Create a VPC endpoint service
Hello Everyone
Welcome to CloudAffaire and this is Debjeet
In the last blog post, we have created a VPC interface endpoint.
https://cloudaffaire.com/create-a-vpc-interface-endpoint/
In this blog post, we are going to create a VPC endpoint service that can be consumed through a VPC interface endpoint. Below is the configuration diagram for this demo.
VPC endpoint service: You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service also referred to as an endpoint service. Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint. You are the service provider, and the AWS principals that create connections to your service are service consumers.
In this demo, we are going to create a VPC endpoint service and then consume this service using an interface endpoint. Below are the prerequisites for this demo:
- One VPC with a private subnet and an EC2 instance hosted inside it.
- One VPC with a private subnet and an NLB whose target is an EC2 instance hosted in that private subnet.
We have already created the VPCs and subnets and configured the NLB as depicted in the configuration diagram above.
Next, we are going to create the VPC endpoint service using NLB DNS.
Create a VPC endpoint service:
Step 1: Log in to the AWS console and navigate to ‘VPC’.
Step 2: Navigate to ‘Endpoint Services’ and click ‘Create Endpoint Service’.
Step 3: Select the network load balancer, tick the acceptance-required option and click ‘Create service’.
Note: Select the checkbox ‘Require acceptance for endpoint’ to accept connection requests to your service manually. If you do not select this option, endpoint connections are automatically accepted.
A success message will be displayed; click ‘Close’.
Our VPC endpoint service has been created successfully.
Note: Copy the service name. The service consumer needs it when creating the VPC interface endpoint.
Next, we will add permission for the service consumer account principal so that it can create an interface endpoint connection to this service.
Step 4: Click ‘Add principal to whitelist’ located under ‘Whitelisted principals’.
Step 5: Provide the account ARN and click ‘Save’.
Note: For an AWS account (and therefore all principals in the account), the ARN is in the form arn:aws:iam::aws-account-id:root. For a specific IAM user, the ARN is in the form arn:aws:iam::aws-account-id:user/user-name. For a specific IAM role, the ARN is in the form arn:aws:iam::aws-account-id:role/role-name. You can also grant access to everyone by putting * (star); this lets any AWS account request a connection to your service, so with ‘Require acceptance’ enabled the manual acceptance step becomes your only control over who connects.
Our endpoint service (service provider) has been created successfully. Next, we are going to create the VPC interface endpoint (service consumer).
Step 6: Navigate to ‘Endpoints’ and click ‘Create Endpoint’.
Step 7: Provide the endpoint service name and click ‘Verify’.
Step 8: Select your VPC, subnet and security group as per the configuration diagram and click ‘Create endpoint’.
A success message will be displayed; click ‘Close’.
Our interface endpoint (service consumer) has been created successfully.
Note: In our configuration, we specified that any interface endpoint connection request to our service must be accepted manually by the service provider, so the current status is ‘pending acceptance’.
Next, we are going to accept this interface endpoint connection request in our VPC endpoint service section.
Step 9: Navigate to ‘Endpoint Services’, open the ‘Endpoint Connections’ tab, click ‘Actions’ and then click ‘Accept endpoint connection request’.
Click ‘Yes, accept’.
The interface endpoint connection request has been accepted and your service consumer is ready to consume the service.
If you navigate to your endpoint, the interface endpoint will be in the ‘available’ state.
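The same provider-side and consumer-side steps can be scripted with the AWS CLI. The script below is an added example and is not part of the original post: it wraps the CLI calls for creating the endpoint service (Step 3), whitelisting a principal (Steps 4-5), creating the interface endpoint (Steps 6-8) and accepting a pending connection (Step 9), and it checks that a principal matches one of the three ARN forms described in the note above before whitelisting it, refusing the bare * wildcard unless ALLOW_WILDCARD=1 is set deliberately. The NLB ARN, service ID, VPC, subnet and security group IDs are placeholders to be supplied on the command line; the CLI is assumed to be configured with credentials for the provider account (or the consumer account for the create-endpoint step).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the console steps as AWS CLI calls.
# Assumes AWS CLI v2 with credentials for the relevant account; all IDs/ARNs are
# passed in as arguments and are placeholders here.
set -euo pipefail

# Check a principal against the three ARN forms from the post (account root,
# IAM user, IAM role). "*" opens the service to every AWS account, so it is
# accepted only when ALLOW_WILDCARD=1 is set explicitly by the operator.
validate_principal() {
  local arn="$1"
  if [ "$arn" = "*" ]; then
    [ "${ALLOW_WILDCARD:-0}" = "1" ] && return 0
    return 1
  fi
  # 12-digit account id, then root, user/<name-or-path> or role/<name-or-path>
  printf '%s\n' "$arn" |
    grep -Eq '^arn:aws:iam::[0-9]{12}:(root|user/[A-Za-z0-9+=,.@_/-]+|role/[A-Za-z0-9+=,.@_/-]+)$'
}

# Step 3: create the endpoint service from the NLB, with manual acceptance.
create_service() {
  local nlb_arn="$1"
  aws ec2 create-vpc-endpoint-service-configuration \
    --network-load-balancer-arns "$nlb_arn" \
    --acceptance-required \
    --query 'ServiceConfiguration.[ServiceId,ServiceName]' --output text
}

# Steps 4-5: whitelist a consumer principal, after validating its ARN.
allow_principal() {
  local service_id="$1" principal="$2"
  if ! validate_principal "$principal"; then
    echo "refusing to whitelist principal: $principal" >&2
    return 1
  fi
  aws ec2 modify-vpc-endpoint-service-permissions \
    --service-id "$service_id" --add-allowed-principals "$principal"
}

# Steps 6-8 (run with the consumer account's credentials): create the
# interface endpoint in the consumer VPC, subnet and security group.
create_interface_endpoint() {
  local vpc_id="$1" service_name="$2" subnet_id="$3" sg_id="$4"
  aws ec2 create-vpc-endpoint --vpc-endpoint-type Interface \
    --vpc-id "$vpc_id" --service-name "$service_name" \
    --subnet-ids "$subnet_id" --security-group-ids "$sg_id" \
    --query 'VpcEndpoint.[VpcEndpointId,State]' --output text
}

# Step 9: list requests still in pendingAcceptance, with the requesting account,
# so the provider can decide which one to accept.
pending_connections() {
  local service_id="$1"
  aws ec2 describe-vpc-endpoint-connections \
    --filters "Name=service-id,Values=$service_id" \
              "Name=vpc-endpoint-state,Values=pendingAcceptance" \
    --query 'VpcEndpointConnections[].[VpcEndpointId,VpcEndpointOwner]' --output text
}

# Step 9 (continued): accept one specific endpoint connection by ID.
accept_connection() {
  local service_id="$1" endpoint_id="$2"
  aws ec2 accept-vpc-endpoint-connections \
    --service-id "$service_id" --vpc-endpoint-ids "$endpoint_id"
}

# Dispatch only when a sub-command is given, so sourcing the file is side-effect free.
# Usage: ./vpce.sh create-service <nlb-arn>
#        ./vpce.sh allow <service-id> <principal-arn>
#        ./vpce.sh create-endpoint <vpc-id> <service-name> <subnet-id> <sg-id>
#        ./vpce.sh pending <service-id>
#        ./vpce.sh accept <service-id> <vpce-id>
if [ "$#" -gt 0 ]; then
  cmd="$1"; shift
  case "$cmd" in
    create-service)  create_service "$@" ;;
    allow)           allow_principal "$@" ;;
    create-endpoint) create_interface_endpoint "$@" ;;
    pending)         pending_connections "$@" ;;
    accept)          accept_connection "$@" ;;
    *) echo "unknown command: $cmd" >&2; exit 2 ;;
  esac
fi
```

Running `pending` before `accept` mirrors the console flow: the provider sees which account owns each pending request and accepts by endpoint ID, rather than accepting whatever happens to be queued.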
Hope you have enjoyed this blog post. In the next blog post, we are going to discuss VPC peering.
To get more details on VPC, please refer to the AWS documentation below:
https://docs.aws.amazon.com/vpc/index.html
Is the network load balancer internal or public facing? No details about that.