I know the basics of privatelink and how it creates an ENI inside the VPC which can be resolved from a service outside the VPC.
I want to understand how it truly works under the hood by steps, but can't wrap my head around it all.
After digging, I found this talk https://www.youtube.com/watch?v=8gc2DgBqo9U, but I can't organize all the steps that actually happen easily.
So how I see it is,
There are a lot of incomprehension and blackboxes in how I explain it, because it's still vague to me. It looks like it's "private" but only on the software level, but it is privately public inside the AWS network.
Thanks for enlightening me.
AWS PrivateLink creates an Elastic Network Interface (ENI) within your VPC when you establish an interface endpoint for a supported AWS service. The ENI acts as the gateway for communication with the service. When a resource within your VPC needs to communicate with the service, the traffic is directed to this ENI through the VPC's route table.
Once the traffic reaches the ENI, it enters AWS's internal networking layer, known as Hyperplane. Hyperplane is responsible for managing network traffic across the AWS global infrastructure. It routes the traffic efficiently to its destination, optimizing for performance and reliability.
At the edge of the AWS network, specialized networking devices called blackedge devices handle the physical aspects of network communication. These devices ensure that packets are forwarded accurately and efficiently to their intended destinations. They play an important role in determining the optimal path for delivering traffic within the AWS network.
From the perspective of your VPC, communication with the service appears private and isolated. This is because the traffic remains within the AWS network infrastructure throughout its journey. It does not traverse the public internet or external networks, for security and privacy.