2

I am working on a project where I need to send messages to a partner via AWS PrivateLink. Because these messages contain PII, the data needs to be secure. I have been unable to determine from internet searching whether data transmitted over PrivateLink is encrypted. Is it encrypted or am I responsible for providing this service?

If the latter, how would I go about doing that? It seems that typical transport-layer encryption such as TLS cannot work here because the actual TCP connections between the VPCs are through VPC endpoints (i.e. outside of my control). Does this mean that I'd have to implement some kind of application-layer encryption? Or perhaps if I send TLS-encrypted traffic to the VPC endpoint, it will just forward along to the destination no problem?

Daniel
  • Nothing in the AWS PrivateLink description mentions encryption. It seems to just be a method of making sure the traffic only is routed internally within Amazon's AWS infrastructure. This means you should be encrypting any communications yourself even if they go over PrivateLink. – Daisetsu Mar 06 '19 at 19:18

2 Answers

4

AWS Privatelink isn't going to provide you anything special (or prevent anything you were already doing) in the way of encryption. It is a way to directly connect VPCs without having the traffic leave Amazon's network. This won't prevent you from using TLS since that is negotiated at the endpoints (your partner's server and your client for instance). The network doesn't care about the packet's payload...just its header/footer info.

DarkMatter
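The point in the answer above is that a PrivateLink endpoint forwards TCP bytes and takes no part in TLS, so the client and the partner's server negotiate TLS end to end exactly as they would over the public internet. Here is an added example of what that looks like on the client side (this is illustration written for this page, not code from the answer, from AWS, or from any partner). The endpoint DNS name, the partner hostname, the port and the CA bundle path are all constructed placeholders. The one practical wrinkle it handles: the endpoint's `vpce-*.amazonaws.com` DNS name is not the name in the partner's certificate, so the client must dial the endpoint name but verify the certificate against the partner's own name (unless Private DNS has been set up to map the partner's name onto the endpoint).

```python
import socket
import ssl

# Constructed placeholders; a real endpoint name and partner hostname will differ.
ENDPOINT_DNS = "vpce-0123456789abcdef0-example.vpce-svc-0123456789abcdef0.us-east-1.vpce.amazonaws.com"
PARTNER_HOSTNAME = "api.partner.example"   # hypothetical name in the partner's certificate
PARTNER_PORT = 443
CA_BUNDLE = None  # path to the CA that signed the partner's cert; None = system trust store


def build_client_context(ca_bundle=None):
    """Strict TLS client settings: verify the chain, check the hostname, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True only if the context still verifies certificates and hostnames on TLS 1.2+."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def tempting_but_wrong_context():
    """What people reach for when the vpce-* name does not match the certificate:
    switching verification off. This defeats the purpose of TLS; do not ship it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_over_privatelink(payload, endpoint_dns=ENDPOINT_DNS, partner_hostname=PARTNER_HOSTNAME,
                          port=PARTNER_PORT, ca_bundle=CA_BUNDLE, timeout=10.0):
    """Dial the VPC endpoint's DNS name, then negotiate TLS with the partner behind it.
    The endpoint only relays bytes, so the handshake and certificate check are end to end."""
    ctx = build_client_context(ca_bundle)
    with socket.create_connection((endpoint_dns, port), timeout=timeout) as raw_sock:
        # server_hostname is sent as SNI so the partner's server picks the right
        # certificate, and it is the name that certificate is verified against.
        # Passing the vpce-* name here instead would fail hostname verification.
        with ctx.wrap_socket(raw_sock, server_hostname=partner_hostname) as tls:
            tls.sendall(payload)
            return tls.recv(4096)


if __name__ == "__main__":
    # Constructed request body; the connection itself needs a real endpoint and partner.
    print(send_over_privatelink(b"POST /messages HTTP/1.1\r\nHost: api.partner.example\r\n\r\n"))
```

The PII is protected by the TLS session, not by PrivateLink; the endpoint narrows where the packets can travel, and the certificate check is what ties the other end of the tunnel to the partner you meant to reach.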
0

The following AWS documentation states that PrivateLink traffic is encrypted, which includes traffic by VPC endpoints.

"Data being exchanged over an AWS PrivateLink is also encrypted."

Source: https://aws.amazon.com/privatelink/faqs/#:~:text=Data%20being%20exchanged%20over%20an,provides%20service%20to%20whitelisted%20customers.

Zack