AWS PrivateLink and VPC Endpoints with Spring Boot
Learn how to securely connect Spring Boot applications to AWS services using AWS PrivateLink and VPC Endpoints. This guide covers Interface Endpoints, Gateway Endpoints, PrivateLink architecture, networking, security, Spring Boot integration, and production best practices.
Introduction
Enterprise applications should never expose sensitive traffic to the public Internet when communicating with AWS services.
Consider a Spring Boot application accessing:
- Amazon S3
- Secrets Manager
- Systems Manager
- Amazon SQS
- Amazon SNS
- DynamoDB
- Amazon ECR
- Amazon OpenSearch
Without VPC Endpoints, calls to those services leave the VPC through a NAT Gateway or Internet Gateway and are routed to the service's public endpoint. HTTPS protects the payload, but the application still needs a path to the Internet, public IP addresses are involved, and the egress rules must allow the service's public address ranges.
AWS solves this problem using:
- Gateway VPC Endpoints
- Interface VPC Endpoints
- AWS PrivateLink
These services allow Spring Boot applications to communicate with AWS services entirely over the AWS private network, improving security, reducing exposure, and simplifying firewall rules.
Learning Objectives
After completing this article, you will understand:
- What is AWS PrivateLink?
- What is a VPC Endpoint?
- Gateway Endpoint
- Interface Endpoint
- Endpoint Policies
- Private DNS
- Elastic Network Interfaces (ENIs)
- Spring Boot Integration
- Security Best Practices
- Enterprise Architecture
Why Private Connectivity?
Imagine a Spring Boot application accessing Secrets Manager.
Without VPC Endpoints:
Spring Boot
↓
NAT Gateway / Internet Gateway
↓
Public Internet
↓
AWS Secrets Manager
Problems:
- Dependency on a NAT Gateway or Internet Gateway, with its cost and failure modes
- Larger attack surface: the subnet must carry a route to the Internet
- Egress rules must permit the service's public address ranges
- Difficult compliance: you cannot easily prove the traffic never left your control
Solution
Use VPC Endpoints.
Spring Boot
↓
VPC Endpoint
↓
Secrets Manager
Traffic stays on the AWS network and never traverses the public Internet; no Internet Gateway, NAT Gateway or public IP is involved.
What is a VPC Endpoint?
A VPC Endpoint enables private communication between resources in your VPC and supported AWS services.
Benefits:
- No Internet Gateway required
- No NAT Gateway required
- No public IP
- Private communication
- Better security
Types of VPC Endpoints
AWS provides two major endpoint types.
| Endpoint Type | Common Services |
|---|---|
| Gateway Endpoint | S3, DynamoDB |
| Interface Endpoint | Secrets Manager, SQS, SNS, ECR, CloudWatch, OpenSearch |
High-Level Architecture
flowchart LR
SpringBoot
VPCEndpoint
AWSService
SpringBoot --> VPCEndpoint
VPCEndpoint --> AWSService
Enterprise Architecture
flowchart TD
Users
ALB
SpringBoot
PrivateSubnet
VPCEndpoints
SecretsManager
SQS
SNS
S3
CloudWatch
Users --> ALB
ALB --> SpringBoot
SpringBoot --> PrivateSubnet
PrivateSubnet --> VPCEndpoints
VPCEndpoints --> SecretsManager
VPCEndpoints --> SQS
VPCEndpoints --> SNS
VPCEndpoints --> S3
VPCEndpoints --> CloudWatch
Gateway Endpoint
Gateway Endpoints are available only for:
- Amazon S3
- Amazon DynamoDB
There is no charge for a gateway endpoint.
A gateway endpoint works by adding a route for the service's prefix list to the subnet route tables you associate with it; traffic remains on the AWS network.
Caveat: because it is a route-table target, a gateway endpoint is reachable only from inside its own VPC. Peered VPCs and on-premises networks connected over VPN or Direct Connect cannot use it; for those paths S3 and DynamoDB also offer Interface Endpoints.
Gateway Endpoint Architecture
flowchart LR
SpringBoot
RouteTable
GatewayEndpoint
S3
SpringBoot --> RouteTable
RouteTable --> GatewayEndpoint
GatewayEndpoint --> S3
Interface Endpoint
Interface Endpoints create an Elastic Network Interface (ENI) with a private IP address in each subnet you select. The application connects to that private IP over TCP 443, so a security group attached to the endpoint controls which sources may reach the service. Interface endpoints are billed per hour per AZ plus per GB processed.
Supported services include:
- Secrets Manager
- SQS
- SNS
- ECR
- CloudWatch
- OpenSearch
- KMS
- STS
- Systems Manager
Interface Endpoint Architecture
flowchart LR
SpringBoot
ElasticNetworkInterface
SecretsManager
SpringBoot --> ElasticNetworkInterface
ElasticNetworkInterface --> SecretsManager
AWS PrivateLink
AWS PrivateLink is the technology underneath Interface Endpoints. Beyond AWS's own services, it lets you publish your own service (behind a Network Load Balancer) as an endpoint service that other VPCs consume through an interface endpoint.
It enables:
- Private communication between VPCs without peering
- Private SaaS access
- Private exposure of your own microservices
- Cross-account connectivity
All of this without exposing the service publicly or sharing address space between the VPCs.
PrivateLink Architecture
flowchart LR
ConsumerVPC
PrivateLink
ProviderVPC
SpringBoot
InternalService
ConsumerVPC --> PrivateLink
PrivateLink --> ProviderVPC
SpringBoot --> ConsumerVPC
ProviderVPC --> InternalService
Real-World Use Cases
PrivateLink is commonly used for:
- Banking applications
- Healthcare platforms
- Insurance systems
- Internal APIs
- Shared enterprise platforms
- SaaS integrations
- Systems in PCI DSS scope
Spring Boot Example
Spring Boot needs:
- Database password
- API keys
- OAuth credentials
Instead of Internet:
Spring Boot
↓
Private Endpoint
↓
AWS Secrets Manager
Example Services
Use Interface Endpoints for:
| Service | Endpoint |
|---|---|
| Secrets Manager | Interface |
| SQS | Interface |
| SNS | Interface |
| ECR | Interface |
| CloudWatch | Interface |
| OpenSearch | Interface |
| STS | Interface |
Use Gateway Endpoints for:
| Service | Endpoint |
|---|---|
| Amazon S3 | Gateway |
| DynamoDB | Gateway |
Step 1 Create Interface Endpoint
In the AWS Console go to VPC → Endpoints → Create Endpoint.
1. Choose the service. Example: Secrets Manager (com.amazonaws.us-east-1.secretsmanager).
2. Choose the VPC: the production VPC.
3. Choose the subnets: the private subnets in AZ-1 and AZ-2, so the endpoint has an ENI in each Availability Zone.
4. Security group: allow inbound HTTPS (TCP 443) only from the Spring Boot security group. Nothing else needs to reach the endpoint.
5. Enable Private DNS.
With Private DNS enabled, Spring Boot automatically resolves
secretsmanager.us-east-1.amazonaws.com
to the private IP addresses of the endpoint ENIs, so the SDK needs no special configuration.
Step 2 Create Gateway Endpoint
In the AWS Console go to VPC → Endpoints → Create Endpoint and choose the Gateway type.
1. Choose the service: Amazon S3.
2. Associate the route tables of the private subnets where Spring Boot runs.
No application changes are required: the route table sends S3 traffic to the endpoint, and the S3 hostname keeps resolving to its public addresses.
Endpoint Policy
An endpoint policy is an IAM policy document attached to the endpoint; it limits which API calls and resources may pass through it, regardless of what the caller's IAM role allows.
Example: allow only read access (s3:GetObject, s3:ListBucket) to the bucket
codewithvenu-assets
and deny every other bucket. Because an endpoint policy has no implicit allow, any bucket or action not listed is rejected at the endpoint.
Caveat: the endpoint policy controls what leaves your VPC through the endpoint, not who may reach the bucket. To enforce the other direction, add a bucket policy that denies requests whose aws:sourceVpce is not your endpoint ID.
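The following is an added example, not code from the original article: it performs Step 1, Step 2 and the endpoint policy above with the AWS SDK for Java v2 (artifact software.amazon.awssdk:ec2) instead of the console. The VPC, subnet, route table and security group IDs are placeholders you must replace; the policy document is the read-only policy for the codewithvenu-assets bucket described in the text.

```java
// Added example (not from the original article). Provisions the Secrets Manager interface
// endpoint and the S3 gateway endpoint with the AWS SDK for Java v2. All IDs are placeholders.
import java.util.List;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.ec2.Ec2Client;
import software.amazon.awssdk.services.ec2.model.AuthorizeSecurityGroupIngressRequest;
import software.amazon.awssdk.services.ec2.model.CreateSecurityGroupRequest;
import software.amazon.awssdk.services.ec2.model.CreateVpcEndpointRequest;
import software.amazon.awssdk.services.ec2.model.CreateVpcEndpointResponse;
import software.amazon.awssdk.services.ec2.model.IpPermission;
import software.amazon.awssdk.services.ec2.model.UserIdGroupPair;
import software.amazon.awssdk.services.ec2.model.VpcEndpointType;

public class VpcEndpointProvisioner {

    private static final Region REGION = Region.US_EAST_1;

    // Placeholder identifiers: substitute your own VPC, private subnets, route tables and app SG.
    private static final String VPC_ID = "vpc-0123456789abcdef0";
    private static final List<String> PRIVATE_SUBNET_IDS = List.of("subnet-aaaa1111", "subnet-bbbb2222");
    private static final List<String> PRIVATE_ROUTE_TABLE_IDS = List.of("rtb-cccc3333");
    private static final String SPRING_BOOT_SG_ID = "sg-dddd4444";

    // Gateway endpoint policy: read-only access to one bucket. An endpoint policy is a normal IAM
    // policy document with no implicit allow, so every other bucket and action is denied.
    private static final String S3_ENDPOINT_POLICY = """
        {
          "Version": "2012-10-17",
          "Statement": [{
            "Sid": "ReadOnlyAssetsBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
              "arn:aws:s3:::codewithvenu-assets",
              "arn:aws:s3:::codewithvenu-assets/*"
            ]
          }]
        }
        """;

    public static void main(String[] args) {
        try (Ec2Client ec2 = Ec2Client.builder().region(REGION).build()) {
            String endpointSg = createEndpointSecurityGroup(ec2);
            System.out.println("Secrets Manager interface endpoint: "
                    + createSecretsManagerInterfaceEndpoint(ec2, endpointSg));
            System.out.println("S3 gateway endpoint: " + createS3GatewayEndpoint(ec2));
        }
    }

    /** Step 1, security group: allow TCP 443 inbound only from the Spring Boot security group. */
    static String createEndpointSecurityGroup(Ec2Client ec2) {
        String sgId = ec2.createSecurityGroup(CreateSecurityGroupRequest.builder()
                .vpcId(VPC_ID)
                .groupName("secretsmanager-endpoint-sg")
                .description("HTTPS to the Secrets Manager interface endpoint, app SG only")
                .build()).groupId();
        ec2.authorizeSecurityGroupIngress(AuthorizeSecurityGroupIngressRequest.builder()
                .groupId(sgId)
                .ipPermissions(IpPermission.builder()
                        .ipProtocol("tcp").fromPort(443).toPort(443)
                        .userIdGroupPairs(UserIdGroupPair.builder().groupId(SPRING_BOOT_SG_ID).build())
                        .build())
                .build());
        return sgId;
    }

    /** Step 1: interface endpoint with an ENI in each private subnet and Private DNS enabled. */
    static String createSecretsManagerInterfaceEndpoint(Ec2Client ec2, String endpointSgId) {
        CreateVpcEndpointResponse response = ec2.createVpcEndpoint(CreateVpcEndpointRequest.builder()
                .vpcId(VPC_ID)
                .vpcEndpointType(VpcEndpointType.INTERFACE)
                .serviceName("com.amazonaws." + REGION.id() + ".secretsmanager")
                .subnetIds(PRIVATE_SUBNET_IDS)
                .securityGroupIds(endpointSgId)
                .privateDnsEnabled(true)   // the public hostname now resolves to the endpoint ENIs
                .build());
        return response.vpcEndpoint().vpcEndpointId();
    }

    /** Step 2: S3 gateway endpoint on the private route tables, restricted by the policy above. */
    static String createS3GatewayEndpoint(Ec2Client ec2) {
        CreateVpcEndpointResponse response = ec2.createVpcEndpoint(CreateVpcEndpointRequest.builder()
                .vpcId(VPC_ID)
                .vpcEndpointType(VpcEndpointType.GATEWAY)
                .serviceName("com.amazonaws." + REGION.id() + ".s3")
                .routeTableIds(PRIVATE_ROUTE_TABLE_IDS)
                .policyDocument(S3_ENDPOINT_POLICY)
                .build());
        return response.vpcEndpoint().vpcEndpointId();
    }
}
```

Run it with credentials that hold ec2:CreateVpcEndpoint, ec2:CreateSecurityGroup and ec2:AuthorizeSecurityGroupIngress. One practical consequence of the tight S3 policy: anything else in those subnets that reaches S3 through the same gateway endpoint, such as ECR image pulls (ECR stores layers in S3) or CloudWatch agents, will be denied until its bucket is added to the policy, so test the policy in a non-production VPC first.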
Spring Boot Architecture
flowchart TD
Browser
ALB
SpringBoot
SecretsManager
S3
Browser --> ALB
ALB --> SpringBoot
SpringBoot --> SecretsManager
SpringBoot --> S3
Spring Boot Configuration
Maven
<dependency>
<groupId>software.amazon.awssdk</groupId>
<artifactId>secretsmanager</artifactId>
</dependency>
The version is supplied by importing software.amazon.awssdk:bom in dependencyManagement. The SDK also needs an HTTP client artifact on the classpath, for example url-connection-client or apache-client.
application.yml
aws:
region: us-east-1
No endpoint URL is required when Private DNS is enabled: the SDK's default hostname already resolves to the endpoint. Only if Private DNS is disabled must the client be given the endpoint-specific DNS name (of the form vpce-…​.secretsmanager.us-east-1.vpce.amazonaws.com) as an endpoint override; otherwise the SDK targets the public hostname and the call times out from a subnet with no Internet route.
Authentication
Never embed long-lived access keys in the application, its configuration or its image.
Instead, let the SDK's default credentials provider obtain short-lived credentials from the runtime:
- IAM Role
- EC2 Instance Profile
- ECS Task Role
- EKS IAM Role for Service Account (IRSA)
The role's IAM policy and the endpoint policy are evaluated together: a call must be allowed by both.
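The following is an added example, not code from the original article: a Spring @Configuration that builds the Secrets Manager client the way the Spring Boot Configuration and Authentication sections describe. No access keys appear anywhere; DefaultCredentialsProvider picks up the instance profile, ECS task role or IRSA token. The property names aws.region, aws.secretsmanager.endpoint and aws.secretsmanager.db-secret-id are this example's own, and it assumes the url-connection-client artifact and Spring Boot's autoconfigured ObjectMapper.

```java
// Added example (not from the original article). Secrets Manager client for Spring Boot that
// relies on the runtime's IAM role and, by default, on Private DNS for endpoint resolution.
import java.net.URI;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClientBuilder;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

@Configuration
public class SecretsManagerConfig {

    /** Username and password extracted from the secret; never logged, never written to disk. */
    public record DatabaseCredentials(String username, String password) {}

    @Bean
    public SecretsManagerClient secretsManagerClient(
            @Value("${aws.region}") String region,
            // Leave empty when Private DNS is enabled on the endpoint (the normal case).
            // Set it to the endpoint-specific name, for example
            // https://vpce-0123456789abcdef0-abcdefgh.secretsmanager.us-east-1.vpce.amazonaws.com
            // (placeholder ID), only when Private DNS is disabled.
            @Value("${aws.secretsmanager.endpoint:}") String endpointOverride) {

        SecretsManagerClientBuilder builder = SecretsManagerClient.builder()
                .region(Region.of(region))
                // Instance profile, ECS task role or IRSA; no static keys anywhere.
                .credentialsProvider(DefaultCredentialsProvider.builder().build())
                .httpClient(UrlConnectionHttpClient.create());

        if (!endpointOverride.isBlank()) {
            builder.endpointOverride(URI.create(endpointOverride));
        }
        return builder.build();
    }

    @Bean
    public DatabaseCredentials databaseCredentials(SecretsManagerClient client,
                                                   ObjectMapper mapper,
                                                   @Value("${aws.secretsmanager.db-secret-id}") String secretId)
            throws JsonProcessingException {
        // One call at startup through the interface endpoint. The secret string is the JSON document
        // Secrets Manager stores for database secrets ({"username": "...", "password": "..."}).
        String json = client.getSecretValue(GetSecretValueRequest.builder()
                .secretId(secretId)
                .build()).secretString();
        JsonNode node = mapper.readTree(json);
        return new DatabaseCredentials(node.get("username").asText(), node.get("password").asText());
    }
}
```

If the call hangs at startup rather than failing fast, the request is almost certainly going to the public hostname: confirm Private DNS is enabled on the endpoint, or set the endpoint override to the endpoint-specific name. If it fails with AccessDeniedException, check the role policy, the endpoint policy and the secret's resource policy in that order.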
Traffic Comparison
Without Endpoint
Spring Boot
↓
Internet
↓
AWS Service
With Endpoint
Spring Boot
↓
VPC Endpoint
↓
AWS Service
Security Benefits
Benefits include:
- No public IP
- No Internet Gateway
- No NAT Gateway dependency
- Reduced attack surface
- Better compliance
- Private AWS backbone
- IAM integration
Monitoring
Interface endpoints publish CloudWatch metrics in the AWS/PrivateLinkEndpoints namespace; watch:
- ActiveConnections and NewConnections (a sudden drop means callers are no longer reaching the endpoint)
- BytesProcessed (also drives the per-GB charge)
- PacketsDropped and RstPacketsReceived (security group or service-side rejections)
Security groups do not produce logs; use VPC Flow Logs on the endpoint ENIs to see rejected connections, and CloudTrail to see which principals called the service through the endpoint.
Common Errors
Timeout
The request is leaving for the public hostname or being dropped before it reaches the endpoint. Check:
- Endpoint security group: inbound TCP 443 from the Spring Boot security group (and the app's outbound rules)
- Endpoint state: it must be Available, with an ENI in the application's Availability Zone
- Route table (gateway endpoints only): the application subnet's route table must be associated with the endpoint
- Network ACLs on the subnet
Access Denied
The request reached the service but was rejected. Verify, in order:
- IAM Role attached to the instance, task or pod
- Endpoint Policy attached to the VPC endpoint
- Resource Policy on the target (bucket policy, secret policy, queue policy), including any aws:sourceVpce or aws:sourceVpc condition that names a different endpoint
DNS Resolution Failed
The service hostname does not resolve to the endpoint's private IP addresses. Verify:
- Private DNS enabled on the interface endpoint
- VPC attribute enableDnsHostnames is true
- VPC attribute enableDnsSupport is true
- The application uses the VPC resolver (the .2 address of the VPC CIDR), not a custom resolver that forwards to the Internet
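The following is an added example, not code from the original article: a small diagnostic for the DNS Resolution Failed and Timeout cases above. It resolves the service hostname and reports any address that falls outside the VPC CIDR, which is exactly what Private DNS is supposed to prevent. The VPC CIDR 10.0.0.0/16 is an assumed value; pass your own.

```java
// Added example (not from the original article). Checks that an interface endpoint's service
// hostname resolves to private addresses inside the VPC, i.e. that Private DNS is in effect.
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

public final class EndpointDnsCheck {

    /** True when the IPv4 address lies inside the dotted CIDR block, e.g. 10.0.0.0/16. */
    static boolean inCidr(InetAddress address, String cidr) {
        String[] parts = cidr.split("/");
        int prefixLength = Integer.parseInt(parts[1]);
        byte[] addr = address.getAddress();
        if (addr.length != 4) {
            return false;   // IPv6 answers are not expected from an IPv4 interface endpoint
        }
        int mask = prefixLength == 0 ? 0 : 0xFFFFFFFF << (32 - prefixLength);
        return (toInt(toIpv4(parts[0])) & mask) == (toInt(addr) & mask);
    }

    static byte[] toIpv4(String dotted) {
        String[] octets = dotted.split("\\.");
        byte[] out = new byte[4];
        for (int i = 0; i < 4; i++) {
            out[i] = (byte) Integer.parseInt(octets[i]);
        }
        return out;
    }

    static int toInt(byte[] b) {
        return ((b[0] & 0xFF) << 24) | ((b[1] & 0xFF) << 16) | ((b[2] & 0xFF) << 8) | (b[3] & 0xFF);
    }

    /** Addresses the hostname resolved to outside the VPC; an empty list means Private DNS works. */
    static List<InetAddress> publicAddresses(String host, String vpcCidr) throws UnknownHostException {
        return Arrays.stream(InetAddress.getAllByName(host))
                .filter(a -> !inCidr(a, vpcCidr))
                .toList();
    }

    public static void main(String[] args) throws UnknownHostException {
        String host = "secretsmanager.us-east-1.amazonaws.com";
        String vpcCidr = "10.0.0.0/16";    // assumed VPC CIDR; replace with yours
        List<InetAddress> leaked = publicAddresses(host, vpcCidr);
        if (leaked.isEmpty()) {
            System.out.println(host + " resolves inside " + vpcCidr + ": Private DNS is active");
        } else {
            System.out.println(host + " resolves to public addresses " + leaked
                    + ": check Private DNS, enableDnsHostnames and enableDnsSupport");
        }
    }
}
```

Run it from the same subnet and resolver the application uses, since a developer laptop will always see public addresses. Do not apply the check to S3 behind a gateway endpoint: that hostname legitimately resolves to public IPs, and the route table, not DNS, steers the traffic to the endpoint.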
Production Architecture
flowchart TD
Internet
CloudFront
AWSWAF
ALB
SpringBootAZ1
SpringBootAZ2
VPCEndpoints
SecretsManager
SQS
SNS
S3
CloudWatch
Internet --> CloudFront
CloudFront --> AWSWAF
AWSWAF --> ALB
ALB --> SpringBootAZ1
ALB --> SpringBootAZ2
SpringBootAZ1 --> VPCEndpoints
SpringBootAZ2 --> VPCEndpoints
VPCEndpoints --> SecretsManager
VPCEndpoints --> SQS
VPCEndpoints --> SNS
VPCEndpoints --> S3
VPCEndpoints --> CloudWatch
Best Practices
- Keep Spring Boot in private subnets
- Use Gateway Endpoints for S3 and DynamoDB
- Use Interface Endpoints for AWS APIs
- Enable Private DNS
- Use IAM Roles instead of Access Keys
- Restrict endpoint policies
- Monitor CloudWatch metrics
- Avoid unnecessary NAT Gateway traffic
- Enable VPC Flow Logs
- Deploy endpoints in multiple Availability Zones
- Keep all sensitive communication inside AWS
Developer Checklist
Before production deployment:
- VPC created
- Private subnets configured
- Interface Endpoints created
- Gateway Endpoints created
- Private DNS enabled
- IAM Roles attached
- Security Groups configured
- Endpoint Policies configured
- CloudWatch monitoring enabled
- VPC Flow Logs enabled
Interview Questions
What is AWS PrivateLink?
AWS PrivateLink enables private connectivity between VPCs, AWS services, and SaaS applications without traversing the public Internet.
What is a VPC Endpoint?
A VPC Endpoint provides private connectivity from a VPC to supported AWS services.
Difference between Gateway Endpoint and Interface Endpoint?
| Gateway Endpoint | Interface Endpoint |
|---|---|
| S3 & DynamoDB | Most other AWS services |
| Uses Route Tables | Uses ENIs |
| No hourly endpoint charge | Hourly endpoint charge plus data processing |
Why enable Private DNS?
Private DNS allows applications to use the standard AWS service hostname while automatically resolving it to the private VPC endpoint.
Why should Spring Boot applications use VPC Endpoints?
To improve security, eliminate public internet traffic, reduce dependency on NAT Gateways, and simplify compliance.
Summary
In this article, we explored AWS PrivateLink and VPC Endpoints for Spring Boot applications.
We covered:
- VPC Endpoint fundamentals
- Gateway Endpoints
- Interface Endpoints
- AWS PrivateLink
- Private DNS
- IAM integration
- Security architecture
- Spring Boot integration
- Monitoring
- Production best practices
Using PrivateLink and VPC Endpoints is a fundamental security best practice for enterprise AWS applications. By keeping communication entirely on the AWS private network, you can build Spring Boot systems that are more secure, compliant, and resilient while reducing operational complexity.