Overview
private-link-poc
This is a POC demonstrating an issue with AWS PrivateLink: when the security group on the provider's network load balancer (NLB) is locked down to the consumer IP addresses, requests through the load balancer fail with a gateway timeout. The NLB security group instead needs to allow the source IP addresses further upstream, in this case the private IPs of the ALB, rather than the consumer IPs.
Setup
terraform init
terraform apply -var input_provider_ingress="alb"
This creates a public ALB pointed at a VPC endpoint that is mapped to an NLB via a VPC Endpoint Service. The NLB forwards to an instance running a simple echo server. The security group on the NLB is locked down to the ALB private IPs (the working configuration).
terraform init
terraform apply -var input_provider_ingress="consumers"
This creates the same topology, a public ALB pointed at a VPC endpoint that is mapped to an NLB via a VPC Endpoint Service, with the NLB forwarding to an instance running a simple echo server, but the security group on the NLB is locked down to the consumer private IPs (the configuration that produces the gateway timeout).
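The following HCL is an added example, not the POC's own Terraform, showing one way the provider_ingress switch can drive the NLB security group: with "alb" the ingress rules are built from the ALB's own network-interface private IPs, with "consumers" from a static list of consumer addresses. The resource names, the variable names other than provider_ingress, the provider VPC/subnet inputs and the consumer CIDR values are all assumptions; the ENI discovery relies on the fact that an ALB's network interfaces carry a description of the form "ELB app/<name>/<id>", which matches the ALB's arn_suffix.

```hcl
# Added example (not the POC's own code). Selects which private IPs the NLB
# security group admits, depending on var.provider_ingress.

variable "provider_ingress" {
  description = "Where to grab the IPs for the NLB provider security group (\"alb\" or \"consumers\")."
  type        = string
  default     = "alb"

  validation {
    condition     = contains(["alb", "consumers"], var.provider_ingress)
    error_message = "provider_ingress must be \"alb\" or \"consumers\"."
  }
}

# Assumed inputs: where the provider-side NLB lives.
variable "provider_vpc_id" { type = string }
variable "provider_subnet_ids" { type = list(string) }

# Constructed placeholder values for the consumer-side addresses. Locking the
# NLB security group down to these is the configuration that times out.
variable "consumer_ips" {
  type    = list(string)
  default = ["10.0.1.10/32", "10.0.2.10/32"]
}

# Assumed: the consumer-side ALB is declared elsewhere as aws_lb.public.
# Its ENIs are described as "ELB app/<name>/<id>", i.e. "ELB ${arn_suffix}".
data "aws_network_interfaces" "alb" {
  filter {
    name   = "description"
    values = ["ELB ${aws_lb.public.arn_suffix}"]
  }
}

data "aws_network_interface" "alb" {
  for_each = toset(data.aws_network_interfaces.alb.ids)
  id       = each.value
}

locals {
  # Private IPs the ALB actually sources traffic from, as /32 CIDRs.
  alb_private_cidrs = [for eni in data.aws_network_interface.alb : "${eni.private_ip}/32"]

  # The switch the POC exercises: upstream ALB IPs vs. consumer IPs.
  nlb_ingress_cidrs = var.provider_ingress == "alb" ? local.alb_private_cidrs : var.consumer_ips
}

resource "aws_security_group" "nlb" {
  name   = "nlb-provider-ingress"
  vpc_id = var.provider_vpc_id
}

# One ingress rule per allowed CIDR on the echo server's HTTP port.
resource "aws_vpc_security_group_ingress_rule" "nlb_http" {
  for_each          = toset(local.nlb_ingress_cidrs)
  security_group_id = aws_security_group.nlb.id
  cidr_ipv4         = each.value
  from_port         = 80
  to_port           = 80
  ip_protocol       = "tcp"
}

resource "aws_lb" "provider" {
  name               = "provider-nlb"
  load_balancer_type = "network"
  internal           = true
  subnets            = var.provider_subnet_ids
  security_groups    = [aws_security_group.nlb.id]
}
```

Two caveats worth keeping in mind if this pattern is taken beyond a POC: the ALB's ENIs and their private IPs can change as the ALB scales or replaces nodes, so a /32 allow-list derived from a data source is only correct as of the last apply, and the data lookup requires the ALB to exist before the provider side is planned.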
Testing
To test this POC, you can run the following command:
curl -s -v "http://$(terraform output -json | jq -r .public_lb_dns)/http"
To log into the instance you can use session manager:
aws ssm start-session --target $(terraform output -json | jq -r .echo_server_id)
Requirements
Providers
Modules
Resources
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| provider_ingress | Where to grab the IPs for the NLB provider security group ("alb" or "consumers"). | string | "alb" | no |
Outputs