services create in their own VPCs to interact with them.
Suppose there is a website xyz.com that I am hosting in a bunch of Ec2 instances, exposed to the outside world thru a Network load balancer.
Now, a client who has his/her own AWS account, wants to access this xyz.com from an Ec2 running in their aws account.
One approach is to go thru the Internet.
However the client wants to avoid the internet route.
He/she wants to use the AWS backbone to reach xyz.com.
The technology that enables that, is AWS Private link.
(note that if you search for Private Link in the AWS services, there will be none.
You will get "End point services" as the closest hit)
So, this is how to route traffic through the AWS backbone:
I, the owner of xyz.com, will create a VPC End Point Service (NOTE the keyword Service here)
The VPC End point service will point to my Network load balancer.
I will then give my VPC End point service name to the client.
The client will create a VPC End Point (NOTE.. this is different from #1).
While creating it, the client will specify the VPC End Point Service name (from #1) that he got from me.
I can choose to be prompted to accept the connection from the client to my VPC End point service.
As soon as I accept it, then the client can reach xyz.com from his/her EC2 instance.
There is no Internet, no direct connect or VPN.. this simply works; and its secure.
And which technology enabled it.. AWS Private link !!!
PRIVATE LINK IS THE ONLY TECHNOLOGY THAT ALLOWS 2 VPCS TO CONNECT THAT HAVE OVERLAPPING CIDR RANGES.
A useful way in understanding differences is in how they technically connect private resources to public services.
Gateway Endpoints route traffic by adding prefix lists within a VPC route table which targets the Gateway endpoint. It is a logical gateway object similar to a Internet Gateway.
In contrast, an Interface Endpoint uses Privatelink to inject into a VPC at the subnet level, via an Elastic Network Interface (ENI), giving network interface functionality, and therefore, DNS and private IP addressing as a means to connect to AWS public services, rather than simply being routed to it.
The differences in connections offer differing advantages and disadvantages (availability, resiliency, access, scalability, and etc), which then dictates how best to connect private resources to public services.
Privatelink is simply a very much abstracted technology to allow a more simplified connection by using DNS. The following AWS re:Invent offers a great overview of Privatelink: https://www.youtube.com/watch?v=abOFqytVqBU
As you correctly mentioned in the question that both VPC endpoint and AWS private link do not expose to internet. On AWS console under VPC, there is a clear option available to create an endpoint. But there is no option/label to create AWS private link. Actually, there is one more option/label called endpoint service. Creating endpoint service is one way to establish AWS private link. At one side of this AWS private link is your endpoint service and at the other side is your endpoint itself. And interestingly we create both these sides in two different VPCs. In other words, you are connecting two VPCs with this private link (instead of using internet or VPC peering).
understand like,
VPC1 got endpoint service ----> private link -----> VPC2 got endpoint
Here endpoint service side is service provider while endpoint is service consumer. So when you have some service (may be some application or s/w) that you think other VPC endpoints can consume you create endpoint service at your end and consumers will create endpoints at there end. When consumers create endpoints at their end they have to give/select your service name and thus private link will be established with your service.
Ultimately you can have multiple consumers of your service just like one to many relationship.
We are thinking of using our own Private Certificate Authority within AWS. Using the information provided here were able to create a private certificate and import it into ACM. However when we try to refer this private certificate when creating a Custom Domain in ApiGateway(via terraform) we get an error that the certificate does not exist. If we try to create the custom domain via the AWS console, the certificate doesnt show up at all.. Do certificates have any iam policy associated with them?
ACM's Private Certificate Authority is only for internal use within your company:
This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization
Certificates issued by a private CA are trusted only within your organization, not on the internet.
You can't use them on API Gateway. For that you require public certificates which you can get for free from ACM.
If your private certificate is managed by ACM, you should be able to use it on API gateway:
With ACM Private CA you can choose to delegate certificate management to ACM for certificates used with ACM-integrated services, such as Elastic Load Balancing and API Gateway.
I set up a Elastic Beanstalk flask server and have a public url. I want to restrict EBS to access publicly but only through API Gateway.
Can someone help me a simple easy procedure to accomplish this. thank you.
Option One - Certificates
You can generate a self-signed certificate on your API gateway, then give the EBS instance the public key. When your EBS instance is called, your server checks that it has been called by the API gateway (by verifying the certificate).
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Option Two - Virtual Private Cloud
Setup a VPC with your API gateway and EBS instance on a private subnet. Allow public access to the API gateway only.
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc.html
I am spinning a new EC2 instance on demand using AMI by script using Java SDK from here at http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html
I am hosting rest API's on the newly spun EC2 instance from AMI on port 8000. I want to access instance from IP only as I will spinning many instances from base AMI when needed and will be destroying when not needed.
I want to call this API's from another web application which is hosted under HTTPS. I know it will not allow me to hit HTTP from HTTPS due to Mixed Content.
After some research, I found AWS provides ACM-Server Certificates service which can be applied to EC2. Ref http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-iam-server-certificates.html
But it works with services integrated with ACM as per document saying at below link
http://docs.aws.amazon.com/acm/latest/userguide/acm-services.html >>
You cannot install an ACM Certificate directly on your website or
application. You must install your certificate by using one of the
services integrated with ACM. For more information about these
services, see Services Integrated with AWS Certificate Manager.
Elastic Load Balancing
Amazon CloudFront
AWS Elastic Beanstalk
Amazon API Gateway AWS
CloudFormation
But I am not using any of above-mentioned services. Is there any way to achieve this and install SSSL on EC2 ip using script ?
This is a common question, because AWS ACS certificates are free.
Thus, to avoid using such certificates with other services than AWS ones, AWS never discloses the associated private keys to its customers.
To let the https server on your EC2 instance use such a certificate, AWS should give you the private key, for you to configure the https server itself.
This is why you can not use an ACS certificate with your EC2 instance. You need to configure an Elastic Load Balancing instance in front of it, so that AWS provides this ELB with your certificate and private key (or provide an HSM with this private key and connect this HSM to the ELB front-end).
Note that using an ELB instance in front of your EC2 instance, in order to be able to use a free certificate from the AWS ACS service, is probably a bad idea: certificates are often cheaper (depending on their type and duration, of course) than the ELB cost overhead.
Note that Let'sEncrypt (https://letsencrypt.org/) can provide your EC2 instance with free DV (domain validated) certificates. You just need to install the Certbot ACME client, since you have shell access to your EC2 instance.