Service link private connectivity options - AWS Outposts

Service link private connectivity options

You can configure the service link with a private connection for the traffic between the Outpost and its home AWS Region. You can choose to use AWS Direct Connect private or transit VIFs.

Select the private connectivity option when you create your Outpost in the AWS Outposts console. For instructions, see Create an Outpost.

When you select the private connectivity option, a service link VPN connection is established after the Outpost is installed, using a VPC and subnet that you specify. This allows private connectivity through the VPC and minimizes public internet exposure.

The following image shows both options to establish a service link VPN private connection between your Outposts and the AWS Region:

The service link private connection options.

Prerequisites

The following prerequisites are required before you can configure private connectivity for your Outpost:

  • You must configure permissions for an IAM entity (user or role) that allow it to create the service-linked role for private connectivity. The IAM entity needs permission for the following actions:

    • iam:CreateServiceLinkedRole on arn:aws:iam::*:role/aws-service-role/outposts.amazonaws.com/AWSServiceRoleForOutposts*

    • iam:PutRolePolicy on arn:aws:iam::*:role/aws-service-role/outposts.amazonaws.com/AWSServiceRoleForOutposts*

    • ec2:DescribeVpcs

    • ec2:DescribeSubnets

    For more information, see AWS Identity and Access Management for AWS Outposts.

  • In the same AWS account and Availability Zone as your Outpost, create a VPC for the sole purpose of Outpost private connectivity, with a subnet of /25 or larger whose CIDR does not overlap 10.1.0.0/16. For example, you might use 10.3.0.0/16 for the VPC.

  • Configure the subnet security group to allow UDP port 443 traffic in both the inbound and outbound directions.

  • Advertise the subnet CIDR to your on-premises network. You can use AWS Direct Connect to do so. For more information, see AWS Direct Connect virtual interfaces and Working with AWS Direct Connect gateways in the AWS Direct Connect User Guide.
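The prerequisites above are the kind of thing that is easy to get subtly wrong (a TCP rule instead of UDP, a /26 subnet, a CIDR inside 10.1.0.0/16), and the failure only shows up after the Outpost is installed. The following is an added example, not AWS code or anything from this guide: a small offline preflight script that builds the identity policy with exactly the four actions listed, checks a candidate subnet CIDR against the size and overlap rules, and checks a security group for UDP 443 in both directions. It assumes security groups in the dictionary shape returned by ec2 describe-security-groups, reads "/25 or larger" as a prefix length of 25 or smaller, and uses made-up group IDs and CIDRs as sample input.

```python
import ipaddress
import json
from typing import Dict, List

# Values taken from the prerequisites on this page
RESERVED_SERVICE_LINK_CIDR = ipaddress.ip_network("10.1.0.0/16")
MAX_SUBNET_PREFIX_LEN = 25          # "/25 or larger" = prefix length of 25 or smaller
SERVICE_LINK_PORT = 443
SERVICE_LINK_PROTOCOL = "udp"
SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/"
           "outposts.amazonaws.com/AWSServiceRoleForOutposts*")


def private_connectivity_iam_policy() -> Dict:
    """Identity policy granting exactly the four actions the page lists.
    The ec2:Describe* actions do not support resource-level permissions, so they
    use Resource "*"; the IAM actions are scoped to the service-linked role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OutpostsPrivateConnectivityServiceLinkedRole",
                "Effect": "Allow",
                "Action": ["iam:CreateServiceLinkedRole", "iam:PutRolePolicy"],
                "Resource": SLR_ARN,
            },
            {
                "Sid": "OutpostsPrivateConnectivityDescribe",
                "Effect": "Allow",
                "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets"],
                "Resource": "*",
            },
        ],
    }


def check_subnet_cidr(cidr: str) -> List[str]:
    """Return the prerequisite violations for a candidate subnet CIDR
    (an empty list means the CIDR is acceptable)."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > MAX_SUBNET_PREFIX_LEN:
        problems.append(f"{cidr}: subnet must be /{MAX_SUBNET_PREFIX_LEN} or larger, got /{net.prefixlen}")
    if net.overlaps(RESERVED_SERVICE_LINK_CIDR):
        problems.append(f"{cidr}: overlaps {RESERVED_SERVICE_LINK_CIDR}, which the service link uses")
    return problems


def _permits_service_link(rule: Dict) -> bool:
    """True if one IpPermissions entry (describe-security-groups shape) covers UDP 443."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != SERVICE_LINK_PROTOCOL:     # e.g. a TCP 443 rule does not count
        return False
    return rule.get("FromPort", 0) <= SERVICE_LINK_PORT <= rule.get("ToPort", 65535)


def check_security_group(sg: Dict) -> List[str]:
    """Confirm the subnet's security group allows UDP 443 inbound and outbound."""
    problems = []
    for key, direction in (("IpPermissions", "inbound"), ("IpPermissionsEgress", "outbound")):
        if not any(_permits_service_link(r) for r in sg.get(key, [])):
            problems.append(f"{sg.get('GroupId', '?')}: no {direction} rule permits UDP {SERVICE_LINK_PORT}")
    return problems


def run_preflight(subnet_cidr: str, sg: Dict) -> List[str]:
    """All checks together; an empty list means the prerequisites are met."""
    return check_subnet_cidr(subnet_cidr) + check_security_group(sg)


# Constructed sample security groups in the shape of describe-security-groups
# output (group IDs and CIDRs are made up for this example).
SAMPLE_SG_OK = {
    "GroupId": "sg-0example00000000a",
    "IpPermissions": [{"IpProtocol": "udp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "10.3.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SAMPLE_SG_TCP_ONLY = {
    "GroupId": "sg-0example00000000b",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "10.3.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    print(json.dumps(private_connectivity_iam_policy(), indent=2))
    for cidr, sg in (("10.3.0.0/24", SAMPLE_SG_OK), ("10.1.5.0/26", SAMPLE_SG_TCP_ONLY)):
        print(cidr, sg["GroupId"], run_preflight(cidr, sg) or "prerequisites met")
```

To use it against a real account, feed check_subnet_cidr the CidrBlock from describe-subnets and check_security_group one element of the SecurityGroups list from describe-security-groups; the policy document can be attached as-is to the user or role that will select the private connectivity option.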

Note

To select the private connectivity option while your Outpost is in PENDING status, choose Outposts from the AWS Outposts console and select your Outpost. Choose Actions, then Add private connectivity, and follow the steps.

After you select the private connectivity option for your Outpost, AWS Outposts automatically creates a service-linked role in your account that enables it to complete the following tasks on your behalf:

  • Creates network interfaces in the subnet and VPC that you specify, and creates a security group for the network interfaces.

  • Grants permission to the AWS Outposts service to attach the network interfaces to a service link endpoint instance in the account.

  • Attaches the network interfaces to the service link endpoint instances from the account.

For more information about the service-linked role, see Service-linked roles for AWS Outposts.

Important

After your Outpost is installed, confirm connectivity to the private IPs in your subnet from your Outpost.

Option 1. Private connectivity through AWS Direct Connect private VIFs

Create an AWS Direct Connect connection, private virtual interface, and virtual private gateway to allow your on-premises Outpost to access the VPC.

For more information, see the following sections in the AWS Direct Connect User Guide:

If the AWS Direct Connect connection is in a different AWS account from your VPC, see Associating a virtual private gateway across accounts in the AWS Direct Connect User Guide.

Option 2. Private connectivity through AWS Direct Connect transit VIFs

Create an AWS Direct Connect connection, transit virtual interface, and transit gateway to allow your on-premises Outpost to access the VPC.

For more information, see the following sections in the AWS Direct Connect User Guide: