Can only a private subnet access services via VPC Endpoint? - amazon-vpc

Will only a private subnet be able to access the AWS VPC Endpoint?
I followed some of the tutorials across the web, where everybody was using a private subnet to establish a connection to other services via VPC Endpoint. Can't a public subnet make a private connection through a VPC Endpoint?
Similarly, is it required that all the subnets be private on the client side (VPC Endpoint) in order to establish a private link (VPC Endpoint Services)?

Access to your VPC Endpoints is provided by adding a specific route to the route table.
For example, you have private and public subnets. They have different associated route tables, and the route table associated with the private subnet has a route for your VPC Endpoint.
So you can add a route to your VPC Endpoint to the route table associated with the public subnet (or you can use one route table for both public and private subnets).

Related

How to to launch ECS Fargate container without public IP?

I have an ECS Fargate container app that serves the API request over the public internet.
My understanding is that this API service container can be deployed on the public subnet, configured with the ALB DNS and a target group. As we can see, the target group redirects the traffic to the private IP of the ECS task, so I guess we don't need a public IP to be enabled when launching the task. However, when I attempt this on ECS task launch, I get an error: "Resourceinitializationerror: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.eu-west-2.amazonaws.com/": dial tcp 52.94.53.88:443: i/o timeout"
If this is not workable and we need to enable a public IP on the task launch, I'd prefer to restrict the public IP port access only to the web service ALB as a security best practice. Could someone suggest a workable approach for this use case, please? Thanks.
"I'd prefer to restrict the public IP port access only to the web service ALB as a security best practice."
Have you tried doing that? It should work fine. Since security groups are stateful, as long as the outbound rules are open, you should be able to lock down the inbound rules on the security group.
If you want to remove the public IP completely, then you will need to either deploy the Fargate task to a private subnet with a route to a NAT Gateway, or add VPC endpoints to your VPC for the AWS services that the task needs to access, like ECR.
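Both of the threads above (whether a public subnet can use a VPC Endpoint, and where a Fargate task must sit to reach ECR) come down to what the subnet's route table contains. The following added example is not code from any poster: it classifies subnets from a constructed, DescribeRouteTables-shaped response, treating a default route to an `igw-` target as public, a default route to a `NatGatewayId` as private egress, and a `vpce-` target as a gateway endpoint route, which can sit in a public table too. All IDs are made up; interface endpoints such as ECR's are reached through DNS rather than routes, so they are outside this check.

```python
from dataclasses import dataclass, field

# Constructed sample in the shape of the EC2 DescribeRouteTables response.
# Every identifier below is made up for illustration.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
         # Gateway endpoint route (S3/DynamoDB style) in a *public* table
         {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3gw"},
     ]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
     ]},
    {"RouteTableId": "rtb-isolated",
     "Associations": [{"Main": True}],  # main table: used by unassociated subnets
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

@dataclass
class SubnetRouting:
    route_table: str
    public: bool = False        # default route points at an internet gateway
    nat_egress: bool = False    # default route points at a NAT gateway
    gateway_endpoints: list = field(default_factory=list)  # vpce-* targets

def classify(subnet_id, route_tables):
    """Resolve the subnet's route table (explicit association, else the VPC's
    main table) and report which kinds of routes it carries."""
    table = next((t for t in route_tables
                  if any(a.get("SubnetId") == subnet_id for a in t["Associations"])),
                 None)
    if table is None:
        table = next(t for t in route_tables
                     if any(a.get("Main") for a in t["Associations"]))
    info = SubnetRouting(table["RouteTableId"])
    for r in table["Routes"]:
        default = r.get("DestinationCidrBlock") == "0.0.0.0/0"
        gw = r.get("GatewayId", "")
        info.public |= default and gw.startswith("igw-")
        info.nat_egress |= default and "NatGatewayId" in r
        if gw.startswith("vpce-"):
            info.gateway_endpoints.append(gw)
    return info

if __name__ == "__main__":
    for s in ("subnet-pub-a", "subnet-priv-a", "subnet-unassociated"):
        print(s, classify(s, ROUTE_TABLES))
```

The isolated subnet shows the failure mode from the Fargate thread: no IGW, NAT or endpoint route, so pulls from ECR time out until one of those is added.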

Is it possible to Public API Gateway -> VPC Link -> NLB -> Private API Gateway?

I have a VPC with multiple private API Gateways. This is so services within the VPC can call other private APIs without leaving VPC.
I have a Public API Gateway that I want my clients to engage with, but I want this Public API Gateway to have its requests handled by the appropriate private API Gateway.
It doesn't appear that it is trivial to achieve the design I have imagined. Am I missing something? Are there alternate patterns that I should investigate?
I have tried to implement the above design, however the network load balancer requires a target group. It doesn't seem possible to register a target that is a private API Gateway. I have tried to register the VPC Endpoint IPs for the private API gateway, but health checks fail and traffic isn't routed appropriately.
I have also considered using App Mesh to handle this kind of routing, but I do not necessarily want to ship an Envoy proxy layer with each of my lambdas.

Access on prem sql server without VMs through azure data factory

Currently I have a SHIR in a VM that has a virtual network set up to connect to on-prem SQL for my data factory. I want to get rid of the VM and still access the on-prem SQL using the virtual network. Is it possible to use a private link service to pull the data from on-prem using an ADF managed private endpoint? I found one resource where they do this using a VM on top of the private link service. However, that still requires a VM.
Yes, it is possible to use a private link service and a managed private endpoint to access an on-premises SQL Server instance from ADF.
Using the private IP address, you can use the managed private endpoint to connect to the on-prem SQL Server. This eliminates the use of a VM.
For this, you need to create a virtual network and establish a connection to your on-premises network using a VPN or ExpressRoute.
Then you need to create a private endpoint for the SQL Server instance and use the private IP address to connect to SQL. You need to use a SHIR (which is installed on an on-premises machine and configured to connect to your virtual network) to connect to on-prem SQL via a private network using the private IP of the endpoint.

Cloudsql access from ai-platform job

Google has nice ways to connect to Cloud SQL from other Google services, but I cannot see how to connect from AI Platform jobs. As part of our training job, we need to update our Cloud SQL DB with metrics, but the only way I could get it to work is by whitelisting all IPs (don't want that!) in Cloud SQL and connecting via the public IP. I don't see an option to add cloud-sql-proxy to the trainer instance. Since the IP of the trainer instance is dynamic, we cannot reliably add a specific IP address to the whitelist. Any other ways to handle this?
It looks like AI Platform supports VPC peering, so you should be able to connect to Cloud SQL using private IP.
Since Cloud SQL also uses VPC peering, you'll likely need to do the following to get the resources to connect:
1. Create a VPC to share (or use the "default" VPC).
2. Follow the steps here to set up VPC peering for AI Platform in your VPC.
3. Follow the steps here to set up a private IP for your instance in your VPC.
Since the resources are technically in different networks, you may need to export custom routes (Step #2) to allow the AI platform access to your Cloud SQL instance.
As an alternative to using private IP, you could keep using public IP with an IP allowlist coupled with Authorizing with SSL/TLS certificates. This still isn't as secure as using the proxy or private IP (as users are technically able to connect to your instance), but they'll be unable to interact with the database engine without the correct certificates.
Can you publish a PubSub message from within your training job and have it trigger a cloud function that connects to the database? AI Platform training seems to have IAM restrictions that I too am curious how to control.

Accessing Google Cloud SQL from Google Compute Engine using private network

Is it possible to access Google Cloud SQL from Google Compute Engine using the private network?
It appears that Google Cloud SQL sees the public network IP for the Google Compute Engine instance.
And, the web console doesn't allow entering the instance private address.
No, it is not possible to access Google Cloud SQL instances via a private IP address.
This page confirms this; it says: Note: You must use the external (public) IP address of the GCE instance ... when configuring Authorized IP Addresses to your Cloud SQL instance from your GCE instance.
This is now available via private services access and VPC Network Peering.
The announcement:
https://cloud.google.com/blog/products/databases/introducing-private-networking-connection-for-cloud-sql
Details:
https://cloud.google.com/sql/docs/postgres/private-ip
You can't access Cloud SQL from a private IP address, but you can whitelist the NAT instance's public IP in order to access Cloud SQL from a private server.