Centralized VPC Endpoints - Why It Works for AWS Networking
Dec 17, 2024
Meg Ashby, a Senior Cloud Security Engineer at Alloy with a background at Goldman Sachs, sheds light on AWS's centralized VPC endpoints, often deemed an anti-pattern. She shares insights on transforming this unconventional setup into a cost-effective and scalable solution with strong controls and visibility. Delving into the challenges of monitoring traffic and implementing granular IAM controls, she provides valuable strategies for balancing security with network efficiency. Plus, her personal anecdotes add an enjoyable touch to the tech-heavy discussion!
Alloy's Centralized VPC Choice
- Alloy chose centralized VPC endpoints to reduce interface endpoint costs and manageability complexity.
- They treated traffic between their workloads and AWS services as trusted, and routed that AWS service traffic over PrivateLink so it never crosses the public internet.
Policy Challenges in Centralized VPCs
- Centralized VPC endpoints offer one policy per endpoint, complicating granular access controls.
- Alloy overcame this by combining VPC endpoint policies with IAM conditions to maintain fine-grained permissions.
Use DNS Sharing for Control
- Use private hosted zones with alias records shared across subscribing VPCs to enable central endpoint access.
- Separate production VPCs by not associating them with the private hosted zone to enforce isolation.
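The three snips above, written out as an added Terraform example (not code from the episode or from Alloy's environment): a single central SQS interface endpoint with a coarse endpoint policy, an IAM policy that narrows access per role with an aws:SourceVpce condition, and a private hosted zone whose alias record is associated only with non-production spoke VPCs. Resource references such as aws_vpc.shared_services and the var.* values are assumptions, and spokes are assumed to sit in the same account as the hub.

```hcl
# Added illustration, not from the episode. aws_vpc.shared_services, aws_subnet.endpoint,
# aws_security_group.endpoint and var.* are hypothetical; spokes share the hub's account.
resource "aws_vpc_endpoint" "sqs_central" {
  vpc_id              = aws_vpc.shared_services.id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = aws_subnet.endpoint[*].id
  security_group_ids  = [aws_security_group.endpoint.id]
  private_dns_enabled = false # resolution is provided by the shared zone below
  # Only one policy per endpoint, so keep it coarse (who may use it at all); per-role limits go in IAM.
  policy = jsonencode({ Version = "2012-10-17", Statement = [{
    Effect = "Allow", Principal = "*", Action = "sqs:*", Resource = "*",
    Condition = { StringEquals = { "aws:PrincipalOrgID" = var.org_id } }
  }] })
}
# IAM half of the pairing: this role reaches SQS only via the central endpoint and only its own queues.
data "aws_iam_policy_document" "worker_sqs" {
  statement {
    actions   = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
    resources = ["arn:aws:sqs:${var.region}:${var.account_id}:worker-*"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.sqs_central.id]
    }
  }
}
# Private hosted zone that shadows the public SQS hostname inside subscribing VPCs.
resource "aws_route53_zone" "sqs" {
  name = "sqs.${var.region}.amazonaws.com"
  vpc { vpc_id = aws_vpc.shared_services.id }
  lifecycle { ignore_changes = [vpc] } # spoke associations are managed separately below
}
resource "aws_route53_record" "sqs_alias" {
  zone_id = aws_route53_zone.sqs.zone_id
  name    = "sqs.${var.region}.amazonaws.com"
  type    = "A"
  alias {
    name                   = aws_vpc_endpoint.sqs_central.dns_entry[0].dns_name
    zone_id                = aws_vpc_endpoint.sqs_central.dns_entry[0].hosted_zone_id
    evaluate_target_health = false
  }
}
# Production VPC IDs are deliberately absent from this list, so they never resolve the shared endpoint.
resource "aws_route53_zone_association" "nonprod_spoke" {
  for_each = toset(var.nonprod_spoke_vpc_ids)
  zone_id  = aws_route53_zone.sqs.zone_id
  vpc_id   = each.value
}
```

A spoke in another account would additionally need an aws_route53_vpc_association_authorization in the hub account before the association can be created.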