AWS PrivateLink & Beacon
How Beacon uses PrivateLink
Beacon leverages AWS to deliver a secure, flexible platform to our customers, one that allows them both to innovate and to run their production workloads. AWS PrivateLink is an important part of this offering because it allows us to connect client resources securely and ensure that sensitive traffic never flows over the public internet. While these goals can be achieved with VPNs and similar technologies, PrivateLink is simpler to configure and manage, requires less expertise from clients, and is much more flexible in connecting very specific resources without inadvertently over-provisioning access.
A robust monitoring and measuring system is a key part of our platform, but how do we know that system itself is healthy? Customers have the option of connecting the monitoring infrastructure in their Beacon environment to our upstream 'Monitor the Monitors' service using AWS PrivateLink. This ensures that only the components that need to interact with each other are able to do so, without any risk of data leaks in either the client or the Beacon environment.
Another major benefit of this approach is that clients can operate a minimal monitoring system in their own environment, saving cost and management complexity, while still benefiting from a globally distributed system that looks for degradation or outages beyond the client VPC that may affect them, such as network congestion or routing and DNS failures.
Quis custodiet ipsos custodes? (Who watches the watchers?)
We do - all the time!
While our offering is, at its core, a platform as a service, it is frequently deployed into client AWS accounts. We also partner with our clients, and that means that for both support and development, some means of accessing their environments is needed.
In a non-cloud environment, there would be VPNs allowing support and partner staff access to the client environment, and each of these would need to be maintained either at the network level in each region, or by each individual team member interacting with each client. AWS PrivateLink allows us to define endpoint services in client accounts as infrastructure as code (IaC), deploy them as part of our standard deployment, and centrally permission and manage connectivity from our environment into each client environment as needed.
This reduces the number of VPN connections to be managed, simplifies client deployments, and ensures that our stack can be consistently rebuilt with our IaC tooling.
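The pattern described above, as an added Terraform example that is not Beacon's own IaC: a client-side endpoint service that exposes only the monitoring load balancer, admits exactly one upstream account as an allowed principal and still requires each connection to be accepted, plus the consumer-side interface endpoint locked to a single port. The variable names, the `aws.upstream` provider alias and the account id are assumptions.

```hcl
# Illustrative only; variable values are placeholders supplied by the operator.
variable "monitoring_nlb_arn" { type = string } # NLB in the client account
variable "beacon_account_id"  { type = string } # upstream (consumer) account
variable "upstream_vpc_id"    { type = string }
variable "upstream_vpc_cidr"  { type = string }
variable "upstream_subnet_ids" { type = list(string) }

# Provider side (client account): publish ONLY the monitoring NLB.
# No peering, route tables or VPN are created, so nothing else in the
# client VPC becomes reachable.
resource "aws_vpc_endpoint_service" "monitoring" {
  network_load_balancer_arns = [var.monitoring_nlb_arn]

  # Each connection request must be explicitly accepted by the client
  # account; being an allowed principal alone is not enough to connect.
  acceptance_required = true

  tags = { Name = "monitoring-endpoint-service" }
}

# Exactly one allowed principal: the upstream account. Principals not
# listed here cannot discover or connect to the service at all.
resource "aws_vpc_endpoint_service_allowed_principal" "upstream" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.monitoring.id
  principal_arn           = "arn:aws:iam::${var.beacon_account_id}:root"
}

# Consumer side (upstream account, separate credentials via provider alias).
# The security group admits only the monitoring port from the upstream VPC.
resource "aws_security_group" "monitoring_endpoint" {
  provider = aws.upstream
  vpc_id   = var.upstream_vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.upstream_vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "client_monitoring" {
  provider           = aws.upstream
  vpc_id             = var.upstream_vpc_id
  service_name       = aws_vpc_endpoint_service.monitoring.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.upstream_subnet_ids
  security_group_ids = [aws_security_group.monitoring_endpoint.id]
}
```

Because `acceptance_required` is true, the pending connection must be approved in the client account (for example with an `aws_vpc_endpoint_connection_accepter` resource) before traffic flows, which gives the client a second, auditable control point.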