Connect On-Prem Services Using AWS VPC Endpoint Services

Overview

AWS VPC Endpoint Services allow you to expose your internal services, such as Jira or Gitlab, to Allstacks via a secure VPC-to-VPC connection that doesn’t require Internet access to your internal services. You can read more about this AWS feature here:
https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service-overview.html

In the AWS documentation, you’ll see reference to Service Providers and Service Consumers. In this scenario, you are the Service Provider and Allstacks is the Service Consumer.

Set Up

  1. Create a new Target Group in the EC2 console for each service that will be exposed to Allstacks.

    1. If the service is running on an EC2 instance in AWS, you can select Instances for the target type. In this situation, all resources covered in this guide should be created in the region and availability zone(s) running the service.

    2. If the service is outside of AWS and accessible over a VPN or AWS Direct Connect, choose the IP Address target type.

    3. Configure the target protocol as TCP and specify the port that the service listens on.

  2. Create a new Network Load Balancer in the EC2 console for each service that will be exposed to Allstacks.

    1. Choose the Internal scheme. The NLB can be created in private subnets without a direct Internet Gateway attachment, since it will be exposed to Allstacks only through the VPC endpoint service.

    2. Choose the correct VPC and subnet(s) that the service is running in.

    3. Configure the listener to use the same port that the service uses, and point it to the target group created above.

  3. Once the NLB is finished provisioning, return to the Target Group details page and wait for the target to reach Healthy status.

    1. If the target is reported as Unhealthy, ensure that the security group or any intermediary firewalls allow traffic on the target service port from IP addresses in the subnet(s) used by the NLB. The NLB doesn’t have an associated security group, so the security group rules must be IP-address-based (the NLB subnet CIDRs) rather than referencing another security group.

  4. In the VPC console, create a new Endpoint Service for each service that will be exposed to Allstacks.

    1. Select the previously created NLB. Once selected, make note of the Included Availability Zones. You will need to provide Allstacks with this information.

    2. Optionally, uncheck the Require acceptance for endpoint option. This allows the connection to be automatically accepted again if Allstacks needs to relocate the interface endpoint within the Allstacks network. Unchecking this doesn’t mean that the service is available to everyone, since access is controlled via a separate ACL.

  5. Once the new Endpoint Service is created, take note of the Service Name in the Endpoint Service details. This will need to be provided to Allstacks to set up the connection.

  6. On the Allow-listed principals tab of the Endpoint Service details, you will need to add an ARN that we provide to allow the Allstacks AWS account to establish a connection to the service. Please contact support to get the specific ARN you will need to use.

  7. Once the Endpoint Services have been configured for all exposed services, contact Allstacks support to continue connecting your tools to Allstacks. Provide the following information:

    1. Endpoint Service Name

    2. The region and availability zone(s) that the endpoint service is configured in.

    3. The DNS names and ports used for internal access to each of the services.
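The steps above expressed as Terraform for one service running on an EC2 instance (an added example, not Allstacks' own configuration). All IDs and CIDRs are placeholders to replace with your own, and the principal ARN is the one Allstacks support provides.

```hcl
locals {
  vpc_id        = "vpc-PLACEHOLDER"
  nlb_subnets   = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
  nlb_cidrs     = ["10.0.1.0/24", "10.0.2.0/24"] # CIDRs of the subnets above
  service_sg    = "sg-PLACEHOLDER"                # security group on the service instance
  port          = 443
  allstacks_arn = "arn:aws:iam::PLACEHOLDER:root" # ARN supplied by Allstacks support
}
# Step 1: TCP target group; default target_type is "instance", use "ip" for on-prem targets.
resource "aws_lb_target_group" "svc" {
  port     = local.port
  protocol = "TCP"
  vpc_id   = local.vpc_id
}
resource "aws_lb_target_group_attachment" "svc" {
  target_group_arn = aws_lb_target_group.svc.arn
  target_id        = "i-PLACEHOLDER" # EC2 instance running the service
}
# Step 2: internal NLB in private subnets, listener on the service port.
resource "aws_lb" "svc" {
  internal           = true
  load_balancer_type = "network"
  subnets            = local.nlb_subnets
}
resource "aws_lb_listener" "svc" {
  load_balancer_arn = aws_lb.svc.arn
  port              = local.port
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc.arn
  }
}
# Step 3: the NLB has no security group, so admit the NLB subnet CIDRs by IP.
resource "aws_security_group_rule" "from_nlb" {
  type              = "ingress"
  security_group_id = local.service_sg
  protocol          = "tcp"
  from_port         = local.port
  to_port           = local.port
  cidr_blocks       = local.nlb_cidrs
}
# Steps 4-6: auto-accept is fine only because allowed_principals restricts who may connect.
resource "aws_vpc_endpoint_service" "svc" {
  acceptance_required        = false
  network_load_balancer_arns = [aws_lb.svc.arn]
  allowed_principals         = [local.allstacks_arn]
}
output "service_name"       { value = aws_vpc_endpoint_service.svc.service_name } # Step 7
output "availability_zones" { value = aws_vpc_endpoint_service.svc.availability_zones }
```

After `terraform apply`, the two outputs plus the service's internal DNS name and port are the values to send to Allstacks support.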