AWS VPC Endpoint Service

Leave a Comment / By /

Back to: AWS-Basics-Advanced

0

Securely Exposing a Private NLB to the Internet Using ALB + VPC Endpoint Service

An application team needed to expose an internal service running behind a private Network Load Balancer (NLB) to the internet. However, the service itself was required to remain completely private, without directly attaching public IPs, NAT gateways, or internet-facing load balancers to the application subnets.

To achieve this, a joint solution was implemented by the Application Team and the Network Team using VPC Endpoint Service, Interface Endpoints, and a public ALB.

🟦 What We Achieve

We successfully built an architecture that allows public users to access a private NLB securely and indirectly.
At no point is the NLB publicly exposed.

🟩 How the Solution Works

1️⃣ Application Team

  • Deployed a Private NLB inside their VPC

  • Exposed the application over TCP/HTTP on a private port

  • Created a VPC Endpoint Service that fronts the Private NLB

  • Shared the Endpoint Service Name with the Network Team

This ensures the application remains internal, accessible only through authorized endpoints.

2️⃣ Network Team

  • Created a VPC Interface Endpoint (ENIs) to connect to the App Team’s Endpoint Service

  • The Interface Endpoint created private ENIs in their VPC (one per AZ)

  • These ENIs became the only allowed path into the Private NLB service

  • Then created a public ALB

  • Configured an IP-based Target Group containing the ENI private IPs

  • Mapped ALB listeners (HTTP/HTTPS) to this target group

This allowed the public ALB to forward traffic to the Interface Endpoint ENIs, and those ENIs connect privately to the NLB.

🟧 3️⃣ End Result: Secure Public Access to a Private System

✔ The ALB is public
✔ The target service stays private
✔ No direct route between Internet → Private NLB
✔ All traffic flows through a controlled, authorized chain
✔ No VPC peering, no transit gateway needed
✔ No private subnets are exposed
✔ No need to place application behind an internet-facing NLB

🟦 Final Flow of Traffic

Internet ---> Public ALB (80/443) ---> (IP Target Group)
Interface Endpoint ENI ---> VPC Endpoint Service ---> Private NLB ---> Application

🟩 Key Benefits 

🔐 1. Security

  • Private NLB and application stay fully internal

  • Only authorized VPC interface endpoints can connect

  • No public exposure of backend services

🔄 2. Clean Separation of Responsibility

  • App team manages backend service + NLB

  • Network team manages public accessibility and routing

🌍 3. Public Access Without Public NLB

  • ALB is the only public entry point

  • Backend is 100% private

🔗 4. Flexible Cross-VPC / Cross-Account Access

  • Endpoint service supports cross-AZ, cross-region, even cross-account usage

PROPER STEP-BY-STEP IMPLEMENTATION

—————————————

🟦 PART 1: APP TEAM WORK

—————————————

STEP 1 — Create a Private Network Load Balancer

  1. Go to EC2 → Load Balancers → Create Load Balancer

  2. Select Network Load Balancer

  3. Scheme: Internal

  4. IP Address Type: IPv4

  5. Select at least 2 private subnets

  6. Create Listener:

    • Protocol: TCP

    • Port: <APP_PORT> (example 80)

👉 This allows the NLB to be attached to a VPC Endpoint Service.

STEP 2 — Create Target Group for NLB

  1. Target Type: Instance or IP (your backend)

  2. Protocol: TCP

  3. Port: 80

  4. Register targets (EC2 private IPs / IPs)

STEP 3 — Create VPC Endpoint Service

  1. Go to VPC → Endpoint Services → Create

  2. Select your Private NLB

  3. Set:

    • Acceptance Required: ON (recommended)

  4. Add permissions:

    • Add Network Team AWS Account ID OR AWS Organization

    • arn:aws:iam::094718051319:root

AWS generates a Service Name:

com.amazonaws.vpce.<region>.vpce-svc-0ab123cdef45

👉 Share this VPC Endpoint Service Name with Network Team.

—————————————

🟦 PART 2: NETWORK TEAM WORK

—————————————

STEP 4 — Create the VPC Interface Endpoint

  1. Go to VPC → Endpoints → Create Endpoint

  2. Type: Endpoint services that use NLBs and GWLBs

  3. Paste the Service Name provided by App Team

  4. Choose VPC

  5. Choose private subnets in at least 2 AZs

  6. Create a Security Group:

    • Allow inbound <APP_PORT> from ALB Subnets

  7. Create the endpoint

This creates one ENI per subnet, each with a private IP.

Example:

  • 10.10.1.21

  • 10.10.2.36

👉 Note these IPs — they will be added to ALB Target Group.

If “Acceptance Required” was enabled:

  • App Team must Accept the endpoint connection.

STEP 5 — Create a Public ALB

  1. Go to Load Balancers → Create Load Balancer

  2. Type: Application Load Balancer

  3. Scheme: Internet-facing

  4. Select public subnets

  5. ALB Security Group:

    • Allow inbound 80/443 from Internet

    • Allow outbound to endpoint ENI IPs on 80

Listeners:

HTTP:

Listener: 80 → Forward to Target Group

HTTPS (optional):

Listener: 443 → Forward to Target Group

STEP 6 — Create ALB Target Group (VERY IMPORTANT)

  1. Target Type: IP

  2. Protocol:

Choose based on backend:

🔹 If app is HTTP → HTTP
🔹 If app is HTTPS → HTTPS

Always use the same port as Private NLB listener.

Example:

Port: 80 Protocol: HTTP

STEP 7 — Register ENI IPs as Targets

Add the Interface Endpoint ENI IPs:

10.10.1.21
10.10.2.36

Health checks:

  • Protocol: HTTP or TCP (match the target group type)

  • Path: “/” (for HTTP)

STEP 8 — Attach Target Group to ALB Listener

Select:

Listener 80 → Forward to <Target Group>

(And listener 443 if using HTTPS)

—————————————

🟩 FINAL CONNECTIVITY CHECK

—————————————

  1. Hit your ALB DNS:

http://<your-public-alb>.amazonaws.com

  1. ALB forwards to IP Target Group

  2. IPs are Interface Endpoint ENIs

  3. ENIs forward to Private NLB via VPC Endpoint Service

  4. Private NLB forwards to backend app

Everything is private except the ALB.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top