Recently in my organization, there was a requirement to connect to a private endpoint in Account A from Account B. When such a requirement comes up, VPC peering is the first solution that comes to mind. However, if the given endpoint is hosted behind an NLB, it can simply be connected via a VPC endpoint service, which is powered by AWS PrivateLink. This keeps the two VPCs otherwise unconnected: only the NLB is exposed, and only to the accounts you allow.
In Account A, create an NLB and then a VPC endpoint service for it.
resource "aws_vpc_endpoint_service" "this" {
  # The ARN of the NLB that fronts the private endpoint
  network_load_balancer_arns = [module.nlb.arn]
  # Private DNS name that consumers will resolve to the endpoint (requires domain verification)
  private_dns_name = var.private_dns_name
  # Connection requests from other AWS accounts must be explicitly accepted before any traffic flows
  acceptance_required = true
  tags = {
    Name = "${terraform.workspace}-nlb"
  }
}

resource "aws_vpc_endpoint_service_allowed_principal" "this" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id
  # Only this principal (the whole of Account B) may request an endpoint connection
  principal_arn = "arn:aws:iam::${var.account_b_id}:root"
}
The Service name of the endpoint service is required when we configure the VPC endpoint in Account B.
Because a private DNS name was configured, the endpoint service also shows a TXT record that proves ownership of the domain. Add the TXT record to your Domain. After a successful validation, the Domain verification status will be shown as Verified.
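The TXT record can also be published from the same Terraform configuration instead of being copied into the DNS console by hand. The following is an added example, not code from the original post: it assumes the aws_vpc_endpoint_service.this resource above and a public Route 53 hosted zone for the domain (the zone name is a placeholder); the final resource that kicks off the verification needs a recent 5.x AWS provider.

```hcl
# Added example (not from the original post): publish the domain-verification
# TXT record for the endpoint service's private DNS name and start verification.
# Assumes aws_vpc_endpoint_service.this from the post and a public Route 53 zone;
# the zone name below is a placeholder.
data "aws_route53_zone" "public" {
  name         = "example.com." # placeholder: the public zone that holds var.private_dns_name
  private_zone = false
}

# The service exports the record AWS expects the domain owner to create:
# a record name under the domain, a type (TXT) and a verification value.
locals {
  dns_verification = aws_vpc_endpoint_service.this.private_dns_name_configuration[0]
}

resource "aws_route53_record" "endpoint_service_verification" {
  zone_id = data.aws_route53_zone.public.zone_id
  name    = local.dns_verification.name
  type    = local.dns_verification.type # "TXT"
  ttl     = 300
  # Route 53 TXT values must be wrapped in (escaped) double quotes
  records = ["\"${local.dns_verification.value}\""]
}

# Ask AWS to check the record now rather than waiting for the periodic re-check.
# Requires a recent 5.x AWS provider that ships this resource.
resource "aws_vpc_endpoint_service_private_dns_verification" "this" {
  service_id = aws_vpc_endpoint_service.this.id
  depends_on = [aws_route53_record.endpoint_service_verification]
}
```

Keeping the verification record in Terraform matters beyond convenience: if the record is later removed from the zone, the domain falls back to an unverified state and consumers lose private DNS for the service, so having it under version control makes that regression visible in a plan.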
In Account B, create a VPC endpoint for the VPC endpoint service created above.
module "vpc_endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  ...
  endpoints = {
    "nlb" = {
      service_name        = "com.amazonaws.vpce.eu-north-1.vpce-svc-0f61ad0e435a4680c"
      subnet_ids          = module.vpc.private_subnets
      private_dns_enabled = true
      service_type        = "Interface"
      tags                = { Name = "${terraform.workspace}-nlb" }
    }
  }
}
Go back to Account A and accept the endpoint connection request that comes from Account B, under the Endpoint connections tab in Endpoint services.
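The consumer-side endpoint and the acceptance step can both be expressed in Terraform, which also lets you attach a security group to the endpoint network interfaces. The block below is an added example and not code from the original post. It assumes two provider aliases, aws.account_a and aws.account_b, with credentials for each account, a module.vpc in Account B exposing vpc_id, vpc_cidr_block and private_subnets, and the aws_vpc_endpoint_service.this resource from Account A in the same configuration; the listener port list is taken from the post's nginx example.

```hcl
# Added example (not from the original post): the Account B endpoint written with
# plain resources plus a restrictive security group, and the Account A acceptance
# done in Terraform instead of the console. Assumes provider aliases aws.account_a /
# aws.account_b, module.vpc in Account B, and aws_vpc_endpoint_service.this in Account A.

locals {
  # Ports the NLB listens on; 80 matches the post's plain-HTTP nginx test.
  service_ports = [80]
}

# Account B: endpoints to customer-managed services do not support endpoint
# policies, so the security group on the endpoint ENIs is the main network
# control on the consumer side. Admit only the listener ports, only from the VPC.
resource "aws_security_group" "nlb_endpoint" {
  provider    = aws.account_b
  name        = "${terraform.workspace}-nlb-endpoint"
  description = "Consumer-side access to the PrivateLink endpoint for the NLB"
  vpc_id      = module.vpc.vpc_id

  dynamic "ingress" {
    for_each = toset(local.service_ports)
    content {
      description = "Service port ${ingress.value} from inside the consumer VPC only"
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [module.vpc.vpc_cidr_block]
    }
  }
  # No egress rules: endpoint ENIs only answer inbound connections.
}

resource "aws_vpc_endpoint" "nlb" {
  provider          = aws.account_b
  vpc_id            = module.vpc.vpc_id
  # Resolves to the same com.amazonaws.vpce.<region>.vpce-svc-... name shown in the post
  service_name      = aws_vpc_endpoint_service.this.service_name
  vpc_endpoint_type = "Interface"
  subnet_ids        = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.nlb_endpoint.id]
  # Works only after the service's domain verification shows Verified
  private_dns_enabled = true
  tags = { Name = "${terraform.workspace}-nlb" }
}

# Account A: accept the request from Account B. Because the service has
# acceptance_required = true, no traffic flows until this resource is applied,
# and the accepted endpoint id is recorded in state for review.
resource "aws_vpc_endpoint_connection_accepter" "from_account_b" {
  provider                = aws.account_a
  vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id
  vpc_endpoint_id         = aws_vpc_endpoint.nlb.id
}
```

Private DNS on the consumer side additionally requires the Account B VPC to have DNS support and DNS hostnames enabled; without them the endpoint is reachable only through its regional vpce-... DNS name.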
Now try to access the private endpoint hosted in Account A from Account B.
$ curl nlb.petproject.my
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Thank you for reading!