{"id":15169278,"url":"https://github.com/jmoney/aws-privatelink-poc","last_synced_at":"2026-02-05T21:31:52.063Z","repository":{"id":226544262,"uuid":"768968228","full_name":"jmoney/aws-privatelink-poc","owner":"jmoney","description":"This is a POC to demonstrate an issue with AWS PrivateLink. The issue is what CIDR to lock down the NLB in a VPC Endpoint Service to in order to allow the consumer to access the private link.","archived":false,"fork":false,"pushed_at":"2025-01-01T03:15:01.000Z","size":33,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-13T09:53:48.174Z","etag":null,"topics":["aws","github-site","license-management","mkdocs"],"latest_commit_sha":null,"homepage":"https://www.jmoney.dev/aws-privatelink-poc","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jmoney.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-08T04:17:38.000Z","updated_at":"2024-03-11T02:32:00.000Z","dependencies_parsed_at":"2024-03-08T06:34:08.269Z","dependency_job_id":"244decb7-0e1f-4e9c-846e-52780e697461","html_url":"https://github.com/jmoney/aws-privatelink-poc","commit_stats":null,"previous_names":["jmoney/aws-privatelink-poc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jmoney/aws-privatelink-poc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmoney%2Faws-privatelink-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmoney%2Faws-privatelink-poc/tags","r
eleases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmoney%2Faws-privatelink-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmoney%2Faws-privatelink-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jmoney","download_url":"https://codeload.github.com/jmoney/aws-privatelink-poc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jmoney%2Faws-privatelink-poc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29135047,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-05T20:50:26.975Z","status":"ssl_error","status_checked_at":"2026-02-05T20:49:26.082Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","github-site","license-management","mkdocs"],"created_at":"2024-09-27T07:01:08.062Z","updated_at":"2026-02-05T21:31:52.033Z","avatar_url":"https://github.com/jmoney.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# private-link-poc\n\nThis is a POC to demonstrate an issue with AWS PrivateLink.  The issue is that when the security group on the network load balancer for this provider is locked down to the consumer ip addresses there is a gateway timeout through a LB.  
The security group of the NLB needs to be set further upstream to the source IP addresses, in this case the private IPs of the ALB, rather than the consumer IPs.\n\n## Setup\n\n```bash\nterraform init\nterraform apply -var input_provider_ingress=\"alb\"\n```\n\nThis will create a public ALB pointed at a VPC endpoint mapped to an NLB via a VPC Endpoint Service.  The NLB is pointed at an instance running a simple echo server.  The security group on the NLB is locked down to the ALB private IPs.\n\n```bash\nterraform init\nterraform apply -var input_provider_ingress=\"consumers\"\n```\n\nThis will create a public ALB pointed at a VPC endpoint mapped to an NLB via a VPC Endpoint Service.  The NLB is pointed at an instance running a simple echo server.  The security group on the NLB is locked down to the consumer private IPs.\n\n## Testing\n\nTo test this POC, you can run the following command:\n\n```bash\ncurl -s -v \"http://$(terraform output -json | jq -r .public_lb_dns)/http\"\n```\n\nTo log into the instance you can use session manager:\n\n```bash\naws ssm start-session --target $(terraform output -json | jq -r .echo_server_id)\n```\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | 5.40.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 5.40.0 |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_consumer\"\u003e\u003c/a\u003e [consumer](#module\\_consumer) | ./modules/consumer | n/a |\n| \u003ca name=\"module_consumer_network\"\u003e\u003c/a\u003e [consumer\\_network](#module\\_consumer\\_network) | ./modules/network_segment | n/a |\n| \u003ca name=\"module_echo_server\"\u003e\u003c/a\u003e [echo\\_server](#module\\_echo\\_server) | ./modules/echo_server | n/a |\n| \u003ca name=\"module_provider\"\u003e\u003c/a\u003e 
[provider](#module\\_provider) | ./modules/provider | n/a |\n| \u003ca name=\"module_provider_network\"\u003e\u003c/a\u003e [provider\\_network](#module\\_provider\\_network) | ./modules/network_segment | n/a |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_lb.public_lb](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/resources/lb) | resource |\n| [aws_lb_listener.public_lb](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/resources/lb_listener) | resource |\n| [aws_lb_target_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/resources/lb_target_group) | resource |\n| [aws_lb_target_group_attachment.consumers](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/resources/lb_target_group_attachment) | resource |\n| [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/resources/security_group) | resource |\n| [aws_security_group_rule.private_link_provider_ingress](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/resources/security_group_rule) | resource |\n| [aws_network_interface.alb_eni](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/data-sources/network_interface) | data source |\n| [aws_network_interface.consumer_network_interface](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/data-sources/network_interface) | data source |\n| [aws_network_interfaces.alb_enis](https://registry.terraform.io/providers/hashicorp/aws/5.40.0/docs/data-sources/network_interfaces) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_provider_ingress\"\u003e\u003c/a\u003e [provider\\_ingress](#input\\_provider\\_ingress) | Where to grab the IPs for the NLB provider security group. 
| `string` | `\"alb\"` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_consumer_ips\"\u003e\u003c/a\u003e [consumer\\_ips](#output\\_consumer\\_ips) | IP addresses of the consumer network interfaces |\n| \u003ca name=\"output_echo_server_id\"\u003e\u003c/a\u003e [echo\\_server\\_id](#output\\_echo\\_server\\_id) | value of the echo server's instance ID |\n| \u003ca name=\"output_private_link_vpcs\"\u003e\u003c/a\u003e [private\\_link\\_vpcs](#output\\_private\\_link\\_vpcs) | VPC IDs of the provider and consumer networks |\n| \u003ca name=\"output_provider_service_name\"\u003e\u003c/a\u003e [provider\\_service\\_name](#output\\_provider\\_service\\_name) | value of the provider service name |\n| \u003ca name=\"output_public_lb_dns\"\u003e\u003c/a\u003e [public\\_lb\\_dns](#output\\_public\\_lb\\_dns) | value of the public load balancer's DNS name |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjmoney%2Faws-privatelink-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjmoney%2Faws-privatelink-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjmoney%2Faws-privatelink-poc/lists"}