Closed philhorrocks closed 12 months ago
Re-reading this story, it reads like it's after a way to implement PrivateLink - or documentation on how to implement it. Given that Amazon maintain documentation on PrivateLink, and no internal customer has asked for this in over two years, I think we can close this one.
User Story
Transit Gateway currently does not support security group references to another VPC that is attached via a separate VPC attachment. This is something that is being worked on by AWS, but we have been told this is 12+ months away.
An example might be HMPPS requiring access to services in the LAA, both separate VPCs. You could allow this communication via the Transit Gateway, but you would have to open up to the whole subnet CIDR on the incoming NACL to allow this communication to work. SGs would not work in this scenario.
A possible solution for this would be to bypass the TGW altogether and use the AWS PrivateLink backbone via an AWS endpoint service. An endpoint service would be created in the "Producer" VPC, which would set up a load balancer and private DNS pointing to a service in a chosen subnet. The consumer VPC could then access these services via an associated VPC endpoint which is set up in the local VPC, providing an ENI with a private IP. Security groups can then be set up for the VPC endpoint, making it secure and only allowing the appropriate resources access.
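As an added illustration of the layout described above (not code from the original story or from the platform), a Terraform sketch of the two halves. The `var.*` values and the single-account layout are assumptions; in practice the producer and consumer halves would live in separate accounts and states, with the producer accepting the endpoint connection request.

```hcl
# Producer VPC: internal NLB in front of the service (assumed subnets/VPC ids)
resource "aws_lb" "producer" {
  internal           = true
  load_balancer_type = "network"
  subnets            = var.producer_subnet_ids # assumed variable
}

resource "aws_lb_target_group" "producer" {
  port        = 443
  protocol    = "TCP"
  vpc_id      = var.producer_vpc_id # assumed variable
  target_type = "ip"
}

resource "aws_lb_listener" "producer" {
  load_balancer_arn = aws_lb.producer.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.producer.arn
  }
}

# Publish the NLB as an endpoint service; only the consumer account may connect
resource "aws_vpc_endpoint_service" "producer" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.producer.arn]
  allowed_principals         = ["arn:aws:iam::${var.consumer_account_id}:root"]
}

# Consumer side: the endpoint ENI's SG admits only the app SG, not a subnet CIDR
resource "aws_security_group" "endpoint" {
  name   = "producer-svc-endpoint"
  vpc_id = var.consumer_vpc_id # assumed variable
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.consumer_app_sg_id] # assumed variable
  }
}

resource "aws_vpc_endpoint" "consumer" {
  vpc_id             = var.consumer_vpc_id
  service_name       = aws_vpc_endpoint_service.producer.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.consumer_subnet_ids # assumed variable
  security_group_ids = [aws_security_group.endpoint.id]
}
```

The consumer's NACL needs no CIDR-wide rule for this path: traffic reaches the producer only through the endpoint ENI, and the ENI's security group references the application SG directly.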