CoursesAWS security engineeringNetwork security & segmentation

Private endpoints & east-west TLS

PrivateLink, endpoint policies, mTLS internally.

Advanced30 min · lesson 12 of 15

Two habits quietly leave AWS data exposed: sending traffic to managed services across the public internet, and trusting the internal network enough to run it in plaintext. Private connectivity and end-to-end encryption close both.

Reach services privately

A managed database, queue, or partner API with a public endpoint does not have to be reached over the internet. Gateway endpoints (S3, DynamoDB) and Interface endpoints / PrivateLink project a service into your VPC as a private interface, so the data plane stays on the AWS backbone. That removes a whole class of exposure — no public route to firewall, no data on the open internet — and access is governed by your network policy plus IAM. Endpoint policies further scope which actions and resources are reachable through the endpoint.

lock an S3 gateway endpoint to one bucket
# Endpoint policy: traffic through this VPC endpoint can only touch our bucket,
# so even a broad IAM policy cannot exfiltrate to an arbitrary S3 bucket.
{
"Statement": [{
"Effect": "Allow", "Principal": "*",
"Action": ["s3:GetObject","s3:PutObject"],
"Resource": ["arn:aws:s3:::acme-data/*"]
}]
}

TLS everywhere, including east-west

Terminating TLS at the ALB and letting the internal hop run plaintext leaves every service-to-service call exposed inside the VPC. Push encryption to the workload: use ACM certificates on internal listeners, or a service mesh (App Mesh, Istio) that transparently wraps east-west traffic in mutual TLS with short-lived, auto-rotated identity certs. Assume the internal network is hostile — "internal" is not a security property.

Private + encrypted end to end
1workload in private subnet
no public route
2VPC / PrivateLink endpoint
service reached over AWS backbone
3endpoint + IAM policy
scoped actions and resources
4mTLS east-west
no plaintext internal hop
Keep the data plane private and encrypt every hop, including service-to-service. Public endpoints exist, but your workloads never use them.
Edge-only TLS is a soft interior
If TLS stops at the load balancer, anyone who gains a foothold inside the VPC — a compromised instance, a packet capture, a rogue sidecar — reads and modifies east-west traffic freely. Encrypt service-to-service with mutual authentication; internal networks are not inherently trusted.